EU AI Act compliance for HealthTech SaaS founders

HealthTech is the most complex industry under the EU AI Act because the regime stacks with the Medical Devices Regulation (MDR, EU 2017/745). If your product is regulated as a medical device, Annex II of the AI Act pulls it into high-risk territory, and most patient-facing AI in digital health is high-risk. The Chapter III obligations apply on 2 August 2026 for Annex III categories; for Annex II (medical devices), the implementation date is 2 August 2027, but most national regulators expect readiness in 2026. The penalty ceiling is €15M or 3% of global turnover.

Is your product high-risk under Annex III?

HealthTech intersects with three parts of the Act:

  • Annex II: AI systems that are safety components of medical devices regulated under EU 2017/745 (MDR). Most diagnostic AI, decision-support AI, and patient-monitoring AI sits here.
  • Annex III point 5(a): AI for evaluation of natural persons by public authorities (e.g., disability assessments).
  • Annex III point 7: AI for migration or asylum decisions, relevant only to the very specific HealthTech products serving border health screening.

If your product is CE-marked under MDR Class IIa or higher, it is likely high-risk under the AI Act too. The conformity assessment route depends on your existing notified body: most digital health vendors will use the same notified body for both MDR and AI Act conformity.

Article 50 transparency obligations

Article 50 applies regardless of medical-device status:

Article 50(1): patients interacting with your AI (chatbots, symptom checkers, mental health agents) must be told they are talking to AI.

Article 50(3): emotion recognition or biometric inference in mental health or behavioural health tools requires explicit disclosure.

Article 50(4): AI-generated medical content (auto-generated clinic notes, AI-summarised lab reports, AI-drafted patient letters) must be marked as AI-generated in a machine-readable way.

This stacks with GDPR Article 9 (special category data: health data needs explicit consent or another Article 9 basis) and member-state-specific health data rules.

Self-audit checklist before 2 August 2026

Seven checks before 2 August 2026:

  1. Confirm whether each AI feature is also a medical device under MDR. If yes, plan combined conformity.
  2. List all AI features against Annex II (MDR overlap) and Annex III (other high-risk categories).
  3. Document training data, particularly clinical validation data and any synthetic data generation. Bias testing across demographics is required under Article 10.
  4. Build the combined MDR and AI Act conformity assessment file. If you have an existing notified body, schedule a review now; notified-body queues are 9 to 18 months.
  5. Implement clinician-in-the-loop human oversight per Article 14. Patient-facing AI must have a documented escalation to a healthcare professional.
  6. Update patient-facing disclosures and clinician-facing dashboards with Article 50 language. Verify GDPR Article 9 consent capture.
  7. Set up the combined MDR vigilance and AI Act Article 73 incident reporting workflow.

Penalties and enforcement

Penalty ceilings: €15M or 3% of global turnover for high-risk failures or Article 50 failures, €7.5M or 1% for misinformation. MDR fines stack separately on top (member-state defined, often €50,000 to €500,000 per violation). Worked example: a digital health SaaS with €4M ARR faces a theoretical maximum of €120,000 (AI Act) plus €100,000 to €500,000 (MDR, per member state). The biggest cost is hospital procurement: the NHS, AOK and Assistance Publique already require both MDR and AI Act attestations for any AI-touching purchase.

Last updated: 2026-05-28