If you build software as a medical device (SaMD) with an AI or machine-learning component, the EU AI Act has been hanging over your roadmap for almost two years. In late 2025 and early 2026 the goalposts moved — twice. This article walks through where things actually stand for medical device manufacturers in mid-2026, which obligations are still active, which got pushed, and what a small SaMD team should be doing this quarter regardless of which deadline survives the legislative dust.
Why this article exists right now
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 with a staggered application schedule. The original plan was simple in shape: prohibitions and AI literacy in February 2025, general-purpose AI model obligations in August 2025, most high-risk obligations in August 2026, and the rules covering AI embedded in regulated products like medical devices in August 2027.
Then, on 19 November 2025, the European Commission published its “Digital Omnibus on AI” package proposing to delay several of those deadlines. The Council agreed its position on 13 March 2026, the Parliament plenary on 26 March, and on 7 May 2026 the two institutions reached a provisional political agreement at trilogue. Standalone high-risk AI moves to 2 December 2027 and AI embedded in third-party-assessed products (which is where most medical device AI sits) to 2 August 2028. Formal adoption is expected before 2 August 2026, after which the amended dates will be published in the Official Journal.
The practical effect is that the high-risk dates have effectively moved back by a year, but formal adoption is still pending. Below is what you can act on now — the underlying work doesn’t change with the deadline.
Is your SaMD high-risk AI under the AI Act?
For medical devices, the answer is almost always yes — and the route is Article 6(1) of the AI Act, not Annex III. Article 6(1) automatically classifies as high-risk any AI system that is (a) intended to be used as a safety component of, or is itself, a product covered by EU harmonisation legislation listed in Annex I, and (b) requires a third-party conformity assessment under that legislation.
In medical-device language, that translates to a simple test:
- MDR Class IIa, IIb, III with an AI/ML component → high-risk AI. These need Notified Body involvement under MDR, so Article 6(1) triggers automatically.
- IVDR Class B, C, D with an AI/ML component → high-risk AI. Same logic via IVDR Notified Body involvement.
- MDR Class I & IVDR Class A (self-certified) → usually not high-risk under Article 6(1), because no third-party conformity assessment is required. But check if any sterile/measuring/reusable surgical sub-category bumps you to NB review.
- Wellness or lifestyle software outside MDR/IVDR scope → not automatically high-risk via Article 6(1), but may still hit Annex III (e.g. biometric categorisation, emotion recognition) or fall under transparency duties in Article 50.
A useful mental model: if your device needs a Notified Body under MDR or IVDR and uses AI/ML in any safety-relevant function, assume high-risk AI obligations apply on top of MDR/IVDR. The interesting question stops being “am I high-risk?” and becomes “by when?”
The original timeline (as published, pending formal adoption of the amending regulation)
Until the amending regulation is formally adopted and published in the Official Journal — expected before 2 August 2026 — these are the dates that legally bind you:
- 2 February 2025 (in force): Prohibited AI practices (Article 5) and AI literacy obligations (Article 4). These already apply to your organisation.
- 2 August 2025 (in force): Obligations for providers of general-purpose AI models (Article 51 onwards). Relevant if you build on or fine-tune a foundation model.
- 2 August 2026: Most high-risk AI obligations begin to apply for systems classified through Annex III (standalone high-risk AI). Penalties regime starts. Authority designations finalised.
- 2 August 2027: Full application of Article 6(1) — the rules covering AI embedded in regulated products including medical devices. This is the date that has historically mattered most for MDR/IVDR SaMD.
What the Digital Omnibus changes
Two date shifts matter for SaMD (confirmed in the 7 May 2026 provisional political agreement), plus one conditionality to watch:
- Annex III standalone high-risk AI: application date moves from 2 August 2026 to 2 December 2027.
- Article 6(1) embedded high-risk AI (MDR/IVDR territory): application date moves from 2 August 2027 to 2 August 2028.
- Conditional triggers: the Council version makes some deadlines contingent on harmonised standards and a functioning EU AI database actually being available — an explicit recognition that without the tooling, compliance can’t be assessed.
Important: a provisional political agreement is not the same as formal adoption. Until the amending regulation is published in the Official Journal (expected before 2 August 2026), the original dates technically remain the legal reference. The political deal is solid enough that the new dates are the realistic planning horizon — but treat it as near-certain, not done.
Why medical devices didn’t get the full carve-out
The political fight that produced the 7 May 2026 agreement matters for SaMD developers, because the outcome was uneven. Industrial AI in machinery secured a full exemption from direct AI Act applicability after sustained pressure from Germany. The European Parliament pushed for the same complete sectoral exemption for medical devices and IVDs. The Council blocked it on fragmentation grounds. The compromise has three components:
- AI Act QMS obligations (Article 17) can be discharged through your existing MDR/IVDR QMS — confirmed explicitly in the agreement. This validates the “don’t start a separate QMS” approach.
- For other obligations, the Commission gains authority to issue implementing acts limiting AI Act application where sectoral law already covers equivalent requirements. These implementing acts have not been published yet.
- The MDR/IVDR revision (already in progress) becomes the next vehicle for reducing AI Act / MDR-IVDR duplication. MedTech Europe has flagged this as where the unresolved concerns will be raised.
Practical reading: assume dual MDR/IVDR + AI Act compliance for your current programme, but track two specific signals over the next 12 months — forthcoming Commission implementing acts on AI Act / sectoral alignment, and the MDR/IVDR revision text. That is where any real reduction in duplication will surface.
What hasn’t moved — act on these now
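Whatever happens to the high-risk deadline, three things are already in force and apply to your team today. They are the first three items below; the last two are not AI Act deadlines but belong on the same checklist: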
- AI literacy (Article 4): providers and deployers must ensure staff dealing with AI systems have a sufficient level of AI literacy. For a SaMD developer that means documented training for engineers, clinical evaluators, QA and post-market staff — not a Notified Body finding waiting to happen.
- Prohibited practices (Article 5): low risk for most medical devices, but check uses involving emotion recognition in workplace/education contexts, social scoring, or untargeted scraping of facial images. Some adjacent “wellness” or HR-flavoured features have been caught here.
- GPAI provider obligations (Article 51+): if you fine-tune or rely on a general-purpose model, understand what your upstream provider is contractually committing to and document it. Notified Bodies have started asking.
- MDR/IVDR is unchanged: none of the AI Act dates affect your existing MDR or IVDR obligations. CE marking timelines, EUDAMED registration, PMS, vigilance — those continue on their own schedule.
- Voluntary alignment with ISO/IEC 42001: the AI management system standard is becoming the practical benchmark Notified Bodies and customers reference. Adopting it early is cheap insurance whichever way the deadlines land.
Where MDR/IVDR and the AI Act overlap (and where they don’t)
The good news is that a serious MDR or IVDR technical file already covers a lot of what the AI Act asks for. The bad news is that “a lot” is not “all”. Here is the overlap map most teams need:
- Risk management: ISO 14971 covers patient-safety risk. The AI Act (Article 9) also wants risks to fundamental rights, fairness, and reasonably foreseeable misuse documented in the same continuous process. Extend, don’t duplicate.
- Data and data governance (Article 10): goes well beyond MDR clinical evaluation. You need documented provenance, representativeness, bias examination, and labelling quality of training, validation and testing datasets. This is the single biggest new workstream for most SaMD teams.
- Technical documentation (Article 11 + Annex IV): overlaps heavily with MDR Annex II/III but adds AI-specific content: training methodology, performance metrics across subgroups, known limitations, foreseeable misuse, monitoring plan.
- Human oversight (Article 14): requires designed-in measures that allow a qualified human to interpret outputs and intervene. Maps onto MDR usability engineering (IEC 62366) but with specific AI Act expectations about “automation bias” and the ability to disregard, override, or reverse the output.
- Post-market monitoring (Article 72): on top of MDR PMS/PMCF and IVDR PMPF, the AI Act expects active monitoring of performance, including drift, for the lifetime of the system. Plan now for a unified PMS + AI performance monitoring procedure rather than two parallel systems.
- Quality management system (Article 17): if you already run a serious ISO 13485 QMS, expect to add procedures for data governance, change management of AI models, logging, and incident reporting specific to AI behaviour. Don’t start a separate QMS.
What goes into the AI-specific part of your technical file
Annex IV of the AI Act lists the technical documentation contents for high-risk AI systems. For a SaMD team that already has an MDR or IVDR file, these are the additions you will be writing:
- General description: intended purpose, version, integration into devices/services, instructions for use specific to the AI behaviour.
- Detailed description of the AI system: design choices, key architectural decisions, methods and training/testing/validation processes, datasets used (with provenance, scope, characteristics).
- Monitoring, functioning and control: capabilities and limitations, expected accuracy levels, foreseeable misuse, human oversight measures, technical robustness and cybersecurity measures.
- Risk management documentation: the integrated process described above, with outputs.
- Lifecycle change documentation: what counts as a substantial modification (the AI Act treats this differently from MDR “significant change”) and how it is controlled.
- Performance metrics: validation results, including subgroup analyses where relevant, and statement of accuracy and robustness metrics with the reasoning for those choices.
- Post-market monitoring plan: aligned with MDR/IVDR PMS but covering AI-specific signals (drift, distribution shift, performance degradation).
Notified Bodies under the AI Act
For AI embedded in MDR/IVDR devices, the AI Act conformity assessment is integrated into the existing MDR/IVDR Notified Body procedure. You do not get a second NB — your existing MDR/IVDR NB has to be designated under the AI Act too and assess AI Act compliance as part of the same audit. As of mid-2026, very few NBs have completed this designation. Expect this to be a bottleneck.
Practical implication: ask your NB now whether they have applied for AI Act designation, what their expected scope is, and whether your device type falls within it. If the answer is “not yet”, that is your single biggest scheduling risk for 2027/2028.
A practical action plan for SaMD developers in 2026
Regardless of whether the Article 6(1) date is August 2027 or August 2028, the work below is the same. Treating it as a 2026 programme is what avoids a panic in early 2027.
- Q2 2026 — AI literacy & gap analysis: roll out documented AI literacy training across product, clinical and quality teams. In parallel, run a gap analysis of your current technical file against AI Act Annex IV.
- Q3 2026 — Data governance baseline: document provenance, scope, and limitations of training/validation/test datasets. Add a bias examination step. This is usually the longest workstream — start it first.
- Q3 2026 — QMS extension: add AI-specific procedures (data governance, model change control, AI incident reporting, post-market AI monitoring) into your existing ISO 13485 QMS. Avoid a parallel system.
- Q4 2026 — Risk management integration: extend ISO 14971 risk files to include AI Act risks (fundamental rights, foreseeable misuse, fairness). Update human oversight documentation under IEC 62366.
- Q4 2026 — NB conversation: formal written enquiry to your MDR/IVDR Notified Body on their AI Act designation status, expected timeline, and scope. Decision point on whether to change NB if the answer is unsatisfactory.
- Q1 2027 — Technical file consolidation: produce the integrated MDR/IVDR + AI Act technical file. Pilot internal audit. Address findings. Lock the version before NB submission.
Three common misconceptions
“If it’s in EUDAMED it’s fine.” EUDAMED does not assess AI Act compliance. A future EU AI database is foreseen for high-risk AI systems and you will need to register there separately. Plan for two registrations, not one.
“The omnibus delay means I can stop work.” The political deal is locked; the work is not. Even at the new 2 August 2028 deadline for embedded high-risk AI, that date is still on the same side of your typical 18–24-month NB queue. Stopping work today means starting from behind in 2027.
“My device is Class IIa, so the AI Act doesn’t really apply yet.” Class IIa requires Notified Body conformity assessment under MDR, which is exactly the trigger for Article 6(1). Class IIa AI-enabled devices are high-risk AI. The only honest debate is about the date, not the principle.
Bottom line
The EU AI Act will sit on top of MDR or IVDR for any AI-enabled medical device that needs a Notified Body. The deadlines may shift; the architecture of the obligation will not. The teams that will be ready are the ones treating mid-2026 as the time to extend their existing ISO 13485 + MDR/IVDR programme to cover data governance, AI risk, human oversight and AI post-market monitoring — not the ones waiting to see which date sticks. Whichever side of the omnibus you bet on, the work in Q2–Q4 2026 is the same.