Artificial intelligence in medical technology: How medtech companies are developing MDR and IVDR-compliant AI products
The development of AI-based medical devices presents manufacturers with a regulatory dilemma: on the one hand, artificial intelligence promises more precise diagnoses, personalized therapies and better patient care. On the other hand, companies have to deal with a complex web of MDR, IVDR and the new AI Act. Three sets of regulations that apply in parallel and each place their own requirements on documentation, risk management and quality assurance. While traditional medical devices follow a largely established approval process, AI systems present additional challenges: dynamic learning processes, data bias, model drift and the question of explainability. How can manufacturers ensure that their AI solutions are both innovative and compliant?
The interplay of regulations: MDR, IVDR and AI Act
A dual compliance model has applied to AI-supported medical devices in Europe since August 2024. The Medical Device Regulation (MDR 2017/745) and the In Vitro Diagnostic Regulation (IVDR 2017/746) continue to form the primary legal framework for all medical devices. Regardless of whether they contain AI components or not. However, the EU AI Act (Regulation 2024/1689) places a horizontal layer on top of these existing regulations and defines additional requirements specifically for high-risk AI systems.
The key question for manufacturers is: When does my AI-based medical device also become a high-risk AI system? The answer is provided by the MDCG 2025-6 Guidance document published in June 2025, which was developed jointly by the Medical Device Coordination Group and the EU AI Board. An AI system is considered high-risk AI within the meaning of the AI Act if two conditions are met simultaneously: The AI system is either a safety component of a medical device or a medical device itself, and it is subject to a conformity assessment by a Notified Body in accordance with the MDR or IVDR.
In practice, this means that AI-based medical devices in risk classes IIa to III under MDR and in vitro diagnostic medical devices in classes B to D under IVDR are typically considered high-risk AI systems and must be fully AI Act compliant from August 2027. It is important to understand that classification as high-risk AI under the AI Act does not change the existing MDR or IVDR risk classification. The regulations build on each other, but do not replace each other.
Core obligations under MDR and IVDR for AI products
Even if the AI Act adds new requirements, the basic obligations from the MDR and IVDR remain in place. For AI systems, however, these must be interpreted in an AI-specific manner. Risk management in accordance with ISO 14971 must systematically address AI-typical risks throughout the entire product life cycle. These include systematic distortions in training data (bias), model drift due to changing input data in the field, overfitting when training data sets are too homogeneous, misclassification with potentially serious clinical consequences, and questions of the explainability and interpretability of AI decisions.
The clinical evaluation or performance assessment must demonstrate the safety and performance of the AI system based on clinical data. Real-world performance data and continuous post-market data are particularly relevant for learning systems, as the system behavior can change during practical use. The technical documentation for AI systems expands considerably: it must contain a complete description of the algorithm, the data sources used, the training and testing strategy and the performance metrics such as sensitivity, specificity, positive and negative predictive values.
The quality management system in accordance with ISO 13485 must explicitly cover data lifecycle management, model versioning and re-training processes. The post-market surveillance system is also becoming increasingly important for AI products: continuous monitoring of performance metrics in the field, identification of error patterns and model drift as well as the integration of real-world data in feedback loops for product improvement are essential.
What the AI Act also requires
The AI Act introduces specific requirements for high-risk AI systems that go beyond the MDR and IVDR requirements. The good news is that many of these requirements can be integrated into existing processes. The MDCG 2025-6 guidance document explicitly recommends that manufacturers embed AI Act obligations into their existing MDR and IVDR structures wherever possible. From quality management systems to technical documentation and post-market surveillance.
Data quality and data governance are among the central AI Act requirements. Training, validation and test data must be representative, relevant, error-free and complete. Manufacturers must establish processes to identify and avoid systematic distortions – such as unbalanced data sets in terms of gender, age, ethnicity or other subgroups. The requirement for transparency and explainability means that users must be able to understand how the AI system works, what limitations it has and under what conditions it can be used safely. When interacting directly with users, it must be clearly communicated that an AI system is in use.
Accuracy, robustness and cybersecurity are further pillars. AI systems must also function reliably under varying conditions and be protected against adversarial attacks. Human oversight ensures that people can monitor the system appropriately and take corrective action in case of doubt. This is particularly important in highly critical clinical contexts. Finally, the AI Act requires automated logging mechanisms for functional traceability. The system must log events to enable performance tracking, bias detection and cybersecurity monitoring.
Practical implementation: Six steps to compliance
How can medtech companies systematically implement these complex requirements? Six strategic steps form the foundation for MDR, IVDR and AI Act-compliant AI products.
Step 1: Early and precise classification
The first step is to clarify early in the development process whether the product falls under MDR or IVDR, which risk class applies and whether it is to be classified as a high-risk AI system under the AI Act. The intended purpose should be formulated as precisely as possible, as it largely determines the regulatory requirements and the scope of clinical data. A vague purpose statement leads to ambiguities in classification and can lead to problems in audits.
Step 2: Expand QMS to include AI-specific processes
The existing quality management system must be supplemented with AI-relevant elements. This includes clearly defined roles and responsibilities for data governance, model training, validation and re-training. Change control must define criteria for when a model update is considered a “significant change” and requires a new conformity assessment. A Predetermined Change Control Plan (PCCP) can help to enable controlled updates without having to go through a full approval process every time.
Step 3: Establish a robust AI validation strategy
The validation of AI systems differs fundamentally from classic software validation. A clear separation of training, validation and test data is crucial, whereby the origin of all data sets must be fully documented. Performance metrics and acceptance criteria should be defined in advance, not only for the overall population, but also for clinically relevant subgroups. This allows systematic bias to be identified at an early stage. The data must be representative of the actual application scenario – a model that has been trained exclusively on data from a single hospital may fail in other clinical settings.
Step 4: Align post-market surveillance with AI
Traditional post-market surveillance is not enough for AI systems. Manufacturers must establish continuous monitoring mechanisms that track performance metrics in the field, identify error patterns and recognize model drift. Real-world data and structured user feedback form the basis for improvements and, if necessary, for re-validation. The AI Act also requires the monitoring of possible interactions with other AI systems and the documentation of serious incidents that could violate fundamental rights.
Step 5: Create integrated technical documentation
Instead of maintaining separate documentation for MDR/IVDR and the AI Act, the MDCG 2025-6 guidance document recommends integrated technical documentation. This should cover all requirements of both sets of regulations: classic medical device content such as intended purpose, risk management, clinical evaluation and instructions for use, combined with AI-specific elements such as data origin and quality, training and validation strategies, bias mitigation measures, logging mechanisms and human oversight concepts. Well-structured, linked documentation is not only crucial for approval, but also makes subsequent audits and change management processes much easier.
Step 6: Build interdisciplinary teams
AI medical devices require close collaboration between different disciplines. Regulatory affairs, clinical experts, data scientists, IT security specialists and quality management must work together from the outset. This is the only way to reconcile technical feasibility, clinical relevance and regulatory compliance. Communication between regulatory teams and data scientists is particularly important here, as they often have different terminologies and priorities.
The role of systematic documentation
The more complex the regulatory requirements become, the more important consistent, system-supported documentation becomes. Fragmented processes – an Excel sheet for risks here, a Word document for the intended purpose there, loosely filed test protocols elsewhere – inevitably lead to inconsistencies, redundancies and gaps. These weaknesses become particularly apparent during audits or inquiries from notified bodies.
This problem is exacerbated for AI products: the argumentation for risk classification must be based on the new MDR Rule 11 logic, data set versions must be traceable, model updates require impact analyses, and the link between clinical data, risk assessments and performance metrics must be transparent at all times. A structured documentation platform makes it possible to systematically record the intended purpose, clinical situation, role of the software in the decision-making process and the resulting classification. Risks, measures, tests, clinical data and regulatory requirements can be directly linked so that in the event of changes – such as a re-training of the model – it is immediately clear which areas of the technical documentation are affected.
This link is particularly valuable for AI systems: if performance metrics change in the field, integrated documentation can be used to understand which risks potentially need to be reassessed, which tests should be repeated and whether the clinical evaluation needs to be updated. This not only saves time, but also minimizes the risk of regulatory-relevant changes being overlooked.
BAYOOSOFT Themis: end-to-end governance for AI medical devices
Developing MDR and IVDR-compliant AI medical devices requires more than just ticking off regulatory checklists. It is about establishing end-to-end regulatory governance that seamlessly combines technical documentation, risk management, clinical evaluation and post-market surveillance. This is exactly where BAYOOSOFT Themis comes in.
Themis digitizes and links the technical documentation processes for medical devices and in-vitro diagnostics. The validated software solution enables manufacturers to record and consistently link intended use, risk classification, risk management, clinical data and performance metrics in a central platform. For AI products, this means Data set versions, training and validation strategies, bias mitigation measures and performance monitoring can be documented in a structured manner and linked to the corresponding regulatory requirements.
This system is particularly valuable in change management processes. When an AI model is retrained or new features are added, an impact analysis automatically shows which areas of technical documentation, risk management or clinical evaluation are affected. This enables a well-founded assessment of whether a change is considered a “significant change” and requires a new conformity assessment. Themis not only reduces effort and minimizes redundant data, but also creates the transparency and traceability that notified bodies and authorities expect.
Companies that lay the foundations for structured regulatory governance today are well equipped for future developments. Be it the full implementation of the AI Act from August 2027, the adjustments due to MDR 2.0 or new harmonized standards for AI systems.
Do you want to put your AI medical devices on a robust regulatory footing? Find out more about BAYOOSOFT Themis or test the software free of charge.
Conclusion: Continuous adaptation as a normal state
The regulatory landscape for AI medical devices is far from final. The MDCG 2025-6 guidance document is designed as a FAQ and is updated regularly. Further guidelines are in the pipeline, for example on Predetermined Change Control Plans for AI systems at the level of the International Medical Device Regulators Forum (IMDRF). The European Commission is also planning a “regulatory reset” for MDR and IVDR in order to address structural problems and better facilitate innovation.
Harmonized standards specifically for AI in medical technology are currently being developed, including ISO 24971-2 on the application of risk management for AI-based medical devices and IEC 62366-3 on usability engineering for AI systems. Conformity with such harmonized standards creates a presumption of conformity with legal requirements and facilitates approval.
Manufacturers must be prepared for the fact that regulatory adjustments are the new normal. A flexible, well-structured documentation and process landscape is therefore not a nice-to-have, but a strategic necessity. Companies that invest in a solid regulatory infrastructure today are not only equipped for current requirements, but can also implement future changes much more efficiently.
