We place cookies to ensure essential functionalities, measure audience, and offer you personalized content. Learn more

Blog

Explore our articles

Find all the latest Certeafiles news and our regular watch on the medical device universe.

Retour
AI Act and GDPR in medical devices

AI Act, GDPR, and Medical Devices: When Regulations Collide

Artificial IntelligenceGDPR
How to anticipate the overlap between the AI Act, GDPR, and MDR in HealthTech—and turn complexity into a strategic advantage.

Introduction

Ten years ago, the GDPR came crashing into the business world, sending companies into a frenzy of privacy policies, cookie banners, and compliance training.
In the following years, the EU Medical Device Regulation (MDR) sparked a similar storm in the MedTech industry, requiring massive preparation, new clinical data, and thousands of pages of documentation.

Both felt a bit like the Y2K bug: everyone running around, preparing for disaster, only to discover that the real-world impact was less dramatic than the hype.

Now in 2025, the AI Act is about to join the party. HealthTech professionals who already weathered GDPR and MDR tend to be skeptical.
But dismissing the AI Act would be a mistake: unlike earlier waves of regulation, it intersects directly with GDPR and MDR, creating overlapping—and sometimes conflicting—obligations.

Every company that develops or uses AI in Europe will be affected.
Whether you’re a startup training diagnostic algorithms or a hospital deploying AI-driven triage, you will fall into one of two roles: provider or operator.
And with medical devices considered high-risk systems, the stakes couldn’t be higher.

So how exactly do these regulations collide, and what should HealthTech innovators do today?
Let’s break it down.

1. The AI Act in a Nutshell

The EU AI Act is the first comprehensive legal framework to regulate Artificial Intelligence.
Its goals are clear: ensure AI is safe, transparent, and ethical.

1.1 Core Principles

Two roles (sometimes combined):

  • Providers develop or place AI systems on the market.
  • Operators use AI systems professionally within the EU.

Risk-based classification:
Healthcare applications are almost always high-risk, triggering stricter requirements for testing, documentation, and human oversight.

Timeline:
Some provisions apply in 2025, with full enforcement expected by 2027.

💡 For MedTech, this means any AI-enabled device must comply with the MDR and demonstrate conformity with the AI Act obligations.

2. GDPR and Personal Health Data

The General Data Protection Regulation (GDPR) has been in force since 2018 and remains one of the strictest privacy regimes worldwide.
In HealthTech, it is central: almost all AI systems process sensitive personal data (biometric, physiological, genetic).

2.1 Key GDPR Principles

  • Lawful basis: personal data may only be processed under strict legal conditions (e.g., patient consent, vital interests, public health).
  • Data minimization: collect only what you need—no more.
  • Accountability: be able to demonstrate compliance at any time.

2.2 Where GDPR and the AI Act Overlap

  • Both stress explainability: individuals must understand how their data is used and how decisions are made.
  • GDPR requires Data Protection Impact Assessments (DPIAs) for high-risk processing; the AI Act requires risk classification and documentation.
  • Both demand human oversight for high-stakes automated decisions.

3. Medical Devices Regulation (MDR + ISO Standards)

On top of GDPR and the AI Act, HealthTech innovators must meet the MDR, which already imposes strict requirements on safety, performance, risk management, and clinical evaluation.

3.1 ISO Standards Especially Relevant

Standard Primary Focus Key Application
ISO 13485 Quality Management System for medical devices Foundation of the medical QMS
ISO 14971 Risk management Identify, evaluate, and control clinical risks
ISO 62304 Medical device software lifecycle Design, testing, maintenance, and documentation

The gap? The MDR was not designed with AI in mind.
Traditional devices are static: once certified, they change little.
AI systems can learn continuously, evolve with new data, and behave unpredictably.
Result: significant friction when fitting AI into MDR’s conformity framework.

4. Where the Frameworks Collide

The real challenge isn’t any single regulation, but how they interact.
Here are key collision points:

4.1 Transparency vs. Confidentiality

  • The AI Act requires transparency and explainability.
  • GDPR mandates data minimization and trade-secret protection.
    ➡️ Balancing openness with confidentiality will be tricky.

4.2 Liability and Accountability

  • MDR holds manufacturers responsible for safety and performance.
  • GDPR holds controllers responsible for lawful data use.
  • The AI Act adds duties for providers and operators.
    👉 Result: overlapping liabilities when AI goes wrong.

4.3 Continuous Learning Models

  • MDR assumes a stable device design.
  • ISO 62304 frames well-defined software versions.
  • The AI Act requires monitoring and risk management for evolving systems.
    👉 How do you certify something that never stops learning?

4.4 Cross-Border Data Transfers

  • GDPR strictly regulates personal data transfers outside the EU.
  • Many AI training pipelines rely on US-hosted infrastructure.
    👉 A persistent compliance headache for startups.

5. Practical Guidance for HealthTech Developers

How to prepare for this regulatory collision?
Here are five concrete steps:

1.Map your role(s)
Are you a provider, operator, or both? Obligations differ.

2.Classify your AI system early
In healthcare, it’s almost always high-risk → plan for CE marking.

3.Integrate GDPR into AI design

  • Prefer true anonymization over mere pseudonymization where feasible.
  • Conduct DPIAs.
  • Obtain explicit consent where required.

4.Strengthen documentation and traceability

  • Extend traceability matrices to data pipelines and algorithm training.
  • Be ready to show not just what the device does, but how the AI was trained, tested, and validated.

5.Prepare for audits

  • Demonstrate explainability, risk management, and human oversight.
  • Build AI Act and GDPR requirements into your existing QMS to avoid duplication.

6. Conclusion – Turning Collision into Opportunity

At first glance, the overlap of the AI Act, GDPR, and MDR looks like a regulatory nightmare.
Handled well, it becomes a strategic differentiator.

Companies that anticipate alignment will gain:

  • Faster market access,
  • Stronger trust from patients and regulators,
  • A more resilient compliance strategy.

Don’t wait until 2027 when the AI Act is fully enforced—by then, it’s too late to build compliance from scratch.

Start now:

  • Integrate GDPR and AI Act requirements into your QMS.
  • Treat documentation as a strategic asset.
  • Design AI devices with transparency and accountability in mind.

Contact

Start today by mapping your AI systems and documenting their data flows.
At Certeafiles, we support you at every stage:

  • Personalized guidance from our experts.
  • Hands-on, tailored training.
  • Internal audits.

👉 Contact us for a free initial consultation and discover how Certeafiles can accelerate and secure your AI Act, GDPR, and MDR compliance efforts.