Both the EU Medical Device Regulation (MDR) and the EU AI Act (AIA) apply in parallel to AI-based medical devices (AIMDs) under the current regulatory framework.[1] This article explains how the MDR and AIA currently assign responsibility to economic operators, focusing on the dual role of the medical device "manufacturer" under the MDR and the "provider" under the AI Act. Further, it gives an outlook on how regulatory roles would change in case the European Commission's (EC) latest proposal simplifying the MDR is enacted.

Under the current regulatory framework, a product that qualifies as a medical device under the MDR and at the same time is [or incorporates] an AI system as defined by the AIA is subject to both regimes. Most AIMDs will be classified as high-risk AI systems under the AIA, meaning they will be subject to the most rigorous compliance requirements of the AIA.

The MDR's key economic operator, responsible for ensuring compliance with regulatory requirements, is the "manufacturer", the entity that manufactures or has manufactured the device and markets it under its name. Under the AIA, the key operator with comparable obligations is the "provider": the entity responsible for developing/having developed an AI system and placing it on the market or putting it into service. While these definitions are similar, the question arises whether the medical device manufacturer will usually also be considered the AI provider, especially since most medical device companies will incorporate AI systems developed by third parties in their devices.

However, eventually, the decisive criterion for both the manufacturer and the provider role is who takes responsibility for the final AIMD by marketing the product under its brand. This will usually be the device manufacturer, irrespective of third parties involved in development. Moreover, for AI systems that are a safety component of a medical device and are not marketed independently from the device, the AIA expressly stipulates that the product manufacturer is also deemed the provider under the AIA if the device is marketed under their trademark.

The MDR and AIA are, however, quite different on the "user-side": the MDR defines the "user" as the individual operating the device – without own regulatory obligations. The AIA, however, introduces the "deployer," which role is associated with several regulatory responsibilities and does not depend on the actual use of an AI system but on having authority over the AI system's use. Thus, in hospitals or similar organizations, the institution as such (not the individual HCP) will be the deployer under the AIA. In smaller practices, these roles may overlap.

While the MDR and AIA share a risk-based approach and similar obligations for manufacturers/providers, the roles of users and deployers are quite different. Understanding these roles is essential for ensuring compliance with legal requirements in practice and should already be considered at the product design and development stage.

Navigating the "human oversight" requirement for AI-based medical devices in Europe

For AIMDs, one of the crucial questions arising is how to ensure that human physicians can still ultimately oversee and steer diagnostic and treatment decisions. In response to these challenges, the EU AI Act introduced the principle of "human oversight": a concept that impacts both the design and use of AIMDs in Europe.

Under the AIA, human oversight refers to the ability of natural persons to understand, monitor, and, where necessary, intervene in the operation of AI systems. The goal is to ensure that AI does not operate in a "black box," but remains subject to meaningful human control, minimizing risks to health or safety of patients or others. Providers of high-risk AI systems must enable natural persons, to whom human oversight is assigned, to properly understand the relevant capacities and limitations of the high-risk AI system and be able to duly monitor its operation.

For manufacturers of AIMDs, the human oversight requirement has direct consequences for the design and development of AIMDs. They need to implement technical and organizational measures that enable effective human oversight. This may include:

• User Interfaces: Designing interfaces that allow users to understand and, if necessary, override AI outputs and intervene in the operation of the AI system.
• Instructions: Providing AIMDs in a way that enables users to understand capacities and limitations of the AI system and correctly interpret outputs.

Health care professionals and other users of AIMDs must be able to effectively exercise human oversight. This needs to be ensured by the deployer (i.e., the person or entity using the AIMD under its authority (usually a hospital or other health care facility) and includes ensuring that persons assigned human oversight have the necessary competence, training and authority.

Whether the principle of human oversight will continue to be an obligation of manufacturers and users of AIMDs under the MDR and its delegated acts remains to be seen. As of today, the MDR does not assign regulatory responsibilities to users of medical devices.

As the regulatory landscape continues to evolve, manufacturers developing AIMDs are facing uncertainty as to whether – and to which extent – human oversight requirements will still apply in the future. As of now, it is recommended to design AIMDs in accordance with the AIA's current requirements of human oversight. It is not clear whether the far-reaching draft removing medical devices from almost the entire scope of the AIA will be enacted. Even if it will, it is likely that human oversight will remain relevant as a core principle for AIMDs.

[1] Notably, however, on 16 December 2025 the European Commission published a proposal for amendments to the MDR and IVDR that, if enacted, would largely remove the applicability of the AI Act to AIMDs and would also transform how regulatory roles with regard to AIMDs are defined today.