EU MDR Compliance for AI-Powered Medical Devices and SaMD
EU MDR applies to your AI product if it performs a medical function. Most digital health teams are underestimating the classification.
CE marking — a market access requirement in EU
The EU Medical Device Regulation has applied since 26 May 2021. It replaced the Medical Device Directive with a significantly more demanding framework — stricter classification rules, mandatory notified body involvement for a wider range of devices, stronger post-market surveillance obligations, and direct applicability to software performing a medical function.
Software as a Medical Device (SaMD) is one of the fastest-growing and most complex MDR compliance challenges. An AI system that diagnoses, monitors, predicts, or supports clinical decisions for individual patients is a medical device under MDR regardless of whether it touches the patient physically. The classification turns on what the software does — its intended purpose — not on its technical architecture, its commercial model, or whether a clinician reviews its output.
For AI-powered medical devices and SaMD, MDR creates specific obligations that interact directly with EU AI Act high-risk requirements, CRA security obligations, and GDPR special category data rules — frequently landing on the same product simultaneously. Satisfying one regime does not satisfy the others. Most digital health AI teams have not mapped all three.
European Compliance Suite provides specialist MDR compliance assessments for AI-powered medical devices and SaMD. We determine your device classification, establish your conformity assessment pathway, map your MDR obligations against your EU AI Act and GDPR position, and deliver a documented compliance record specific to your product.
EU MDR Compliance Assessment for Your AI Medical Device
A lawyer-built assessment of your AI product’s MDR obligations — SaMD classification, risk class determination, conformity assessment pathway, essential requirements mapping, technical documentation review, notified body requirement assessment, clinical evaluation obligations, and a documented compliance record your notified body, competent authority, and clinical partners can rely on.
How EU MDR works for AI medical devices
Four risk classes. One regulation. Demanding conformity assessment obligations for AI performing medical functions.
MDR classifies medical devices — including SaMD — into four risk classes. The class determines your conformity assessment pathway, the level of notified body involvement required, and the clinical evidence standard your product must meet.
Class I — lowest risk
Devices presenting the lowest risk — general wellness software, non-diagnostic AI tools, administrative healthcare software. Most Class I devices self-certify — no notified body involvement required unless the device is sterile, has a measuring function, or is a reusable surgical instrument. Class I devices must still satisfy MDR’s general safety and performance requirements and maintain technical documentation. AI tools that support administrative functions without performing a medical function are likely Class I or outside MDR scope entirely.
Class IIa — medium risk
Devices presenting moderate risk — software intended to provide information used to make decisions with diagnosis or therapeutic purposes for individual patients, AI systems monitoring physiological parameters where deterioration could create serious risk. Class IIa requires notified body involvement — the notified body reviews a representative sample of technical documentation and issues a certificate. Most diagnostic support AI falls into Class IIa or above.
Class IIb — medium-high risk
Devices presenting higher risk — AI software intended to make or influence decisions with potentially serious consequences, software used in high-risk therapeutic applications, AI supporting surgical planning or radiation therapy. Class IIb requires full notified body review of technical documentation and quality management system audit. Clinical evaluation requirements are more demanding than Class IIa.
Class III — highest risk
Devices presenting the highest risk — AI systems making autonomous clinical decisions with potentially life-threatening consequences, AI used in active implantable devices, software for diagnosis or therapy of immediately life-threatening conditions. Class III requires the most intensive notified body involvement including design dossier scrutiny, clinical investigation where existing clinical evidence is insufficient, and ongoing surveillance requirements. The clinical evidence standard for Class III AI is the most demanding in the regulation.
Is your AI product a medical device under MDR?
The boundary between MDR-regulated SaMD and non-regulated software is the intended purpose — what the software is intended to do for or to a patient. This table maps common AI product types to their likely MDR status.
| AI product type | MDR status | Likely risk class |
|---|---|---|
| AI diagnosing a specific disease from medical images | Medical device — SaMD | Class IIa minimum — IIb or III depending on disease and consequence |
| AI predicting patient deterioration from vital signs | Medical device — SaMD | Class IIa or IIb depending on clinical context and autonomous action |
| AI recommending medication dosing for individual patients | Medical device — SaMD | Class IIb or III depending on drug category and consequence |
| AI supporting surgical planning or navigation | Medical device — SaMD | Class IIb or III |
| AI monitoring chronic disease parameters for individual patients | Medical device — SaMD | Class IIa or IIb |
| AI triaging patients in emergency settings | Medical device — SaMD | Class IIa or IIb |
| AI analysing population health data without individual patient decisions | Not a medical device | Not in scope — but document the determination |
| AI providing general wellness recommendations without medical claims | Not a medical device | Not in scope — but document the determination |
| AI used for hospital administrative functions | Not a medical device | Not in scope |
| AI performing clinical decision support reviewed and overridden by clinician | Borderline — depends on intended purpose and degree of autonomy | Assess against MDCG 2019-11 guidance |
| AI embedded in a regulated medical device | Medical device component | Classified with the device — typically IIb or III |
| AI used for in vitro diagnostic functions | IVDR not MDR | Separate regime — IVDR applies |
Clinical evaluation: the MDR obligation AI teams underestimate most
Clinical evaluation is MDR’s most demanding and most frequently underestimated obligation for AI medical devices. Every medical device must have clinical evaluation conducted and documented throughout its lifetime — demonstrating that the device achieves its intended purpose, that the benefits outweigh the risks, and that the device performs as claimed in the manufacturer’s documentation.
For AI SaMD, clinical evaluation creates specific challenges that do not arise for conventional software.
Three things AI medical device teams consistently misunderstand:
- Clinical evaluation is not a literature review attached to the technical file. It is a structured, ongoing process — covering identification of applicable standards, literature search and appraisal, clinical data from the device itself where available, gap analysis, and a clinical evaluation report that synthesises all of this into a documented clinical position. A literature review describing AI in a clinical domain is not clinical evaluation of your specific device.
- Post-market clinical follow-up is mandatory for Class IIa and above — an ongoing programme of clinical data collection after the device is placed on the market, designed to confirm that the safety and performance established in the clinical evaluation are maintained in real-world use. For AI systems whose performance may drift over time or whose user population differs from the clinical validation cohort, PMCF is not a formality — it is a substantive ongoing obligation.
- The clinical evidence standard scales with risk class. A Class IIa diagnostic AI may satisfy clinical evaluation through literature appraisal combined with performance data from clinical validation studies. A Class III AI making autonomous clinical decisions in a life-threatening context may require prospective clinical investigation — a structured study under MDR’s clinical investigation rules — before the device can be placed on the market. Teams that assume literature evidence is sufficient for high-risk AI medical devices frequently discover otherwise at the notified body stage.
What EU MDR compliance requires for AI medical devices
These are the MDR requirements that apply most directly to AI-powered medical devices and SaMD — with specific attention to where AI creates obligations beyond those of conventional medical device software.
Cross-framework mapping — identification of where MDR technical documentation obligations overlap with EU AI Act Annex IV technical file requirements, where MDR clinical evaluation contributes to EU AI Act accuracy and robustness evidence, and where CRA security-by-design obligations interact with MDR’s general safety and performance requirements.
Intended purpose determination — precise, documented statement of the intended purpose of your AI system — what it is intended to do, for which patients, in which clinical context, and by which users. It’s the single most important document in your MDR technical file because every subsequent classification and compliance decision flows from it.
MDR scope determination — confirmation that your AI product qualifies as a medical device or SaMD under MDR’s definition, and is not outside scope as general wellness software, administrative software, or population health analytics with reference to MDCG 2019-11 guidance on software qualification and classification.
Risk class determination — classification of your device under MDR’s four-tier framework using the implementing rules in Annex VIII, including application of the software-specific classification rules and the classification criteria for AI performing diagnostic, monitoring, predictive, or therapeutic functions.
Conformity assessment pathway — identification of the correct conformity assessment route for your device class — self-certification for Class I non-sterile non-measuring devices; notified body technical documentation review for Class IIa; full notified body QMS audit and technical documentation review for Class IIb and III; design dossier scrutiny for Class III.
Notified body selection and engagement — identification of an EU-designated notified body for medical devices with the specific expertise to assess AI SaMD in your clinical domain. Not all notified bodies are designated for all device types. The document must cover the management of the notified body engagement process.
Technical documentation compilation — assembly of MDR-compliant technical documentation covering device description, design and manufacturing information, general safety and performance requirements compliance, benefit-risk analysis, risk management, verification and validation, clinical evaluation, and post-market surveillance plan.
Clinical evaluation — structured clinical evaluation conducted in accordance with MEDDEV 2.7/1 rev 4 and MDR Annex XIV, covering literature identification and appraisal, clinical data from the device, gap analysis, and a clinical evaluation report. This document must be updated throughout the device lifetime as new clinical data becomes available.
Post-market clinical follow-up — documented PMCF plan for Class IIa and above, specifying the methods for ongoing clinical data collection, the frequency of PMCF evaluation, and the process for updating the clinical evaluation report based on PMCF findings.
Post-market surveillance system — documented PMS system covering proactive collection and analysis of post-market data — complaints, vigilance reports, literature, registry data — with periodic safety update reports for Class IIa and trend reports for Class IIb and III.
One engagement. Every EU MDR obligation mapped for your AI SaMD product.
A lawyer-built MDR assessment covering intended purpose determination, MDR scope confirmation, risk class determination, conformity assessment pathway, notified body requirement assessment, technical documentation gap analysis, clinical evaluation obligations, PMCF requirements, post-market surveillance system, and vigilance obligations — documented and specific to your AI medical device, mapped against your EU AI Act, GDPR, and CRA position where all apply.
Frequently Asked Questions About EU MDR
What is EU MDR and when did it apply?
The EU Medical Device Regulation is the primary EU regulatory framework for medical devices, applying since 26 May 2021. It replaced the Medical Device Directive with significantly stricter requirements — broader notified body involvement, stronger post-market surveillance, mandatory unique device identification, and direct applicability to software performing a medical function. MDR applies to all medical devices placed on the EU market regardless of where the manufacturer is established, and requires CE marking as the legal precondition for market access.
What is Software as a Medical Device under MDR?
Software as a Medical Device is software intended to be used for one or more medical purposes — diagnosis, prevention, monitoring, prediction, prognosis, treatment, or alleviation of disease or injury — without being part of a hardware medical device. The medical purpose must be for individual patients, not for population health analytics or administrative functions. MDR’s definition of SaMD is interpreted in accordance with MDCG 2019-11 guidance on software qualification and classification. An AI system that provides diagnostic support, monitors patient-specific parameters, or recommends treatment for individual patients is likely SaMD regardless of its technical architecture.
How is AI SaMD classified under MDR?
SaMD classification under MDR uses the implementing rules in Annex VIII, with specific rules for software. The key factors are the intended purpose and the potential consequences of the software’s output — whether providing information for diagnosis or therapy, whether clinician review mitigates risk, and the severity of the condition the software addresses.
Most diagnostic AI falls into Class IIa or above — the rule that software intended to provide information used for decision-making with individual diagnostic or therapeutic consequences is at minimum Class IIa is significant for AI medical devices. The MDCG 2019-11 guidance provides detailed classification examples.
What is the difference between MDR and the EU AI Act for AI medical devices?
MDR governs the safety and performance of the medical device — clinical evidence, risk management, technical documentation, and post-market surveillance specific to the device’s medical function. The EU AI Act governs the AI system’s classification, transparency, technical robustness, and human oversight as an AI system.
Both apply simultaneously to AI SaMD. The EU AI Act classifies AI used as safety components in medical devices as high-risk under Annex III — triggering the full suite of AI Act technical documentation and conformity assessment obligations alongside MDR’s clinical evaluation and device classification requirements. A cross-framework assessment maps where one technical file satisfies both regimes and where distinct documentation is required.
Does MDR apply to AI medical devices manufactured outside the EU?
Yes. MDR applies to any medical device placed on the EU market regardless of where the manufacturer is established. Non-EU manufacturers must appoint an EU-based authorised representative before placing the device on the market — a named individual or legal entity established in the EU who acts as the point of contact for competent authorities and can be held accountable for MDR compliance.
The authorised representative obligation under MDR is distinct from the EU AI Act Article 22 Authorised Representative requirement but both may apply to the same non-EU AI medical device manufacturer simultaneously.
When is a notified body required for AI SaMD under MDR?
A notified body is required for all medical devices except Class I non-sterile, non-measuring, non-reusable surgical instrument devices. Class IIa SaMD requires notified body review of a technical documentation sample and quality management system. Class IIb SaMD requires full notified body review of technical documentation and QMS audit. Class III SaMD requires notified body scrutiny of the design dossier and, where existing clinical evidence is insufficient, approval of a clinical investigation plan before the investigation begins.
AI SaMD that does not involve a notified body — because the manufacturer has incorrectly classified it as Class I — faces serious market surveillance risk.
What clinical evidence is required for AI SaMD under MDR?
The clinical evidence standard scales with risk class. For Class IIa AI SaMD, clinical evaluation typically combines literature appraisal — identifying published evidence on the clinical domain and comparable devices — with clinical performance data from validation studies of the specific device.
For Class IIb, the evidence standard is higher — more rigorous study designs and larger datasets are expected.
For Class III AI SaMD, where existing clinical evidence is insufficient, prospective clinical investigation under MDR’s clinical investigation rules may be required before CE marking. The clinical evaluation must be updated throughout the device lifetime as new data becomes available.
What is post-market clinical follow-up and is it mandatory for AI medical devices?
Post-market clinical follow-up is an ongoing programme of clinical data collection after the device is placed on the market — designed to confirm that the safety and performance established in the clinical evaluation are maintained in real-world use. PMCF is mandatory for Class IIa and above.
For AI medical devices, PMCF is particularly important because AI performance may differ in real-world populations from clinical validation cohorts, and because AI systems whose outputs change over time — whether through retraining, distribution shift, or changing clinical context — require ongoing monitoring that PMCF supports. PMCF findings must be reflected in the clinical evaluation report update cycle.
How does MDR interact with GDPR for AI medical devices processing patient data?
AI medical devices almost invariably process health data — special category personal data under GDPR requiring explicit consent or a specific Article 9(2) lawful basis. MDR’s clinical evaluation and post-market surveillance obligations require collection and analysis of clinical data about patients — creating ongoing GDPR obligations around lawful basis, data minimisation, retention, and international transfer that must be maintained for the device’s lifetime.
A DPIA is mandatory where health data is processed at scale. MDR and GDPR are administered by different regulators — competent authorities and the FDPIC or national DPA respectively — and compliance with one does not satisfy the other.
What are the penalties for MDR non-compliance?
MDR penalties are set at member state level. They typically include fines — reaching significant amounts in major member states — withdrawal of the device from the market, prohibition on placing the device on the market, and suspension or withdrawal of CE marking certificates by the notified body.
Placing a medical device on the EU market without CE marking, with CE marking based on an incorrect classification, or with technical documentation that does not support the declaration of conformity are all serious violations that market surveillance authorities actively investigate. The clinical risk dimension of medical device non-compliance means that enforcement tends to be more intrusive and more rapid than in other product sectors
How do I start MDR compliance for my AI medical device?
Four steps in order. First, determine whether your AI product qualifies as SaMD under MDR — document the intended purpose precisely and apply the MDCG 2019-11 qualification criteria.
Second, classify the device under Annex VIII — identify the correct risk class and the conformity assessment pathway it requires.
Third, assess whether a notified body is required and identify an appropriate designated notified body for your device type and clinical domain.
Fourth, begin building the technical documentation — starting with the risk management file and the clinical evaluation plan, which must be established before clinical validation studies are designed. A lawyer-built assessment covers all four steps and delivers a documented compliance position specific to your AI medical device — mapped against your EU AI Act, GDPR, and CRA position where all apply.