
EU AI Act and Healthcare: What High-Risk Classification Means for Your AI Systems

Healthcare AI is high-risk by default under the EU AI Act, and the high-risk obligations start applying in August 2026. Most explainers describe the Act in general terms. This covers what high-risk classification actually requires from a governance infrastructure standpoint, in clinical practice, and why it applies to US-based organizations with EU customers or operations.

Brian M. Green, M.S., Chief AI Officer & Founder, Health-Vision.AI
8 min read
Tags: EU AI Act · Healthcare AI Risk · Regulatory Alignment · Governance Infrastructure

Key Takeaway

Healthcare AI is classified as high-risk under the EU AI Act (Regulation (EU) 2024/1689) by default: medical-device AI through Annex I and the Medical Device Regulation, and eligibility, insurance and emergency-triage uses through Annex III. The Act entered into force on 1 August 2024; the Annex III high-risk obligations apply from 2 August 2026, and the Annex I medical-device route follows on 2 August 2027. High-risk classification triggers four categories of operational obligation: conformity assessment before deployment, human oversight mechanisms embedded in clinical workflows, technical documentation covering the AI system's design and limitations, and post-market monitoring throughout the deployment lifecycle. These are not documentation requirements; they are infrastructure requirements. And they apply to US-based organizations deploying AI systems used by or affecting patients in the EU, not only to European providers.

Healthcare AI Is Automatically High-Risk

If your organization deploys AI in a clinical context, that AI system is very likely classified as high-risk under the EU AI Act, and it reaches that classification by one of two routes. Under Article 6(1) and Annex I, an AI system that is itself a medical device, or a safety component of one, is high-risk whenever the device requires third-party conformity assessment under the Medical Device Regulation (MDR) or the In Vitro Diagnostic Regulation (IVDR); under MDR Rule 11, software that informs diagnostic or therapeutic decisions is class IIa or higher, so most clinical decision support, diagnostic imaging and risk-prediction software lands here. Under Article 6(2) and Annex III, a second set of uses is high-risk by listed category regardless of device status: AI used by or on behalf of public authorities to evaluate eligibility for essential public services, including healthcare services; AI used for risk assessment and pricing in health and life insurance; and AI used to classify emergency calls, to dispatch or prioritize emergency medical response, or to triage emergency healthcare patients.

This is not a risk-based assessment that your organization performs and submits for review. It is a classification that applies by operation of law, based on what the AI system does and how the product it sits in is regulated. A sepsis prediction tool, a prior authorization recommendation system, a readmission risk model, a clinical decision support assistant: each of these falls within a high-risk route as a matter of law, not as a result of any finding about the quality or safety of the specific system. The only exit is the narrow Article 6(3) exception for Annex III systems that perform a purely procedural or preparatory task and do not profile individuals, and a provider relying on it must document that assessment before placing the system on the market (Article 6(4)).

A Common Misreading

High-risk classification does not mean the AI system is unsafe or prohibited. It means the system is subject to a defined set of obligations before it can be deployed and while it remains in use. The classification is a threshold, not a verdict. Meeting the obligations is what makes compliant deployment possible.

This Applies to US-Based Organizations

The EU AI Act has explicit extraterritorial reach. The relevant question is not where your organization is incorporated; it is where the AI system's outputs are used and who is affected by them.

Under the Act, the obligations apply to providers who place AI systems on the EU market or put them into service there, regardless of where they are established, and to deployers who use AI systems in a professional context within the EU. A US-based health technology vendor whose AI product is licensed to European hospitals is a provider subject to the Act. A US-based health system with operations or patients in EU member states is a deployer subject to it. A US company with no direct EU presence whose AI outputs are nonetheless used in the EU through a partner or affiliate is also in scope: Article 2(1)(c) applies the Act to third-country providers and deployers where the output produced by the AI system is used in the Union, so the partner relationship determines who holds the provider and deployer roles, not whether the Act applies.

"The EU AI Act does not ask where your organization was incorporated. It asks where your AI system's outputs are used and who bears the consequences."

The practical implication is that EU AI Act readiness is not exclusively a European compliance problem. US healthcare organizations selling to, partnering with, or operating within EU member states should be assessing their high-risk obligations now, not when a European customer or regulator raises the question.

Four Operational Obligations of High-Risk Classification

High-risk classification under the EU AI Act triggers a set of obligations that are operational in nature. They cannot be satisfied through policy documentation alone; they require governance infrastructure built into how the AI system is developed, deployed, monitored, and maintained. Four categories of obligation are most directly relevant to healthcare organizations.

Obligation 1: Conformity Assessment

EU AI Act — Article 43

Conformity Assessment Before Deployment

Before a high-risk AI system can be placed on the EU market or put into service, the provider must conduct a conformity assessment demonstrating that the system meets the Act's requirements. Which procedure applies follows the classification route. Annex III systems (other than biometrics) use the internal-control procedure of Annex VI, a provider self-assessment against the requirements in Chapter III, Section 2 of the Act. AI that is a medical device or a safety component of one follows the conformity assessment procedure of the MDR or IVDR, with the AI Act requirements assessed within that procedure (Article 43(3)); because that route is defined by the device needing a notified body, most clinical healthcare AI will be assessed by a third party, not self-assessed.

The conformity assessment is not a one-time gate. If the AI system undergoes substantial modification after initial assessment, a new assessment is required before the modified system is deployed.

In practice: A documented, evidence-based process for evaluating each AI system against the Act's requirements before deployment, with records sufficient to demonstrate compliance to a regulator. This is a governance infrastructure task, not a legal filing.

Most healthcare organizations that have not done this work formally have some of the underlying components: vendor contracts, internal review processes, clinical validation studies. The conformity assessment does not necessarily require building from scratch; it requires structuring what exists into a defensible, documented form that can be produced on request.

Obligation 2: Human Oversight Mechanisms

EU AI Act — Article 14

Human Oversight Embedded in Clinical Workflows

High-risk AI systems must be designed and developed so that natural persons can effectively oversee them while in use (Article 14, a provider obligation), and deployers must assign that oversight to natural persons who have the necessary competence, training and authority, and give them the support they need (Article 26(2)). The oversight measures must allow the overseer to understand the system's capacities and limitations and detect anomalies, to remain aware of automation bias, to interpret outputs correctly, to decide not to use the system or to disregard, override or reverse its output, and to intervene in or interrupt its operation through a stop button or similar procedure.

This is the provision that most directly connects EU AI Act compliance to the governance infrastructure problem described in this blog's earlier posts. Nominal oversight, where a clinician technically reviews AI outputs but lacks the time, context, or criteria to evaluate them meaningfully, does not satisfy Article 14 or Article 26(2).

In practice: Defined oversight roles with documented competence requirements, review criteria that go beyond acknowledgment, and an operational escalation path with clear authority to intervene. The oversight mechanism must be designed to catch problems, not to document that a human was present.


Obligation 3: Technical Documentation

EU AI Act — Article 11

Technical Documentation Covering Design and Limitations

Providers of high-risk AI systems must prepare and maintain technical documentation sufficient to demonstrate compliance with the Act. The required content is detailed in Annex IV and includes a general description of the system, its intended purpose, the design and development process, the training data and methodology, performance metrics and testing results, known limitations and foreseeable risks, and the human oversight measures in place.

For deployers using third-party AI systems, the Annex IV documentation is the provider's obligation; the deployer's corresponding obligations (Article 26) are to use the system in accordance with the provider's instructions for use and to ensure the documentation they hold reflects the system as actually deployed, not as originally designed.

In practice: Structured documentation that captures not just what the AI system does, but what it cannot do, where it is likely to fail, and what conditions should trigger a review or pause. For healthcare organizations using vendor AI tools, this means vendor contracts and onboarding processes should require the technical documentation the Act mandates.

Obligation 4: Post-Market Monitoring

EU AI Act — Article 72

Continuous Monitoring Through the Deployment Lifecycle

Providers must establish and document a post-market monitoring system, proportionate to the nature and risks of the AI system, that actively and systematically collects and analyses performance data from deployers and other sources throughout the system's lifetime (Article 72). Where monitoring shows that the system is no longer compliant or presents a risk, the provider must take corrective action (Article 20), which can include informing deployers, withdrawing or recalling the system, and, for serious incidents, reporting to the market surveillance authority of the member state where the incident occurred (Article 73). Medical-device AI already subject to MDR post-market surveillance can integrate the AI Act elements into that existing system rather than running a second one.

For deployers, the parallel obligation (Article 26(5)) is to monitor the system's operation in their own deployment context on the basis of the instructions for use; to inform the provider and the market surveillance authority, and suspend use, where they have reason to consider that the system presents a risk; and to report serious incidents to the provider (or, if the provider cannot be reached, to the importer or distributor) and to the market surveillance authority.

In practice: A continuous monitoring process with defined performance metrics, review frequency, and reporting paths. This is the same continuous evaluation described in the NIST AI RMF's MEASURE function; for organizations building toward both frameworks, the post-market monitoring requirement can be designed to satisfy both simultaneously.

Penalty Context and Where to Start

The EU AI Act sets financial penalties for violations of high-risk obligations at up to €15 million or 3% of global annual turnover, whichever is higher. For context, violations of the Act's prohibited AI practices — a distinct and more serious category — carry higher penalties of up to €35 million or 7% of global annual turnover. The figures sometimes cited in general coverage conflate these two categories; the 3% / €15M threshold is the correct reference point for high-risk compliance failures.

The penalty structure matters less as a deterrent than as a signal: regulators have designed enforcement with sufficient financial weight to motivate substantive compliance, not documentation theater. The organizations most exposed are those that have deployed clinical AI without the four categories of governance infrastructure the Act requires, and that cannot produce evidence of conformity assessment, oversight design, technical documentation, or monitoring when asked.

For most healthcare organizations, the correct starting point is a gap assessment against the four obligation categories. That assessment does not need to be the full conformity assessment required before deployment; it is a readiness evaluation that identifies where governance infrastructure exists, where it is partial, and where it is absent. From that baseline, the work can be sequenced proportionally: highest-risk AI deployments first, each obligation category addressed in order of the gap found.

Key Takeaways

  • Healthcare AI is high-risk under the EU AI Act by default. Clinical decision support, diagnostic and patient risk-stratification software that is a medical device reaches high-risk through Annex I and the MDR; AI used in access-to-care eligibility determinations, health insurance risk assessment and emergency triage reaches it through Annex III.

  • The Act applies to US-based organizations whose AI systems are deployed in the EU or whose outputs affect EU patients, regardless of where the organization is incorporated.

  • High-risk classification triggers four operational obligations: conformity assessment before deployment, human oversight mechanisms with genuine authority and criteria, technical documentation covering design and known limitations, and post-market monitoring throughout the deployment lifecycle.

  • These are infrastructure requirements, not documentation exercises. An organization that satisfies them on paper but has no operational oversight mechanism or monitoring process has not satisfied them.

  • The penalty for high-risk compliance failures is up to €15 million or 3% of global annual turnover. The higher figures cited in some coverage apply to the separate category of prohibited AI practices.

  • The correct starting point is a gap assessment against the four obligation categories, prioritizing AI deployments with the highest decision impact and the broadest affected population.

Is Your Organization Ready for EU AI Act High-Risk Obligations?

A 30-minute EU AI Act Clarity Session identifies where your current governance infrastructure meets the four high-risk obligation categories, where the gaps are, and what the right next step is for your specific AI deployments.


health-vision.ai · agenticvillage.net