Blog & Media

    When Two Regulations Apply to the Same Device: Mapping Where the EU AI Act and MDR Agree, Diverge, and Leave Gaps

    For manufacturers of AI-enabled medical devices operating in the European Union, 2026 marks the point at which two major regulatory frameworks apply simultaneously. The EU Medical Device Regulation has governed medical devices since May 2021, and its requirements for clinical evaluation, technical documentation, post-market surveillance, and serious incident reporting are already well established in the compliance landscape. The EU AI Act came into force in August 2024, with high-risk AI obligations for medical devices becoming enforceable during 2026 and 2027. Both regulations apply to the same devices. They overlap in some areas, diverge in others, and together leave gaps that neither addresses adequately.

    The Tools Changed Everywhere Except Where It Matters Most

Software engineering went through a revolution. Version control became standard. CI/CD became expected. Code review became culture. Teams ship daily. Deployment is automated. Monitoring is real-time. The distance between writing code and delivering value collapsed. Medical device development missed that revolution. Not because the people are behind. The engineers building medical devices are using the same languages, the same frameworks, the same infrastructure as every other software team. They write in Python and TypeScript. They deploy to AWS. They use Jira and Git. They know what modern development looks like, because they practice it every day.

    Seventy FDA-cleared AI devices for orthopaedic surgery. Eight validated through a prospective clinical trial

    That is the headline finding of a retrospective analysis published this month in JAAOS Global Research & Reviews by Lee, Jay, Fox, Padley, Dai, and Levin from Johns Hopkins Medicine. The study catalogues every FDA-cleared AI-enabled medical device with an orthopaedic-specific indication as of February 2025 - 70 devices in total - and systematically characterises their regulatory pathways, clinical validation, AI architecture, and commercialisation landscape. As a snapshot of where regulatory oversight stands for one of medicine's most procedurally intensive specialties, it is not a reassuring picture.

    Most health AI tools being used right now have never had to prove they actually help patients

    That is the uncomfortable truth at the center of the JAMA Summit Report on AI in Health and Health Care - and if you work anywhere near digital health, regulation, or policy, this paper deserves your full attention.

    Your Device Is Engineered to Surgical Precision. Your Compliance System Runs on Hope.

    You can tell a lot about a medical device company by looking at the gap between how precisely they engineer their product and how loosely they manage their regulatory evidence. The product side is rigorous. Tolerances are measured in microns. Materials are tested against biocompatibility standards. Sterilization processes are validated through IQ, OQ, PQ protocols. Supply chains are qualified, monitored, and audited. Every physical component has a specification, a test, and a record. The engineering discipline is real.

    An AI system training a predictive cardiology model today may not be subject to the EU AI Act — but the same system, validated and running six months later, could fall under both the AI Act and the MDR. Is your ethics committee ready?

    A new paper published in European Cardiology Review by researchers from Italy's National Research Council and Careggi University Hospital addresses a question that has been generating quiet anxiety in clinical research ethics circles across Europe: how do the obligations of the EU AI Act actually apply to the different stages of an AI clinical study, and what does that mean concretely for researchers designing protocols and ethics committees evaluating them?

    The global race to regulate AI medical devices has produced five distinct frameworks. None of them fully solves the same three problems.

    A new decade-spanning review in Frontiers in Medicine - authored by researchers from Shenyang Pharmaceutical University and Peking Union Medical College Hospital - maps AI medical device regulation across the US, EU, China, Japan, and South Korea from 2015 to 2025. It is the kind of comparative synthesis the field has needed, and what it surfaces is instructive: the regulatory diversity is real, the progress is genuine, and the shared blind spots are harder to escape than any single jurisdiction wants to admit.

    The guidance documents governing cybersecurity for medical devices have gaps. Some of those gaps correspond directly to the most common real-world vulnerabilities in devices currently on the market.

    That is the uncomfortable finding at the center of a new paper from researchers at TU Dresden's Else Kröner Fresenius Center for Digital Health, published in Computational and Structural Biotechnology Journal. The study, authored by Ostermann, Freyer, Gilbert and colleagues, does something that is rarer in this space than it should be: it systematically compares what the EU and US cybersecurity guidance documents for medical devices actually require against a structured baseline derived from international standards, and then tests whether following that guidance would have prevented the most impactful known vulnerabilities in medical devices.

    Mental health AI is already in your pocket. Is anyone making sure it actually works for you?

    A new Comment in Nature Computational Science from Stanford HAI's Dr. Nicole Martinez-Martin asks that question directly - and the answer, from a regulatory standpoint, is deeply unsettling. Mental health is one of the fastest-growing areas for AI deployment. Millions of people are already using apps and chatbots for therapy support, crisis intervention, mood tracking, and diagnosis. Yet this is precisely the domain where the regulatory gaps are most dangerous.

    Your continuous glucose monitor is generating data right now. Who owns it?

    Not you, legally. Not your clinician, exactly. Possibly the device manufacturer who wrote the terms of service you accepted during setup. Possibly a data broker who acquired it downstream. The answer depends on jurisdiction, contract law, and how the data moved - and in most jurisdictions, there is no clear answer at all.

    Your doctor used AI to help make a decision about your care. Did they tell you?

    Probably not. And a new JAMA Perspective from Stanford argues that silence may no longer be defensible. Written by Prof. Michelle Mello (Stanford Law), Dr. Danton Char, and Sonnet Xu, "Ethical Obligations to Inform Patients About Use of AI Tools" does something the field has been quietly avoiding: it applies the actual logic of informed consent doctrine to AI deployment in clinical settings, and asks who bears responsibility for telling patients what's happening to them.

    AI in your radiology department has been cleared and deployed. Is anyone watching what it does next?

    That is the question at the heart of a new consensus paper from the European Society of Radiology, published in Insights into Imaging. Using a modified Delphi procedure involving 16 domain experts, the ESR has produced a set of recommendations on post-market surveillance (PMS) and post-market clinical follow-up (PMCF) for AI medical devices in imaging - and the picture it paints of where the field currently stands is not reassuring.