AI Compliance for Healthcare Devices: FDA SaMD, EU MDR, and EU AI Act
AI embedded in medical devices faces the most complex compliance landscape of any sector. You may need FDA clearance, EU MDR conformity assessment, and EU AI Act registration — simultaneously, with overlapping but non-identical requirements. This guide maps the complete picture.
Three overlapping frameworks — none of which replaces the others
FDA SaMD clearance, EU MDR conformity assessment, and EU AI Act registration are independent obligations. Achieving one does not satisfy the others. Companies selling AI-enabled medical devices in both the US and EU must complete all three separately.
What Counts as AI in a Medical Device?
The regulatory scope is broader than most teams realise. AI in a medical device context includes:
- Diagnostic AI: Algorithms that analyse imaging (X-ray, MRI, pathology slides) to detect conditions
- Predictive clinical AI: Models predicting patient deterioration, sepsis risk, readmission likelihood
- Treatment planning AI: Radiotherapy planning, drug dosing recommendation systems
- Triage and monitoring AI: Real-time patient monitoring with automated alerts
- Administrative clinical AI: AI that automates clinical documentation with downstream patient safety implications
Both the FDA and EU regulators distinguish between locked algorithms (fixed after training) and adaptive/continuous learning algorithms (update themselves post-deployment). Adaptive algorithms face stricter requirements because their behaviour changes over time.
Framework 1: FDA Software as a Medical Device (SaMD)
In the US, AI that meets the definition of a medical device requires FDA review before market entry. The FDA's framework for AI-enabled devices builds on its Software as a Medical Device (SaMD) guidance.
Does Your AI Need FDA Clearance?
The FDA applies the Device Software Functions (DSF) framework. Not all health software is regulated. The key test: does the software function to diagnose, treat, prevent, or cure a condition? If yes, it likely requires clearance.
- Exempt from FDA review: General wellness apps (step counters, general stress management), administrative hospital software, electronic health records without clinical decision making
- NSTC — Non-Device Software Functions: Software intended for administrative support, maintaining records, transferring data — not making clinical decisions
- Requires FDA clearance (510(k)) or approval (PMA): AI diagnosing diabetic retinopathy, AI detecting stroke from CT scans, AI recommending medication doses, AI predicting sepsis risk from vitals
FDA Clearance Pathways for AI Devices
| Pathway | When Used | Timeline | Cost |
|---|---|---|---|
| 510(k) Premarket Notification | AI similar to a legally marketed predicate device | 3–12 months | $20,000–$100,000 |
| De Novo Request | Novel AI with no predicate; low-to-moderate risk | 9–18 months | $50,000–$200,000 |
| Premarket Approval (PMA) | High-risk AI (Class III); life-sustaining | 18–48 months | $200,000–$2M+ |
| Breakthrough Device | Priority review for serious conditions; 25% faster | Varies | FDA fee waiver possible |
FDA SaMD Documentation Requirements
The FDA expects AI device submissions to include:
Framework 2: EU Medical Device Regulation (EU MDR)
In the EU, AI embedded in medical devices must comply with EU MDR (2017/745). MDR replaced the older Medical Device Directive (MDD) and carries significantly stricter requirements, particularly for software.
Under MDR, AI software qualifies as a medical device if it performs a medical purpose — diagnosis, monitoring, prediction, prognosis, treatment, or alleviation of disease. Software that merely stores or displays data without clinical decision-making does not qualify.
MDR Classification and Conformity Assessment
| MDR Class | AI Examples | Conformity Assessment |
|---|---|---|
| Class I | Fitness tracking with health indicators; general wellness AI | Self-certification (Declaration of Conformity) |
| Class IIa | AI analysing non-life-threatening imaging; wound assessment AI | Notified Body involvement required |
| Class IIb | AI for monitoring vital signs in hospital; AI-assisted surgical guidance | Full quality management system audit by Notified Body |
| Class III | AI diagnosing life-threatening conditions; brain/cardiac AI with treatment implications | Full technical dossier review; design examination by Notified Body |
Notified Bodies are the independent certification organisations that review Class IIa+ medical devices. With EU MDR, the number of Notified Bodies dropped dramatically (from 80+ under MDD to ~35), creating a significant backlog. Budget 12–24 months for Notified Body review for Class IIb/III devices.
MDR Technical Documentation for AI
EU MDR Annex II requires technical documentation covering (among other items):
- Device description, intended purpose, and intended users
- Design and manufacturing information (including software lifecycle per IEC 62304)
- General safety and performance requirements (Annex I) compliance
- Benefit-risk analysis
- Post-market clinical follow-up (PMCF) plan
- For AI: algorithm validation, training data characteristics, performance by clinical subgroup
Framework 3: EU AI Act — Healthcare AI as High-Risk
EU AI Act Annex III classifies AI systems used in healthcare as high-risk in two categories:
- Annex III, Category 5(a): AI used to assist in making decisions on access to or entitlement to essential services — including healthcare services. This covers AI triaging patients, AI prioritising waiting lists, AI allocating healthcare resources.
- AI embedded in regulated medical devices (EU MDR/IVDR): AI that falls within the scope of EU MDR or IVDR and requires third-party assessment is automatically deemed high-risk under the EU AI Act.
EU AI Act Requirements for High-Risk Healthcare AI
Where FDA, EU MDR, and EU AI Act Overlap
| Requirement | FDA | EU MDR | EU AI Act | Synergy? |
|---|---|---|---|---|
| Technical documentation | ✓ | ✓ | ✓ | Partial overlap — FDA 510(k) dossier ≠ EU MDR technical file ≠ AI Act Article 11 |
| Training data description | ✓ | ✓ | ✓ | Strong overlap — document once, reference across all three |
| Performance testing | ✓ | ✓ | ✓ | Strong overlap — same clinical validation data used for all three |
| Post-market monitoring | ✓ | ✓ | ✓ | Partial overlap — different reporting channels (FDA MDR vs EU EUDAMED vs AI Act ESMA) |
| Human oversight requirement | ✓ | ✓ | ✓ | Strong overlap — one set of override controls satisfies all three |
| Change management | ✓ | Limited | ✓ | FDA PCCP and AI Act lifecycle process align; EU MDR has less formal change control |
| Registry/database registration | — | EUDAMED | EU AI Act DB | Different registries — both required for EU market |
Practical Compliance Timeline for Healthcare AI Manufacturers
For a company building AI diagnostic software for both the US and EU market, a realistic compliance timeline:
- Design and architecture: Define intended use precisely (this determines FDA pathway + MDR class + EU AI Act category). Build technical documentation infrastructure from day one — retro-fitting is expensive.
- Clinical validation study: Run prospective validation with appropriate patient population diversity. Document training/test data provenance. Results feed FDA submission, MDR technical file, and EU AI Act documentation simultaneously.
- FDA pre-submission meeting: Request Q-sub meeting with FDA to agree on submission pathway and acceptance criteria before spending 6 months preparing the wrong package.
- FDA 510(k) or De Novo submission: Prepare and submit to FDA. Typical review timeline 3–12 months after submission. Continue EU preparation in parallel.
- EU MDR Notified Body engagement: Engage Notified Body early — they have 12–18 month backlogs for Class IIb/III. Submit technical dossier. Parallel: register in EUDAMED.
- EU AI Act registration: Register in EU AI Act database. Complete risk management documentation. Establish post-market monitoring system per AI Act lifecycle requirements.
Key Risks Healthcare AI Companies Underestimate
- Scope creep triggers reclassification: Adding a new clinical indication or patient population mid-development can trigger a higher risk class — requiring a more expensive pathway. Lock your intended use before investing in validation.
- Notified Body backlog: With only ~35 EU MDR-designated Notified Bodies, lead times are 12–24 months. Start engagement early or miss your EU launch window.
- Adaptive algorithm change control: Both FDA (PCCP) and EU AI Act require pre-defined processes for how the AI can change after clearance. Design this process before submission — retrofitting it is complex.
- Sub-group performance gaps: Regulators increasingly scrutinise AI performance across demographic subgroups (age, sex, ethnicity). Insufficient diversity in validation data is a leading cause of FDA submission rejections.
- Post-market surveillance obligations: Both FDA (MDR adverse event reporting) and EU MDR (PMCF) require ongoing post-market monitoring. This is not a one-time activity — budget for it operationally.