EU AI Act + MDR/IVDR Notified Body Coordination: Conformity Assessment for Healthcare AI (2026)

Post #4 in the sota.io EU AI Act + MDR/IVDR Healthcare AI Compliance Series

If your AI system is classified as a medical device under MDR or IVDR, you cannot reach the EU market without third-party conformity assessment. And once the EU AI Act high-risk obligations apply — from August 2, 2026 — you face the same requirement again, independently, under a parallel regulatory framework. Two notified bodies, or one notified body with dual competence. Two declarations of conformity, or a co-signed joint declaration. Two CE marking processes feeding into the same physical label.

This guide explains how the two conformity assessment tracks intersect for healthcare AI, what the practical coordination options are, and how to manage the timeline so you are ready on August 2, 2026.

Why Healthcare AI Gets Two Conformity Assessment Requirements

The standard path for AI high-risk system conformity assessment under the EU AI Act runs through Article 43. For most high-risk AI systems — those falling under Annex III categories such as recruitment tools, credit scoring systems, or law enforcement applications — providers conduct a self-assessment against the harmonised standards (if adopted) or common specifications, document the assessment in the technical documentation under Article 11, and issue an EU declaration of conformity under Article 47.

Healthcare AI breaks from this pattern. The EU AI Act Article 43 includes a specific provision for AI systems embedded in products already covered by Union harmonisation legislation listed in Annex I of the AI Act. MDR and IVDR are both in that Annex I list.

When your AI system falls under this provision, the conformity assessment must follow the applicable sector-specific regulation — meaning MDR or IVDR conformity assessment procedures apply to the AI component of the product, not the standard AI Act self-assessment track. The AI Act obligations (Articles 9 through 17 on risk management, technical documentation, transparency, human oversight, accuracy, and QMS) still apply in full. But the procedure for demonstrating compliance shifts to the sector-specific framework.

What this means in practice: if your medical device requires notified body involvement under MDR or IVDR — which applies to Class IIa, IIb, and III under MDR and to Class B, C, and D under IVDR — then the notified body that certifies your device is also the route through which the AI Act conformity assessment for the embedded AI system is conducted.

The Notified Body Landscape for Healthcare AI

Existing Medical Device Notified Bodies

There are currently around 40 notified bodies designated under MDR and IVDR operating in the EU and EEA. These bodies are designated by national competent authorities and listed in the NANDO (New Approach Notified and Designated Organisations) database. Their competence scope is defined by device classification and technology type — not every MDR notified body covers every device category.

The critical question for healthcare AI developers is whether your existing or prospective MDR/IVDR notified body has the technical competence to also assess the AI components of your device. Not all bodies have developed this capability. The EU AI Act requires that notified bodies carrying out assessments of high-risk AI demonstrate specific AI competence — including understanding of machine learning methods, data governance, performance evaluation, and bias assessment.

You should ask your notified body directly: do they have qualified AI assessors, do they have experience assessing AI-enabled medical devices, and can they issue a conformity assessment certificate that covers both the MDR/IVDR requirements and the Article 9–17 AI Act requirements in a unified process?

Newly Designated AI Act Notified Bodies

The EU AI Act separately establishes a framework for designating notified bodies under AI Act Article 43 and following articles. These bodies are not automatically the same as MDR/IVDR notified bodies. However, for healthcare AI specifically, the AI Act structure anticipates that the MDR/IVDR conformity assessment track is the operative route — so the relevant notified body for healthcare AI is the one designated under MDR/IVDR, provided it has demonstrated the necessary AI competence.

In practice, many of the major European MDR/IVDR notified bodies — BSI (UK, with EU operations), TÜV SÜD, TÜV Rheinland, SGS, DEKRA, RISE — are investing in AI assessment competence. Before August 2026, you should verify your specific body's current capability and the likely timeline for them to formally demonstrate competence for AI-enabled devices.

The Conformity Assessment Path: Step by Step

Step 1: Device Classification Under MDR/IVDR

Before any conformity assessment begins, you need a defensible classification decision. Medical device software — including AI-powered clinical decision support tools, diagnostic imaging AI, and patient monitoring systems — is classified under MDR Rule 11 and IVDR rules that depend on the device's intended purpose and the potential severity of harm from a malfunction.

Most AI-based clinical decision support tools providing diagnosis or treatment recommendations will fall into Class IIa or Class IIb under MDR, triggering mandatory notified body involvement. AI systems used in in vitro diagnostics will typically fall under IVDR Class B, C, or D.

Your classification determines which conformity assessment procedure applies. MDR Annex IX (quality management system plus technical documentation assessment) is the most common route for Class IIa and IIb software devices. MDR Annex X (type examination) or Annex XI (product verification) may apply to Class III devices or specific Class IIb products.

Step 2: AI Act Risk Tier Confirmation

In parallel with MDR/IVDR classification, confirm your AI Act classification. AI systems embedded in MDR/IVDR-classified devices that require third-party conformity assessment under those regulations are automatically high-risk under AI Act Article 6(1) and Annex I. This classification does not depend on what the AI actually does — it is automatic based on the regulatory status of the device.

Document this classification decision in your technical documentation under Article 11 of the AI Act, alongside the MDR/IVDR classification rationale.

Step 3: Assemble the Unified Technical File

As covered in Post #2 of this series, the technical documentation required under AI Act Article 11 (Annex IV) and the MDR/IVDR technical file (MDR Annex II) have significant overlap. A unified technical file structure that satisfies both frameworks simultaneously reduces the assessment effort and avoids inconsistencies between what you tell the AI assessor and what you tell the MDR notified body.

The unified file should include:

• AI system description and intended purpose — maps to both Annex IV AI Act and MDR Annex II Section 1
• Risk management file — ISO 14971 methodology satisfies MDR Annex I GSPR and aligns with AI Act Article 9 risk management requirements
• Training dataset description and validation methodology — required under AI Act Article 10 and Article 11, and forms part of the clinical evidence under MDR
• Technical specifications and performance metrics — accuracy, sensitivity, specificity, AUC-ROC — required under AI Act Article 15 and MDR/IVDR GSPR
• Post-market monitoring plan — AI Act Article 72 and MDR PMS plan (as covered in Post #3 of this series)

Step 4: Submit to Your Notified Body

For MDR/IVDR Class IIa and IIb products, the notified body assessment under Annex IX includes:

1. Audit of your quality management system against ISO 13485 (or equivalent)
2. Assessment of the technical documentation for representative samples
3. Ongoing surveillance activities post-certification

When your device incorporates AI, the notified body must assess the AI-specific elements of your technical documentation — the training data governance, performance validation methodology, bias analysis, and the continuous monitoring plan that connects to your AI Act Article 72 obligations. A notified body with AI competence will assess these elements as part of the Annex IX review; they do not require a separate AI-specific assessment procedure for embedded healthcare AI.

The output of this assessment, if successful, is an MDR/IVDR conformity assessment certificate. For the AI Act, this certificate constitutes the conformity evidence that underlies your Article 47 EU declaration of conformity.

Step 5: Issue the EU Declarations of Conformity

Healthcare AI developers must issue declarations of conformity under both regulatory frameworks:

MDR/IVDR declaration: The manufacturer's declaration that the device conforms to all applicable MDR/IVDR requirements, including the General Safety and Performance Requirements (GSPR). This declaration references the notified body certificate number.

AI Act Article 47 EU declaration of conformity: The provider's written declaration that the high-risk AI system conforms to the AI Act. For healthcare AI where the MDR/IVDR conformity assessment route applies, this declaration references the same notified body assessment and certificate.

In practice, many manufacturers use a single combined declaration that satisfies both requirements simultaneously. Check with your notified body whether they issue a combined certificate format or whether you need to issue separate declarations.

Step 6: CE Marking

AI Act Article 48 establishes that high-risk AI systems covered by Annex I sector legislation — including MDR and IVDR — must bear the CE marking of conformity in accordance with that sector legislation. The CE marking on your MDR/IVDR-certified device simultaneously covers the AI Act conformity. You do not affix a second CE mark for the AI Act specifically.

The CE marking requirements under MDR and IVDR — minimum 5mm height, placed on the device or packaging, accompanied by the four-digit number of the notified body — remain unchanged. The AI Act does not add additional marking requirements for healthcare AI devices beyond what MDR/IVDR already requires.

Step 7: EUDB Registration

AI Act Article 49 requires providers of high-risk AI systems to register themselves and the AI system in the EU database (EUDB) before placing the system on the market. This is separate from any MDR/IVDR EUDAMED registration obligations.

The EUDB is established under AI Act Article 51 and is intended to be operational ahead of the August 2, 2026 deadline. Registration requires provider identification information and key characteristics of the AI system as listed in Annex VIII of the AI Act.

For healthcare AI, EUDAMED registration (the medical device database operated by the European Commission) is also required under MDR/IVDR. EUDAMED covers: UDI (Unique Device Identification) registration, the registration database for manufacturers and devices, notified body certificates, clinical investigations, vigilance reports, and market surveillance data.

You will need to manage both registrations separately — EUDB for the AI Act obligation and EUDAMED for the MDR/IVDR obligation. There is currently no unified registration system that satisfies both in a single submission, though the Commission has indicated interest in data sharing between the two databases.

Coordinating Two Notified Bodies (If Necessary)

Most healthcare AI developers will work with a single notified body for both their MDR/IVDR certification and the AI Act conformity assessment component, provided that body has developed AI competence. This is the simplest and most efficient path.

In some cases — particularly where a developer has an existing relationship with an MDR notified body that has not yet developed AI assessment capability — it may become necessary to work with two separate notified bodies: one for MDR/IVDR certification and a separately designated AI Act notified body for the AI-specific elements.

If you face this situation, the documentation burden increases significantly. You must ensure that:

• Both bodies assess a consistent version of your technical documentation
• The AI Act notified body's assessment conclusions are integrated into your Article 47 declaration
• Any observations or findings from one body that affect the scope of the other's assessment are communicated between the bodies (with your coordination)
• The combined certificate structure clearly evidences compliance with both regulatory frameworks

This two-body scenario is legally permissible but operationally complex. It significantly increases cost, timeline risk, and the potential for conflicting assessments. The strong practical recommendation is to identify an MDR/IVDR notified body with demonstrated AI competence and use them as the single point of assessment.

Timeline to August 2, 2026

The practical timeline for healthcare AI conformity assessment is tight. Notified body review cycles for complex Class IIb medical device software typically run 12–18 months from initial application to certificate issuance, and that is without the added complexity of AI assessment elements that many bodies are still building competence for.

If you have not yet initiated your MDR/IVDR notified body process: You are unlikely to be certified by August 2, 2026 through a standard process. Explore whether your product can be brought within the scope of an existing device family already in assessment, whether any notified body offers expedited review for AI-enabled devices, or whether your device classification might be re-evaluated.

If you are in the middle of MDR/IVDR assessment: Ensure your notified body is aware that the device incorporates AI elements that trigger AI Act Article 43 obligations. Confirm they will assess the AI Act documentation requirements as part of the current review cycle, not as a separate post-certification exercise.

If you are already MDR/IVDR certified: You may need to update your technical documentation and trigger a change notification to your notified body to add the AI Act documentation elements. The change procedure depends on whether the AI Act obligations are considered a "significant change" to the device — in most cases, adding AI Act documentation to an existing certified device (without changing the device's functionality) is manageable within a standard change procedure.

Common Mistakes in Notified Body Coordination

Treating AI Act compliance as a post-certification add-on. AI Act Article 17 requires a quality management system that covers the AI system from development through deployment. If your QMS was built for MDR/IVDR compliance (ISO 13485) without AI-specific processes built in, retrofitting those processes post-certification is more disruptive than building them into the original assessment scope.

Assuming your MDR notified body automatically covers AI Act requirements. MDR certification covers MDR requirements. The AI Act adds obligations — Articles 9 through 17 — that are not co-extensive with MDR GSPR. Even if your notified body assesses your device and issues an MDR certificate, you must confirm they have explicitly assessed the AI Act elements and that your Article 47 declaration is supportable on that basis.

Issuing an Article 47 declaration without notified body support. For healthcare AI embedded in MDR/IVDR products, the self-assessment route is not available for the conformity assessment procedure. Your Article 47 declaration must be backed by a notified body certificate. Issuing a declaration without that support is a regulatory violation, not just a documentation gap.

Underestimating EUDB registration timing. Article 49 registration in the EUDB must occur before placing the system on the market. If the EUDB system is not fully operational by August 2, 2026 (which is an implementation uncertainty), the Commission may issue transition guidance — but do not assume a delay. Plan for registration readiness by July 2026.

Choosing the Right Notified Body: Questions to Ask

Before selecting or confirming your notified body for a healthcare AI device, ask:

1. What is your current designated scope for MDR/IVDR? Confirm they are designated for the relevant device classification and specialty area.

2. Have you assessed AI-enabled medical devices before? Ask for examples of device categories and AI modalities they have assessed.

3. Who are your AI assessors? Understand their qualifications — are they data scientists, software engineers, clinical informaticists? What standards do they assess against?

4. Can you issue a certificate that explicitly covers the EU AI Act Article 43 conformity assessment requirements? Get a clear yes or no, not a vague commitment to "cover AI elements."

5. What is your current estimated review timeline for a new Class IIb AI-enabled software device? If the answer is "18 months or more," factor that into your August 2026 planning.

6. Will you assess the Article 9 risk management system as a distinct element? The AI Act risk management system requirements are not identical to ISO 14971 — confirm your notified body can assess both.

What's Next in the Series

This post has covered the conformity assessment machinery — how you get from "we have a healthcare AI system" to "we have a CE-marked, EUDB-registered product backed by a notified body certificate."

Post #5 (Finale): We bring the full series together with a practical compliance checklist and deployment roadmap for healthcare AI developers targeting the August 2, 2026 deadline — covering QMS integration, documentation milestones, notified body coordination, EUDB registration, and the ongoing surveillance obligations that continue after certification.

Series Navigation

Developing healthcare AI for the EU market? sota.io provides EU-native deployment infrastructure — GDPR-compliant, data-sovereign, deployed on European servers. Get started →