MDR/IVDR, AI Act & data protection - the magic triangle

Regulatory overlaps in medical technology: focus on MDR/IVDR, AI Act and data protection

The integration of artificial intelligence (AI) into medical devices opens up new possibilities - but also presents manufacturers with complex regulatory challenges. The European Union's AI Act is a further regulatory instrument that must be observed in addition to the existing requirements of the MDR (Medical Device Regulation) and IVDR (In-vitro Diagnostic Regulation) as well as the General Data Protection Regulation (GDPR).

In practice, this results in a complex interplay of three sets of rules that requires a careful strategic and operational approach.

MDR/IVDR: Regulatory basis for medical devices

The MDR (Regulation (EU) 2017/745) and IVDR (Regulation (EU) 2017/746) form the regulatory framework for medical devices and in vitro diagnostic medical devices in the EU. A medical device with integrated AI is still a medical device and must fully comply with these requirements; the AI Act adds to them, it does not replace them. The most important requirements relate to

  • Clinical assessment and performance evaluation

  • Risk classification (software that informs diagnostic or therapeutic decisions falls under MDR Annex VIII Rule 11 and is generally class IIa or higher), with particular attention to self-learning algorithms

  • Software lifecycle, risk management and validation against recognized standards (e.g. IEC 62304, ISO 14971), including the information-security requirements for software in MDR Annex I (section 17) and IVDR Annex I (section 16)

With AI-based products in particular, the question regularly arises as to whether the algorithm is "locked" (its behavior is fixed at release and only changes through a controlled update) or "adaptive" (the model continues to learn in the field and develops new decision logic on its own). An adaptive algorithm has a direct impact on classification, on what exactly has been validated, and on whether a field change constitutes a significant change requiring re-assessment.

AI Act: New requirements for AI systems

With the AI Act (Regulation (EU) 2024/1689), the EU has for the first time created a standalone set of rules for the regulation of artificial intelligence. AI systems that are medical devices, or safety components of medical devices, are classed as "high-risk AI systems" where the device itself is subject to third-party conformity assessment under the MDR/IVDR (Art. 6(1) in conjunction with Annex I of the AI Act). In practice this covers almost all AI-based medical software; a device that is self-certified without a notified body does not become high-risk by this route. High-risk classification triggers a range of additional obligations.

Key requirements of the AI Act include:

  • Transparency requirements (Art. 13): the way the AI works, its intended purpose, its limitations and its expected accuracy must be documented for deployers.

  • Data and data governance (Art. 10): training, validation and test data sets must be relevant, sufficiently representative and, as far as possible, free of errors, with bias examined and documented.

  • Human oversight (Art. 14): mechanisms must be in place that allow a person to understand, monitor and override or stop automated decisions.

  • AI-specific risk management (Art. 9): a continuous, iterative risk management process over the whole lifecycle of the system.

  • Accuracy, robustness and cybersecurity (Art. 15): the system must be resilient against attempts to alter its behavior by exploiting AI-specific vulnerabilities, explicitly including data poisoning, model poisoning, adversarial inputs and attacks on model confidentiality; for self-learning systems, feedback loops that reinforce biased outputs must be mitigated.

  • Record-keeping (Art. 12): automatic logging of events throughout the lifetime of the system, so that its operation can be traced and post-market monitoring is possible.

These requirements partly overlap with existing MDR requirements (risk management, usability, software lifecycle), but also lead to new assessment and verification obligations - for example with regard to bias in training data, traceability of individual decisions, adversarial robustness, or systemic risks of AI.


Data protection: GDPR requirements remain in place

In addition to MDR/IVDR and the AI Act, the General Data Protection Regulation (GDPR) is still fully applicable - especially as AI-based systems are often based on sensitive health data.

The following applies to medical technology manufacturers:

  • Privacy by design must be embedded in development right from the start.

  • Processing of personal data requires a clear legal basis (Art. 6 GDPR); health data are a special category, so an additional exemption under Art. 9(2) is needed, for example explicit consent (Art. 9(2)(a)), provision of health care (Art. 9(2)(h)) or scientific research (Art. 9(2)(j)). Consent is only one of these options and is often the weakest one for a product that a patient cannot realistically refuse.

  • Automated decisions with legal or similar effect are particularly critical (Art. 22 GDPR).

There is also a risk that conclusions can be drawn about individuals from a trained model: models can memorize parts of their training data, and membership-inference or model-inversion attacks can reveal whether a given patient's record was used for training or reconstruct features of it. A model trained on health data is therefore itself a data-protection relevant artifact, not only the data set behind it. Manufacturers must take suitable technical and organizational measures (Art. 32 GDPR) - such as data minimization, pseudonymization, access control on training data and models, and testing the model for memorization - to ensure that data processing complies with the GDPR.


Challenges due to overlapping regulations

The simultaneous application of the MDR/IVDR, AI Act and GDPR can lead to overlaps in terms of content and process - with potential conflicts of interest:

  • The MDR demands that the device performs reliably for its intended purpose, while the AI Act additionally focuses on explainable function and traceability of individual outputs; the most accurate model is not necessarily the most explainable one.

  • AI-based systems can dynamically adapt their logic, which makes validation according to MDR more difficult.

  • At the same time, the GDPR imposes strict requirements on consent and transparency in data processing - requirements that are sometimes difficult to reconcile with self-learning systems, whose purposes and data flows may change after the original consent was given.

As DeviceMed analyzes, the question often arises in practice as to which legal framework "prevails". There is no clear legal hierarchy - all three apply in parallel - so it is up to the manufacturer to map the requirements in a consistent, documented overall system. The AI Act does, however, provide for procedural integration: for high-risk AI systems covered by the MDR/IVDR, the AI Act requirements are checked as part of the existing MDR/IVDR conformity assessment (Art. 43(3) AI Act), rather than in a separate procedure.


What manufacturers should do now

  • Early integration of the AI Act: AI requirements should already be taken into account in the early development phase.

  • Holistic approach to quality management: The regulatory requirements from the MDR/IVDR, AI Act and GDPR must be harmonized in the quality management system (QMS). The AI Act explicitly allows providers that already operate a sectoral QMS (such as one under ISO 13485 for the MDR) to integrate the AI-specific QMS elements into it (Art. 17(3) AI Act) instead of running a second system.

  • Interdisciplinary teams: The integration of data protection, technology, clinical evaluation and regulatory requirements should not take place separately, but in dialog.

  • Rethink documentation strategy: Companies should review how they structure their technical documentation so that one set of evidence (risk file, data-governance records, verification and validation reports, security testing results) can be reused across the MDR/IVDR technical documentation, the AI Act technical documentation (Annex IV) and the GDPR records of processing and data protection impact assessment.


Conclusion: strengthening regulatory resilience

The interplay of MDR/IVDR, AI Act and GDPR demands a high degree of regulatory resilience, strategic thinking and technical excellence from medtech manufacturers. Companies that develop integrated compliance strategies at an early stage and set up their processes accordingly will secure clear advantages in terms of market access and international competition.

MEDAGENT supports manufacturers in the safe and compliant integration of AI in medical devices - from strategy to concrete implementation in quality management.

Our teams of experts are on hand to answer any questions about MDR, the AI Act or data protection.
