Decoding MDCG 2025-6: Interplay between the MDR/IVDR and AIA

By Sade Sobande

If guidance on medical device software (MDSW) were a series, we just got three episodes in one week. Kicking off the triple release was MDCG 2025-4, released on  June 16, which tackled the safe deployment of medical device apps on digital platforms. On June 17, a revised MDCG 2019-11 version clarified the qualification and classification of software under MDR/IVDR and introduced the interplay with the European Health Data Space (EHDS). On June 19, AIB 2025-1 / MDCG 2025-6 was released, providing a much anticipated roadmap that explains how the Artificial Intelligence Act (AIA) is intended to interface with existing medical device regulations (Regulation 2017/745 (EU) MDR and Regulation 2017/746 (EU) IVDR). This update focuses on the latest guidance.  

Integrated compliance: Separate systems and Technical Documentation are not required

The expectation is that manufacturers of medical device artificial intelligence (MDAI) systems will meet their obligations under MDR/IVDR and AIA via integrated quality management and risk management frameworks that are robust and incorporate enhanced traceability through both pre-market and post-market phases.

Only one technical documentation file and one conformity assessment via the MDR/IVDR route are required. To avoid duplication, existing technical documentation created under the MDR/IVDR should be expanded to include AI-specific elements like data governance, algorithm transparency, performance monitoring and human oversight mechanisms. The goal is to streamline compliance while demonstrating how AI-specific risks are identified, mitigated and managed throughout the device lifecycle.

There are exceptions. For example, a high-risk AI system that falls within the remit of AIA must comply only with the requirements and obligations of the AIA and undergo a conformity assessment procedure per Article 43 (1) AIA, internal control or Notified Body involvement.

Data and data governance: Data is fundamental to the regulations

While the MDR/IVDR focus on providing clinically relevant high-quality data to support safety and performance, the AIA supplements this by requiring representative, relevant and appropriately pre-processed data sets to reduce bias and improve reliability. The need for clear documentation of data sources, labelling processes and traceability throughout the AI lifecycle is highlighted.

Transparency, explainability and human oversight

In line with the core focus of the MDR/IVDR on safe use of devices, the AIA introduces explicit obligations: users must understand how the MDAI system works, be informed that they are interacting with AI, and be empowered to intervene when necessary. User interfaces should be intuitive and have well-documented decision logic. As well as robust mechanisms that confirm human control remains meaningful, especially in high-risk clinical contexts that require critical decision-making. Devices must work safely, communicate clearly and remain under human authority.

Accuracy, robustness and cybersecurity

In pursuit of accuracy, performance and cyber safety, security-by-design is emphasized. The guidance underlines the need for technical safeguards not just around the device software, but also the models, datasets and algorithms they rely on. Continuous performance monitoring, resilience to adversarial inputs and secure update mechanisms are essential. AI-specific vulnerabilities should be considered in design, risk management and ongoing monitoring.

Clinical/performance evaluation testing

Clinical/performance evaluations are central to demonstrating the safety and effectiveness of MDAI systems. These evaluations must consider the dynamic nature of AI. Validation must reflect real-world variability and not just initial performance, but also how the system behaves across diverse patient populations, its limitations under specific use conditions and how it adapts to changes over time.

Substantial modification / significant change

Changes to an AI system, particularly through retraining, may trigger the need for assessment under each applicable regulation. The concept of “significant change” must be applied to MDAI that continues to evolve after being placed on the market. A predetermined change control plan (PCCP) offers one way of mitigating the constant need for reassessment. Guidance on PCCP is being developed by the International Medical Device Regulators Forum (IMDRF). Significant change obligations for MDAI systems already on the market do not kick in until August 2, 2027.

Concluding remarks

The regulatory landscape for MDAI systems is evolving.  Manufacturers of such devices need to start planning for compliance. The goal isn’t to reinvent the wheel, but to integrate safeguards that are critical to the safe and effective deployment of MDAI systems.