Since its entry into force on 1 August 2024, Regulation (EU) 2024/1689 (the “AI Act”) has raised a recur-ring question for the medical technology sector: Do AI-enabled medical devices and in vitro diagnostics (IVDs) – already comprehensively regulated under Regulations (EU) 2017/745 (“MDR”) and (EU) 2017/746 (“IVDR”) – additionally fall within the scope of the AI Act’s high-risk regime? Following the political agree-ment on the “Digital Omnibus on AI” reached by the EU co-legislators on 7 May 2026, the answer is now settled: They do!
Under Art. 6 (1) in conjunction with Annex I, Sec. A of the AI Act, an AI system qualifies as high-risk where (i) it is itself a product, or a safety component of a product, covered by the Union harmonisation legislation listed in Annex I – which expressly includes the MDR and the IVDR – and (ii) that product is required to undergo a third-party conformity assessment under the relevant sectoral act. Because the vast majority of AI-enabled medical devices and IVDs (for example, AI/ML-based software as a medical de-vice, diagnostic imaging or clinical decision-support software) require the involvement of a Notified Body under the MDR/IVDR classification rules, they are automatically classified as high-risk AI systems. Only the narrow category of devices eligible for self-certification – such as certain Class I devices under the MDR – may fall outside this trigger.
Key changes under the Digital Omnibus agreement (7 May 2026):
- No sector-specific carve-out for medical devices: Throughout the legislative process, MedTech Europe, BVMed Germany and other industry associations advocated for a single, sector-specific compliance pathway under which high-risk AI requirements would be implemented through the MDR/IVDR alone, and the European Parliament had proposed moving the MDR and IVDR from Annex I, Sec. A to Sec. B of the AI Act. The final compromise did not adopt this approach. The horizontal nature of the AI Act was reaffirmed, and AI-enabled medical devices and IVDs remain subject to its high-risk requirements in parallel to the MDR/IVDR.
- Postponed application date: For high-risk AI embedded in regulated products under Annex I – including medical devices and IVDs – the application date is deferred from 2 August 2027 to 2 August 2028 (a one-year postponement). For stand-alone high-risk AI systems under Annex III, the date moves from 2 August 2026 to 2 December 2027. The agreed text replaces the Commis-sion’s originally proposed conditional “trigger” mechanism with these fixed dates, acknowledging that the necessary harmonised standards, guidance and conformity-assessment infrastructure are not yet in place.
- Mechanism to limit duplicative requirements: To mitigate “double regulation”, the Commission is to be empowered to limit the application of specific AI Act requirements where the sectoral leg-islation – here, the MDR/IVDR – already imposes equivalent obligations. The framework neverthe-less remains a dual one: manufacturers must continue to satisfy both regimes unless and until such limitations are actually adopted.
- Narrowed definition of “safety component”: AI systems used solely for non-safety-related functions – such as user assistance, performance optimisation, service efficiency, automation or convenience, or quality control – will no longer be classified as high-risk merely because they are embedded in a regulated device, unless their failure or malfunction would endanger health and safety. This creates welcome scope to exclude purely ancillary AI features from the high-risk category.
Key Takeaways | What’s next?
For manufacturers of AI-enabled medical devices and IVDs, the strategic message is that dual compli-ance is here to stay: the AI Act applies on top of – not instead of – the MDR and IVDR. The postpone-ment to 2 August 2028 provides valuable additional preparation time, but it should not be read as an invi-tation to pause. The practical task now is to integrate the AI Act’s high-risk requirements – data and data governance, risk management, technical documentation, transparency and human oversight, logging, accuracy, robustness and cybersecurity, and post-market monitoring – into the existing ISO 13485 quality management system and the MDR/IVDR technical documentation, rather than building a parallel compli-ance silo. Companies should also follow the development of harmonised standards and any forthcoming MDCG guidance, the broadened access to AI regulatory sandboxes and real-world testing now opened to Annex I systems, and the extent to which the Commission ultimately exercises its power to limit duplica-tive requirements.
Importantly, the Digital Omnibus is at this stage a provisional political agreement (Council document 9247/26 of 13 May 2026) and not yet binding law. Formal adoption by the European Parliament and the Council, followed by publication in the Official Journal, is expected before 2 August 2026 – the date on which the high-risk rules would otherwise begin to apply. Until then, the original timeline in the AI Act remains the legally applicable text.
The forthcoming revision of the MDR and IVDR is set to become the principal forum for resolving this coherence question. The Commission's December 2025 simplification proposal (COM(2025) 1023) already envisages making the device rules the primary framework, with the AI Act applying to medical devices and IVDs only to a limited extent and AI-specific requirements handled within the ordinary con-formity assessment. Whether this delivers the single, duplication-free pathway long sought by industry will depend on the final text and