AI in healthcare: what the EU AI Act changes in practice for healthcare organisations
What the EU AI Act changes for healthcare organisations: which tools are high-risk, the MDR/IVDR overlap, human oversight and the deadlines you need to plan for.

Updated 3 July 2026. On 29 June 2026, the Council gave its final green light to the Digital Omnibus on AI. The act still awaits publication in the Official Journal and will enter into force on the third day after publication. With it, the application dates for high-risk AI move to 2 December 2027 (stand-alone systems) and 2 August 2028 (AI embedded in products, such as medical devices). The AI literacy obligation of Article 4 is unchanged and has applied since 2 February 2025.
From triage algorithms in the emergency department to AI-supported image analysis in radiology: AI has swept into healthcare faster than governance can keep pace. AI literacy has been mandatory since 2 February 2025. For the heavier high-risk AI obligations, the Digital Omnibus is set to provide more time, but healthcare organisations would do well to get their AI use, governance and supplier agreements in order now.
Why healthcare is a separate category
In almost every sector the same holds: AI is new, regulation catches up, organisations have to keep pace. In healthcare it is different. Here AI touches directly on things that are already deeply regulated: patient safety, medical decision-making, the privacy of the most sensitive type of personal data that exists. The EU AI Act does not land in an empty field. It comes on top of the GDPR, on top of the Medical Devices Regulation (MDR/IVDR), on top of national health legislation and on top of the professional disciplinary law for healthcare professionals.
That makes healthcare organisations both the organisations with the most compliance experience and the ones where AI governance is the most complex to set up. With various supervisory authorities evaluating the same system from different angles, no healthcare provider wants to be the first to make a patient-harming mistake.
Which AI applications can count as high-risk AI
The EU AI Act works with Annex III: categories of AI applications that are in principle designated as high-risk AI unless a specific exception applies. For healthcare, the relevant ones are:
But the law does not work only with Annex III. Some AI applications in healthcare fall under the transparency rules for limited-risk AI, for example triage chatbots or other systems that interact directly with patients. Others may be minimal-risk, high-risk, or regulated through the MDR/IVDR, depending on their purpose and use. And even for minimal-risk applications, the Article 4 obligation applies: the organisation must be able to show that it has taken appropriate measures to ensure sufficient AI literacy among staff who work with AI. We set out elsewhere what the AI literacy obligation under Article 4 precisely entails.
The applications that healthcare organisations often do not see as "AI"
In conversations with care managers and quality officers, it turns out again and again that the term "AI" is interpreted narrowly. People think of striking applications such as image analysis software from a radiology supplier. But in practice, almost every modern healthcare organisation already uses:
Insofar as these applications qualify as an AI system under the EU AI Act, they fall under the AI Act framework. Not all of them count as high-risk AI, but they do fall under the basic obligations such as AI literacy.
The four areas healthcare organisations should not leave until 2027
The formal application of many high-risk AI obligations is moving later, but AI literacy already applies. On top of that, inventory, contract review, governance and training take time in the healthcare sector. Four areas therefore need attention now.
First area: AI literacy of staff. Healthcare workers who use AI outcomes in decisions about patients must know what the tool does, where the limits lie, how to recognise warning signs and when to override the outcome. A nurse who blindly follows a score from an early-warning system without understanding what sits behind it is a liability risk, for themselves, for the organisation, and ultimately for the patient.
Second area: human oversight and final responsibility. For high-risk AI, there must always be a healthcare professional who takes the final decision and who also has the ability and authority to override the AI. "The system decided it that way" is not a valid justification in a disciplinary complaint. The doctor or nurse remains professionally accountable for how they use the AI output, while the organisation must make that responsibility workable through training, procedures and authority to override.
Third area: transparency towards patients. When AI plays a role in decisions that materially affect patients, healthcare organisations must carefully assess which information and explanation duties apply. These can arise from the AI Act, the GDPR, patient rights, informed consent, the MDR/IVDR and internal quality procedures. In most information leaflets and intake procedures, this is currently barely arranged, if at all.
Fourth area: supplier contracts and MDR/IVDR overlap. Many AI tools in healthcare are already regulated under the MDR/IVDR. The EU AI Act adds a layer on top. The question then is: what is the responsibility of the supplier (provider) and what is the organisation's (deployer)? That demarcation has to be clear contractually, and in many existing contracts it is not.
The three groups that each need their own training
What is already mandatory, what is still to come
Already in force. Article 4 on AI literacy has applied since 2 February 2025. Providers and deployers of AI systems must take measures to ensure, to the best of their ability, that their staff and those who work with AI on their behalf are sufficiently AI-literate, tailored to role, experience and context of use. For healthcare organisations, this is the most concrete obligation at this moment.
On 2 December 2026. The Digital Omnibus adds a ban on AI systems for non-consensual intimate-content generation, often referred to as "nudification", and on AI that can generate child sexual abuse material. For healthcare, this is mainly relevant for AI procurement policy and for what ends up in the AI tool inventory.
On 2 December 2027. Following the Council's final green light on the Digital Omnibus of 29 June 2026, the obligations for stand-alone high-risk AI systems under Annex III become enforceable on this date. Think of AI for emergency triage or for access to care provisions. Originally, 2 August 2026 was set in Regulation 2024/1689; that date remains formally valid until the Digital Omnibus is published in the Official Journal of the EU and enters into force.
On 2 August 2028. On that date, the high-risk AI requirements become applicable for AI systems embedded in regulated products. For healthcare, that is the big category: AI as a safety component in, or as, a medical device under the MDR/IVDR.
This extension is by no means a free pass. For systems that will later be classified as high-risk AI, the obligation to carry out a conformity assessment lies primarily with the supplier as provider. For the healthcare organisation as deployer, something else applies: using the system in line with the instructions, arranging human oversight with people trained for it, keeping input data under control, monitoring use, reporting serious incidents, keeping logs, informing affected persons where the law requires it and cooperating with supervisory authorities.
What you can realistically do now
The postponement of the high-risk AI deadlines to 2027 and 2028 changes the time pressure, not the task. The Article 4 obligation already applies, and the time until 2 December 2027 is exactly what an organisation needs to take the high-risk steps carefully rather than in a rush.
Start now:
Second half of 2026:
Towards 2027 and 2028:
In closing
Healthcare has led the way in compliance for years: GDPR, MDR/IVDR, NEN 7510, quality frameworks, HKZ. In that light, AI Act compliance is not an extra burden but a logical extension of what is already being done. The difference is that AI is newer, changes faster and touches more directly on decisions that patients feel first-hand. That is precisely why there is little room to leave this to chance.
At AIAdopt, we developed the Healthcare sector extension (M3-ZO) specifically for care providers, care management and support staff in healthcare organisations. The training covers human oversight in a clinical context, the interplay between the AI Act and the MDR/IVDR, transparency towards patients and the disciplinary-law implications, ending with an assessed certificate that lists the AI Act articles covered.