Building SaMD under the AI Act: a practical guide
The good news is that you have a little more time. Here's what you'll need in order to comply.
Recently, a provisional agreement was reached on the Digital Omnibus package relating to the AI Act, offering more clarity for manufacturers building a Class IIa+ AI medical device.
The new agreement reinforced the position that you’ll need to undergo conformity assessment against both the EU Medical Device Regulation (MDR) and the AI Act. But it does give you a little longer to comply.
The proposed MDR revision could change this picture, but that’s a story for another day.
For now, here’s an overview of what you’ll need to have in order ahead of the deadline.
Here’s what needs to happen by the summer of 2028:

1. Get your AI medical device to market
If you’re building AI as a medical device, the best thing that you can do is to make use of the transitional provisions.
You’ll likely have seen the Medical Device Coordination Group (MDCG) Guidance 2025-6, which is an FAQ on the interplay between the MDR and the AI Act. That guidance clarifies that if you already have an AI medical device on the market by the deadline, you won’t have to undergo assessment against the AI Act until you make a significant change to that device.
It’s worth noting that the August 2027 deadline (set out in the Guidance in 2025) will likely be extended to August 2028, in light of an extension to compliance deadlines in the Digital Omnibus.
If you’re tight on resources, the best place to focus your efforts is the application, assessment, and certification of your AI medical device under the MDR.
2. Run the gap analysis
Compliance and assessment against the AI Act and the MDR are not intended to be duplicative. From the recitals to the AI Act itself:
“It is appropriate that, in order to minimise the burden on operators and avoid any possible duplication, for high-risk AI systems related to products which are covered by [the MDR], the compliance of those AI systems with the requirements of this [AI Act] should be assessed as part of the conformity assessment already provided for in that law.”
So you’ll be able to proceed with an enhanced, yet single Quality Management System (QMS), a single set of technical documentation, and a single conformity assessment process, provided that your Notified Body is entitled to assess you against MDR and the AI Act.
Art 43(3) of the AI Act helpfully points you to the key areas of uplift between the MDR and the AI Act, for the purposes of conformity assessment, i.e. what we’ll be looking out for.
Specifically, the focus of our assessment will be on Section 2 of the AI Act:
- Article 8: General compliance with the AI-specific “state of the art”
- Article 9: The risk management system considers AI-specific risks, including risks to health, safety, or fundamental rights
- Article 10: Training, validation and testing data sets are sufficiently representative and ensure bias protection, and the data itself is adequately protected
- Article 11: Technical documentation demonstrates compliance against the applicable requirements of the AI Act
- Article 12: An automated recording of events (logs) over the lifetime of the system
- Article 13: Users (“deployers”) of the device are able to use it appropriately, within the context of its intended purpose
- Article 14: The design of the device facilitates human oversight while in use
- Article 15: The device is able to achieve an appropriate level of accuracy, robustness, and cybersecurity consistently throughout its lifecycle
And Annex VII of the AI Act sets out how we might get a little more up close and personal:
- Point 4.3: We might (if relevant, and only to the extent necessary to “fulfil our tasks”) need access to your training, validation and testing data sets, potentially through an API
- Point 4.4: We might conduct our own direct tests of your AI system, if certain conditions are met
- Point 4.5: We might request access to the training and trained models of your AI system, including its relevant parameters
- Point 4.6 (fifth paragraph): We might comment on the data used to train your AI system as part of certification decision making
The juicy detail of our assessment will be in the technical standards, mentioned below.
3. Build in alerts for guidance and technical standards
Above, we mentioned the MDCG guidance (2025-6) on the Interplay between the MDR and the AI Act. We’re expecting a v.2.0 of this to be released, and we’re watching for that closely.
CEN-CENELEC is the relevant standards body under the AI Act, and JTC21 is the technical committee within it that is generating the harmonised standards. Late last year, they announced that they would streamline the process and approvals to develop the standards to “accelerate their delivery”.
JTC21’s work programme is available here. The standards tracker here is a little more aesthetic.
The one-stop shop at the AI Act Single Information Platform also has some useful resources.
4. Hire for AI literacy
If you’re already manufacturing an AI medical device, you probably have a few AI experts in your product development (and potentially even your clinical) teams.
But you also need folks who are well versed in AI to:
- Translate regulatory requirements into product and processes
- Build out technical data to ensure compliance under both MDR and the AI Act
- Support AI literacy across your business, and those deploying your device
While systems and processes can be built relatively quickly, recruitment takes time.
5. Don’t panic
Don’t let regulatory panic stop you from building life-changing technology. Plenty has been written about the revolutionary regulatory movement that is the AI Act.
The reality is that we have already been assessing the safety and performance of your AI medical device under the MDR. As set out in point two above, there is an uplift in the substantive requirements that are prescribed, but the AI Act is designed in a way to make placing your device on the market safer, and not impossible.
If you’ve got evidence that it’s safe and performs the way it’s intended, you’re already well on your way.
Felicity Ellis is Scarlet’s Head of Legal. She has been passionately following legislative developments under both the AI Act and the MDR.



