Tue 31 Dec 2024

Preparing for the EU Artificial Intelligence (AI) Act: Key Considerations for the Medical Device Industry

The EU AI Act came into force on 1 August 2024 and is set to reshape the MedTech sector, with a significant impact on Scotland’s use of medical devices.

With almost two thirds of UK healthcare organisations already leveraging AI in their operations, this legislation presents a fundamental shift in how medical technologies will be regulated and monitored. 

Although this is European legislation, it is not just a European issue. If a business's medical device utilises AI and is “used or marketed in the EU”, it must comply with the Act’s requirements, regardless of where the company is based.

With the AI Act becoming enforceable by 2026, and some critical provisions kicking in as early as February 2025, organisations must start preparing now. Scottish healthcare businesses and organisations using AI will need to stay informed about these regulations if they deal with EU partners or customers, to ensure compliance.

Healthcare organisations will particularly need to watch out for “high-risk systems”. Medical devices which incorporate AI as a component, or which operate as an AI system, will be categorised as a high-risk system due to their potential impact on patient health and safety. This classification triggers a host of stringent technical compliance measures that healthcare organisations need to meet. 

To help businesses navigate this classification, we have outlined the technical compliance requirements for these high-risk AI systems:

  • Adopt comprehensive risk management systems. AI systems in medical devices require a comprehensive, ongoing risk management process. This includes monitoring not just during the design and development phases, but throughout the product's entire lifecycle. 
  • Ensure AI-driven medical devices meet regulatory quality standards. High-quality, compliant data sets are critical for the safety and performance of these devices, which often process sensitive health data. Poor data quality can compromise diagnostic or therapeutic decisions, endangering patients and risking non-compliance with the EU AI Act and GDPR.
  • Produce technical documentation to demonstrate compliance, and ensure the system has human oversight. This is crucial for high-risk AI systems, to ensure that they comply with the legislation and do not replace human judgement – particularly medical devices which make diagnostic and/or therapeutic decisions.
  • Perform with appropriate accuracy, robustness and cyber security. AI-powered devices must be designed to operate with cybersecurity safeguards, as outlined by the Act. Companies should provide deployers with their instructions for use (IFUs) to ensure safe use of medical devices.

Penalties for non-compliance in the most serious of breaches of the Act include fines up to 6% of global annual turnover. Poor data management, inadequate oversight and weak risk management frameworks could also see companies pushed out of the market, so there is no time to delay preparation. 

As AI innovation accelerates, regulators are working to keep pace, and Scottish healthcare organisations, as well as the broader MedTech sector, must do the same. While compliance may seem challenging, it offers an opportunity for companies to enhance their systems and build trust in their products. 

This article was originally published in The Scotsman
