EU AI Act and Healthcare AI: Sector Map and Compliance Routes
Healthcare AI compliance under the EU AI Act: Annex I medical-device route (2 Aug 2028), Annex III triage AI (2 Dec 2027), Art 50 chatbots, GDPR Art 9.
Healthcare is one of the most technically complex sectors in the EU AI Act. Three distinct regulatory routes converge here — Article 6(1) via Annex I for medical-device AI, Article 6(2) via Annex III for health services access, and Article 50 for patient-facing chatbots — each with its own compliance timeline, documentation obligations, and interaction with other EU law. Understanding which route applies to a given system, and by when, is the first problem every health tech provider and hospital compliance team needs to solve.
This page maps the full picture. For deep dives into specific areas, see the cross-linked pages below.
Four Categories of Healthcare AI — and Where Each Route Leads
Healthcare AI is not a single regulatory object. What matters is what the system does and how it is governed under EU product law. Four categories cover most deployments.
1. Medical-Device AI: Annex I Route (Article 6(1))
AI software used for diagnostic imaging, clinical decision support, surgical robotics, or in vitro diagnostics qualifies as a medical device or in vitro diagnostic under Regulation (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR) respectively. Once an AI system is a safety component of, or itself constitutes, such a regulated product, it becomes high-risk under the EU AI Act via Article 6(1) read with Annex I, provided the product must undergo third-party conformity assessment under MDR/IVDR (Article 6(1)(b)). The MDR/IVDR listing in Annex I Section A does the triggering work. The third-party condition matters at the margin: a self-certified Class I device does not satisfy Article 6(1)(b), although MDR Annex VIII Rule 11 places most software intended to inform diagnostic or therapeutic decisions in Class IIa or above, so in practice almost all clinical AI software meets it.
This Annex I pathway has two consequences that differ from the Annex III route:
Integrated conformity assessment. Under Article 43(3), Annex I systems use an integrated conformity procedure that runs alongside the product-regulation conformity assessment. For most MDR Class IIa/IIb/III devices and most IVDR Class B/C/D devices, a notified body is already involved in the MDR process. The EU AI Act conformity assessment is coordinated with — but does not replace — that process. One technical file may serve both, with an explicit mapping of which section satisfies which regulation. A single EU Declaration of Conformity can cover both frameworks under Article 47.
Deadline: 2 August 2028. High-risk AI embedded in Annex I products is subject to the extended deadline under the Digital Omnibus (political agreement, May 2026). The original 2 August 2026 date has been deferred. For medical-device AI companies mid-MDR technical file, this is practically useful — but the documentation lead time for a Class IIb device is often two years, so the 2028 date is a ceiling, not a starting point.
Systems in this category: diagnostic imaging AI (radiology, pathology, ophthalmology), AI for drug-interaction alerting, surgical robot software with decision-support functions, AI analysing laboratory biomarkers under IVDR. For a full treatment of this route, see the medical devices and AI Act cross-compliance guide.
2. Annex III Health Uses: Emergency Triage and Biometrics
Two Annex III headings capture healthcare uses directly — without any MDR/IVDR involvement required.
Annex III, point 5(d): emergency calls, dispatch and triage. Annex III point 5 (access to and enjoyment of essential private and public services) names the healthcare use directly in point 5(d): AI systems intended to evaluate and classify emergency calls, to dispatch or to establish priority in the dispatching of emergency first response services (including medical aid), and emergency healthcare patient triage systems. An AI that decides the order in which emergency patients are seen, or that ranks ambulance dispatch, is therefore high-risk by express listing, not by inference from the "essential service" heading. This covers AI triage in emergency departments and AI-assisted dispatch protocols used by emergency medical services.
Annex III, point 1: biometrics. Point 1(b) covers biometric categorisation, meaning the assignment of natural persons to categories according to sensitive or protected attributes inferred from their biometric data. A dermatology AI that classifies skin-lesion images by lesion type is categorising lesions, not persons by a protected attribute, and is unlikely to trigger point 1(b) on its own; a system that uses facial, voice or gait data to infer a protected attribute for clinical stratification may, and where the attribute is race, political opinion, trade-union membership, religious or philosophical belief, sex life or sexual orientation, Article 5(1)(g) prohibits it outright. Providers should record an explicit Article 6 analysis either way. Emotion recognition is a separate case. Article 5(1)(f) prohibits AI that infers emotions in the workplace and in education institutions, except where the system is intended for medical or safety reasons, so a clinical emotion-recognition tool is not automatically prohibited. It is, however, high-risk under Annex III point 1(c) wherever it is used, and Article 50(3) requires the deployer to inform the persons exposed to it.
Deadline for Annex III systems: 2 December 2027. Stand-alone Annex III systems (those not also subject to Annex I product law) apply from 2 December 2027 under the Digital Omnibus.
For the detailed obligations for Annex III healthcare systems — the full Article 9–15 stack, human oversight design, and deployer FRIA requirements — see AI governance for healthcare.
3. Administrative and Back-Office AI: Mostly Minimal Risk
Scheduling optimisation, coding and billing AI, patient-flow management, inventory management, hospital administration — most of these do not trigger Annex III and are not medical devices. They sit at minimal risk (no mandatory obligations beyond what GDPR requires for processing). The key test is whether the system makes or substantially influences a decision about a natural person's access to healthcare or a clinical outcome. Purely operational optimisation, with no such decision-influence, stays minimal.
Two exceptions. AI used by life or health insurers for risk assessment and pricing in relation to natural persons is high-risk under Annex III point 5(c). AI used by or on behalf of a public authority to evaluate eligibility for public benefits and services, expressly including healthcare services, or to grant, reduce, revoke or reclaim them, is high-risk under Annex III point 5(a). Private-insurer eligibility and prior-authorisation decisions are not named in 5(c) and need their own Article 6 analysis rather than an assumption either way. A hospital billing system is administrative; an insurer's pricing model or a public fund's eligibility engine is not.
4. Patient-Facing Chatbots: Article 50 Limited Risk
AI chatbots deployed to interact with patients — for symptom triage guidance, appointment booking, post-discharge follow-up, or general health information — are limited-risk under Article 50(1) unless they cross into clinical decision support that meets the MDR definition. The Article 50 obligation is disclosure: the patient must be informed they are interacting with an AI system. This applies from 2 August 2026. It does not require conformity assessment or technical documentation under Articles 9–15.
If a patient-facing chatbot is also providing clinical decision support of sufficient sophistication to qualify as a medical device, the Article 50 disclosure obligation is a floor, not a ceiling — the full high-risk stack applies via the Annex I MDR route.
Cross-Cutting Obligations for High-Risk Healthcare AI
GDPR Article 9 and Health Data
Health data is special-category personal data under GDPR Article 9. Processing it — including in AI training datasets — requires an explicit legal basis. For healthcare purposes, Article 9(2)(h) (healthcare provision, under professional secrecy) or explicit consent (Article 9(2)(a)) are the typical bases. For population health research, Article 9(2)(j) with appropriate safeguards applies.
This intersects with the EU AI Act's Article 10 data governance requirements for high-risk AI. The training data section of your Annex IV technical documentation must record the GDPR Article 9 legal basis for health data use, document population representativeness across demographic subgroups, and address performance disparities. A system trained predominantly on data from one demographic may produce clinically worse outcomes for others — that is both an Article 10 data governance issue and an Article 15 accuracy issue.
Clinical Validation and Article 15
Article 15 requires accuracy, robustness, and cybersecurity appropriate to the system's intended purpose. For clinical AI, this means validated accuracy across patient subgroups (age, sex, ethnicity, disease severity), not just overall performance metrics. A diagnostic AI reporting 94% sensitivity on its validation cohort but performing at 78% sensitivity for a specific demographic has an Article 15 problem, not merely a clinical quality concern.
For MDR-regulated AI, clinical evaluation under Annex XIV of the MDR and Article 15 EU AI Act requirements overlap significantly. Map them explicitly — gaps in one framework's clinical evidence often reveal gaps in the other.
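The subgroup check described above, as an added example that is not code from the page or from any product it mentions. It takes a constructed validation set of (subgroup, true label, predicted label) records, computes sensitivity and specificity per subgroup with a Wilson confidence interval, and classifies each subgroup as acceptable, a suspected or confirmed disparity, or too small to validate. The counts, the 10-point gap threshold and the 20-positive minimum are assumptions chosen to reproduce the 94%-versus-78% pattern in the text; an actual validation plan would fix its own thresholds in advance.

```python
"""Per-subgroup sensitivity audit for a binary clinical classifier.

Added example, not from the page's authors. All records and thresholds
below are constructed assumptions for illustration.
"""
from collections import defaultdict
from math import sqrt

# Constructed validation set: (subgroup, true_label, predicted_label), 1 = disease present.
# Groups A and B perform well, C lags, D is too small to judge (all assumed).
VALIDATION = (
    [("A", 1, 1)] * 94 + [("A", 1, 0)] * 6 + [("A", 0, 0)] * 180 + [("A", 0, 1)] * 20
    + [("B", 1, 1)] * 93 + [("B", 1, 0)] * 7 + [("B", 0, 0)] * 185 + [("B", 0, 1)] * 15
    + [("C", 1, 1)] * 39 + [("C", 1, 0)] * 11 + [("C", 0, 0)] * 90 + [("C", 0, 1)] * 10
    + [("D", 1, 1)] * 4 + [("D", 1, 0)] * 1 + [("D", 0, 0)] * 9 + [("D", 0, 1)] * 1
)


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a binomial proportion; (0, 0) when n == 0."""
    if n == 0:
        return 0.0, 0.0
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def subgroup_metrics(records):
    """Confusion counts, sensitivity, specificity and sensitivity CI per subgroup, plus 'ALL'."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "tn": 0, "fp": 0})
    for group, y, yhat in records:
        for key in (group, "ALL"):
            c = counts[key]
            if y == 1:
                c["tp" if yhat == 1 else "fn"] += 1
            else:
                c["tn" if yhat == 0 else "fp"] += 1
    out = {}
    for key, c in counts.items():
        n_pos = c["tp"] + c["fn"]
        n_neg = c["tn"] + c["fp"]
        out[key] = {
            "n_pos": n_pos,
            "n_neg": n_neg,
            "sensitivity": c["tp"] / n_pos if n_pos else None,
            "specificity": c["tn"] / n_neg if n_neg else None,
            "sens_ci": wilson_interval(c["tp"], n_pos),
        }
    return out


def audit(records, max_gap=0.10, min_positives=20):
    """Return (overall_sensitivity, {subgroup: status}).

    A subgroup with fewer than min_positives positive cases is reported as
    insufficient evidence before any comparison is made, because a small
    subgroup can hide a real gap just as easily as it can show a spurious one.
    """
    m = subgroup_metrics(records)
    overall = m["ALL"]["sensitivity"]
    findings = {}
    for group, stats in m.items():
        if group == "ALL":
            continue
        if stats["n_pos"] < min_positives:
            status = "insufficient_evidence"
        elif stats["sensitivity"] < overall - max_gap:
            # Point estimate lags; if even the CI upper bound sits below the
            # overall figure the gap is unlikely to be sampling noise.
            status = "disparity_confirmed" if stats["sens_ci"][1] < overall else "disparity_suspected"
        else:
            status = "ok"
        findings[group] = status
    return overall, findings


if __name__ == "__main__":
    overall, findings = audit(VALIDATION)
    print(f"overall sensitivity {overall:.3f}")
    for group, stats in subgroup_metrics(VALIDATION).items():
        lo, hi = stats["sens_ci"]
        print(f"{group}: n_pos={stats['n_pos']} sens={stats['sensitivity']:.3f} "
              f"CI=({lo:.3f}, {hi:.3f}) spec={stats['specificity']:.3f} -> {findings.get(group, '-')}")
```

The output for the constructed set flags C as a confirmed disparity (0.78 against 0.90 overall, with the interval excluding the overall figure) and D as insufficient evidence even though its point estimate also falls below the threshold. Both findings belong in the Annex IV technical file: the first as a deficiency with a corrective measure, the second as a documented gap in the validation cohort.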
Human Oversight Under Article 14
Article 14 requires that high-risk AI systems be designed to allow human oversight — that overseers can understand, monitor, and intervene to stop or override the system's output. In healthcare, this obligation lands on system design. A diagnostic AI that produces an output a clinician cannot interrogate or a recommendation that cannot be documented as overridden in the clinical workflow fails Article 14 by design.
Real clinical oversight is not nominal oversight. A checkbox that says "clinician reviewed" is not sufficient if the clinical workflow does not give the clinician the information needed to exercise genuine judgment. Providers must design for real oversight and document how the design enables it in the intended deployment environment.
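One way to make an override documentable rather than nominal, as an added example that is not code from the page or from any product it mentions: every AI recommendation and the clinician's actual decision go into an append-only record that refuses an override without a reason and is hash-chained so that a later edit to an earlier entry is detectable. The field set is an assumption about what an Article 14 oversight record and an Article 26(6) log should carry; the Regulation prescribes neither the fields nor the hash chain, which is a standard integrity technique chosen here for illustration. The entries in the demo are constructed.

```python
"""Tamper-evident oversight log for AI recommendations and clinician decisions.

Added example, not from the page's authors. Field names, the triage
priority strings and the sample entries are constructed assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class OversightEntry:
    seq: int
    ts: str                 # ISO-8601 timestamp supplied by the caller
    model_id: str           # system name and version that produced the output
    case_ref: str           # pseudonymous case reference, never a patient name
    recommendation: str     # what the AI system output
    confidence: float       # model confidence as shown to the overseer
    reviewer: str           # human overseer identity (Article 14 / Article 26(2))
    decision: str           # what the clinician actually decided
    overridden: bool        # derived: decision differs from recommendation
    override_reason: str    # mandatory when overridden
    prev_hash: str          # hash of the previous entry (chain link)
    entry_hash: str = ""    # SHA-256 over every other field, canonical JSON


def _canonical(entry_dict):
    """Canonical bytes of an entry with its own hash field removed."""
    d = dict(entry_dict)
    d.pop("entry_hash", None)
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


class OversightLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, ts, model_id, case_ref, recommendation, confidence,
               reviewer, decision, override_reason=""):
        """Append one recommendation/decision pair; an override must state why."""
        overridden = decision != recommendation
        if overridden and not override_reason.strip():
            raise ValueError("an override must carry a reason")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        e = OversightEntry(len(self.entries), ts, model_id, case_ref, recommendation,
                           confidence, reviewer, decision, overridden, override_reason, prev)
        e.entry_hash = hashlib.sha256(_canonical(asdict(e))).hexdigest()
        self.entries.append(e)
        return e

    def verify(self):
        """Recompute every hash and check the chain; return (ok, first_bad_seq)."""
        prev = self.GENESIS
        for e in self.entries:
            recomputed = hashlib.sha256(_canonical(asdict(e))).hexdigest()
            if e.prev_hash != prev or recomputed != e.entry_hash:
                return False, e.seq
            prev = e.entry_hash
        return True, None

    def override_rate(self):
        """Share of entries where the clinician departed from the AI output."""
        if not self.entries:
            return 0.0
        return sum(e.overridden for e in self.entries) / len(self.entries)


def demo():
    """Build a two-entry log, then silently edit an override back to agreement."""
    log = OversightLog()
    log.record("2027-12-03T08:15:00Z", "triage-model/1.4.2", "case-0001",
               "priority 3", 0.81, "clinician-17", "priority 3")
    log.record("2027-12-03T08:16:30Z", "triage-model/1.4.2", "case-0002",
               "priority 4", 0.66, "clinician-17", "priority 2",
               "chest pain with diaphoresis not captured by intake fields")
    ok_before, _ = log.verify()
    # Tampering: flip the second entry back to 'agreed with the AI'.
    log.entries[1].decision = "priority 4"
    log.entries[1].overridden = False
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())   # (True, False, 1): chain valid, then broken at entry 1
```

A monotonically rising override rate, or one that is exactly zero, is itself worth reviewing: the first suggests the model is drifting away from clinical practice, the second that the "clinician reviewed" step has become the checkbox the text warns against. Retention of these records for at least six months is the deployer's obligation under Article 26(6); anchoring each day's final hash somewhere the log's own administrators cannot rewrite is what makes the chain useful in an audit.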
Post-Market Monitoring and MDR Vigilance
Article 72 requires providers of high-risk AI to operate a post-market monitoring system that collects and reviews real-world performance data. Article 73 requires providers to report serious incidents to the market surveillance authority of the Member State where the incident occurred. A serious incident under Article 3(49) is an incident or malfunction that leads, directly or indirectly, to death or serious harm to health, to serious and irreversible disruption of critical infrastructure, to an infringement of fundamental-rights obligations under Union law, or to serious harm to property or the environment. The deadlines run from the provider's awareness: no later than 15 days in the general case (Article 73(2)), 2 days for a widespread infringement or a critical-infrastructure disruption (Article 73(3)), and 10 days where a person has died (Article 73(4)).
For AI that is, or is a safety component of, an MDR or IVDR device, Article 73(10) narrows the AI Act channel: only incidents of the fundamental-rights kind (Article 3(49)(c)) are notified under the AI Act, to the national authority the Member State has designated. Everything else goes through MDR Article 87 vigilance, which obliges the manufacturer to report serious incidents and field safety corrective actions to the competent authority within 15 days, within 2 days for a serious public health threat, and within 10 days for a death or an unanticipated serious deterioration in health. The two frameworks are parallel, not duplicative, so companies with MDR-governed AI should build one incident-handling procedure that classifies each event against both definitions and routes it to the right authority within the shorter applicable deadline.
Fundamental Rights Impact Assessment (Article 27)
Deployers that are bodies governed by public law or private entities providing public services, and deployers of Annex III point 5(b) (creditworthiness) or 5(c) (life and health insurance) systems, must complete an Article 27 Fundamental Rights Impact Assessment (FRIA) before first use of a high-risk system. A public hospital deploying triage AI is within scope. A private hospital providing services under a public health fund contract should assess whether it is a private entity providing a public service rather than assume it is outside scope.
The FRIA must address the rights and groups at risk: discriminatory triage outcomes for vulnerable patient populations, access to care and non-discrimination, the right to effective remedy for AI-influenced decisions. Under Article 27(4), the FRIA may build on an existing GDPR DPIA — they are distinct assessments, but the data-processing analysis in a DPIA provides useful input.
The Penalty Exposure
Non-compliance with the provider, deployer, importer, distributor, notified-body and transparency obligations listed in Article 99(4) of Regulation (EU) 2024/1689 carries a maximum fine of €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. Because the higher figure applies, a health tech company with €100 million annual revenue faces a ceiling of €15 million, not €3 million; the percentage only overtakes the fixed amount above €500 million turnover, which is where a large integrated health system sits.
Article 99(6) reverses the rule for SMEs and start-ups (as defined by reference to Recommendation 2003/361/EC): the fine is capped at whichever of the percentage or the fixed amount is lower. A start-up with €20 million turnover would therefore face at most €600,000 under Article 99(4), a meaningful protection for smaller health tech companies.
How Confir Helps Healthcare Companies
Classifying healthcare AI correctly is the hardest first step — and the one where the Annex I / Annex III route distinction matters most. Confir's rule-based classification workflow covers both pathways: the guided intake distinguishes medical-device AI (Article 6(1) / Annex I) from Annex III health-services AI, records the specific regulatory basis, and links forward to the appropriate obligation set.
For health tech providers, Confir's AIRC module maps your system to the correct conformity-assessment route, and the AITR module (Article 10/15) generates the data-governance documentation framework specific to health training data — GDPR Article 9 legal basis, subgroup performance, corrective measures — for inclusion in the Annex IV technical file.
For healthcare deployers, Confir's FRIA workflow is mapped to the six elements of Article 27(1)(a)–(f), with healthcare-specific guidance on patient rights, access-to-care obligations, and the interaction with GDPR. The output is a formatted, submittable FRIA document.
The classification and documentation logic is deterministic and rule-based. Same intake answers produce the same regulatory finding — reproducible, explainable, and defensible in an audit.
For the step-by-step operational program, see AI compliance for healthcare.
Frequently Asked Questions
Which EU AI Act deadline applies to medical-device AI?
AI software that is a medical device or in vitro diagnostic under MDR (Regulation (EU) 2017/745) or IVDR (Regulation (EU) 2017/746) is high-risk under the EU AI Act via Article 6(1) and Annex I. The applicable deadline is 2 August 2028, under the Digital Omnibus agreed in May 2026. This is the deadline for high-risk AI embedded in Annex I regulated products. The original 2 August 2026 date was deferred by the Digital Omnibus; the 2 December 2027 date applies to stand-alone Annex III systems, not Annex I product-route systems.
Is emergency triage AI high-risk under the EU AI Act?
Yes. Emergency healthcare patient triage systems, and AI used to dispatch or set priority in dispatching emergency first response services including medical aid, are listed by name in Annex III, point 5(d) (access to and enjoyment of essential private and public services). A system that determines the order in which emergency patients are seen is therefore high-risk by express listing. The deadline for these Annex III systems is 2 December 2027.
What are the main obligations for hospitals deploying clinical AI?
Hospitals deploying high-risk AI must: use the system in accordance with the provider's instructions for use (Article 26(1)); assign human oversight to staff who have the competence, training and authority to monitor and override AI outputs (Article 26(2), building on the Article 14 design); keep the logs the system automatically generates for at least six months, or longer where other Union or national law requires (Article 26(6)); inform patients that they are subject to a decision made or assisted by a high-risk AI system (Article 26(11)); and complete a Fundamental Rights Impact Assessment (Article 27) if they are bodies governed by public law or private providers of public services, or are deploying Annex III point 5(b)/(c) systems. Public hospitals are clearly within the FRIA scope.
How does the EU AI Act interact with MDR/IVDR for a medical AI device?
Both apply in parallel. MDR and IVDR govern the medical device aspects — clinical evaluation, performance testing, notified body involvement for Class IIa/IIb/III and IVDR Class B/C/D. The EU AI Act adds its own requirements: an Article 9 risk management system specific to AI risks, Article 10 data governance, Article 14 human oversight design, Article 15 demographic-subgroup accuracy validation, and Article 43 conformity assessment. Under Article 47, one combined EU Declaration of Conformity can cover both. Technical documentation should map each section to the regulation it satisfies.
Do patient-facing AI chatbots need to comply with the EU AI Act?
Yes — Article 50(1) requires that any AI system intended to interact directly with natural persons discloses that the person is interacting with an AI, unless this is obvious to an informed user. This applies from 2 August 2026 and covers patient chatbots used for symptom guidance, appointment booking, or health information. It does not require conformity assessment. If the chatbot crosses into clinical decision support sufficient to qualify as a medical device, the full high-risk MDR/AI Act stack applies.
What health data rules apply when training a clinical AI system?
Health data is special-category data under GDPR Article 9. Training a clinical AI system on health data requires an explicit legal basis — typically Article 9(2)(h) (healthcare provision) or explicit consent. This must be documented as part of the Article 10 data governance section in your Annex IV technical file. EU AI Act Article 10 also requires that training data be representative of the intended patient population and that performance disparities across demographic subgroups be assessed and addressed.
Related guides
- Medical devices and EU AI Act: Annex I compliance route
- AI governance for healthcare organisations
- AI compliance program for healthcare
- insurance sector high-risk obligations
- financial services AI compliance
- manufacturing Annex III requirements
- HR and recruitment AI rules
- legal tech compliance framework
- medical imaging Annex III category
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →