Kicky Gerhilde van Leeuwen, Leon Doorn, Erik Gelderblom
Diagnostic and Interventional Radiology - 2026;32(3):273-275
On August 1, 2024, the artificial intelligence (AI) Act 2024/1689 officially came into force within the European Union (EU). Since the United States Executive Order 14110 on AI from 2023 was recently revoked, it sets the global standard as a regulatory framework to govern AI systems. The Act applies across all sectors and, as such, also introduces requirements and controls for the use of AI in healthcare. Although medical devices (MDs) (with and without AI) have long been subject to the rules and requirements of the MD Regulation (MDR) (preceded by the MD directive) and the in vitro diagnostics regulation (IVDR) (preceded by the in vitro diagnostic MDs directive), these requirements primarily focus on the manufacturers. The AI Act extends this dynamic by introducing AI-specific requirements for manufacturers (providers), as well as additional responsibilities for the users (deployers) of AI-enabled MDs. Central to the AI Act is the classification of AI systems based on their level of risk: prohibited, high-risk, limited-risk, minimal-risk, and general-purpose AI models (with and without systemic risk) or systems. MDs incorporating AI are generally classified as "high-risk" because AI often serves as a key functionality or safety component, and most software-based MDs require a conformity assessment, per their assigned risk classification, by a notified body under the MDR or IVDR before they can be placed on the EU market. High-risk AI systems must meet stringent requirements for design, risk management, performance, transparency, human oversight, logging, and monitoring under the AI Act to ensure their safe and effective use. The additional requirements for the providers do not exempt healthcare organizations and individual users, designated deployers, from keeping pace with the new regulations. Some requirements are already covered by the MDR and IVDR, such as ensuring the MD is used according to its intended purpose and reporting incidents. Other regulatory frameworks, such as the General Data Protection Regulation 2016/679, may require healthcare organizations to conduct data protection impact assessments to ensure privacy is adequately protected. This commentary highlights the most important additional requirements for deployers of high-risk AI solutions in healthcare, as summarized in Figure 1 and Table 1. It explores the boundaries of responsibility between the MD industry, healthcare organizations, and individual users. We reflect on how the AI Act reshapes accountability and places new demands on healthcare professionals as users of AI systems.
