EU AI Act + MDR/IVDR Healthcare AI FINALE: EUDAMED Registration, Vigilance Reporting, and the Complete Compliance Stack (2026)

Post #5 in the sota.io EU AI Act + MDR/IVDR Healthcare AI Compliance Series

Four posts in this series have covered the architecture of double conformity: the burden of operating under two parallel regulatory frameworks simultaneously, the technical documentation requirements that span both, the post-market surveillance obligations that run indefinitely after CE marking, and the notified body process that validates your compliance before you can place your product on the EU market. This final guide brings those threads together into a complete compliance stack — covering registration, vigilance, the audit-readiness documentation package, and the end-to-end timeline you need to be market-ready by August 2, 2026.

EUDAMED: The Registration Obligation That Runs Before Market Placement

EUDAMED — the European database on medical devices — is not optional. Under the MDR and IVDR, manufacturers must register their devices in EUDAMED before placing them on the EU market. This registration obligation is separate from the conformity assessment process: you must have completed registration even if your notified body certificate is in hand.

The EU AI Act adds a parallel registration requirement for high-risk AI systems. Article 49 of the AI Act requires providers of high-risk AI systems listed in Annex III to register in the EU database before placing the system on the market or putting it into service. Article 51 defines this database and the obligations that flow from it.

For a medical device embedding a high-risk AI system, this means two concurrent registration obligations:

EUDAMED registration covers the medical device as a whole — the device description, classification, intended purpose, notified body certificate numbers, and unique device identifiers. MDR requires full EUDAMED registration for Class IIa, IIb, and III devices; Class I devices have a lighter registration path. The registration must be completed before the device is placed on the EU market.

AI Act database registration covers the AI system component. Article 51 requires registration information including: the provider's identity, the AI system description and intended purpose, the AI Act high-risk classification category under Annex III, the conformity assessment outcome reference, and the declaration of conformity details. This registration must occur before the high-risk AI system is placed on the market or put into service.

What this means in practice: by the time you are ready for market, you will have completed EUDAMED registration for the device, AI Act database registration for the embedded AI system, issued an EU declaration of conformity under MDR/IVDR and a separate declaration under Article 47 of the AI Act (or a single co-signed joint declaration if your notified body and the relevant authority agree to that approach), and applied the CE marking. These steps must be completed in sequence and verified before you can begin commercial distribution.

Vigilance: Coordinating Serious Incident Reporting Under Two Frameworks

Post-market surveillance does not end at registration. Both the MDR/IVDR and the EU AI Act impose ongoing vigilance obligations — and when a serious incident occurs, both frameworks may require concurrent reporting to different authorities on potentially different timelines.

MDR Article 87: Serious Incident and FSCA Reporting

Under MDR, manufacturers must report serious incidents and field safety corrective actions (FSCAs) to the relevant national competent authority. A serious incident under MDR is any malfunction or deterioration in the characteristics or performance of a device made available on the market that has led or could lead to death, serious deterioration of the state of health of a patient or user, or a serious public health threat.

FSCA reporting timelines under MDR operate on a graduated basis: immediately upon becoming aware of an FSCA that is being implemented, or — in the case of a serious incident that has not yet resulted in an FSCA — within defined timeframes depending on the severity and urgency of the situation. The MDR specifies that serious incidents involving a risk of death or serious health deterioration must be reported immediately, with full reports to follow.

The national competent authority for medical devices in Germany is the Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM). Each member state designates its own medical device competent authority, and EUDAMED's electronic vigilance module is the infrastructure through which serious incident reports are submitted and shared across member states.

EU AI Act Article 73: Reporting of Serious Incidents to Market Surveillance Authorities

Article 73 of the EU AI Act creates a separate and parallel reporting obligation for providers of high-risk AI systems. A serious incident under the AI Act means any incident or malfunctioning of a high-risk AI system that directly or indirectly leads to death, serious damage to health, a serious breach of fundamental rights, serious property damage, or significant societal harm.

Providers must report serious incidents to the market surveillance authority in the member state where the incident occurred. The AI Act's reporting timeline distinguishes between incident severities: life-threatening incidents require immediate notification, while other serious incidents must be reported without undue delay.

The coordination challenge: when a serious incident occurs with a medical AI device, it is likely to satisfy the seriousness threshold under both the MDR (as a device malfunction causing health harm) and the AI Act (as a high-risk AI system malfunction). This triggers concurrent reporting obligations to potentially two different authorities: the medical device competent authority for the MDR report, and the AI Act market surveillance authority for the AI Act report.

In many member states, the same authority may hold both designations — Germany's BfArM, for example, acts as both the medical device competent authority and a market surveillance authority under the AI Act. But this is not uniform across the EU. Your vigilance procedure must identify the relevant authorities in each member state where you distribute, map which authority receives which report, and specify the timeline for each reporting path.

Practical vigilance procedure requirements:

1. Incident triage classification — a documented procedure for classifying incidents against both the MDR serious incident definition and the AI Act serious incident definition on first assessment.
2. Dual reporting workflow — parallel report preparation processes for MDR reporting via EUDAMED vigilance module and AI Act reporting to the AI Act market surveillance authority.
3. Timeline tracking — a centralised incident management system that tracks the separate reporting deadlines under each framework from the moment of awareness.
4. Trend reporting — both the MDR and the AI Act impose trend reporting obligations beyond individual incident reports. Your Article 72 post-market monitoring system under the AI Act feeds into the continuous technical documentation updates required under Article 11, and triggers corrective action obligations under Article 20.

The Complete Post-Market Monitoring Architecture

Article 72 of the EU AI Act requires providers of high-risk AI systems to establish and document a post-market monitoring system. This system must collect, document, and analyse data from deployers and users about the AI system's performance throughout its intended lifetime.

For a medical device embedding a high-risk AI system, the post-market monitoring architecture under the AI Act must be integrated with the MDR/IVDR post-market surveillance infrastructure. This integration is not optional: the two frameworks overlap substantially in what they require — performance data collection, trend identification, systematic analysis, and escalation to corrective action — and operating two entirely separate systems creates unnecessary duplication and audit risk.

An integrated post-market architecture for healthcare AI typically includes:

Performance data collection layer: telemetry from clinical deployments, tracking system outputs against expected performance across the indications and patient populations defined in the intended purpose. Under the AI Act, this feeds the post-market monitoring plan. Under the MDR, it feeds the Post-Market Clinical Follow-Up (PMCF) and the periodic safety update report (PSUR).

AI system log retention under Article 12: the AI Act requires providers to ensure that the high-risk AI system automatically generates logs for each use. These logs must be retained for the period specified in the post-market monitoring plan, and must be accessible to national competent authorities on request. For a deployed clinical AI system, this means logging each decision instance — the inputs, the model output, and any human oversight action — at the clinical deployment level.

Change management integration: when model updates, retraining events, or software changes occur, the post-market monitoring system must assess whether the change is substantial enough to trigger a new conformity assessment under Article 43 or, under the MDR, a re-evaluation of the conformity of the modified device. The AI Act and MDR use different thresholds for what constitutes a substantial modification requiring a new assessment, and your change management procedure must apply both tests.

PMCF under MDR: beyond MDR post-market surveillance, Class II and Class III devices are required to have a PMCF plan that systematically collects clinical data on the marketed device throughout its lifetime. For AI medical devices, PMCF data and AI Act post-market monitoring data overlap substantially — both are tracking the device's clinical performance in real-world use — and a unified PMCF/AI-Act-monitoring plan is more efficient to operate than two parallel programmes.

The Complete Audit Documentation Package

When a market surveillance authority or national competent authority conducts an inspection or requests documentation, you must be able to demonstrate compliance simultaneously under both frameworks. This audit-readiness requirement is more demanding for healthcare AI than for most other regulated product categories, because the documentation required under the AI Act and under the MDR/IVDR are distinct but interlinked.

The complete audit documentation package for a healthcare AI product includes:

EU AI Act Documentation

• Technical documentation (Article 11): the AI Act technical documentation set, covering system design description, training data governance under Article 10, performance metrics, risk management system documentation under Article 9, quality management system documentation under Article 17, and the post-market monitoring plan under Article 72.
• EU declaration of conformity (Article 47): the signed declaration confirming conformity with all applicable AI Act requirements, including the Annex III classification, the applicable conformity assessment procedure, and the notified body reference if third-party assessment was required.
• AI Act database registration (Article 51): the registration record from the EU AI system database, with registration number and details.
• Record of automatically generated logs (Article 19): documentation confirming the log retention system is operational and that logs are stored for the defined retention period.
• Instructions for deployers (Article 13): the information provided to deployers covering the AI system's intended purpose, performance characteristics, limitations, human oversight requirements, and technical infrastructure needs.

MDR/IVDR Documentation

• Technical file: the complete MDR/IVDR technical documentation set, covering device design and manufacturing documentation, clinical evaluation, clinical investigations where required, and performance evaluation under IVDR.
• Notified body certificate: the valid CE marking certificate issued by the notified body, including any surveillance audit confirmations and annexes.
• EUDAMED registration: the device registration record in EUDAMED with the UDI (Unique Device Identifier) and registration number.
• Post-market surveillance report (Class I) or PSUR (Class IIa and above): the periodic safety update report documenting post-market surveillance findings, trend analysis, and corrective action history.
• EU declaration of conformity (MDR/IVDR): the CE marking declaration.

Integrated Cross-Framework Documentation

• Serious incident reporting log: records of all incidents assessed against both frameworks, showing the classification decision, reporting actions taken, timelines, and outcomes.
• Change management log: records of all system changes assessed against both the AI Act substantial modification threshold and the MDR significant change criterion, with documented decisions on whether new conformity assessment was required.
• PMCF/post-market monitoring integration plan: the unified plan showing how clinical performance data is collected, analysed, and escalated under both frameworks.
• Quality management system (Article 17) with MDR QMS alignment: documentation showing that the AI Act QMS requirements and the MDR QMS requirements (under ISO 13485 or equivalent) are satisfied by a single integrated system.

Competent Authority Oversight: Who Regulates What

Healthcare AI sits at the intersection of multiple regulatory domains, and understanding which authority supervises which aspect of your product is essential for audit readiness.

Medical device competent authorities supervise MDR/IVDR compliance, including post-market surveillance, vigilance reporting, and market surveillance activities. Germany: BfArM. France: ANSM. Netherlands: IGJ. These authorities have the power to request technical documentation, conduct inspections, require post-market studies, and take corrective measures including recall.

AI Act market surveillance authorities supervise EU AI Act compliance for high-risk AI systems in their member state market. Each member state designates its own AI Act market surveillance authority or authorities by sector. In most member states, different authorities are designated by AI Act sector category — health AI may fall under the same authority as medical devices, or under a general market surveillance authority, depending on the member state's designation choices.

The European Commission and EAIB: the European Artificial Intelligence Board (EAIB) under Article 65 of the AI Act coordinates market surveillance across member states and handles cross-border cases. Where a high-risk AI healthcare system is distributed across multiple member states and a serious incident occurs, the EAIB coordination mechanism determines how surveillance activity is shared.

Notified bodies have ongoing post-certification surveillance responsibilities under both MDR and AI Act tracks — conducting periodic surveillance audits, reviewing PSUR submissions, and reassessing certification when substantial modifications occur.

The August 2, 2026 Compliance Timeline: Complete Checklist

The AI Act high-risk AI system obligations under Articles 6 through 49 apply from August 2, 2026. From that date, providers placing high-risk AI systems on the EU market must be in full compliance with all provider obligations. For medical AI, this deadline is absolute: there is no grace period for products already in development or already CE-marked under MDR/IVDR alone.

Pre-market requirements that must be completed before August 2, 2026:

• Risk management system documented and operational (Article 9)
• Training and validation dataset governance documented (Article 10)
• Technical documentation complete and current (Article 11)
• Logging system operational at deployer deployment level (Article 12)
• Instructions for deployers prepared and ready for delivery (Article 13)
• Human oversight measures implemented and documented (Article 14)
• Quality management system established and documented (Article 17)
• Post-market monitoring plan documented (Article 72)
• Conformity assessment completed (Article 43 — via notified body for medical AI)
• EU declaration of conformity issued (Article 47)
• AI Act database registration completed (Articles 49 and 51)
• CE marking applied incorporating AI Act conformity

MDR/IVDR requirements that must be current:

• EUDAMED registration current and complete
• Notified body certificate valid and covering current device version
• Post-market surveillance plan current
• PSUR submitted for current surveillance period (Class IIa and above)
• PMCF plan in place and PMCF data collection active

Ongoing obligations active from August 2, 2026:

• Serious incident reporting procedure operational for dual-framework reporting (Article 73 + MDR Article 87)
• Post-market monitoring data collection and analysis active (Article 72)
• Change management procedure in place for assessing substantial modifications
• Vigilance log maintained and accessible to authorities on request
• Technical documentation update process active to reflect post-market findings

EU-Native Infrastructure: Why It Matters for Healthcare AI Compliance

The entire MDR/IVDR and EU AI Act compliance architecture assumes that the data processed by your medical AI system — patient data, clinical inputs, system logs, model outputs — is subject to EU legal jurisdiction and accessible to EU competent authorities.

When a medical AI system is deployed on US-headquartered cloud infrastructure, the data processed by that system is subject to the CLOUD Act, which allows US authorities to compel disclosure of data held by US companies regardless of where the data is physically located. This creates a compliance gap: patient health data processed under EU AI Act and MDR obligations is simultaneously accessible to non-EU authorities under US law, without the EU data access controls that the regulatory frameworks assume are in place.

EU-native managed platform infrastructure eliminates this gap. When your healthcare AI system runs on infrastructure with no US parent company, no US ownership chain, and no CLOUD Act exposure — deployed on Hetzner Germany or equivalent EU-sovereign infrastructure — the jurisdictional exposure that US-headquartered cloud creates simply does not exist.

For healthcare AI, this is not a marginal consideration. Your technical documentation under Article 11 must describe the infrastructure on which the AI system operates. Your data governance documentation under Article 10 must document the regulatory controls that apply to your training data and operational data. An auditor reviewing your documentation will ask whether the infrastructure under your AI system is subject to non-EU data access obligations — and the answer to that question is visible in your cloud provider choice.

Choosing EU-native infrastructure is part of the documentation, not separate from it.

Series Summary: The MDR/IVDR + EU AI Act Stack

This five-post series has covered the complete regulatory architecture for healthcare AI at the EU AI Act + MDR/IVDR intersection:

1. Double conformity burden — the structural reality of operating under two parallel frameworks simultaneously, and why healthcare AI cannot use the standard AI Act self-assessment path.
2. Technical documentation alignment — how to construct a documentation set that satisfies both Article 11 of the AI Act and the MDR/IVDR technical file requirements without duplicating effort.
3. Post-market surveillance — how the AI Act's Article 72 post-market monitoring obligations integrate with MDR post-market surveillance, PMCF, and periodic safety update reports.
4. Notified body coordination — how to navigate the dual notified body requirement, the options for coordinated assessment, and the timeline implications for CE marking.
5. Registration, vigilance, and audit readiness (this post) — EUDAMED and AI Act database registration, dual-framework serious incident reporting, the complete audit documentation package, and the August 2, 2026 compliance checklist.

Healthcare AI development teams building products for the EU market now have the complete regulatory map. The path is clear; the timeline is fixed. The question is whether your compliance programme is moving fast enough to reach the August 2, 2026 line with all obligations satisfied.

All regulatory references are to Regulation (EU) 2024/1689 (EU AI Act) and Regulation (EU) 2017/745 (MDR). Article numbers are based on the published Regulations. Legal review of your specific product configuration is recommended before market placement.