
How the EU AI Act Reshapes Compliance for Medical App Developers.

The EU AI Act, which came into force in 2024, is the world’s first comprehensive regulation for artificial intelligence. For developers of medical apps and digital health solutions, it adds a new layer of compliance on top of existing frameworks like the MDR, IVDR, and GDPR.

To better understand what this means in practice, R2G spoke with Eric Behrendt from TÜVIT, an expert in digital health regulation and AI compliance. 

Question 1: What does the EU AI Act mean for medical app developers?

Eric: The Act addresses the development and use of AI systems, algorithms, and applications in general. Its main purpose is to protect fundamental rights, privacy, and safety, while defining clear security requirements for both users and developers, defining requirements for risk-mitigation systems, high-quality data sets, clear user information, and human oversight. These requirements must be met for any AI solution used in the European market.

Question 2: How does it interact with other compliance rules like MDR and GDPR?

Eric: It aligns and interacts with existing regulations like the EU MDR/IVDR and GDPR, and the Act impacts AI across healthcare, focusing on patient safety, AI system efficacy, data governance, and ethical use. Compliance has to happen in parallel. The AI Act complements, e.g., the MDR in all AI-related aspects. First, you need to define whether an AI system is standalone or embedded in a device. If it is part of a medical device, then MDR applies as the overarching regulation. The device must meet all MDR requirements, but in addition, the AI components must also fulfill AI Act-specific obligations—particularly around security and privacy.

Question 3: What are the main challenges to complying with the EU AI Act?

Eric: There are six parameters regulators use to assess AI systems: robustness, fairness/bias, explainability/transparency, data quality, performance, and security. These define how well and reliably an AI application performs. What’s important to remember is that the required level of compliance depends on the system’s risk classification.

Question 4: How does the risk pyramid affect compliance requirements?

Eric: The AI Act defines four main risk levels: minimal, limited, high, and forbidden.

  • Forbidden applications include things like social scoring, which conflict with EU values and human rights.
  • High-risk applications are those with strong impacts on privacy, personal rights, or the health and safety of users. These must meet the strictest requirements, including testing and certification, and conformity assessment.
  • Limited risk applications include chatbots, voice assistants, or AI-generated content. They mainly require transparency measures so that users know they are interacting with AI.
  • Minimal risk applications face very light obligations.

Question 5: How do you actually manage such a compliance project?

Eric: For high-risk systems, developers must work with a notified body or accredited testing lab to verify compliance. These certifications are usually run by public or semi-public institutions at the EU or national level. For limited risk systems, companies are required to provide documentation—such as user manuals and configuration guides—so that operators know how the AI works. This documentation also serves as evidence that compliance steps were followed if an incident occurs.

Question 6: How long does it typically take to get certification?

Eric: It depends on the scope and size of the system. For a small, limited-risk application, the process might take between weeks and some months. For a complex, high-risk system, it could take up to a year or more.

Question 7: Do compliance projects follow typical phases?

Eric: Yes, compliance projects usually follow a structured process.

  • Risk classification and assessment – These two steps classify the risk category of the AI and assess the risk level of the AI application. This doesn’t always require third-party involvement, since the AI Act provides a clear catalog of categories, but a managed risk classification and assessment may shorten the process and avoid feedback loops. Tools like TÜVIT’s Risk Navigator can help. This phase typically takes 2–6 weeks, but could extend to several months, depending on the complexity of the application.
  • Documentation creation – Next comes preparing the technical file, transparency statements, and user documentation. This step can be resource-intensive and varies in duration, depending on how much existing documentation you already have under MDR or IVDR.
  • Risk management system establishment – Implementing or extending a risk management system in line with ISO 42001 is the third step. For teams with a strong QMS already in place, this may take 3–6 months. For those starting from scratch, it can take longer.
  • Testing and certification planning – Finally, you prepare for external testing or certification. For high-risk systems, this involves notified bodies or accredited labs and can add another 6–12 months. For limited-risk systems, it’s often just a matter of completing a self-assessment and ensuring transparent documentation, which may take 4–8 weeks.

Overall, depending on the risk level and the maturity of the company’s processes, compliance can take anywhere from several months up to years, depending on the scope and criticality of the system for an initial certification.

Question 8: Do you have any final recommendations for medical app developers?

Eric: One additional layer to consider is that, in some countries, there are further national rules on top of MDR and the AI Act. For example, in Germany, we have the DiGA framework for digital health applications. Developers targeting these markets must plan for compliance not only with EU rules but also with national frameworks. We also recommend that medical app developers integrate a dedicated compliance workstream from the very beginning of app development. Starting too late often leads to costly redesigns or, in some cases, requirements that can no longer be met once the product is finalized.

Thank you, Eric.

If you want to continue the conversation with Eric, understand what the EU AI Act means for your medical app project, and learn from his hands-on experience, you can sign up for his Deal on R2GConnect: Free 60-Minute Briefing on the EU AI Act + Access to TÜVIT’s AI Risk Navigator.
