
EU AI Act Compliance for Healthtech Startups: End-to-End

A concrete case study of AI Act readiness for a healthtech startup deploying a clinical decision-support AI — classification, FRIA, MDR overlap, notified body pathway, timeline, cost.

Tags: healthtech, use case, MDR, clinical decision support, notified body

Quick answer

Healthtech startups deploying clinical decision-support AI are almost always placing a high-risk AI system on the market (either as a safety component of an Annex I product or as an Annex III use case, depending on the intended claim). That triggers the full provider obligations under the EU AI Act and, separately, Medical Device Regulation (MDR) obligations for the medical-device aspects. Plan for 12-18 months of combined readiness and a €150,000-€400,000 budget for a seed/Series A startup, and engage a notified body that covers both the MDR and the AI Act from day one.

The startup in this case study

Our worked example: an early-stage European startup building an AI-assisted triage tool for primary care. The system ingests the patient's complaint, vitals and history, suggests a triage category (routine / urgent / emergency), and presents the recommendation to a clinician who makes the final call. Users: GP clinics across Spain and Germany. Team: 14 FTE, seed-funded with €3m.

Step 1: Classification

Is this a medical device? Yes — it provides information used to make decisions for prevention, diagnosis or treatment (Article 2 MDR). Under MDR Rule 11 (software intended to provide information used for decisions with diagnostic or therapeutic purposes) it is likely Class IIa or IIb, depending on the severity of the decisions it informs.

Is this a high-risk AI system? Yes — it is a medical device of MDR Class IIa or above, so it is subject to third-party conformity assessment, and the MDR is listed in Annex I, Section A of the AI Act. High-risk confirmed.

Step 2: Dual-regulation overlap

Article 8 of the AI Act recognises systems already covered by sectoral legislation: the MDR conformity assessment can integrate the AI Act requirements. Practical approach: have one notified body cover both regimes in a single assessment, saving time and money.

Look for notified bodies designated under both the MDR (with a software scope) and the AI Act (as designations catch up through 2026). BSI, TÜV SÜD and Dekra are leading contenders.

Step 3: QMS build

Implement ISO 13485 (the medical-device QMS standard), extended to cover the AI Act Article 17 requirements:

  • risk management (ISO 14971, plus ISO/IEC 23894 for AI);
  • data governance (Article 10);
  • technical documentation (Annex IV of the AI Act plus Annex II of the MDR);
  • logging (Article 12);
  • accuracy, robustness and cybersecurity (Article 15);
  • human oversight (Article 14);
  • post-market monitoring (Article 72).

Step 4: Training data and validation

Article 10 of the AI Act requires training, validation and test datasets to be "relevant, representative, free of errors, complete, and have appropriate statistical properties". For healthtech this converges with the MDR clinical evidence requirements. Plan: a diverse clinical dataset; documented preprocessing; hold-out validation; bias testing across protected characteristics; a clinical validation study with a real-world comparator.

Step 5: Fundamental Rights Impact Assessment

An Article 27 FRIA is required from the deployers (the GP clinics) for this system. The startup should provide a FRIA template: it saves clinics time and ensures consistency.

Step 6: Human oversight (Article 14)

Critical design choice: the AI outputs a recommendation; the clinician decides. The system must support the clinician's ability to override, ignore or confirm the recommendation, and must log each interaction. Automation-bias mitigation: show the recommendation confidence honestly; document a disagreement workflow; train clinician users regularly.
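The confirm/override/ignore loop and its logging, as an added example that is not the startup's or the page's own code: a small Python oversight log that refuses an undocumented override, records every recommendation/decision pair, and derives two post-market signals (override rate and the rate at which low-confidence recommendations are simply confirmed). Category names, action names and the confidence threshold are constructed for the example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

# Constructed vocabulary for this example (hypothetical, not the page's product).
TRIAGE = ("routine", "urgent", "emergency")
ACTIONS = ("confirm", "override", "ignore")

@dataclass(frozen=True)
class Interaction:
    case_id: str
    ai_category: str
    ai_confidence: float      # shown to the clinician as-is, never hidden or rounded up
    clinician_id: str
    action: str               # confirm / override / ignore
    final_category: str       # what the clinician actually decided
    reason: str = ""          # mandatory for overrides (disagreement workflow)
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

class OversightLog:
    """Append-only record of every recommendation/decision pair (Article 12 logging)."""
    def __init__(self):
        self._records: list[Interaction] = []

    def record(self, case_id, ai_category, ai_confidence, clinician_id,
               action, final_category=None, reason=""):
        if ai_category not in TRIAGE or action not in ACTIONS:
            raise ValueError("unknown triage category or action")
        if not 0.0 <= ai_confidence <= 1.0:
            raise ValueError("confidence must be in [0, 1]")
        if action == "confirm":
            final_category = ai_category
        elif final_category not in TRIAGE:
            raise ValueError("override/ignore must carry the clinician's own category")
        if action == "override":
            if final_category == ai_category:
                raise ValueError("an override must differ from the recommendation")
            if not reason.strip():
                raise ValueError("override requires a documented reason")
        rec = Interaction(case_id, ai_category, ai_confidence, clinician_id,
                          action, final_category, reason)
        self._records.append(rec)
        return rec

    def override_rate(self):
        """Share of used recommendations the clinician overrode (ignores excluded)."""
        used = [r for r in self._records if r.action != "ignore"]
        return sum(r.action == "override" for r in used) / len(used) if used else 0.0

    def low_confidence_confirm_rate(self, threshold=0.6):
        """Confirms of recommendations below the threshold: a rising value signals automation bias."""
        low = [r for r in self._records if r.ai_confidence < threshold]
        return sum(r.action == "confirm" for r in low) / len(low) if low else 0.0

    def to_jsonl(self):
        """One JSON object per interaction, suitable for the post-market monitoring feed."""
        return "\n".join(json.dumps(asdict(r)) for r in self._records)
```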

Step 7: Post-market monitoring and incident reporting

Both the MDR and the AI Act require post-market surveillance. Serious incidents must be reported within 15 days (AI Act Article 73), or immediately for safety issues (MDR Article 87). Integrate both into one process.

Timeline (realistic)

  • Months 0-3: classification, notified body selection, QMS scope.
  • Months 3-9: QMS implementation, technical documentation, training-data pipeline.
  • Months 6-12: clinical validation study.
  • Months 9-15: notified body pre-assessment and formal review.
  • Months 12-18: CE marking achieved, system placed on market.

Budget (for the example startup)

  • Internal team time: €80,000-€150,000.
  • External counsel (regulatory + clinical-trial law): €30,000-€80,000.
  • Clinical validation study: €30,000-€120,000 depending on size.
  • Notified body: €30,000-€90,000 for joint assessment.
  • Compliance platform: €10,000-€30,000 ARR.
  • Training and change management: €5,000-€15,000.
  • Total year-1: €185,000-€485,000.
