Let me be direct: EU AI Act vs FDA SaMD compliance is the most consequential dual-regulatory challenge facing digital health startups right now. Not eventually. Right now, in 2026, with the AI Act’s high-risk provisions fully operative.
FDA’s Predetermined Change Control Plan (PCCP) guidance is simultaneously reshaping how machine-learning-enabled devices are reviewed on the US side. The companies that treat these two frameworks as parallel but separate workstreams are burning runway and courting enforcement risk.
The ones that architect a unified compliance posture from day one are moving faster, spending less, and walking into notified body audits with something rare: confidence.
I have spent the better part of two decades helping medical device and digital health companies navigate regulatory submissions on both sides of the Atlantic. What I am seeing in 2026 is a new category of friction — one that did not exist three years ago — and it is catching even well-funded startups completely off guard.
If you are earlier in this process, it helps to first get clear on how SaMD classification actually works under MDR and on building an ISO 13485 quality system from scratch. Both of those pieces lay groundwork this article builds on directly.
In This Guide:
The EU AI Act vs FDA SaMD Compliance Gap: Why It’s Wider Than Most Founders Think
Start with the fundamental mismatch in how risk is assigned. Under the EU MDR, your Software as a Medical Device is classified using the well-established Class I through Class III framework.
A clinical decision support tool that influences treatment of a serious condition will typically land at Class IIa or IIb. That classification drives your conformity assessment route, your Notified Body engagement, and your Technical Documentation structure.
Then the AI Act walks in and hands you a second classification decision. If your SaMD uses an AI component — and in 2026, most of them do — you must now determine whether that component qualifies as a “high-risk AI system” under Annex III of the AI Act.
The critical thing to understand: this is not the same classification. A Class IIa MDR device can simultaneously be a high-risk AI system under the AI Act. The overlap is not guaranteed. Neither is the alignment.
Startups often miss this. They assume their MDR conformity work covers the AI Act requirements by implication. It does not. The AI Act introduces obligations that have no direct MDR equivalent.
❗Crucial Gap: Genuine duplication of effort. You must produce genuinely additional algorithmic transparency documentation, establish specific human oversight mechanisms, create new training data governance, and design a post-market monitoring architecture that goes further than MDR’s PMCF requirements in certain respects.
The FDA Side: PCCP and the Machine Learning Lifecycle Problem
On the US side, FDA’s approach to FDA artificial intelligence medical device regulation has matured considerably.
The agency’s December 2024 final guidance on Predetermined Change Control Plans gave sponsors a structured mechanism to pre-approve the types of modifications an ML-enabled SaMD can make autonomously without triggering a new 510(k) or PMA supplement.
That was a meaningful step forward. However, a PCCP is not a permission slip for open-ended model drift.
FDA expects a precisely scoped “Description of Planned Changes,” a detailed “Change Protocol” specifying how each change will be implemented and validated, and a “Methodology,” which is your evidence that the change process itself is controlled.
🛑Audit Alert: Retroactive documentation is expensive. If you obtain FDA clearance pure-PCCP, you face an expensive exercise during your EU audit. You will discover that documentation written for a different regulatory philosophy will not satisfy your Notified Body.
Understanding the Dual Timeline: Where Audits Collide
Timeline management for cross-border startups is its own discipline. Under the SaMD regulatory framework 2026 environment, review timelines for novel AI-enabled devices are overlapping and intense.
FDA review timelines for De Novo requests are running 12 to 18 months. 510(k) clearances for AI SaMD with PCCP are averaging 9 to 14 months when the submission is well-constructed.
Meanwhile, your Notified Body pipeline for a Class IIb device under MDR — assuming you have a contract in place — is running 12 to 18 months for the conformity assessment phase alone.
These timelines collide. Your QMS must satisfy three overlapping audit readiness standards simultaneously: FDA Quality System Regulation (21 CFR Part 820), MDR Annex IX/XI, and AI Act Article 17 requirements. Preparation is the rule, not the exception.
The Comparison That Matters: EU AI Act vs FDA SaMD Side by Side
The table below is the reference I wish had existed when I started advising companies on dual compliance digital health strategies. It covers the actual friction points that surface in audits and submissions.
| Compliance Dimension | EU AI Act Requirements | FDA SaMD Requirements |
|---|---|---|
| Risk Classification Trigger | High-risk if listed in Annex III (e.g., AI in medical devices, critical infrastructure). Assessment is purpose-based and AI-system-specific. | Risk classification via intended use + significance of information provided (IOM/FDA SaMD framework). Class I/II/III or De Novo pathway. |
| QMS Standard | ISO 13485 (via MDR) plus AI Act Article 17 quality management obligations (data governance, human oversight, robustness). ISO/IEC 42001 increasingly expected. | ISO 13485 via QMSR (21 CFR Part 820, effective Feb 2026). PCCP methodology must be embedded in QMS procedures. |
| Training Data Requirements | Extensive. Article 10 mandates documented data governance practices, bias examination, data quality criteria, and dataset provenance. Notified Bodies are auditing this actively. | Addressed within PCCP “Description of Planned Changes” and performance monitoring plan. Less prescriptive than EU on data governance documentation structure. |
| Transparency & Explainability | Mandatory Instructions for Use must explain AI system capabilities, limitations, and human oversight requirements (Article 13). “Black box” outputs require documented justification. | FDA expects labeling to communicate algorithm outputs and limitations but does not mandate formal explainability frameworks. Guidance evolving. |
| Post-Market Monitoring | AI Act Article 72 (for providers) mandates automatic logging, performance monitoring, and incident reporting to market surveillance authorities. Ties into MDR PMCF. | PCCP “Change Protocol” governs post-deployment monitoring. MDR 803 adverse event reporting applies separately. FDA’s Total Product Life Cycle (TPLC) approach expects ongoing real-world performance data. |
| Human Oversight | Article 14: high-risk AI systems must be designed to allow human intervention, override, and monitoring. Must be documented in technical file. | Human oversight addressed through intended use definition and labeling. CDS tools that support (rather than replace) clinician judgment receive more favorable review pathway. |
| Conformity Assessment Body | Notified Body (MDR). AI Act conformity for high-risk AI in medical devices is folded into the MDR Notified Body assessment per AI Act Article 40. | FDA directly reviews 510(k), De Novo, or PMA submissions. No third-party conformity assessment body equivalent. |
| Change Management | Significant changes require Notified Body re-assessment. AI Act Article 43 links change classification to whether the AI system’s intended purpose is affected. | PCCP pre-defines permitted changes. Modifications outside the approved PCCP scope require a new submission. Clear bright-line test, but PCCP scope definition is the hard work. |
| Cybersecurity | EU AI Act + MDR + NIS2 Directive create a three-layer obligation. ENISA guidance on AI cybersecurity adds further specificity. | FDA’s 2023 Cybersecurity Final Guidance requires a Software Bill of Materials (SBOM) and a documented cybersecurity management plan in the submission. |
| Enforcement & Penalties | AI Act: up to €30M or 6% of global annual turnover for high-risk violations. MDR: national competent authority enforcement, market withdrawal, CE marking revocation. | FDA: Warning Letters, consent decrees, import alerts, civil monetary penalties, criminal liability for willful violations. No single penalty cap equivalent. |
The AI Act High-Risk Classification: Where Most Startups Miscalculate
AI Act high-risk classification is not automatic for every SaMD.
This is a nuance frequently lost in breathless coverage. If your software qualifies as a medical device under MDR and uses an AI component, Annex III, Point 5(a) of the AI Act does bring it into scope as a high-risk AI system. Full stop.
But the practical implication is not that you file two separate compliance dossiers. Per AI Act Article 40, when a high-risk AI system is already subject to conformity assessment requiring a third-party — which MDR does — the AI Act conformity assessment is integrated. Your Notified Body handles it.
💸Penalty Watch: AI Act high-risk violations carry penalties of up to €30M or 6% of global annual turnover.
We are seeing Notified Bodies issue major non-conformities specifically on Article 10 data governance documentation.
This is the one that catches companies who developed their models on datasets that were never formally characterized, cleaned, and logged to the standard the AI Act now demands retroactively. It illustrates why EU AI Act vs FDA SaMD compliance diverges sharply in documentation depth.
The PCCP-Technical File Synchronization Problem
A startup obtains FDA clearance with an approved PCCP. Functionally and FDA-compliantly, they proceed. Eighteen months later, they go for CE marking.
The Notified Body reviews their Technical File and finds no documentation of the model change management process satisfying AI Act Article 11(1)(f).
The requirement calls for deep details on training methodologies, techniques, metrics, and threshold measurements. The PCCP that FDA approved does not satisfy this requirement in its FDA-format. Result: costly remediation and delayed CE marking.
QMS Harmonization Checklist: Satisfying ISO 13485, ISO/IEC 42001, FDA QMSR, and the AI Act Simultaneously
Below is the working checklist I give to QA directors at the start of a dual-compliance engagement. Every item here directly affects EU AI Act vs FDA SaMD compliance in practice.
Quality Management System Architecture
- ✅Confirm ISO 13485:2016 certification scope explicitly includes software development and AI/ML systems. Scope statements referencing only hardware frequently lack specificity for AI Act Article 17.
- ⚙️Conduct a gap assessment against ISO/IEC 42001:2023. This is the AI management system standard. It is not legally mandated, but Notified Bodies are referencing it and some are beginning to expect alignment.
- 📄Create a unified document control matrix mapping each QMS procedure to the specific regulatory requirement it satisfies: AI Act article, MDR annex point, ISO 13485 clause, and 21 CFR Part 820 section. It demonstrates systematic thinking.
- 🔍Ensure your Design and Development procedure explicitly covers AI/ML model development lifecycle, including data collection, annotation, training, validation, testing, and deployment.
Data Governance
- ✅Create a Data Management Plan documenting training dataset provenance, inclusion/exclusion criteria, known biases, preprocessing steps, and version control.
- ⚙️Establish a dataset versioning system with audit trails. If you retrain your model, you must demonstrate which version of training data was used. This is now table stakes.
- 📊Document sub-group performance analysis across clinically relevant demographic variables — age, sex, ethnicity, clinical setting. FDA expects this. The AI Act demands it.
Change Management & PCCP Harmonization
- ✅Draft your PCCP document in a modular format with an explicit “EU Technical File Supplement” translating each PCCP element into AI Act Article 11 terminology.
- ⚙️Define your “significant change” threshold explicitly in your SOP using both FDA’s PCCP significance criteria and the AI Act’s “substantial modification” definition (Article 3(23)). Where they diverge, document the more conservative threshold as your standard.
- 📈Build your post-market performance monitoring system to generate data satisfying both FDA PCCP “Change Protocol” requirements and AI Act Article 72 logging obligations. A single data architecture can serve both.
Technical Documentation
- ✅Structure your Technical File with a dedicated AI/ML Annex mapping directly to AI Act Annex IV. The annex must cover training methodologies, human oversight measures, and post-market monitoring specific to AI performance.
- ⚙️Prepare Instructions for Use satisfying both FDA labeling and AI Act transparency requirements concurrently. Key AI Act additions: explicit statement of capabilities and limitations, failure conditions, accuracy, robustness, and responsibility for human oversight.
- 🔒Produce a cybersecurity technical file section addressing FDA’s SBOM requirement and MDR/AI Act/NIS2 obligations concurrently.
Audit Readiness Operations
- ✅Conduct a mock audit at the 12-month mark before your target CE marking date using an external auditor with actual AI Act experience — not just MDR experience.
- ⚙️Establish a regulatory intelligence function — even if one person with a structured process — tracking FDA AI guidance and EC AI Act implementing acts on a quarterly basis. The guidance landscape in 2026 is not the same as 2024.
- 📈Maintain a live Regulatory Strategy Document capturing your dual regulatory pathway, key decisions, rationale, and open action items.
The Commercial Reality: Compliance as a Competitive Moat
I want to close with something rarely said plainly in regulatory guidance. Dual compliance is expensive. It takes longer. It demands more from your quality team, your development team, and leadership than most startup roadmaps budget for.
It is also, increasingly, a structural competitive advantage. A digital health tool holding FDA clearance, CE marking under MDR, and documented AI Act conformity is a materially different procurement conversation than one holding only one or none of those.
The compliance investment creates a moat difficult for underfunded competitors to replicate. Front-loading harmonization investment is strategy, not just obligation.
For direct regulatory guidance, consult FDA’s official guidance on artificial intelligence in Software as a Medical Device and the full text of Regulation (EU) 2024/1689 on the European Commission’s AI Act portal. For QMS standards, the ISO 13485:2016 standard and ISO/IEC 42001:2023 are foundational.
What is the difference between EU AI Act high-risk classification and FDA SaMD risk levels?
Can a single Quality Management System (QMS) satisfy both FDA QMSR and the EU AI Act?
Does an FDA approved Predetermined Change Control Plan (PCCP) satisfy EU Notified Bodies?
The Critical EU MedTech Innovation Pressure: Navigating 2026 MDR & EY-DG SANTE Updates.

P. Murugesh is a Regulatory Affairs Specialist with over 18 years of experience navigating the complex landscape of healthcare regulations, compliance, and product development. Combining his deep pharmaceutical industry knowledge and expertise, he founded MediTech Chronicles to share his passion for innovation and simplify complex scientific concepts for the next generation of healthcare professionals.
Great content! Keep up the good work!
Thanks, ExoWatts! I’m glad you found the insights on the dual-regulatory landscape helpful. It’s certainly a complex space, so I appreciate you stopping by!