Digital platforms and AI-driven medical software: new MDCG guidance on operator responsibilities and MDR/IVDR–AI Act compliance

In June 2025, two highly anticipated MDCG guidance documents — MDCG 2025-4 and MDCG 2025-6 — were published. They clarify the responsibilities of digital platform operators that host medical device software (MDSW) and explain how to ensure simultaneous compliance with the MDR/IVDR and the EU Artificial Intelligence Act (AI Act). For the first time, the interdependencies between these frameworks are presented in a cohesive, practical manner.

Doctor using futuristic touch interface to access digital health records and medical diagnostics.

The evolving digital landscape of medical devices

In June 2025, two highly anticipated MDCG guidance documents — MDCG 2025-4 and MDCG 2025-6 — were published. They clarify the responsibilities of digital platform operators that host medical device software (MDSW) and explain how to ensure simultaneous compliance with the MDR/IVDR and the EU Artificial Intelligence Act (AI Act). For the first time, the interdependencies between these frameworks are presented in a cohesive, practical manner.

MDCG 2025-4: Defining roles for digital distributors and intermediaries

The guidance outlines that platform operators may assume roles such as:

  • service intermediaries under the Digital Services Act (DSA),
  • distributors or importers under MDR/IVDR,
  • or, in specific cases, a person responsible for regulatory compliance (PRRC).

The actual role depends on how much control the platform has over distribution and access to the software. If the platform qualifies as a distributor, it must:

  • ensure visibility of CE marking and safety information,
  • provide access to the manufacturer’s IFU, contact details, and PMS documentation,
  • maintain systems for incident reporting and post-market surveillance,
  • monitor app content for non-compliance.

MDCG 2025-6: MDR/IVDR meets the AI Act

This FAQ-style guidance clarifies that any MDSW incorporating AI is automatically classified as a high-risk AI system under the AI Act. Key takeaways include:

obligations under MDR/IVDR and the AI Act are cumulative, not interchangeable,

  • any change to the AI algorithm may require reassessment of conformity,
  • technical documentation must address both AI-specific and MDR/IVDR-specific requirements,
  • the manufacturer must ensure human oversight and robust risk mitigation mechanisms.

The big picture: convergence of legal frameworks and future audits

Together, MDCG 2025-4 and 2025-6 introduce new layers of regulatory responsibility for software producers, app distributors, and platform operators. Integrated compliance strategies must now bridge the gap between clinical performance, cybersecurity, and algorithm transparency.

Summary

These documents may soon become reference tools for notified body audits and competent authority inspections. Early implementation of these principles will be key to ensuring uninterrupted market access for digital health technologies.

CONTACT US