AI for companies
Jun 26, 2026

The EU AI Act in MedTech: What Medical Device Companies Need to Know and Do in 2026


Note: This article is for general information only and does not constitute legal advice. The legal situation around the EU AI Act keeps evolving; this article reflects the status as of June 2026.

In short: The EU AI Act has applied since 1 August 2024 and is being phased in step by step. For most medical device companies, the first lever is not the much-quoted high-risk obligations but two rules that have already applied since February 2025: the ban on certain AI practices (Art. 5) and the obligation to ensure AI literacy among staff (Art. 4). The high-risk requirements were pushed back by the "Digital Omnibus" (political agreement on 7 May 2026): to December 2027 (standalone systems) and August 2028 (AI in regulated products such as medical devices) (Council of the European Union, 2026). Anyone who now inventories their AI applications, classifies the risk, and documents it verifiably meets today's obligations and is prepared for the ones to come.

Few topics currently unsettle the medical technology sector as much as the EU's AI regulation. Headlines swing between "EUR 35 million fine" and "everything postponed". Both are true, and both are misleading if you only read the headline. This guide explains what the EU AI Act concretely means for MedTech and medical devices, which deadlines really matter, and what you should do now.

What is the EU AI Act? A simple explanation

The EU AI Act (officially Regulation (EU) 2024/1689) is the world's first comprehensive law regulating artificial intelligence. It follows a risk-based approach: it does not regulate AI as such but the specific use case. The higher the risk to people and fundamental rights, the stricter the obligations (European Commission, n.d.).

The regulation has been in force since 1 August 2024 and applies directly across the EU. Its obligations, however, do not take effect all at once but in stages over several years.

Which risk classes does the EU AI Act define?

The EU AI Act divides AI systems into four classes. The classification determines the entire effort involved (European Commission, n.d.):

Unacceptable risk (prohibited): Practices such as subliminal or manipulative techniques, social scoring (by public or private actors), or emotion recognition in the workplace and in educational institutions (except for medical or safety reasons). These have been banned since 2 February 2025.

High risk: AI in sensitive areas (for example critical infrastructure, recruitment, education) or as a safety component in regulated products. Here the full catalogue of obligations applies (risk management, technical documentation, human oversight, conformity assessment).

Limited risk: Systems such as chatbots or assistants with transparency obligations under Art. 50. Users must be able to recognise that they are interacting with AI or that content is AI-generated.

Minimal risk: The majority of today's applications, such as spam filters. No specific obligations.

Decisive in practice: most AI tools that medical device companies use today, from ChatGPT to specialised knowledge platforms, fall into the limited or minimal risk categories. Genuine high-risk obligations mainly affect those who build AI into medical devices, and in medical technology that is a realistic scenario (more on this below).

Does the EU AI Act apply to my company if we only use AI?

Yes. The regulation distinguishes four roles (provider, deployer, importer, and distributor) with different obligations. Most medical device companies, as users of internal tools, are deployers: they do not develop the AI themselves but put tools to use. Deployers have a reduced catalogue of obligations (Art. 26), but not none (European Commission, n.d.).

The obligation most often underestimated in practice is Art. 4 (AI literacy). Since 2 February 2025 it has required all providers and deployers to take measures ensuring that staff and other persons operating AI systems on their behalf have a sufficient level of AI literacy. This explicitly includes teams in sales, regulatory affairs, quality management, or development that use tools such as ChatGPT, Copilot, or dedicated specialist applications. Art. 4 prescribes no particular format, but the measures must exist and must be demonstrable; anyone who can show nothing on this is, according to the reading of specialised law firms, already in breach today (cf. specialist law firm commentaries on the Digital Omnibus, 2026).

Which deadlines really apply in 2026 and 2027?

This is where the biggest misunderstanding lies. The original cut-off date of 2 August 2026 was eased for part of the obligations by the Digital Omnibus (political agreement of the Council and Parliament on 7 May 2026) (Council of the European Union, 2026). The current status (June 2026):

  • Prohibited practices (Art. 5) and AI literacy (Art. 4): apply unchanged since 2 February 2025.
  • Obligations for general-purpose AI models (GPAI): apply since 2 August 2025, enforcement from 2 August 2026.
  • Transparency obligations for deployers (Art. 50): apply since 2 August 2026.
  • Labelling of AI-generated content by providers (Art. 50(2)): postponed to 2 December 2026.
  • High-risk systems under Annex III (standalone): postponed to 2 December 2027.
  • High-risk AI in regulated products under Annex I (for example medical devices): postponed to 2 August 2028.

Three points are critical to understand:

  1. The Omnibus expressly does not change Art. 4 and Art. 5. These obligations have applied without any transition period since February 2025.
  2. For Art. 50, only part was postponed. What is postponed is solely the labelling and watermarking obligation of the model providers (Art. 50(2)). The transparency obligations for deployers, and thus for most medical device companies, apply entirely as normal since 2 August 2026.
  3. Postponing the high-risk deadlines is a breather, not an all-clear. A conformity assessment typically takes three to six months. Anyone affected should use the time gained rather than wait.

And in general: the legal situation is in flux. Individual deadlines may shift further; the direction of the requirements does not change. (Status of this article: June 2026.)

What does the EU AI Act mean specifically for medical technology?

For medical device companies there is a particularity that general guides often overlook. Medical devices and in vitro diagnostics are regulated products under Annex I. Anyone who integrates AI as a safety component into a medical device, or uses AI that is itself a medical device (software as a medical device), for example for AI-assisted analysis of image data or to support a diagnosis, is therefore dealing with high-risk requirements. Note the second condition in Art. 6(1): the product must be one that undergoes third-party conformity assessment under the MDR or IVDR. Since MDR Rule 11 places most medical device software in Class IIa or higher, this condition is met in the typical case; only self-certified Class I devices fall outside it.

What matters is which framework these requirements run through. Medical devices already fall under the Medical Device Regulation (MDR, Regulation (EU) 2017/745), and in vitro diagnostics under the IVDR (Regulation (EU) 2017/746). The EU AI Act does not require you to run a second, separate conformity procedure for AI in such products. The AI-specific high-risk requirements (risk management, technical documentation, human oversight) are integrated into the conformity assessment under the MDR or IVDR that is needed anyway and are reviewed by the notified body (cf. specialist law firm commentaries on the Digital Omnibus, 2026). After the Digital Omnibus, the relevant deadline for the high-risk obligations in these products is 2 August 2028.

For medical device companies this means: no double compliance under the AI Act and the MDR or IVDR in parallel, but an integrated path through the medical device law you already know. This is not an all-clear, because the requirements for safety and clinical evaluation remain demanding; the proof, however, shifts into a regime you are already familiar with. In addition, the term "safety component" was defined more narrowly: AI functions that merely support users or optimise performance do not automatically fall under the high-risk obligations, as long as their failure creates no health or safety risks.

This is clearly distinct from the far more common case: AI in the office and in the regulatory day-to-day, such as research in QM and regulatory documents, document analysis, review of technical documentation, and onboarding. As a rule, these internal applications are limited or minimal risk. Here it is not about conformity assessments but about transparency, traceability, and proof of AI literacy.

EU AI Act and GDPR: What is the difference?

The two frameworks are often confused but govern different things. The GDPR protects personal data. The EU AI Act regulates AI systems, regardless of whether personal data is processed. Where an AI processes personal data, both regulations apply in parallel. For medical device companies this means: GDPR-compliant data processing is necessary but not sufficient; the AI Act obligations come on top. This is especially relevant for health data, because special categories of personal data under Art. 9 GDPR are involved here.

In Germany, the AI Market Surveillance and Innovation Promotion Act (KI-MIG) gives shape to national implementation. It names the Federal Network Agency (BNetzA) as the central market surveillance authority, point of contact, and complaints body, together with the Coordination and Competence Centre (KoKIVO) housed there, and regulates the sanctions. Sectoral authorities remain responsible in their areas, for example the BfArM for medical devices; the BSI contributes its cybersecurity expertise in a supporting role (Federal Ministry for Digital Affairs and State Modernisation [BMDS], 2026; TÜV Rheinland Consulting, n.d.).

What happens in the event of violations?

Fines are graduated according to the severity of the breach: for the use of prohibited practices, up to EUR 35 million or 7% of total worldwide annual turnover. Breaches of most other obligations, including those for high-risk systems and the deployer duties under Art. 26 and Art. 50, can be penalised with up to EUR 15 million or 3% of turnover. The higher amount applies in each case; for SMEs and start-ups, the lower of the two (European Commission, n.d.).

Checklist: What medical device companies should do now

Regardless of the postponed deadlines, preparation is worthwhile in any case. These five steps are the pragmatic starting point:

  1. Create an AI inventory. Which AI tools are actually in use in the company, including "unofficially" in individual teams?
  2. Classify the risk. Assign each system to one of the four risk classes and record the reasoning. Important: a provider that considers an Annex III system not to be high-risk must document that assessment under Art. 6(4) before placing it on the market; for deployers, a written classification is what lets you show an authority why no high-risk obligations apply.
  3. Build and document AI literacy. Training, internal guidelines, and a documented training history satisfy the Art. 4 obligation.
  4. Anchor governance. Define responsibilities, approval processes, and transparency rules (labelling of AI-generated content). In MedTech, ideally interlinked with the existing QM system under ISO 13485.
  5. Choose compliant tools. Favour providers that build in data processing, source attribution, and transparency from the outset; this significantly reduces your own documentation effort.

How does MAIA help with AI Act-compliant use of AI?

MAIA is designed as an AI-powered knowledge platform for regulated industrial and medical device companies with exactly this requirement in mind. Three points feed directly into the demands of the EU AI Act:

Traceability instead of a black box. Every answer is backed by a source reference down to the document and version. Source attribution does not by itself discharge the disclosure duties of Art. 50, but it supports the transparency aim behind them and makes results auditable. That is a clear difference from generic AI tools that "sound right" but cannot be substantiated, and it fits the documentation culture in MDR and ISO 13485 environments.

GDPR-compliant, no training on customer data. Data processing to European standards, hosted in Germany and Switzerland. Your internal documents do not flow into third-party model training.

Controlled, documentable use. A clearly defined use case (knowledge access rather than clinical decision-making or control of a medical device) makes it easier to classify the risk as limited and therefore eases your own documentation.

Anyone who wants to use AI in their regulatory and knowledge work without buying into new compliance risks should look closely at these properties.


Frequently asked questions about the EU AI Act

Does the EU AI Act already apply? Yes. The regulation has been in force since 1 August 2024. The ban on certain practices (Art. 5) and the AI literacy obligation (Art. 4) have applied since 2 February 2025. The high-risk obligations take effect later (2 December 2027 for standalone Annex III systems, 2 August 2028 for AI in regulated products such as medical devices).

Is my medical device company affected by the EU AI Act if we only use ChatGPT or similar tools? Yes, as a deployer. Above all you must ensure the AI literacy of your staff and must not use any prohibited practices. You only have to deal with the actual high-risk requirements if you integrate AI as a safety component into a medical device or the AI is itself a medical device; these are reviewed through the conformity assessment under the MDR or IVDR (deadline 2 August 2028).

When must high-risk AI systems in medical technology be compliant? After the Digital Omnibus, the date for AI in regulated products (Annex I), which include medical devices and in vitro diagnostics, is 2 August 2028; the AI-specific requirements are integrated into the conformity assessment under the MDR or IVDR. For standalone high-risk systems (Annex III) the date is 2 December 2027.

What is the difference between the EU AI Act and the GDPR? The GDPR protects personal data; the EU AI Act regulates AI systems regardless of that. If an AI processes personal data, both frameworks apply in parallel.

How high are the penalties for violations? Up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, and up to EUR 15 million or 3% for breaches of most other obligations, including those for high-risk systems. The higher amount applies; for SMEs and start-ups, the lower.

References

European Commission. (n.d.). Regulatorischer Rahmen für künstliche Intelligenz [Regulatory framework for artificial intelligence].

Federal Ministry for Digital Affairs and State Modernisation. (2026, February). Kabinett beschließt schlanke KI-Aufsicht in Deutschland [Cabinet approves lean AI oversight in Germany].

Council of the European Union. (2026, May 7). Künstliche Intelligenz: Rat und Parlament einigen sich auf Vereinfachung der Regeln [Artificial intelligence: Council and Parliament agree to simplify the rules] [Press release].

Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (MDR). (2017). Official Journal of the European Union.

Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices (IVDR). (2017). Official Journal of the European Union.

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act). (2024). Official Journal of the European Union.

Specialist law firm commentaries on the Digital Omnibus on AI. (2026, May to June). [Practitioner notes / client briefings].

TÜV Rheinland Consulting. (n.d.). KI-MIG Deutschland: Behörden, Bußgelder, Fristen [KI-MIG Germany: Authorities, fines, deadlines].
