
Data governance in MedTech: Why AI quality starts with compliance

In MedTech, data governance determines the success or failure of AI. Why data quality, documentation and monitoring are becoming a regulatory obligation.

With the EU AI Act, the medical technology sector is entering a new regulatory phase. For the first time, there is a standalone, legally binding set of rules applicable across the EU specifically for AI systems. At the same time, the MDR remains the central regulatory framework for medical devices. For medtech manufacturers, this means not less, but more complexity.

However, it is becoming clear that the real challenge does not lie in understanding individual regulatory frameworks. What matters is their coordinated application. The MDR and the AI Act pursue similar protection goals but have different priorities. If viewed separately, they create parallel compliance pathways that unnecessarily slow down projects.

For AI-based medical devices, high-risk AI under the AI Act is the rule rather than the exception. As soon as a safety-critical AI component is part of a regulated product and a Notified Body is involved, additional requirements apply. These include data governance, risk management, transparency, and human oversight.

Many companies respond to this with separate documentation and process streams. In practice, however, this approach leads to redundancies, inconsistencies, and increased regulatory risk. The better strategy is an integrated compliance approach in which existing MDR artifacts are specifically expanded.

For example, risk management processes in accordance with ISO 14971 can be supplemented with AI-specific risks. Development and lifecycle processes in accordance with IEC 62304 can be expanded to include requirements for AI models. Post-market surveillance concepts can also be designed to meet both MDR and AI Act requirements.

At the same time, there are AI Act-exclusive requirements that cannot be derived from the MDR. These include, in particular, the systematic documentation of training data or the registration of high-risk AI systems. An integrated strategy therefore does not mean that everything is duplicated, but rather that a clear distinction is made between where existing documents need to be expanded and where new ones must be created.

A key advantage of this approach lies in planning certainty. Those who consider the MDR and AI Act together early on can realistically plan approval strategies, reduce documentation efforts, and avoid regulatory surprises. Conversely, addressing AI compliance late often leads to costly rework or project delays.

This makes it clear: AI compliance in medtech is not an add-on to existing regulations. It is a structural expansion that must be strategically planned. Companies that view the MDR and AI Act holistically lay the foundation for scalable, updatable, and long-term secure AI products.

The white paper “AI in Medical Devices: Safe Integration, Valid Approval” explains in detail how MDR and AI Act requirements can be effectively aligned and which documents are truly critical.

 


Peter Hartung

 

Peter Hartung is Director of Consulting for MedTech at SEQLY. With over 20 years of experience in the medical technology sector, he advises on strategic, process-related, and digital topics – particularly in the areas of software and AI.
