The EU AI Act has arrived, and the countdown to compliance is on. As of August 2, 2025, penalties, including administrative fines, are in force. The next phase-in date for high-risk systems, which comprise many medical products using artificial intelligence (AI) systems, is one year away—requiring compliance for AI systems placed on the market prior to August 2, 2026. Proactive compliance with this next phase will provide opportunities for stakeholder AI-system owners to shape the future of the compliance landscape in the EU, particularly in the medical device and in vitro diagnostic (IVD) sectors.
The final implementation date of August 2, 2027, expands full scope to products that either are an AI system, or where an AI system is intended to be used as a safety component of the product, covered by certain "harmonisation [sic] legislation" and requiring third-party conformity assessments, such as those required to obtain CE-Mark through EU MDR 2017/745 and EU IVDR 2017/746
What’s Already in Effect: August 2025 Milestones
The Act applies retroactively to all general-purpose AI models in use within the EU as of August 2, 2025. This is the first implementation date placing many requirements of the Act, 2024/1689, related to general-purpose models in force. These include:
- Chapter III Section 4 for the establishment of notifying authorities, notified bodies, and notification procedures;
- Chapter V for the comprehensive requirements of general-purpose AI models and systems;
- Chapter VII for national and Union levels of governance; and
- Chapter XII – penalties.
General-purpose AI models in operation in the EU before 2 August 2025, are required to complete the documentation, reporting, and disclosure steps of the Act by 2 August 2027.
The privacy and confidentiality provisions of Article 78 of the Act are also in force. Enforcement of general-purpose models is presently delayed, but future penalties may reach up to 3% of global revenues or €15 million, whichever is higher.
The Clock Is Ticking for the August 2026 Implementation
The Act will be fully applicable on August 2, 2026, with an additional phase-in period for the high-risk systems described in Article 6.
Recital 117 of the preamble aligns “significant change” as closely related to “substantial modification.” Fortunately, “substantial modification” is defined and described four times in the Act. The text of the Act confirms continued learning of even a high-risk model does not constitute a significant change. Operator is defined as a provider, product manufacturer, deployer, authorized representative, importer, or distributor.
High-Risk AI Systems: What You Need to Know
A system is classified as high-risk under the Act if its intended use may pose a high-risk of harm to the health and safety or the fundamental rights of persons, including an analysis of the harm severity and probability of occurrence.
Article 2 of the Act extends its scope to all “providers and deployers” when the outputs of their AI-enabled systems occur in the EU. A medical device, IVD, or healthcare product provider with even a single AI-enabled product in the EU is subject to this regulation. Medical devices, in vitro diagnostic devices, and software used in healthcare triage are explicitly designated as high-risk systems. The Act also includes all systems regulated under EU MDR (2017/745) and EU IVDR (2017/746). This approach mirrors the harm analysis under ISO 14971 familiar to MedTech companies.
Notably, the Act envisions that even though it addresses new ground, it will complement existing law (such as EU MDR and EU IVDR) rather than duplicate all regulatory burdens, allowing for medical device manufacturers to integrate various existing activities under these regulations to support compliance with the Act.
What’s Coming: Full Implementation by August 2, 2027
The remaining provisions of the Act will require compliance on August 2, 2027.
On this date, the Act will apply to all high-risk AI systems entering use in the EU. High-risk systems are listed and described in Article 6, paragraph 1. High-risk system operators, especially those of medical device and in vitro diagnostic applications subject to CE-marking requirements, must be compliant on this final date. Instead of a freeze for introducing high-risk systems between August 2, 2026, and August 2, 2027, these systems will be reviewed and approved within their respective conformity assessment regulations. Additional insights can be gleaned by searching “third-party conformity assessment” in the text of the EU AI Act.
A new term for the Medical and In vitro Diagnostic Device communities is “regulatory sandbox.” This term entered the EU regulatory lexicon at the end of 2020, after multiple delays and, arguably, the compliance chaos of the implementation of EU MDR (2017/745) and EU IVDR (2017/746). A “regulatory sandbox” is a structured environment for testing innovative technologies under regulatory supervision. It is the closest thing to the FDA’s Q-Sub process for the EU, and the proposed EU Pharmaceutical Regulation was the first framework to include it. Per Chapter VI, MEASURES IN SUPPORT OF INNOVATION, Article 57 all Member States shall ensure that at least one AI regulatory sandbox has been established and operational at the national level by August 2, 2026.
Scope and Jurisdiction of the Act
Cross-Border Reach and Regulatory Scope
The Act generally applies to companies bringing AI systems to the market or putting them into service in the EU. There are nuances to the Act’s applicability depending on the nature of a given company’s involvement in the AI system’s development or deployment. Exceptions apply as well. Even if not classified as high-risk, systems built as general-purpose AI models fall within scope.
Models and systems used solely for research and development and those in pre-commercial development phases are exempt from compliance with the Act until their applications are marketed or the models are put into service.
Expert Oversight: The Role of the Scientific Panel
Recognizing the need for sustained technical oversight, the EU launched a scientific panel of independent experts on August 2, 2025. This panel supports the AI Office in evaluating technical risks, AI classifications, and systemic threats. It can issue “qualified alerts” when new risks are identified. The AI Office serves as the primary implementation body and single point of contact across Member States.
Next Steps for Medtech and AI Developers
The European Union is establishing a regulatory framework that enables stakeholders to actively participate and influence the approval and deployment of AI-enabled systems. Organizations with strategic foresight can position themselves as leaders in AI use and compliance, shaping the future of responsible technology governance in the EU.
~Billy Delfs, Associate Attorney, Gardner Law
With key provisions of the EU AI Act now in force and full application arriving August 2, 2027, Medtech companies operating in the EU must act decisively. The retroactive scope of the regulation, the designation of high-risk systems, and the introduction of a regulatory sandbox framework represent both compliance challenges and innovation opportunities.
Entities subject to the Act should begin by assessing their exposure, updating documentation, and preparing for engagement with regulators.
