gesundAi
Solutions
Company
Resources
Customers
Contact

EU AI Act Is Now Law: What Healthcare AI Leaders Must Do in 2025

A Seismic Shift is Underway

Europe’s Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force in August 2024 and begins phasing‑in over the next 36 months. For every company that designs, deploys, or validates clinical AI, the Act rewrites the rule‑book: nearly all AI medical devices, diagnostic algorithms, and decision‑support tools will be treated as “high‑risk”, subject to new mandatory risk‑management, data‑governance, human‑oversight, transparency, and post‑market monitoring obligations. Penalties for non‑compliance top €35 million or 7 % of global turnover—putting AI compliance on the same strategic level as GDPR.

The EU AI Act is Redefining High‑Risk Healthcare AI

  • Automatic high‑risk classification. Any AI that is itself a medical device—or a safety component of one—falls under the Act if it already requires third‑party conformity assessment under the Medical Device Regulation (MDR) or the In‑Vitro Diagnostic Regulation (IVDR). In practice, that captures virtually every AI/ML‑enabled SaMD, CADx algorithm, digital pathology model, and patient‑triage tool.

  • Annex III triggers. Even non‑device healthcare AI can become high‑risk if it:

    • Determines eligibility for healthcare benefits;

    • Performs emergency‑call triage or patient prioritization;

    • Sets life‑ or health‑insurance pricing;

    • Uses biometric identification or categorization in clinical settings.

  • Horizontal requirements layered on top of MDR/IVDR. The AI Act does not replace sectoral rules; it adds a second stack of obligations: continuous risk management, quality management system updates, bias and fairness controls, detailed logging, and incident reporting to competent authorities within 15 days.

  • Human oversight rewritten. The provider must build technical and procedural “off‑ramps” so clinicians can override or contest AI outputs, and deployers must assure AI literacy, input‑data quality, and real‑time performance monitoring.

  • Integrated conformity assessment (Article 43). From 2026, Notified Bodies will evaluate AI‑specific evidence—including data‑set governance, model robustness, cybersecurity, and bias audits—alongside traditional safety and performance dossiers.

Why This Matters for Healthcare AI Innovators

Impact Area

What Changes

Strategic Consequence

Regulatory Pathway

Dual MDR/IVDR + AI‑Act assessment; new technical‑file sections for risk management, bias testing, and human‑oversight design.

Product‑development timelines lengthen; evidence expectations rise; budget for two rounds of design‑freeze documentation.

Market Access & Liability

Market‑surveillance authorities gain takedown powers; serious incidents trigger EU‑wide alerts; fines rival GDPR.

Non‑compliant models face rapid withdrawal; board‑level risk appetite must factor AI compliance exposures.

Clinical Adoption & Trust

Mandatory transparency to users and patients; providers must prove explainability and auditability.

Hospitals will prefer platforms that ship “compliance‑by‑design”; opaque “black‑box” tools risk procurement exclusion.

Data & Bias Governance

Training/validation data must be representative, error‑checked, and documented; feedback loops monitored for drift.

Data‑engineering and MLOps budgets increase; continuous‑learning models need versioned tracking and performance dashboards.

What Forward‑Looking Teams Should Do Now

  • Map your product portfolio against Annex I and Annex III. Confirm which models are automatically high‑risk and which might be exempt only by documented, evidence‑backed justification.

  • Upgrade your Quality Management System. Embed AI‑specific SOPs for data governance, bias testing, post‑market performance tracking, and serious‑incident escalation. Align them with ISO 13485 and ISO/IEC 42001 where possible.

  • Run a gap analysis on risk‑management files. The Act demands a continuous, lifecycle risk process—revise hazard analyses to include drift, automation bias, adversarial vulnerabilities, and misuse scenarios.

  • Design human‑oversight interfaces. Provide clear confidence scores, highlight model limits, and build override workflows that integrate into the clinician’s EHR/PACS context.

  • Operationalize bias and subgroup testing. Establish statistically powered analyses for age, sex, race/ethnicity, and site‑specific performance; document mitigation measures.

  • Prepare integrated technical documentation for Notified Bodies. Merge AI‑Act evidence (risk files, bias reports, data lineage records, explainability demonstrations) with existing MDR Annex II/III technical files.

  • Institute a post‑market monitoring plan. Automate real‑time logging, set performance drift thresholds, and rehearse incident‑reporting drills to ensure the 15‑day clock can be met.

How Gesund.ai Accelerates AI‑Act Readiness

  • End‑to‑end lifecycle governance. Our regulatory‑grade repository version‑controls every data set, model artefact, experiment, and validation result—providing the complete evidence trail Notified Bodies expect.

  • Bias & fairness engine. Pre‑built statistical tests surface performance gaps across protected classes and cohorts, with automated mitigation workflows and visual audit reports.

  • Integrated risk‑management workspace. Teams document hazards, severity, occurrence, and mitigation links directly to model versions; updates propagate through the technical file in real time.

  • Human‑in‑the‑loop validation. Radiologists and clinical SMEs can annotate cases, override model outputs, and flag anomalies; those events feed back into post‑market dashboards.

  • Conformity‑assessment templates. MDR/IVDR and AI‑Act document blueprints auto‑populate with traceable evidence, cutting weeks of manual compilation.

  • Secure federated deployment & monitoring. Hospitals run models on‑prem or in virtual private clouds while Gesund.ai streams anonymised performance metrics to a central compliance console—supporting EU data‑sovereignty and incident‑reporting needs.

The competitive Edge Belongs to the Compliant

The EU AI Act transforms AI compliance from a regulatory after‑thought into a strategic prerequisite for market survival. Teams that integrate risk management, bias governance, and transparent audit trails today will enter 2026 with both regulatory clearance and clinician trust—while late movers scramble to retrofit safety into shipped code.

Ready to operationalise regulatory‑grade, trustworthy AI? Explore the Gesund.ai platform and book a live demo at https://gesund.ai/get-in-touch-gesund

Bibliography

  1. European Union.

    Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 March 2024 on artificial intelligence (AI Act). Official Journal of the European Union. 12 July 2024. http://data.europa.eu/eli/reg/2024/1689/oj

  2. van Leeuwen K G, Doorn L, Gelderblom E. The AI Act: responsibilities and obligations for healthcare professionals and organizations. Diagnostic and Interventional Radiology. 2025. https://www.dirjournal.org/articles/the-ai-act-responsibilities-and-obligations-for-healthcare-professionals-and-organizations/doi/dir.2025.252851

  3. European Commission. Article 43: Conformity Assessment – EU Artificial Intelligence Act portal. Accessed 9 July 2025. https://artificialintelligenceact.eu/article/43/

  4. European Commission. Annex III: High‑Risk AI Systems Referred to in Article 6(2). EU Artificial Intelligence Act portal. Accessed 9 July 2025.  https://artificialintelligenceact.eu/annex/3/

  5. Müller A. Navigating the EU AI Act: implications for regulated digital medical products. Health Policy. 2024. https://pmc.ncbi.nlm.nih.gov/articles/PMC11379845/

  6. World Health Organization. Ethics and governance of artificial intelligence for health. 2021. https://www.who.int/publications/i/item/9789240029200

About the Author

Gesundai Slug Author

Enes HOSGOR

CEO at Gesund.ai

Dr. Enes Hosgor is an engineer by training and an AI entrepreneur by trade driven to unlock scientific and technological breakthroughs having built AI products and companies in the last 10+ years in high compliance environments. After selling his first ML company based on his Ph.D. work at Carnegie Mellon University, he joined a digital surgery company named Caresyntax to found and lead its ML division. His penchant for healthcare comes from his family of physicians including his late father, sister and wife. Formerly a Fulbright Scholar at the University of Texas at Austin, some of his published scientific work can be found in Medical Image Analysis; International Journal of Computer Assisted Radiology and Surgery; Nature Scientific Reports, and British Journal of Surgery, among other peer-reviewed outlets.