As artificial intelligence moves into routine healthcare, regulation is evolving to address safety, effectiveness, data, and accountability. In regions such as Europe, the United States, Australia, and China, AI is mainly governed under existing medical device laws. These frameworks provide structure, but only partially address the dynamic nature of machine learning and generative AI.
Balancing innovation and regulation
Regulation of AI in healthcare is shaped by a structural tension between enabling innovation and ensuring safety, which directly influences how different regions design their frameworks. This tension is driven by concrete risks, including biased clinical decisions from non-representative data, limited transparency of “black-box” models, cybersecurity vulnerabilities, unclear accountability when errors occur, and the ability of systems to evolve over time without oversight. As a result, regulators must continuously balance the need for rapid deployment with the requirement to protect patient safety.
In the United States, this balance is reflected in a flexible, iterative regulatory model. The Food and Drug Administration (FDA) has built its framework since 2019 through guidance on Software as a Medical Device (SaMD), the AI/ML Action Plan, and Good Machine Learning Practices. The introduction of Predetermined Change Control Plans (PCCPs) addresses a core risk of AI: uncontrolled evolution after deployment. By requiring developers to define in advance how systems can be updated, regulators allow continuous improvement while maintaining oversight.
China applies a more controlled approach. The National Medical Products Administration (NMPA) classifies most AI medical devices as Class III, the highest risk category, reflecting concerns about safety, data quality, and system reliability. At the same time, China is scaling AI across its healthcare system through national strategies, including large-scale deployment of AI-assisted diagnostics. Regulation and industrial policy are closely aligned, combining strict oversight with rapid adoption.
The European Union focuses on mitigating systemic risks through comprehensive legislation. Under the Medical Device Regulation (MDR), AI is treated as a medical device, requiring clinical evidence and conformity assessment. The AI Act adds a second layer, classifying medical AI as high-risk and introducing requirements for transparency, human oversight, and risk management across the lifecycle. This framework directly targets risks such as opacity, bias, and lack of accountability.
Other regions apply variations of this balance. Japan addresses the risk of uncontrolled system updates through the Post-Approval Change Management Protocol (PACMP), enabling predefined changes under regulatory supervision. Australia follows a technology-agnostic model, focusing on intended use and risk classification, while updating guidance to address software-specific challenges.
Across all jurisdictions, stricter regulation in healthcare compared to other sectors reflects the direct impact of AI on diagnosis, treatment, and patient outcomes. Regulatory frameworks are designed to mitigate clinical, technical, and ethical risks while allowing controlled innovation within defined boundaries.
Risk-based regulation as the global standard
A defining characteristic of AI governance in healthcare is the use of risk-based classification systems. In Canada, AI-enabled tools are regulated under the Food and Drugs Act and Medical Devices Regulations. Devices are classified from Class I (low risk) to Class IV (highest risk). Higher-risk devices require licensing and submission of detailed documentation, including clinical evidence, software validation, and risk management plans.
The United States applies a three-tier classification system (Class I–III). Most AI devices are classified as Class II and cleared through the 510(k) pathway, indicating moderate risk. This pathway relies on demonstrating substantial equivalence to an existing device. High-risk devices require Premarket Approval (PMA), which involves more extensive evidence and longer review times.
The European Union uses a four-tier classification system under MDR (Class I, IIa, IIb, III), combined with the AI Act’s risk categories (unacceptable, high, limited, minimal). Medical AI is explicitly categorized as high-risk, triggering strict regulatory requirements, including conformity assessments, technical documentation, and ongoing monitoring.
Japan operates a four-class system (Class I–IV), with many AI applications, such as diagnostic imaging tools, classified as Class III or IV. Australia uses a three-class system (Class I–III), while India applies Classes A to D under the Medical Device Rules (2017).
China also uses a Class I–III system, but with a distinctive pattern: most AI medical devices are assigned to Class III. This reflects a cautious regulatory stance toward emerging technologies.
Across jurisdictions, classification determines the level of scrutiny. Higher-risk devices require extensive documentation, including safety and performance data, clinical validation, software verification, and quality management systems.
This convergence toward risk-based classification reflects a shared regulatory principle: the level of oversight should correspond to the potential impact on patient health.
Approval pathways and lifecycle control
Approval pathways for AI medical devices are built on existing regulatory processes, with increasing emphasis on lifecycle management.
In the United States, the 510(k) pathway is the primary route for AI devices, with review times typically around six months. High-risk devices requiring Premarket Approval may take one to two years. The FDA also promotes lifecycle oversight through PCCPs, allowing controlled updates to algorithms without requiring full re-approval.
Canada follows similar timelines, with review periods of approximately 75 to 120 days for Class II–IV devices. Health Canada’s 2026 guidance on Machine Learning–Enabled Medical Devices emphasizes lifecycle management, including how algorithms are updated, validated, and monitored over time.
Japan introduced the Post-Approval Change Management Protocol (PACMP) in 2020, making it one of the first jurisdictions to formally address adaptive AI. PACMP allows predefined updates within a controlled framework, reducing regulatory burden while maintaining safety.
In the European Union, devices must obtain CE marking under MDR. For Class II and III devices, this involves assessment by Notified Bodies. AI systems must also comply with AI Act requirements, including risk management systems, transparency obligations, and human oversight mechanisms. The combination of MDR and AI Act creates a dual regulatory layer.
Australia requires inclusion in the Australian Register of Therapeutic Goods (ARTG). Approval timelines vary by risk class, with lower-risk devices often processed within 30 to 60 days. Higher-risk devices require external conformity assessment.
China requires registration for Class II and III devices through the NMPA, with review timelines typically ranging from 8 to 12 months. Regulatory guidance issued between 2019 and 2022 provides specific requirements for algorithm validation, data quality, and lifecycle management.
India mandates licensing for higher-risk devices (Class C and D), with approval timelines typically between 90 and 120 days. Recent initiatives, such as the Strategy for AI in Healthcare (SAHI) and the BODH benchmarking platform, support validation and deployment of AI systems.
Across all regions, lifecycle control is becoming a central regulatory focus. Mechanisms such as PCCP and PACMP address the challenge of adaptive AI, where systems evolve based on new data. Regulators are increasingly requiring predefined update protocols, continuous validation, and real-world performance monitoring.
Data governance, monitoring, and enforcement
Data governance is a fundamental component of AI regulation in healthcare, as AI systems depend on large-scale data for training and operation.
In the European Union, the General Data Protection Regulation (GDPR) establishes strict rules for processing personal data, including health data. The European Health Data Space (EHDS) aims to enable cross-border data sharing for research and AI development while maintaining safeguards for privacy and security.
The United States applies the Health Insurance Portability and Accountability Act (HIPAA), which governs the use and disclosure of health information in clinical settings. Canada uses the Personal Information Protection and Electronic Documents Act (PIPEDA), supplemented by provincial laws.
Japan enforces the Act on the Protection of Personal Information (APPI), which regulates data use, consent, and cross-border transfers. China applies the Personal Information Protection Law (PIPL) and the Data Security Law, both of which impose strict requirements on data processing and storage.
India currently relies on provisions under the Information Technology Act and is developing a comprehensive data protection framework. The National Digital Health Mission supports interoperability and digital infrastructure.
Post-market monitoring is mandatory across jurisdictions. Manufacturers must report adverse events and maintain quality management systems. Regulatory authorities such as the FDA, NMPA, PMDA, TGA, and European national bodies conduct inspections and enforce compliance.
Monitoring systems include databases for adverse event reporting, periodic re-evaluation requirements, and audits of quality systems. In Japan, higher-risk devices require re-examination within three to five years after approval. In the United States, adverse events are reported through the MAUDE database.
Liability frameworks are generally based on existing product liability and negligence laws. Manufacturers are responsible for ensuring safety and performance. In the European Union, the updated Product Liability Directive strengthens accountability for defective products, including AI systems.
Scalability or safety? That’s the dilemma
The current landscape of AI governance in healthcare is extensively documented in recent international analyses, including the AI Governance in Health: Global Landscape report by HealthAI and the OECD report “Scaling Artificial Intelligence in Health.” They provide a detailed comparison of regulatory approaches and highlight key structural trends.
They show that AI is already widely used in healthcare systems, particularly in administrative functions and specific clinical applications such as imaging. At the same time, large-scale deployment remains limited. According to OECD data, while AI is used in administrative processes in all member countries, adoption at the national scale for clinical applications, such as medical imaging, remains low.
The reports identify governance as a primary limiting factor. Fragmented regulatory frameworks, insufficient data infrastructure, and gaps in lifecycle oversight constrain scalability. They also highlight the importance of coordinated policy approaches, including alignment between regulators, healthcare providers, and industry stakeholders.
Across all regions analyzed, there is convergence toward risk-based regulation, use of established medical device frameworks, and increasing emphasis on lifecycle management. Differences remain in regulatory strictness, approval timelines, data governance models, and strategic priorities. These variations reflect broader economic, legal, and political contexts shaping how AI is integrated into healthcare systems.
At the same time, regulation largely focuses on officially approved medical AI tools, even though the speed of AI development makes continuous oversight increasingly challenging. A growing share of AI use in healthcare takes place outside these frameworks, through consumer tools such as chatbots and general-purpose AI systems used directly by patients and, increasingly, by healthcare professionals. This “shadow AI” operates beyond formal regulatory boundaries, influencing health decisions, triage, and clinical workflows without undergoing the same validation or supervision. Due to its scale, accessibility, and rapid evolution, this segment remains difficult to monitor and regulate within existing structures.
