A Regulatory & Quality Expert’s Take on MedTech Europe’s “Simplification of EU Digital Legislation” Position

MedTech Europe has published a position paper urging the EU to “simplify” horizontal digital laws (AI Act, Cybersecurity, Data Act, EHDS) and align them with sectoral frameworks (MDR/IVDR). This reaction summarises the key asks, assesses their feasibility from a QA/RA perspective, and proposes an implementation playbook for manufacturers and policymakers.

TL;DR (What matters for RA/QA)

  • AI Act timing & scope. Industry asks to push full application for medical tech to 2 August 2029, align “substantial modification” with MDR/IVDR “significant change,” and let MDR/IVDR-designated Notified Bodies carry the AI Act load—sensible if coupled with concrete readiness milestones.
  • Data Act boundaries. Make Chapter II data-sharing voluntary for regulated MedTech, extend application to September 2029, exclude legacy products, and rebalance trade-secret protections—coherent with design control and safety.
  • Cybersecurity. Keep EU cybersecurity certification voluntary and harmonise NIS2 transposition/reporting to prevent a patchwork that drains assurance capacity.
  • EHDS scope. Narrow “EHR system” definition to primary intended purpose, avoid double regulation of devices, and allow modular self-certification where components overlap.

What the Paper Gets Right (from a QA/RA lens)

  1. Avoiding duplicate risk systems. Recognising that vertical MDR/IVDR processes (e.g., ISO 14971 risk management within QMS) should fulfil horizontal AI Act obligations reduces audit friction and preserves traceability.
  2. Extending AI Act timelines—with guardrails. A move to 2 Aug 2029 reflects standards lead time, NB capacity, and evolving guidance; the extension is justified only if tied to deliverables (AI Office guidance, harmonised standards, NB designation pathways).
  3. Fixing the pre-market evidence trap. Clinical/performance studies should not be misconstrued as “put into service.” Exemptions (when studies follow MDR/IVDR rules) avoid blocking evidence generation.
  4. Terminology alignment on change control. Map AI Act “substantial modification” to MDR/IVDR “significant change” to prevent routine updates from triggering re-certification.
  5. Pragmatic stance on Data Act & EHDS. Mandatory raw-data sharing in safety-critical products can jeopardise security and mislead users; prioritising EHDS as the sectoral mechanism and protecting trade secrets aligns with PMS goals.

Where the Argument Needs Sharpening

  • No blank-cheque delays. Extensions should be conditional: publish a MedTech AI implementation roadmap (standards, NB designation, guidance on learning systems and post-market update control) with public milestones.
  • Operational definition of “learning safely.” Alignment must include model lifecycle controls: data governance, drift/bias monitoring, rollback, real-world performance evidence, and field-update validation—mapped to MDR/IVDR PMS/PMCF and AI Act risk management.
  • EHDS modularity in practice. Define component boundaries, assurance artefacts, and labelling to keep modular conformity assessments auditable.
  • One-stop incident reporting. Implement a single-intake, multi-routing model (taxonomy, SLAs, deduplication) to reduce RA/QA overhead across CRA/NIS2/EHDS/MDR.

Implications for RA/QA Leaders

  1. Convergence, not duplication. Build a single, integrated risk-and-assurance stack where AI Act duties are referenced from MDR/IVDR processes (design control, risk, usability, cybersecurity, PMS).
  2. Evidence pathways for pre-market AI. Create a protocol template for AI clinical/performance studies that documents non–“put into service” status plus data-protection and safety controls.
  3. Model-update governance. Define safety-relevant vs non-relevant model changes; set gates for V&V, field release, PMS analytics; and pre-agree with your NB on reporting.
  4. Data Act hygiene. Establish a risk-based data-sharing playbook: when to share, what to share (processed vs raw), how to protect (trade-secret screening, minimisation, security handbrake).
  5. EHDS scoping. Apply a primary intended-purpose test; where overlap with EHR functions exists, scope a modular conformity dossier and confirm expectations early with authorities.

A 90-Day QA/RA Playbook (Practical and Auditable)

Day 0–30: Baseline & Gap Map

  • Build a requirements traceability matrix: AI Act ↔ MDR/IVDR clauses, noting duplicates and gaps (risk management, data/record-keeping, human oversight, transparency).
  • Catalogue model changes from the last 12 months; classify via a draft “significant vs non-significant” decision tree aligned to MDR/IVDR.
  • Identify products with EHR-like functions and run an EHDS scope screen using primary intended purpose.

Day 31–60: Controls & Templates

  • Publish a Model Update SOP: data controls, V&V, deployment, rollback, PMS signals, NB notification triggers.
  • Draft a Pre-market AI Study Protocol Addendum clarifying non-placement/non-service status and safeguards.
  • Stand up a Data-Sharing Review Board (RA + Legal + Security) with trade-secret screening and “security handbrake” criteria.

Day 61–90: Assurance & External Alignment

  • Pilot an Integrated Tech File section mapping AI Act artefacts to existing MDR/IVDR evidence—one binder, two regimes.
  • Meet your Notified Body to agree on technology codes/scopes for AI and on your change-control decision tree.
  • Define a single incident intake that can populate CRA/NIS2/EHDS/MDR reporting to avoid duplicate submissions.

Policy Recommendations (Targeted and Testable)

  1. Conditional AI Act extension to 2029, tied to:
    • Publication of MedTech AI guidance (change control, learning systems, clinical evaluation links)
    • NB designation pathway that reuses MDR/IVDR technology codes where appropriate
    • Delivery of relevant harmonised standards by 2026 with adoption support thereafter
  2. Legal clarity for pre-market studies. Exclude MDR/IVDR investigations/performance studies from “placing on the market/putting into service” under the AI Act when compliant with sectoral rules.
  3. Recognise sectoral risk systems. Confirm that MDR/IVDR-conformant risk management fulfils AI Act risk obligations; avoid duplicate audits.
  4. Data Act health carve-out. Make device/IVD/EHR data obligations voluntary; extend to 2029; exclude legacy products; rebalance trade-secret protections.
  5. EHDS scope precision. Anchor “EHR system” to primary intended purpose; enable modular self-certification of overlapping components; issue consistent guidance to Member States.
  6. Cybersecurity coherence. Preserve voluntary EU certification; harmonise NIS2 definitions, timelines, and reporting; reuse the CRA single reporting platform for NIS2 (“report once”).

Closing Thought

“Simplification” should mean one set of controls that satisfies many laws, not many parallel systems that exhaust teams. The position paper points in the right direction—now it needs deliverable-level specificity so QA/RA leaders can execute with confidence.


Note: This article is for informational purposes only and does not constitute legal or regulatory advice.