Your Hospital Customer Just Sent Two Questionnaires at Once — One for MDR and One for EU AI Act: How to Answer When They Overlap
It started with one email.
A 1,600-bed academic medical center in the Netherlands was evaluating your AI-assisted clinical decision support tool. Six weeks into procurement, their medical devices procurement officer sent a 58-question MDR compliance questionnaire. Three days later, their IT risk team sent a separate 44-question EU AI Act vendor assessment.
You now have two questionnaires, covering overlapping territory from two different regulatory frameworks, with one response deadline.
Question 11 of the MDR form: "Describe the clinical validation methodology for the software's intended purpose." Question 9 of the EU AI Act form: "Describe the performance testing methodology used to validate the system's accuracy before deployment."
These are not the same question. But they're not entirely different either. Answering them inconsistently — using different numbers, different study citations, or different framing of your validation scope — is the single fastest way to lose a clinical procurement deal.
This post is about how healthtech CTOs navigate the overlap.
Why the Overlap Exists
The EU AI Act and the Medical Device Regulation (MDR, EU 2017/745) were designed by different teams, enacted years apart, and contain no formal cross-reference mechanism. But AI clinical decision support tools often fall under both frameworks simultaneously:
Under MDR, software that influences clinical diagnosis, prognosis, treatment selection, or patient monitoring is classified as a medical device (MDSW — Medical Device Software) under Article 2(1) and must go through conformity assessment based on its risk class (Class IIa or IIb for most AI diagnostic tools).
Under the EU AI Act, AI systems used in health services that can significantly affect health outcomes are classified as high-risk under Annex III, Category 5a. The EU AI Act's obligations (Articles 9–15, 17) sit on top of MDR, not instead of it.
The result: a healthtech AI tool that's Class IIa under MDR and high-risk under the EU AI Act must satisfy both conformity regimes. Procurement teams at large hospital systems have learned this and now issue both questionnaires.
The Six Overlap Areas That Confuse CTOs
1. Clinical validation vs. AI performance testing
MDR asks: What clinical studies or data demonstrate that the software achieves its intended clinical purpose for the intended patient population?
EU AI Act asks: What methodology did you use to test the accuracy, robustness, and freedom from bias of your AI system before deployment? (Article 9(7), Article 15)
How to answer both consistently: Both questions probe the same underlying issue from different angles. MDR wants clinical evidence (prospective or retrospective studies, sensitivity/specificity data, and AUC, all tested against your intended use population). The EU AI Act wants technical performance evidence (test set composition, accuracy metrics, bias testing across subgroups).
Your answer to both should use the same validation study as the foundation. State the study design once, then frame the MDR answer around clinical outcomes and the EU AI Act answer around model performance metrics. Do not use different accuracy figures in each answer — they will be compared.
2. Post-deployment surveillance vs. post-market performance follow-up
MDR asks: Describe your Post-Market Surveillance plan and Post-Market Clinical Follow-Up (PMCF) methodology per MDR Article 83 and Annex XIV.
EU AI Act asks: Describe your post-deployment performance tracking arrangements for the high-risk AI system per Article 72.
How to answer both consistently: These overlap almost entirely. Your MDR PMS/PMCF process — systematic data collection on real-world clinical performance, incident reporting, periodic safety update reports — addresses the EU AI Act Article 72 substance. Frame your EU AI Act answer as a summary of your PMS system, then add any elements Article 72 requires that MDR doesn't explicitly cover (specifically: logging of anomalous AI outputs per Article 12, and the EU AI Act's shorter serious incident reporting timelines under Article 73).
One practical note: MDR PMCF and EU AI Act Article 72 have different reporting cadences. MDR serious incidents must be reported within 15 days (life-threatening), 10 days (serious public health threat), or 30 days (other serious incidents). EU AI Act Article 73 requires serious incident notifications to national market surveillance authorities "without undue delay." Know both timelines and cite them separately when asked.
3. Intended purpose and high-risk classification
MDR asks: What is the intended purpose of the software? Is it a Class I, IIa, IIb, or III medical device?
EU AI Act asks: Do you consider this system high-risk under Annex III of the EU AI Act?
How to answer both consistently: Your MDR risk class and your EU AI Act risk classification are determined by different criteria but describe the same product. State your MDR class first (the more established regulatory determination), then map from there to the EU AI Act classification. A Class IIa MDSW that assists clinical diagnosis almost always maps to Annex III, Category 5a high-risk. Confirm this explicitly rather than leaving the EU AI Act classification as an open question.
Avoid the mistake of saying "we believe we are not high-risk under the EU AI Act" on the EU AI Act form while simultaneously claiming Class IIa classification on the MDR form. Procurement teams will identify the inconsistency.
4. Quality management system
MDR asks: Are you certified under ISO 13485 (Quality Management System for Medical Devices)?
EU AI Act asks: Describe your quality management system per Article 17 of the EU AI Act.
How to answer both consistently: ISO 13485 certification substantially satisfies Article 17 requirements. The EU AI Act Article 17 QMS elements (risk management, data governance, post-market follow-up, change management, incident handling) are all within ISO 13485 scope. State your ISO 13485 certification status, certification body, and scope. Then note any EU AI Act-specific QMS additions (such as the AI-specific bias testing protocols or the Article 9 iterative risk assessment cycle) that your QMS addresses beyond standard ISO 13485 requirements.
5. Technical documentation
MDR asks: Is your technical documentation per Annex II (MDR) complete and available for competent authority inspection?
EU AI Act asks: Is your technical documentation per Annex IV (EU AI Act) complete and current?
How to answer both consistently: These are separate documentation requirements, but they share significant content. Your MDR Annex II documentation (intended purpose, design specifications, risk management file, clinical evaluation) overlaps heavily with EU AI Act Annex IV sections 1, 2, 4, and 5. You are not required to maintain two entirely separate document sets — you can maintain a unified technical documentation file with MDR-specific and EU AI Act-specific annexes clearly labeled. Tell procurement teams this: "Our technical documentation is maintained as a unified file addressing MDR Annex II and EU AI Act Annex IV simultaneously. We can provide the complete file or a summary index on request."
6. Notified body and conformity assessment
MDR asks: Which Notified Body performed your conformity assessment? What is your CE certificate number?
EU AI Act asks: Have you completed the conformity assessment procedures required under Article 43?
How to answer both consistently: Article 40 of the EU AI Act establishes that for high-risk AI systems already subject to MDR or IVDR conformity assessment, a unified conformity assessment may be conducted. In practice, until the EU Commission issues harmonised standards specifically for EU AI Act purposes, most high-risk AI medical devices satisfy the EU AI Act conformity requirement by completing MDR conformity assessment with a Notified Body and documenting EU AI Act-specific obligations (Articles 9–17) in their QMS.
Cite your Notified Body, CE certificate number, and the EU AI Act self-assessment under Article 43(1) that references MDR conformity. Do not claim the MDR CE mark alone covers EU AI Act compliance — it does not. The CE mark covers MDR; EU AI Act conformity is separately demonstrated via technical documentation and QMS records.
Keeping Both Answers Consistent Under Deadline Pressure
The failure mode in dual-questionnaire scenarios is not intentional inconsistency — it's two engineers answering the questionnaires independently under time pressure, pulling from different documents, using different study data.
Before you answer, establish a single source of truth: the most recent version of your MDR technical documentation package. Every EU AI Act answer about performance, validation, clinical evidence, and QMS should trace back to that same document. Then frame the EU AI Act answers using the EU AI Act's vocabulary (Articles 9, 10, 11, 12, 13, 14, 15, 17, 72, 73) while pointing to the same underlying data the MDR answers reference.
That consistency is what converts a procurement team's "we'll need to follow up with more questions" into a signed contract.