Three regulatory frameworks apply simultaneously. Each was built without the other two in mind
Hospitals and health systems, medical device manufacturers, pharmaceutical companies, health insurers, digital health platforms. Healthcare AI sits at the convergence of the EU AI Act, the Medical Device Regulation (EU) 2017/745 (MDR), and data protection law. The compliance question is how to operate when all three apply at the same time.
How AI is changing healthcare and life sciences
The dominant assumption inside healthcare institutions has been that AI governance is a subset of medical device regulation. If a clinical AI tool qualifies as software as a medical device under MDR (Medical Device Regulation (EU) 2017/745), the MDR conformity pathway, which requires assessment by a designated Notified Body, governs it. If it does not, clinical governance and data protection frameworks apply. The prevailing assumption has been that existing regulatory infrastructure is sophisticated enough to absorb AI without a new layer.
MDR was designed for the certification of medical devices with deterministic software, where the version number defines the product and post-market surveillance monitors defined parameters. AI models in clinical use do not behave this way. They are retrained. Their performance drifts. The validation that cleared version 1.0 does not guarantee version 1.2. MDR post-market surveillance was not designed for systems whose behavior changes between certification cycles.
The EU AI Act adds a second layer on top, with its own classification logic. An AI system used in clinical decision support may be high-risk under Annex III regardless of whether it qualifies as a medical device under MDR. The two classifications are not aligned. A product can be a medical device under MDR and not high-risk under the AI Act, or high-risk under the AI Act and not a medical device under MDR, or both. Each combination requires a different compliance path.
The processing of health data at scale, which is intrinsic to almost all healthcare AI, activates GDPR Article 9 obligations on top of both. Three frameworks, three governance logics, one operational environment.
What risks does this create
The risks in healthcare AI carry a dimension that no other sector matches: patient safety and clinical liability.
Dual conformity assessment for software-as-medical-device
AI tools qualifying as medical devices require MDR conformity assessment through a designated Notified Body, and AI Act conformity assessment under the EU AI Act's high-risk framework, where Zertia is ANAB-accredited. These are separate processes, with separate documentation requirements, separate timelines, and separate auditors. Most MedTech companies and hospitals have not yet mapped which of their AI tools require one, the other, or both.
Model lifecycle mismatch with regulatory cycles
Medical device versioning under MDR assumes software updates can be defined, bounded, and certified. AI model retraining works differently. A model retrained on new clinical data may produce materially different outputs than the certified version, potentially requiring a new conformity assessment before clinical use. Most clinical AI deployments are not managing this boundary explicitly.
Health data under GDPR Article 9 and AI Act simultaneously
Patient records are special category data under GDPR. Deploying AI that processes health information at scale requires DPIA, specific legal basis, and data minimization controls that go beyond standard healthcare IT governance. When the AI system is also high-risk under Annex III, the obligations from both frameworks apply in parallel, with distinct documentation requirements.
Pharma and life sciences AI in discovery and trials
AI used in drug discovery, target identification, and clinical trial design is not currently classified as high-risk under Annex III, but it operates under scientific integrity standards and regulatory oversight from EMA and national competent authorities that increasingly intersect with AI governance obligations. The operational and reputational exposure from ungoverned AI in clinical research is significant and poorly understood.
The question that has changed
The question clinical governance bodies and regulators are asking has shifted: from whether the AI tool has MDR clearance, to whether the organization can demonstrate, across all three regulatory frameworks that apply simultaneously, that AI in clinical, research, and operational contexts operates under controls proportional to the stakes involved.
How these risks can be mitigated
The mitigation path requires a governance architecture that addresses the convergence of MDR, AI Act, and GDPR explicitly, not sequentially.
Dual conformity assessment mapping
For each AI tool in clinical use, determine whether MDR, AI Act high-risk obligations, or both apply, and structure the conformity pathways accordingly. The classification logic of each framework applies per use case, which means the same product can carry different obligations depending on how it is deployed.
Model lifecycle governance
Establish explicit policies for when AI model retraining triggers a new conformity assessment under MDR and when it constitutes a material change requiring AI Act review. This boundary is not defined by either regulation with the precision clinical operations require. It has to be operationalized internally, documented, and made auditable.
ISO/IEC 42001 as the integrating management system
ISO/IEC 42001 certification provides the organizational governance layer that integrates MDR quality management requirements and AI Act management system obligations into a single auditable framework.
For healthcare organizations, the certification process surfaces AI deployments that were invisible to the compliance function.
How we help
ISO/IEC 42001 Certification for Healthcare and Life Sciences
ANAB-accredited certification of the AI Management System, scoped to the regulatory reality of healthcare deployers and MedTech providers. Integrates with MDR quality management requirements and AI Act deployer obligations.
AI Act and MDR Intersection Assessment
For AI tools that may qualify as both high-risk AI under the AI Act and software as a medical device under MDR. Maps the conformity requirements of each framework per use case, identifies whether MDR Notified Body assessment is required alongside AI Act obligations, and structures the pathway and timeline for each.
Clinical AI Risk Assessment
Independent assessment of AI deployed in clinical decision support, diagnostic imaging, patient triage, and risk scoring. Documented findings for clinical governance bodies, supervisory authorities, and risk management.
Health Data AI Compliance
DPIA and AI Act assessment for AI systems processing health data under GDPR Article 9. Integrates data protection obligations with AI Act risk management requirements.
Zertia Academy — Healthcare Track
Training for clinical informatics, regulatory affairs, data protection officers, and medical leadership. Builds shared institutional capacity to govern AI at the convergence of MDR, AI Act, and GDPR.
What regulators are asking and what certification answers
| Regulatory obligation | What it requires | How Zertia addresses it |
|---|---|---|
| EU AI Act — Annex III (High-risk: healthcare) | AI systems intended to be used to make decisions or assist in making decisions with significant impact on natural persons' health or safety, including in medical diagnosis support, patient risk stratification, and clinical triage, are classified as high-risk under Annex III point 6. The classification is use-case specific: not all AI in a clinical setting is high-risk, but any system in the decision-support chain for individual patient outcomes is. Applies to deployers (hospitals) and providers (MedTech companies) with different obligations under each role. | ISO/IEC 42001 certification covers AI Act high-risk deployer and provider obligations for healthcare AI. Our audit scope includes clinical AI tools and the governance structures that oversee them. |
| Medical Device Regulation (MDR) — Software as Medical Device | AI tools qualifying as SaMD require MDR conformity assessment through a designated Notified Body. Zertia is not a Notified Body under MDR. Post-market surveillance must cover AI behavior in production, including model drift and retraining. The MDR certification lifecycle does not align with AI model update cycles by default, creating a governance gap that organizations need to manage explicitly. | Zertia covers the AI Act side of the conformity picture. Our AI Act and MDR Intersection Assessment maps which systems require MDR Notified Body assessment, which require AI Act conformity assessment, and which require both. ISO/IEC 42001 certification provides the organizational governance layer that supports MDR quality management requirements without substituting for Notified Body assessment. |
| GDPR — Art. 9 (Special category data: health) | Processing health data requires explicit legal basis, DPIA for high-risk processing, data minimization, and specific security measures. AI systems that process patient data at scale for clinical or operational purposes activate all of these simultaneously. | Health Data AI Compliance service integrates DPIA obligations with AI Act risk management requirements. DPIA scope and methodology are calibrated to the specific AI use case and data processing context. |
| EMA Reflection Papers on AI in clinical development | EMA has published reflection papers and is developing guidance on the use of AI and machine learning in drug development, clinical trial design, and regulatory submissions. These are not yet adopted guidelines with binding obligations, but they signal the evidentiary standard EMA expects for AI-generated data in regulatory submissions. Scientific integrity and reproducibility requirements apply now under existing GCP and GMP frameworks. | ISO/IEC 42001 certification addresses the organizational governance of AI in research and development contexts. Clinical AI Risk Assessment covers the specific requirements of AI used in pharma and life sciences research workflows. |
From inquiry to certification
If you're earlier in the process
Get the Healthcare and Life Sciences AI Roadmap
FreeA structured assessment for hospitals, MedTech companies, health insurers, and pharma. Covers AI inventory, AI Act and MDR dual classification, DPIA scoping, and governance gap analysis.
Download the roadmapReadiness Audit
Paid · Fixed feeDiagnostic of your AI deployments against ISO/IEC 42001 and AI Act high-risk obligations, including mapping of MDR intersections where applicable. Documented gap report, conformity pathway mapping, and certification timeline.
Book a readiness auditIf you're ready for certification
ISO/IEC 42001 Certification
ANAB-accreditedThree-year cycle, fixed fees, ANAB-accredited. Scoped to the regulatory reality of healthcare and life sciences organizations. Surveillance audits included.
Talk to us about certificationA model that adapts to your firm
How we work with you depends on your organization's position in the healthcare value chain. A hospital deploying third-party clinical AI operates differently than a MedTech company placing AI products on the EU market. Three engagement models adapted to healthcare and life sciences realities.
See how we engage →-
Startup
Early-stage AI. Light roadmap, certification when you scale.
-
Scaleup
Readiness audit and certification timed to your growth.
-
Enterprise
Full certification with recurring governance and ongoing support.
Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001
Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.
ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.
For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.
Your fast track to compliance starts here
Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.
