Eight Practical Actions to Future-Proof Your AI-Enabled Medical Devices
MDVG 2025-6 guidance offers a roadmap to prepare your AI enabled medical devices for Notified Body review for compliance to both EU-MDR and EU AI Act.
Note: This is a guest post by Tibor Zechmeister, Head of Regulatory and Quality at Finn.ai.
The EU Artificial Intelligence Act1 (EU AI Act)is now final, and its first MedTech impact came only weeks later: MDCG 2025-62, a 27-page FAQ that explains how the AI Act interacts with the Medical Devices Regulation (MDR)3 and In Vitro Diagnostic Regulation (IVDR)4.
If you develop, deploy, or audit AI-driven devices, this document is your new playbook. Below, I translate its dense legal text into eight concrete actions that can get straight into a sprint backlog.
1. Confirm whether your AI device is really high risk
Under the AI Act, a system is high-risk only when the AI itself is a medical device (or part of one) that already requires a notified-body review.
Pure Class I MDR and Class A IVDR software escape the AI-Act net, at least for now (Section I.2). Treat this as a scoping exercise: list every algorithm, flag the ones embedded in Class IIa-III or Class B-D devices, and park the rest for lighter controls. Ideally, you should do this exercise early in design and development at the point of defining your intended use/intended purpose statement.
2. Fold AI-Act clauses into your existing QMS—don’t build a second one
MDCG’s answer to the most common fear “Do we need two quality systems?”, is a firm no.
The guidance explicitly allows you to embed AI-Act quality, risk-management, and post-market activities directly inside ISO 13485 procedures and offer a single evidence set to the notified body (Section II.1.6). Start by mapping AI-Act Article 17 requirements to your SOPs; every gap you close now saves dual audits later.
3. Give data its own design dossier section
Training, validation, and test sets move from engineering detail to legal deliverable. You must show that datasets are representative, error-checked, bias-controlled, and traceable, and you must document that workflow (Section II.2.11). Create a “Data Governance File” with lineage tables, bias-check outputs, and sign-offs, then reference it in the main technical file.
4. Merge technical files to spare your auditor’s sanity
Article 11(2) of the AI Act lets you combine its Annex IV points with MDR/IVDR Annex II (Section II.3.12). One dossier means one review cycle and fewer sampling surprises. A simple annex-to-annex cross-matrix helps notified-body teams follow a single trail.
5. Move explainability from UX nicety to legal duty
Users must understand outputs, limits, and override logic (Section II.4.14). Rewrite IFUs to include model purpose, input ranges, confidence measures, and what to do when the algorithm disagrees with clinical judgment. Provide screenshots or schematics that show where human oversight happens in your workflow.
6. Keep your old conformity-assessment route
Good news: sampling volumes do not change. Whatever conformity route you use today (Annex IX, X or XI) stays intact; the notified body simply layers AI-Act checks onto the same technical-file review (Section IV.27). Plan for an extra half-day in the audit agenda but not an extra quarter in the project schedule.
7. Treat substantial modification as a landmine—unless you defuse it now
Any change that meets the AI Act’s “substantial modification” threshold triggers a fresh evaluation (Section V.29). The workaround is a Predetermined Change Plan (PCP): document anticipated updates (e.g., retraining frequency, new input modalities) and have them pre-cleared in your certificate. Borrow language from the FDA’s PCCP template; auditors on both sides of the Atlantic will appreciate the harmonization.
8. Prepare for a post-market era of logging and bias monitoring
Beginning 2 Feb 2026, you must implement mandatory logging, bias monitoring, and a harmonized EU post-market monitoring plan (Section VI.34). Pull your vigilance, clinical-follow-up, and cybersecurity teams into one group now; by 2026 they will co-own real-time dashboards that feed periodic safety-update reports, and auditors will expect to see them live.
First move: build a living checklist
Open a spreadsheet (or your favourite backlog tool) with these eight headers. For each AI claim, dataset, and update pathway, mark status (“OK,” “Gap,” “In progress”), assign an owner, and add a due date. Finish the checklist this week; your audit team will thank you next quarter.
Questions to consider
Data governance: What new controls must you add to prove representativeness and bias mitigation?
Documentation merge: How will you integrate AI-Act Annex IV items into your existing technical file structure?
Post-market logging: Are your vigilance systems ready to capture algorithm drift, bias, and security events in real time?
Let’s move beyond guidance into implementation together. Share your insights below so we can crowd-source best practices across the MedTech community.
About Tibor Zechmeister
Tibor Zechmeister is Head of Regulatory & Quality at Flinn.ai, a notified-body auditor and serial MedTech entrepreneur with almost 15 years of experience. He helps manufacturers automate regulatory workflows with AI, turning compliance from a bottleneck into a competitive edge.
EU AI Act — Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)
MDCG 2025-6 — FAQ on Interplay between the Medical Devices Regulation & In Vitro Diagnostic Medical Devices Regulation and the Artificial Intelligence Act (European Commission, 19 Jun 2025)
MDR — Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (Text with EEA relevance.)
IVDR — Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (Text with EEA relevance.)