On 19 November 2025, the European Commission unveiled the Digital Omnibus package, a legislative proposal introducing targeted amendments to several EU digital regulations. This package includes proposed changes to the AI Act, the GDPR, and the Data Act, with the aim of reducing regulatory complexity and improving coherence across the EU digital framework.
Note: The implications of the recent proposals for changes to the MDR, IVDR, and the AI Act are not reflected within this blog post.
Implications for Medical Device Manufacturers and AI-Driven Technologies
For medical device companies and AI-enabled medical technologies in particular, understanding and complying with evolving EU data governance rules is becoming increasingly complex. The Digital Omnibus package includes proposals that may affect how regulations interact, including the Data Act, the GDPR, and the AI Act.
The proposal discusses ways to better align the application of the AI Act with existing sectoral frameworks, particularly where high-risk AI systems are embedded in regulated products such as medical devices. It does not introduce new approval pathways, but aims to reduce duplication and clarify how evidence generated under existing regulatory regimes may be taken into account.
Notably, the proposal refers to conditions under which development and testing activities may be supported within existing regulatory frameworks, including the use of real-world data where permitted under applicable law and with appropriate safeguards. For AI-enabled medical devices, this means that manufacturers should continue to rely on MDR and IVDR mechanisms when generating safety and performance evidence, while monitoring how future guidance may clarify the interaction with AI Act obligations.
The package further explores measures intended to reduce administrative burden, including better coordination between conformity assessment activities under the AI Act and MDR/IVDR, rather than creating a single or unified conformity assessment process. Any conformity assessment requirements for medical devices and AI systems would remain subject to existing notified body structures.
Post-market obligations are not merged or unified, but the proposal signals an intention to improve consistency between post-market monitoring and vigilance requirements across digital and product safety legislation, subject to further legislative discussion and implementation.
The package further clarifies that AI-enabled medical devices can leverage existing conformity assessments under the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) for compliance with the AI Act through a single, coordinated Notified Body application (Article 28 amendment). SMEs gain priority access to EU AI regulatory sandboxes, reduced conformity assessment fees, and simplified technical documentation requirements. Post-market surveillance requirements are harmonized across MDR/IVDR and AI Act frameworks with unified vigilance reporting for AI medical device incidents. Transitional timelines for stringent AI Act obligations have been extended to 2028, while legacy devices on the market before August 2027, undergoing modifications, receive targeted relief from retroactive compliance. Additionally, a new GDPR derogation under Article 9(2)(k) aims to enable a more lenient use of health data in AI training when manufacturers have taken reasonable steps to avoid collecting special category data. On top of this, a change to the definition of personal data, seems to propose to exclude data processed by third parties who do not have access to the direct identification information, may consider such data to be anonymous, this would waive their need to comply with the GDPR entirely.
This targeted combination of regulatory flexibility and extended timelines balances innovation with safety, which is key for advancing AI-driven medical technologies in the EU.
Our regulatory experts provide comprehensive support to navigate these complex intersections, helping you ensure compliance not only with data governance reforms but also with the broader regulatory landscape affecting medical devices, software-as-a-medical-device (SaMD), and AI-enabled solutions.
Next Steps
The Digital Omnibus proposals will now proceed through the EU legislative process involving the European Parliament and the Council. Stakeholders across industries are invited to provide feedback and participate in consultations until 11 March 2026 (Source).
MedTech Europe has welcomed the package’s intent to streamline legislation and extend compliance timelines, supporting innovation while safeguarding patient access to advanced medical technologies.
For EU-based companies and regulated sectors like medical devices, including software and AI-enabled medical devices, these proposals warrant close monitoring rather than immediate operational changes. Companies should assess how potential amendments could affect their data strategies, particularly in relation to cloud infrastructure, data access, and cross-border data transfers, while continuing to comply with existing obligations.
At MedQAIR, we stay at the forefront of regulatory developments and are ready to support your organization in navigating this evolving digital landscape. Our experts provide comprehensive guidance on EU regulatory compliance, including data governance frameworks critical for medical technology innovation and market access.
For tailored regulatory compliance solutions and expert advice on medical device and AI regulations, schedule a call with our experts.
