When Two Regulations Apply to the Same Device: Mapping Where the EU AI Act and MDR Agree, Diverge, and Leave Gaps
Published 6/3/2026
For manufacturers of AI-enabled medical devices operating in the European Union, 2026 marks the point at which two major regulatory frameworks apply simultaneously. The EU Medical Device Regulation has governed medical devices since May 2021, and its requirements for clinical evaluation, technical documentation, post-market surveillance, and serious incident reporting are already well established in the compliance landscape. The EU AI Act came into force in August 2024, with high-risk AI obligations for medical devices becoming enforceable during 2026 and 2027. Both regulations apply to the same devices. They overlap in some areas, diverge in others, and together leave gaps that neither addresses adequately.
A paper published in Abdominal Radiology in February 2026 by Mifsud Bonnici and colleagues from the University of Groningen's Security, Technology and e-Privacy Research Group conducts what may be the most systematic analysis of this dual-regulation problem to date. Using a Class III AI SaMD for prostate cancer radiology as a case study, the authors map post-market obligations across both frameworks, categorize them into ten domains, and identify where the two regulations converge, where they diverge, and where neither provides clear guidance. The findings have implications well beyond prostate radiology: the same analytical structure applies to any high-risk AI medical device in the EU market.
Why a Case Study Approach
The methodological choice to anchor the analysis in a specific device type rather than conducting a purely abstract comparison is important and deliberate. Post-market regulatory obligations become concrete only when applied to a specific technology, a specific intended use, and a specific risk classification. A Class III AI SaMD for prostate cancer diagnosis sits in the highest risk category under both the MDR and the AI Act, making it the most demanding case for compliance and the most revealing case for identifying regulatory gaps.
The authors conducted a qualitative doctrinal legal analysis of post-market provisions in both frameworks, focusing on manufacturers as providers and healthcare organizations as deployers. They explicitly did not collect empirical clinical or performance data; the contribution is legal and regulatory analysis, not clinical validation. What this produces is a structured map of what each regulation requires, from whom, and under what conditions, against which the gaps and tensions between the two frameworks become visible.
The Gaps: System Updates and Human Oversight
The paper identifies two areas where current guidance from both regulations is inadequate: system modification and human oversight in clinical deployment. On system modification, neither the MDR nor the AI Act provides clear guidance on how changes to an AI SaMD after market authorization should be handled. The MDR's change notification procedures were designed for hardware modifications and do not map cleanly onto software changes, particularly the kind of continuous or periodic retraining that AI systems may require. The AI Act anticipates that high-risk AI systems may be updated and requires that updated systems meet the same requirements as the original, but it does not establish a streamlined pathway for manufacturers to demonstrate continued conformity after updates without full re-assessment. The result is a compliance environment in which manufacturers face significant uncertainty about which kinds of post-authorization changes require which level of regulatory re-engagement. The conservative response is to avoid updates entirely, which is exactly the frozen model problem that multiple researchers have identified as a safety risk in its own right.
On human oversight, the paper finds that while the AI Act establishes that human oversight of high-risk AI is required, the specific operational requirements for what human oversight looks like in a radiological workflow are not specified. A radiologist reviewing AI output on a prostate MRI is providing human oversight in a general sense, but whether that review meets the AI Act's requirements for meaningful oversight, including the ability to detect and correct AI errors, to understand the basis of AI recommendations, and to exercise genuine independent judgment rather than anchoring on the AI output, depends on factors that neither the regulation nor current clinical AI deployment standards adequately address.
Implications for Manufacturers and Deployers
For manufacturers of AI SaMD targeting the EU market, the paper's findings point to several concrete compliance implications. Post-market surveillance plans need to be designed with both the MDR's clinical follow-up requirements and the AI Act's continuous monitoring obligations in mind, which means building surveillance systems that capture not just clinical outcomes and adverse events but also ongoing performance metrics and distributional shift indicators. Technical documentation needs to address AI-specific elements including training data characteristics, bias testing methodology, and explainability provisions that go beyond what the MDR alone would require. Change management procedures need to be designed for the possibility of model updates, with a documented process for evaluating whether a given change triggers MDR change notification requirements or AI Act re-assessment obligations.
For deployers, which in healthcare settings means hospitals and clinical departments, the implications are more novel and less well understood. The AI Act creates obligations for deployers that have no direct equivalent in the MDR framework. Healthcare organizations using high-risk AI medical devices are now required to ensure appropriate human oversight, maintain use logs, report serious incidents, conduct fundamental rights impact assessments for certain applications, and provide AI literacy training to staff. These are not obligations that hospital compliance teams typically have infrastructure to manage, and the guidance from both the European Commission and national competent authorities on how to operationalize them remains limited.
The Coordination Problem
The paper's final argument is structural: two regulations applying to the same device type from different policy origins will inevitably create coordination problems that no amount of compliance effort by individual manufacturers or deployers can fully resolve. The solution requires regulatory coordination at the source: clearer joint guidance from the European Commission on how the MDR and AI Act interact for medical device manufacturers, standardized templates for the documentation that satisfies both frameworks, and explicit designation of which competent authority is the lead for which type of post-market issue.
MDCG guidance document 2025-6, published in mid-2025, was the first significant step toward this coordination, providing initial clarification on the interaction between the MDR and the AI Act. The paper treats this as a beginning rather than a solution. The ten-category analysis the authors have conducted identifies specific areas where that guidance needs to go further, particularly on system updates and human oversight, before manufacturers and deployers can navigate the dual-regulation environment with the clarity that responsible AI deployment in high-risk clinical settings requires.
Analysis based on: Mifsud Bonnici JP et al. The AI Act and the MDR post-market requirements for semiautonomous AI SaMD: a radiology case study in prostate cancer. Abdominal Radiology (2026). https://doi.org/10.1007/s00261-026-05434-z