1 Introduction

The European regulatory framework for Medical Devices (MD) and In Vitro Diagnostics (IVD) has gone through consecutive changes since the 1970s, moving from a substantially national, subjective, and prescriptive approach towards an objective approach shared across all Member States, assigning more responsibilities to the manufacturer since the 1990s, and putting patients at the centre. This evolution was driven by the highest principles, ensuring the highest patient safety and defining clear responsibilities for manufacturers, but with the goal of building a single EU marketplace and ensuring the free circulation of MDs. Many authors refer to this shift using the expression “New Approach”. According to the “new approach”, the responsibility of the manufacturer is balanced with the principle of free movement of products and the protection of health as a priority [1]. The journey started with the Directive on active implantable MD (i.e., 90/385/EEC), followed by the Directive on MD (i.e., 93/42/EEC), and later the Directive on IVD (IVDs − 98/79/EC). These Directives were supplemented by several Guidance documents on MD Classification and Vigilance and, in 2007, by a substantial amending Directive (i.e., 2007/47/EC) resolving points related to the reclassification of implants, data confidentiality, clinical evaluation, post-market surveillance, and software validation. Since 2007, medical software has been definitively equated to medical devices. In 2017, the EU MD Regulation (MDR 2017/745) and the IVD Regulation (IVDR 2017/746) replaced the former directives, incorporating medical software into the definition of MD [2].

Scholars interested in impactful AI applications in medicine, and not only in theoretical speculation, should familiarise themselves with the MDR and IVDR, but also with the General Data Protection Regulation (i.e., GDPR, EU Regulation 2016/679), as well as with recent initiatives such as the European Health Data Space (EHDS) and the AI Act, which are expected to become Regulations by the end of 2024 (Fig. 1). The perimeters of the EHDS and the AI Act have now been well defined, and their principles and substance are clearly understandable to those who are familiar with the MDR, IVDR, and GDPR. To help scholars familiarise themselves with this complex framework, the current paper offers a historical perspective, starting from the authors’ assumption that the European Union was forged by the historical and economic challenges that Europe faced in the past 80 years; understanding the regulations in the context of this journey may help readers in facing the present and anticipating future regulatory changes.

Fig. 1: Historical evolution of regulations

2 The journey from steel to medical devices

2.1 Europe in the Post-WWII reconstruction

After World War II, European nations sought to rebuild their economies and establish stability. In 1951, with the Treaty of Paris, the European Coal and Steel Community (ECSC) was formed, aiming to integrate the coal and steel industries of six founding countries. This was a visionary and at the same time pragmatic idea: in order to reconstruct Europe after WWII, there was a significant need for coal and steel. Moreover, steel and coal were also essential to build weapons and wage war, and with shared management of those essential resources, no single country could make the weapons of war to turn against others, as in the past. Nowadays data are the new coal, and warfare relies more and more on AI. Therefore, it is urgent that a new alliance on those two assets is defined in Europe and beyond.

2.2 Treaty of Rome and the vision of a common market

The so-called ‘Swinging Sixties’ was a period of unprecedented economic growth in Europe. In this context, the Treaty of Rome in 1957 established the European Economic Community, laying the foundations for a common European market. This phase saw the elimination of trade barriers among member states and the gradual creation of a customs union. Economic integration deepened with the formation of the Common Agricultural Policy and the European Regional Development Fund, which were essential instruments in view of the economic and demographic shifts that Europe was going through, including the baby boom, internal migration among western EU countries, increased life expectancy, and urbanisation. Yet, in the sixties, the Cold War exacerbated the economic divide between eastern and western European countries, with a significant escalation of tension from August 1961, when the first barriers of the Berlin Wall were built. Meanwhile, the EU expanded with the accession of new Western members, facing economic challenges such as the oil crises and stagflation in the seventies. Efforts were made to address economic disparities among member states.

3 The end of totalitarianism in Europe and the need for new movements for goods and people

The eighties came with the first signs of the collapse of totalitarianism in Europe, starting with the historic actions of the Solidarność trade union in Poland. There is nothing better than a common space for research, trade in goods, and workers’ free movement to consolidate Europe. On the 13th of June 1987, the Erasmus programme was launched. This programme has so far given more than 10 million people the chance to study, train, volunteer, and gain work experience abroad, significantly contributing to the making of a new generation of European citizens. On the 9th of November 1989 the Berlin Wall fell, and with it Germany was reunited after more than 40 years; its Eastern half joined the European Communities in October 1990. In the nineties, the former Yugoslavia began to break apart.

Now, there was a renewed need in Europe for a new model of freedom, allowing people, capital, goods, and ideas to move around European countries without barriers.

A major milestone was reached on the 7th of February 1992, when the Maastricht Treaty was signed in the Netherlands, setting clear rules for the future single currency, for foreign and security policy, and for close cooperation in justice and home affairs. The European Union was officially created, with the Treaty entering into force on the 1st of November 1993. The European Economic Area was created, entering into force on the 1st of January 1994, and with the Schengen Agreement, since 1995, EU travellers have been allowed to move with no passport controls at the frontiers, initially in 7 countries (today 26). The euro was introduced in 1999 for electronic transactions, followed by physical banknotes and coins in 2002.

4 With great freedom comes great responsibility: the need for common rules on MD and data

With the creation of a common space for citizens, industries, goods, and workers, goods produced in one country could be sold and used in another EU country. This posed new challenges, especially for families of products that carry potential risks for end-users. This was the case with medical devices, where a significant knowledge asymmetry created a significant divide among designers, manufacturers, lead users, and end-users.

There was now a renewed need for specific rules for the MD common market, too. Therefore, a few months after the entry into force of the Maastricht Treaty, EU rules on MD were harmonised with the three Directives regulating the common market and the use of active implantable MD (i.e., 90/385/EEC), MD (i.e., 93/42/EEC) and in vitro diagnostics (IVDs − 98/79/EC), later replaced by the MDR 2017/745 and the IVDR 2017/746 in 2017. Conversely, hospitals and other health settings are regulated by member states at the national level and are not equally harmonised in Europe, although the Cross-Border Healthcare Directive (2011/24/EU) establishes patients’ rights to receive healthcare services in another EU member state and seeks to facilitate cooperation and coordination between member states in the provision of healthcare. This finds its legal basis in the Maastricht Treaty (article 152), which recognises the autonomy of national health systems and promotes dialogue between social partners, eventually materialised through the so-called “Open Coordination Method”.

There is already a significant body of literature describing the innovative contributions of the MDR with respect to the three former MD directives, which readers can explore further [3]. The 2017 EU MDR ensures the safety and efficacy of MDs, pursuing the highest level of protection for patient health, safety, and rights. Its primary purpose is establishing a comprehensive regulatory framework for medical devices within the European Union. The MDR introduces a more stringent risk-based classification system for MDs, leading to increased scrutiny and regulation for higher-risk devices. There is a heightened focus on clinical evaluation and post-market surveillance, requiring manufacturers to provide more comprehensive and transparent clinical data throughout the device’s lifecycle. The regulation mandates the use of a Unique Device Identification (UDI) system, enabling the traceability and identification of medical devices throughout the supply chain. Notified Bodies, responsible for assessing conformity with the MDR for riskier MDs, undergo more stringent evaluation and oversight, ensuring higher standards and consistency in device assessments. Those stringent requirements for the MD market pose challenges for manufacturers operating in a global market: meeting the MDR’s criteria might not align with the regulations in other regions or countries, creating a disparity in compliance standards and significant problems for lower-income countries surrounding Europe and during emergencies [4]. Moreover, the MDR does not mention AI, while AI has the potential to significantly impact several aspects of what the MDR regulates. This may require a reconsideration, and a few amendments to the MDR, once the AI Act is enforced. Conversely, the U.S. Food and Drug Administration (FDA) has published dedicated plans for AI in relation to Medical Devices [5].

5 From coal to data: the new value generation in medicine

When Europe started moving from an “industrial economy” to a so-called “knowledge economy” [6], raw data became the new coal, and in order to generate value there was a clear need to transform raw data into intellectual capital, innovation, information, education, training, research and the development of new technologies. Therefore, again, it is not surprising that principles for data protection were defined with the European Union’s Data Protection Directive 95/46/EC in 1995 (two years after the MD Directive), which was then replaced in 2016 (one year before the MDR) by the General Data Protection Regulation (GDPR), which came into effect in 2018.

5.1 Legal basis of fair free movement of data in Europe: GDPR

Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly called the General Data Protection Regulation (GDPR), entered into force on the 25th of May 2018. The GDPR defines individuals’ fundamental rights in the digital age; the obligations of those processing data (i.e., collecting, storing, sharing, analysing data, etc.); the methods and costs for ensuring compliance; and the sanctions for those in breach of the rules [7]. Even if the reference to AI is not explicit, the GDPR is relevant for AI, because it includes rules for fair data management and explainable automated decision-making, and because it establishes the need for data protection impact assessments. However, the GDPR is not an AI regulation; in fact, it is not specific to AI and does not cover AI aspects, except for the processing of the personal data that AI uses. It is worth noticing that although the ambition of this regulation was to regulate the free movement of data, to the extent that this was clearly mentioned in the title too, there is a common impression that it is mainly intended to protect data and limit their exchange. This resulted in many challenges, creating the need for further regulations, specifically on the sharing of health data.

5.2 The infrastructure for sharing health data: EHDS

Now that AI is promising to revolutionise many sectors, including medicine, in parallel with the historical need for a shared market of coal and steel, Europe is in huge need of sharing health data in order to maintain competitiveness and, in some areas, leadership in medical research and in the MD manufacturing sector. The COVID-19 pandemic contributed to creating awareness in this regard. In 2020, a strong discussion emerged around the need for the European Health Data Space (EHDS), aimed at creating a unified and interoperable ecosystem for health data management and exchange to improve healthcare outcomes, foster medical research, and enhance healthcare delivery, facilitating the secure and standardised sharing of health data across EU member states. A core element of the EHDS is the distinction between primary use (clinical care) and secondary use (research, policy-making). The proposal for primary use is based on the building of a voluntary infrastructure named MyHealth@EU, not touching the national rules but providing for a new common legislative framework, which is expected to provide better access to and exchange of electronic health data, with the final goal of better health outcomes, better evidence and cost savings. For secondary use, it establishes common EU rules on permits and common safeguards and unlocks the health sector’s data economy potential through evidence-based policy-making and regulatory activities [8].

A further key element of the EHDS is the proposal of an “opt-in/opt-out” mechanism for using data in line with the GDPR. In this system, for primary use, the “opt-in” approach is required: the patient can control and, therefore, explicitly consent or dissent to the use of their data. An opt-in system is often seen as more respectful of individual autonomy and privacy, but it may result in further complexity in the creation of large datasets, as it requires active consent registration from each individual. Conversely, for the secondary use of data an “opt-out” approach is foreseen, where the individual can withdraw consent for uses beyond the primary purpose of healthcare delivery, e.g., for research purposes. An opt-out system may lead to the creation of larger datasets, as it does not require active consent from each individual. However, it may raise concerns about privacy and the awareness of individuals regarding the use of their data. The specific implementation of these mechanisms within the EHDS would need to carefully consider the balance between enabling robust research and innovation and safeguarding individual rights and privacy, which reflects a more complex balance among citizens’ rights: the right to privacy vs. the right to more effective medicine as the result of impactful research [9].

The EHDS is a pillar of the European Health strategy, aimed at overcoming the existing fragmentation of rules by building an overarching infrastructure for better health data management, which can help in facing healthcare emergencies such as COVID-19. However, even the EHDS presents limitations, in particular regarding the protection of sensitive information across borders, interoperability and data standardisation: varied systems and practices among healthcare providers may hinder the seamless exchange and use of health data, and differences in national legislation can impede the harmonisation of health data governance.

5.3 Regulating AI for medicine: the AI-act

The above scenario is completed by the recent news that the EU Parliament and Council reached a deal on comprehensive rules for trustworthy AI. In fact, the AI Act is the first-ever comprehensive legal framework on Artificial Intelligence worldwide. It was proposed by the EU Commission in April 2021 and published for feedback, and in December 2023 a political agreement was reached between the EU Parliament and the Council. Based on this political agreement, the new regulation is expected to be voted on within 2024 and enforced after three years (i.e., by 2027), as with any other EU Regulation. Yet, four years in this domain can be too long; therefore, readers may like to familiarise themselves with the key elements of this regulation, which can already be explored based on the available AI Act documents. The main new elements of the provisional agreement related to medical applications are three: the AI definition, the scope and perimeter of the EU AI regulation, and the adoption of a risk-based approach as in the MDR.

Regarding the AI definition, the AI Act will adopt a specific definition of AI, distinguishing AI from simpler software systems. The scope and perimeter of the AI Act were also defined by the political agreement reached in December 2023, which clarified that this regulation does not apply to areas outside the scope of EU law that are exclusively left to member states, and that the AI Act will not apply to systems used for the sole purpose of research and innovation, or to people using AI for non-professional reasons.

Finally, as in the MDR, the AI Act will adopt a risk-based approach for AI. The AI Act clearly defines the AI applications that will not be permitted in the EU. These include AI applications for social scoring, for face recognition in public spaces, and for the manipulation of people. Then there are high-risk AI applications, such as AI applications for education, employment, justice, and immigration, which are permitted pending a conformity assessment, in parallel with Class II and Class III medical devices. The path for the conformity assessment will have to be carefully defined, but an equivalent of a Notified Body will have to be involved, after an accreditation procedure. Moreover, the AI Act will regulate limited-risk AI applications, such as chatbots, deep fakes, and emotion recognition systems not falling within the definition of unacceptable or high risk. For those applications, transparency will be crucial, with manufacturers required to use clear labelling or to disclose that content has been manipulated [10], in line with the GDPR, which already requires controllers processing personal data to be transparent about the use of profiling and automated decision-making. Finally, minimal-risk AI applications will include AI used in spam filters or video games; for those applications manufacturers will be required to adopt a code of conduct, avoiding any complicated CAP (Conformity Assessment Procedure).

5.4 The contribution of the global community of biomedical engineers and clinical engineering

The European community of biomedical and clinical engineering has been proactive in contributing to the development of the legal framework depicted in this paper. Founded in 2023, the European Alliance of Medical and Biological Engineering and Science (EAMBES; https://eambes.org/), a not-for-profit NGO, federates 67 biomedical engineering scientific societies and research institutions from 31 European countries, representing the European ecosystem of clinical and biomedical engineering. EAMBES is a member of the International Federation for Medical and Biological Engineering (IFMBE; https://ifmbe.org/), which affiliates 6 international (IEEE MBES, AAMI, ACCE, CAHTMA, CORAL and EAMBES) and 77 national scientific societies from 74 countries, representing the global ecosystem of clinical and biomedical engineering. In this role, EAMBES supports the European Parliament and Commission in shaping the regulatory framework impacting patient safety and medical devices. Founded in 1959 in the UNESCO building in Paris, the IFMBE is a not-for-profit NGO in official relations with the UN World Health Organization (WHO), working with several UN agencies (UNESCO, ILO, WHO). Since their foundation, EAMBES and IFMBE have helped European and international policymakers in shaping the regulatory frameworks pertaining to medical devices and allied technologies. In particular, since 2015, EAMBES has been continuously supporting the European Parliament and the European Commission in developing relevant reports, such as the report on the Economic and Social impact of BME (published in the Union Journal Eur-Lex, 2015/C 291/07), regulations, such as the Medical Device Regulations (2017/745 and 2017/746), the EHDS and the AI Act, and in the creation of the first European Parliament Interest Group on Biomedical Engineering [11]. While the BME community maintains its fingerprint and roots deep in research, teaching and innovation, the fast evolution of the medical device field has required those organisations to assume a growing and proactive role in supporting policymakers in shaping regulations with a significant impact on patient health and well-being.

6 Challenges

Each regulation mentioned in this paper plays a crucial role in shaping the landscape of healthcare, data privacy, and technology in the EU, with its specific focus areas and regulatory approach. However, all these regulations originated with the aim of facilitating the creation of a single EU market, able to compete with emerging economies and large international players, by standardising European practices and ensuring fairness, safety, privacy, and ethical standards across member states.

In particular, both the GDPR and the EHDS deal extensively with data exchange, protection and privacy rights. The MDR and the AI Act, while not primarily focused on data privacy, also have to take these aspects into account, particularly when dealing with health data or AI systems that process personal data.

Regarding the regulatory approaches used in the MDR, GDPR, EHDS and AI Act, there are differences which must be taken into account. The MDR and the AI Act include an explicit classification system based on low/high risk, and the EHDS adds the distinction among minimal/limited/high/unacceptable risk. This then cascades into the CAP, defining a clear path for ensuring the safety and efficacy of products and services used in Europe. Conversely, the GDPR only refers to “simple” and “complex” data, with the result that people often interpret this regulation in a “conservative” way in relation to health data sharing. The GDPR does not explicitly define a low-risk use case with an agile CAP, generating huge heterogeneity in its interpretation among member states and, within each member state, among regions and hospitals. Figure 2 presents a comparative analysis of the regulations mentioned.

Fig. 2: Comparative analysis among mentioned regulations

The MDR, published in 2017, incorporated the 2007 amendment regarding medical software. Yet, it presented many limitations with regard to medical software, which will be exacerbated when most MDs incorporate some AI. The MDR will require significant amendments, and agile procedures for CE marking will be needed, considering the novelties introduced by the EHDS and the EU AI Act. The MDR did not address AI, although AI applications in medicine were already significant in 2017.

A common limitation of the MDR, EHDS and AI Act is the lack of explicit attention to environmental aspects and social inclusion. Training AI algorithms has a significant CO2 footprint (de Vries, 2023), and sharing and storing data is a quite energy-intensive industry. As for the MDR, it is surprising that, 30 years after the adoption of the first MD directives, there is no classification of MDs regarding their CO2 emissions. We need to make an extra effort to ensure that MDs, the EHDS and AI are as green as other goods and services accessible in the EU, and that their production is aligned with EU net-zero emission targets.

Equally important is the principle of leaving no one behind, strengthened also by the 2030 Sustainable Development Goals (SDGs). Instead, the MDR and GDPR have created many de facto barriers. CE marking for MDs as defined in the MDR is often used as a requirement for accepting MDs in non-EU markets, as is the case in many countries in Africa. Yet, most African hospitals do not meet the same minimum criteria as European hospitals, which EU MD manufacturers take for granted, exposing local patients and healthcare operators to unnecessary risks.

The AI Act responds to the need for a single regulatory framework, but it is quite European-centric, while AI is a global challenge. The EHDS cannot be a lever to increase the digital divide with the Low Resource Settings (LRSs) surrounding Europe, such as African countries. The risk is to repeat the mistakes of the past, where universal regulatory frameworks failed to consider local and country context and specificity, and some areas suffered from them. The EHDS should already consider the integration of high-quality data from Africa through cooperation instruments. European innovators should use AI to reduce the digital divide between Europe and LRSs, but this regulation does not open up in this direction.

The origin of Europe and its institutions can be traced to progressive historical and economic challenges: the urgency of post-war reconstruction, for which coal and steel were necessary, and the need to end the warlike climate pushed the countries to unite, sharing the management and circulation of those valuable goods. Subsequent historical developments confirm the growing need to facilitate the movement of goods and people within the European context.

Dematerialization of goods, services and values increased the importance of data: once again, wars of dominance and oppression must be avoided, and Europe needs to reaffirm its central positioning.

However, from the 1990s to 2017 many things changed, and the European legal frameworks that initially emerged for an economic purpose have been refined, while others still need to be reviewed. MDs have become increasingly digital and software-dependent, paving the way for the transformation that is about to happen with AI, but with a substantial difference: when the MDR was reformulated in 2017, the state of the art described in ISO standards and UNI norms was already wide and strong. Now EU policymakers are regulating AI when the state of the art for this transformative technology is not yet well defined and far from being established. It is therefore natural for Europe to equip itself with strong instruments for health data sharing in order to maintain competitiveness with respect to large American corporations and emerging Asian economies, which have different systems for protecting human rights.

The AI Act follows the now established method of European directives, namely the risk-based approach and a clear CAP path, providing clear examples of what can and cannot be done and what can only be done under strong control by notified bodies, which has worked well for MDs. In contrast, the GDPR does not have an explicit risk-based approach, does not explicitly define low-risk cases, and is prone to heterogeneous interpretations.