Regulation and policy

How the EU AI Act Sorts Medical AI Into Risk Tiers, and What High Risk Means

The EU AI Act does not treat all artificial intelligence the same way. It sorts systems into four bands by the risk they pose to health, safety, and fundamental rights: a small prohibited tier, a large high-risk tier, a limited-risk tier that mainly triggers transparency duties, and a minimal-risk tier that carries almost no new obligations.

The short answer

The EU AI Act does not treat all artificial intelligence the same way. It sorts systems into four bands by the risk they pose to health, safety, and fundamental rights: a small prohibited tier, a large high-risk tier, a limited-risk tier that mainly triggers transparency duties, and a minimal-risk tier that carries almost no new obligations. Most clinical AI lands in the high-risk tier, because a tool that is a medical device (or a safety component of one) is high-risk by definition under the Act. This piece is an educational explainer of that classification logic and the duties that follow. It is not legal advice, and anyone building or buying medical AI should confirm their own path with qualified regulatory and legal counsel.

Four tiers, sorted by risk rather than by technology

A useful feature of the Act is that it asks what a system does, not which algorithm it uses. The same underlying model can sit in different tiers depending on its purpose.

The top tier is unacceptable risk, a short list of prohibited practices. These are uses the Act treats as incompatible with fundamental rights, such as untargeted scraping to build facial-recognition databases or certain forms of social scoring. Very little clinical software touches this band, but it exists to draw a hard outer boundary.

Below it sits high-risk, where the real regulatory weight lives and where most medical AI belongs. I will come back to why in a moment.

The third tier is limited risk, better understood as a transparency tier. Here the concern is not physical safety but that a person should know when they are dealing with a machine. A chatbot has to disclose that it is a chatbot; certain synthetic or manipulated media has to be labeled. A patient-facing symptom-triage assistant might carry these transparency duties on top of any device obligations.

The fourth tier is minimal risk, which covers the large majority of everyday software: spam filters, inventory tools, most back-office automation. The Act leaves this band largely untouched and encourages voluntary good practice rather than mandatory controls.

Why most medical AI is high-risk

Two doors lead into the high-risk tier, and medical AI usually walks through the first one.

The first door is products already regulated under existing EU safety law. If an AI system is itself a regulated product, or a safety component of one, and that product must undergo third-party conformity assessment, the AI is high-risk. Medical devices and in vitro diagnostic devices sit squarely here. So an AI tool that qualifies as Software as a Medical Device under the Medical Device Regulation or the In Vitro Diagnostic Regulation, or an AI component embedded in a physical device, generally counts as high-risk under the AI Act. That is the structural reason so much clinical AI lands in this band: it was a regulated medical product before the AI Act arrived.

A second door is a list of specific use cases the Act singles out, covering areas like biometrics, critical infrastructure, education, employment, and access to essential services. Health appears here too, for example in certain uses tied to emergency care triage and to eligibility for public benefits. A narrow filter applies: a system that would otherwise be listed may escape high-risk status if it does not pose a significant risk to health, safety, or rights, and the provider documents that assessment. That carve-out is deliberately narrow, and a tool that meaningfully influences diagnosis or treatment rarely fits through it.

In practice, if your software helps decide what is wrong with a patient or what to do about it, expect the high-risk label and plan accordingly.

What high-risk actually asks of you

The obligations read like a codified version of good medical-device engineering. If you have worked under a modern quality system, much of this will feel familiar, which is by design.

Risk management. A continuous, documented process that identifies and reduces foreseeable risks across the whole lifecycle, revisited whenever the system changes. This maps closely onto the risk-management discipline that device engineers already know from standards such as ISO 14971.

Data governance. Training, validation, and test data must be governed for relevance, representativeness, accuracy, and completeness, with known biases examined and addressed. For clinical tools this is where questions of who the data represents, and who it does not, become formal obligations rather than afterthoughts.

Technical documentation and record-keeping. A defined dossier that demonstrates conformity, kept current as the system evolves.

Logging. The system must automatically record events over its lifetime so behavior can be traced and audited. In a clinical setting, traceability earns its keep by letting you reconstruct what happened when an output is questioned.

Transparency and instructions for use. Deployers need clear information about capabilities, limits, and appropriate use, so a clinician can interpret an output rather than defer to it blindly.

Human oversight. Systems must be designed so a competent person can understand, monitor, and if necessary override them. For medical AI, the aim is to keep a clinician meaningfully in the loop rather than reduced to a rubber stamp.

Accuracy, robustness, and cybersecurity. The system should perform consistently and resist both error and interference across its intended use.

Post-market monitoring. After launch, providers keep watching real-world performance, feed what they learn back into risk management, and report serious incidents. This is a living duty, not a one-time gate at approval.

These AI Act duties are meant to run alongside existing device rules, not to duplicate them. The intent is one coordinated conformity assessment that satisfies both the device framework and the AI framework, so a manufacturer avoids two entirely separate processes.

A phased, and still-moving, timeline

The Act entered into force in 2024 and switches on in stages rather than all at once. The prohibited-practice rules and initial AI-literacy duties came first. Obligations for general-purpose AI models followed. The high-risk obligations arrive later, and here the calendar deserves care: the timeline for high-risk systems, and in particular for AI tied to already-regulated products like medical devices, has kept moving, and during 2026 EU institutions worked toward a provisional agreement to postpone parts of the high-risk regime. Rather than commit to a single date that may shift again, the safer reading is directional. High-risk duties for medical AI fall among the later phases, and the exact dates are worth confirming against the current official text before you build a compliance plan around them.

The steadier point is preparation. Risk files, data-governance records, logging, oversight design, and monitoring plans take time to assemble, and starting early is prudent regardless of where the final dates land.

References and sources

  1. European Commission EU AI Act regulatory framework
  2. AI Act Article 6 classification rules for high-risk AI
  3. AI Act Annex III high-risk use cases including healthcare triage
  4. High-level summary of the AI Act risk tiers and phased timeline

How this was researched. This explainer is built from the primary sources listed above and reflects Dr. Tojjar's own critical appraisal of that evidence. It explains and evaluates research and does not provide medical care.

This article is for general education and is not medical or professional advice. For guidance about your own health, talk with a qualified clinician.

Cite this article

Tojjar, D. (2024). How the EU AI Act Sorts Medical AI Into Risk Tiers, and What High Risk Means. Dr. Damon Tojjar. https://readingtheevidence.org/articles/eu-ai-act-risk-classes-in-health/

Back to all insights