Article · May 2026 · 6 min reading time

AI in healthcare: what the EU AI Act changes in practice for healthcare organisations

What the EU AI Act changes for healthcare organisations: which tools are high-risk, the MDR/IVDR overlap, human oversight and the deadlines you need to plan for.

Updated 3 July 2026. On 29 June 2026, the Council gave its final green light to the Digital Omnibus on AI. The act still awaits publication in the Official Journal and will enter into force on the third day after publication. With it, the application dates for high-risk AI move to 2 December 2027 (stand-alone systems) and 2 August 2028 (AI embedded in products, such as medical devices). The AI literacy obligation of Article 4 is unchanged and has applied since 2 February 2025.

From triage algorithms in the emergency department to AI-supported image analysis in radiology: AI has swept into healthcare faster than governance can keep pace. AI literacy has been mandatory since 2 February 2025. For the heavier high-risk AI obligations, the Digital Omnibus is set to provide more time, but healthcare organisations would do well to get their AI use, governance and supplier agreements in order now.

Why healthcare is a separate category

In almost every sector the same holds: AI is new, regulation catches up, organisations have to keep pace. In healthcare it is different. Here AI touches directly on things that are already deeply regulated: patient safety, medical decision-making, the privacy of the most sensitive type of personal data that exists. The EU AI Act does not land in an empty field. It comes on top of the GDPR, on top of the Medical Devices Regulation (MDR/IVDR), on top of national health legislation and on top of the professional disciplinary law for healthcare professionals.

That makes healthcare organisations both the organisations with the most compliance experience and the ones where AI governance is the most complex to set up. With various supervisory authorities evaluating the same system from different angles, no healthcare provider wants to be the first to make a patient-harming mistake.

Which AI applications can count as high-risk AI

The EU AI Act works with Annex III: categories of AI applications that are in principle designated as high-risk AI unless a specific exception applies. For healthcare, the relevant ones are:

AI for triage or prioritisation of patients in emergency care
AI as a safety component in a medical device, which incidentally is already regulated through the MDR/IVDR as well
AI for access decisions to healthcare services, public healthcare benefits or reimbursement, depending on the institutional context and legal basis
AI in recruitment and selection of healthcare staff

But the law does not work only with Annex III. Some AI applications in healthcare fall under the transparency rules for limited-risk AI, for example triage chatbots or other systems that interact directly with patients. Others may be minimal-risk, high-risk, or regulated through the MDR/IVDR, depending on their purpose and use. And even for minimal-risk applications, the Article 4 obligation applies: the organisation must be able to show that it has taken appropriate measures to ensure sufficient AI literacy among staff who work with AI. We set out elsewhere what the AI literacy obligation under Article 4 precisely entails.

The applications that healthcare organisations often do not see as "AI"

In conversations with care managers and quality officers, it turns out again and again that the term "AI" is interpreted narrowly. People think of striking applications such as image analysis software from a radiology supplier. But in practice, almost every modern healthcare organisation already uses:

Speech-to-text dictation software with AI-driven recognition, used for patient records
Triage chatbots on the website or in patient portals
Clinical decision support in the EHR, which, depending on purpose and qualification, can fall under the MDR/IVDR and/or the high-risk AI rules of the AI Act
Risk stratification models that classify patients by likelihood of readmission, decompensation or fall incidents
Rostering tools that use AI for staffing
AI features in PACS systems that alert radiologists to anomalies
ChatGPT or Copilot in the hands of an employee who uses it to write policy documents, letters or even discharge letters for patients

Insofar as these applications qualify as an AI system under the EU AI Act, they fall under the AI Act framework. Not all of them as high-risk AI, but they do fall under the basic obligations such as AI literacy.

The four areas healthcare organisations should not leave until 2027

The formal application of many high-risk AI obligations is moving later, but AI literacy already applies. On top of that, inventory, contract review, governance and training take time in the healthcare sector. Four areas therefore need attention now.

First area: AI literacy of staff. Healthcare workers who use AI outcomes in decisions about patients must know what the tool does, where the limits lie, how to recognise warning signs and when to override the outcome. A nurse who blindly follows a score from an early-warning system without understanding what sits behind it is a liability risk, for themselves, for the organisation, and ultimately for the patient.

Second area: human oversight and final responsibility. For high-risk AI, there must always be a healthcare professional who takes the final decision and who also has the ability and authority to override the AI. "The system decided it that way" is not a valid justification in a disciplinary complaint. The doctor or nurse remains professionally accountable for how they use the AI output, while the organisation must make that responsibility workable through training, procedures and authority to override.

Third area: transparency towards patients. When AI plays a role in decisions that materially affect patients, healthcare organisations must carefully assess which information and explanation duties apply. These can arise from the AI Act, the GDPR, patient rights, informed consent, the MDR/IVDR and internal quality procedures. In most information leaflets and intake procedures, this is currently barely arranged, if at all.

Fourth area: supplier contracts and MDR/IVDR overlap. Many AI tools in healthcare are already regulated under the MDR/IVDR. The EU AI Act adds a layer on top. The question then is: what is the responsibility of the supplier (provider) and what is the organisation's (deployer)? That demarcation has to be clear contractually, and in many existing contracts it is not.

The three groups that each need their own training

Care providers (doctors, nurses, allied health professionals) who use AI tools in direct patient care: practical knowledge about how to handle AI output, recognise bias, exercise human oversight and know their responsibility under both the AI Act and disciplinary law.
Management, quality and the executive board: governance knowledge, risk assessment at institutional level, setting up an AI committee or working group, supplier management, the duty to account to the inspectorate and the supervisory board.
Support functions (administration, secretarial, planning, communication): basic knowledge of responsible AI use, what they may and may not enter into an AI tool (such as entering patient data into ChatGPT, which can create a data breach or an unlawful processing situation) and how to recognise warning signs in their own work.

What is already mandatory, what is still to come

Already in force. Article 4 on AI literacy has applied since 2 February 2025. Providers and deployers of AI systems must take measures to ensure, to the best of their ability, that their staff and those who work with AI on their behalf are sufficiently AI-literate, tailored to role, experience and context of use. For healthcare organisations, this is the most concrete obligation at this moment.

On 2 December 2026. The Digital Omnibus adds a ban on AI systems for non-consensual intimate-content generation, often referred to as "nudification", and on AI that can generate child sexual abuse material. For healthcare, this is mainly relevant for AI procurement policy and for what ends up in the AI tool inventory.

On 2 December 2027. Following the Council's final green light on the Digital Omnibus of 29 June 2026, the obligations for stand-alone high-risk AI systems under Annex III become enforceable on this date. Think of AI for emergency triage or for access to care provisions. Originally, 2 August 2026 was set in Regulation 2024/1689; that date remains formally valid until the Digital Omnibus is published in the Official Journal of the EU and enters into force.

On 2 August 2028. On that date, the high-risk AI requirements become applicable for AI systems embedded in regulated products. For healthcare, that is the big category: AI as a safety component in, or as, a medical device under the MDR/IVDR.

This extension is by no means a free pass. For systems that will later be classified as high-risk AI, the obligation to carry out a conformity assessment lies primarily with the supplier as provider. For the healthcare organisation as deployer, something else applies: using the system in line with the instructions, arranging human oversight with people trained for it, keeping input data under control, monitoring use, reporting serious incidents, keeping logs, informing affected persons where the law requires it and cooperating with supervisory authorities.

What you can realistically do now

The postponement of the high-risk AI deadlines to 2027 and 2028 changes the time pressure, not the task. The Article 4 obligation already applies, and the time until 2 December 2027 is exactly what an organisation needs to take the high-risk steps carefully rather than in a rush.

Start now:

Inventory: map all AI applications. Work from departments, not from IT, because IT often knows only the centrally purchased systems, not the AI features in local tools or the ChatGPT use on the shop floor. Determine for each system whether it falls under Annex III and whether an MDR/IVDR classification exists.
Role-based training: start AI literacy training for the three groups above. This can be done now, and must be done now, because Article 4 is in force.

Second half of 2026:

AI governance at institutional level: appoint a responsible person (often the CMIO, quality officer or DPO, or a combination). Start with the three or four highest-risk systems, not with an attempt at completeness that never gets finished.
Supplier contracts: review contracts for AI components. Which supplier is the provider, what information should you receive from them as deployer, how does the AI Act relate to the existing MDR/IVDR arrangements?
Central file: document everything in one central AI file, alongside the existing quality and privacy files, but cross-referenced to them.

Towards 2027 and 2028:

Make high-risk AI systems operational: for systems that will be high-risk AI, stand-alone from 2 December 2027 and medical-device-integrated from 2 August 2028, set up human oversight, make logging operational, record usage instructions and put an incident-reporting procedure in place. The conformity assessment lies with the supplier; your task is to check that it exists and that the system is used according to specifications.
Dry run: could you show the inspectorate tomorrow what you do? Test that internally before someone else asks.

In closing

Healthcare has led the way in compliance for years: GDPR, MDR/IVDR, NEN 7510, quality frameworks, HKZ. In that light, AI Act compliance is not an extra burden but a logical extension of what is already being done. The difference is that AI is newer, changes faster and touches more directly on decisions that patients feel first-hand. That is precisely why there is little room to leave this to chance.

At AIAdopt, we developed the Healthcare sector extension (M3-ZO) specifically for care providers, care management and support staff in healthcare organisations. The training covers human oversight in a clinical context, the interplay between the AI Act and the MDR/IVDR, transparency towards patients and the disciplinary-law implications, ending with an assessed certificate that lists the AI Act articles covered.
