[Medical ML] Regulatory Landscape for Medical AI: FDA, CE Marking, and Ukrainian MHSU

Posted on by Yoman
Regulatory Landscape for Medical AI

Regulatory Landscape for Medical AI: FDA, CE Marking, and Ukrainian MHSU

📚 Academic Citation: Ivchenko, O. (2026). Regulatory Landscape for Medical AI: FDA, CE Marking, and Ukrainian MHSU. Medical ML Diagnosis Series. Odesa National Polytechnic University.

Article #6 in Medical ML for Ukrainian Doctors Series

By Oleh Ivchenko | Researcher, ONPU | Stabilarity Hub | February 8, 2026

📋 Key Questions Addressed

  1. How do FDA, EU, and Ukrainian regulatory frameworks differ in their approach to AI-enabled medical devices?
  2. What are the pathways for market authorization of medical AI software in each jurisdiction?
  3. How can Ukrainian developers prepare for both domestic approval and international market access?

Context: Why Regulatory Understanding Matters

For ScanLab and any medical AI initiative targeting Ukrainian healthcare, regulatory compliance isn’t optional—it’s existential. Understanding the regulatory landscape determines:

  • Market access: Which markets can you legally enter?
  • Development priorities: What documentation and validation is required from day one?
  • Timeline and cost: Regulatory pathways vary from weeks to years and from thousands to millions in investment
  • Trust building: Physician adoption correlates strongly with regulatory approval status

As we noted in Article #5 on data requirements, medical AI development must build regulatory-ready documentation from the start. This article maps the three key regulatory environments relevant to Ukrainian medical AI developers.

1. United States: FDA Framework for AI/ML Medical Devices

The Regulatory Structure

The U.S. Food and Drug Administration (FDA) has been regulating medical devices since 1976 and has emerged as the global leader in AI-specific medical device regulation. The FDA defines Software as a Medical Device (SaMD) as software intended for medical purposes that performs without being part of a hardware device.

📊 Key Statistics

  • As of late 2025, the FDA has authorized over 1,200 AI/ML-enabled medical devices
  • Approximately 100 new approvals annually
  • Global SaMD market valued at $18.5 billion

Classification and Pathways

The FDA employs a risk-based classification system:

  • Class I (Low Risk): Fitness trackers, simple displays — Generally exempt
  • Class II (Moderate Risk): AI triage tools, ECG analysis — 510(k) pathway (~90 days)
  • Class III (High Risk): Autonomous diagnostic AI, mammography AI — PMA pathway (~180 days)
  • Novel Moderate: First-of-kind AI tools — De Novo pathway (~60 days)

📌 Key Finding: A 2015-2020 study found that of 222 FDA-approved AI/ML devices, 204 (92%) used the 510(k) pathway, 15 used De Novo, and only 3 required full PMA.

The 2024-2025 AI/ML Action Plan

In December 2024, the FDA finalized groundbreaking guidance introducing the Total Product Life Cycle (TPLC) approach specifically designed for AI/ML devices:

Predetermined Change Control Plans (PCCP)

  • Manufacturers can pre-specify allowed modifications to AI algorithms
  • Updates within the approved PCCP scope don’t require re-approval
  • Addresses the fundamental tension between AI’s adaptive nature and regulatory requirements for “locked” algorithms

Good Machine Learning Practice (GMLP) – 10 Principles

  1. Representative and unbiased training datasets
  2. Robust cybersecurity practices
  3. Transparent communication with end-users about algorithm updates
  4. Documented data management and retraining protocols

Transparency Gaps

Despite progress, studies reveal significant transparency issues:

  • Study design reported: 53.3% of devices
  • Training data size disclosed: 46.7% of devices
  • Demographic data included: 4.5% of devices
  • Randomized trial evidence: 1.6% of devices
  • Reported adverse events: 5.2% of devices

⚠️ Critical Concern: One study found that 9.4% of approved AI/ML devices have been recalled, though one-third were subsequently re-approved.

2. European Union: MDR and AI Act Double Regulation

The Regulatory Duality Challenge

European medical AI developers face a unique challenge: compliance with two overlapping regulatory frameworks:

  1. Medical Device Regulation (EU MDR 2017/745) – sector-specific medical device law
  2. EU AI Act (Regulation 2024/1689) – horizontal AI legislation

“Companies risk being caught between overlapping regulatory frameworks.” — MedTech Europe

EU AI Act Risk Classification

“`mermaid graph TD A[AI System Assessment] –> B{Medical Device?} B –>|Yes – Requires Notified Body| C[HIGH-RISK AI] B –>|No| D{General Purpose?} D –>|Yes| E[GPAI Requirements] D –>|No| F{Manipulation Risk?} F –>|Yes| G[PROHIBITED AI] F –>|No| H[LOW-RISK AI] C –> I[Full Compliance Obligations] G –> J[Banned Outright] E –> K[Transparency Requirements] H –> L[Minimal Obligations] style C fill:#dc3545,color:#fff style G fill:#000,color:#fff style E fill:#ffc107,color:#000 style H fill:#28a745,color:#fff “`

🔑 Critical Point: Any medical device with AI that requires notified body involvement under MDR/IVDR is automatically classified as high-risk under the AI Act.

Compliance Timeline

“`mermaid timeline title EU AI Act Compliance Milestones May 2025 : General-purpose AI obligations apply August 2025 : Prohibited AI practices enforced August 2026 : High-risk AI obligations (most systems) August 2027 : Full obligations for medical devices under MDR/IVDR “`

High-Risk AI Requirements (Beyond MDR)

  1. Risk Management System (Art. 9): AI-specific risk assessment aligned with MDR
  2. Data Governance (Art. 10): Requirements for training, validation, and testing datasets
  3. Technical Documentation (Art. 11): Comprehensive documentation of design, training, and validation
  4. Transparency (Art. 13): Clear disclosure of accuracy levels and limitations
  5. Human Oversight (Art. 14): Ensuring appropriate human control over AI outputs
  6. Quality Management System (Art. 17): AI QMS integrating with ISO 13485

CE Marking Pathway

“`mermaid graph TD A[1. Classification – MDR Annex VIII] –> B[2. Technical Documentation] B –> C[3. Quality Management System] C –> D[4. Conformity Assessment] D –> E[5. EU Declaration of Conformity] E –> F[6. CE Mark Affixation] “`

3. Ukraine: MHSU and EU Integration Path

Current Regulatory Framework

  • Ministry of Health of Ukraine (MHSU/MOH): Central executive body for technical regulation
  • State Service of Ukraine on Medicines and Drugs Control (SSMD): Market supervision authority
  • Technical Regulations: Based on Decrees No. 753, 754, 755 (October 2013)

⚡ Critical Limitation: Ukrainian regulations are currently aligned with older EU Directives (93/42/EEC, 98/79/EC, 90/385/EEC), not the current EU MDR. Harmonization with MDR is expected within approximately 2 years.

2025 Reform: State Regulatory Authority (SRA)

A major reform announced in 2025 establishes the State Regulatory Authority (SRA)—a single regulator that will:

  • Grant market access for medicines, medical devices, substances of human origin, and cosmetics
  • Replace the current fragmented regulatory structure
  • Align more closely with EU institutional practices

Medical Device Classification in Ukraine

  • Class I (non-sterile, no measuring): Self-declaration
  • Class I (sterile or measuring): Notified body examination
  • Class IIa/IIb: QMS examination
  • Class III: Design + QMS examination
  • IVD (general): Self-declaration (Lists A/B require notified body)

AI-Specific Considerations

🇺🇦 Current Status: Ukraine has no specific AI regulation for medical devices. AI-enabled devices are assessed under general medical device rules.

Practical Implications for ScanLab:

  1. Develop to EU AI Act standards from the outset (future-proofing)
  2. Maintain documentation that satisfies FDA requirements (optional but valuable)
  3. Leverage EC Certificate recognition pathway for faster Ukrainian market access
  4. Prepare for eventual MDR alignment in Ukrainian regulations

4. Comparative Analysis

Pathway Comparison

  • 🇺🇸 FDA: Most mature AI-specific framework; PCCP enables adaptive algorithms; 510(k) pathway accessible
  • 🇪🇺 EU: Dual regulation challenge; AI Act adds significant burden on top of MDR; August 2027 deadline for medical devices
  • 🇺🇦 Ukraine: Currently based on older EU Directives; SRA reform underway; EC recognition provides efficient market access; no AI-specific rules yet

Market Access Strategy for Ukrainian Developers

“`mermaid graph LR A1[ISO 13485 QMS] –> A2[MDR Documentation] A2 –> A3[AI Act Annex IV] A3 –> A4[GMLP Compliance] B1[Notified Body Selection] –> B2[Conformity Assessment] B2 –> B3[EU Market Entry] C1[Authorized Representative] –> C2[EC Certificate Recognition] “`

5. Practical Implications for ScanLab

Immediate Actions

  1. Establish ISO 13485 QMS: Foundation for all regulatory pathways
  2. Document AI development per GMLP: Training data, validation, testing—all from project inception
  3. Design for transparency: Build explainability features that satisfy both clinical and regulatory needs
  4. Plan for adaptive algorithms: Implement change control processes compatible with FDA PCCP concept

Regulatory Timeline Considerations for ScanLab

  • 🇺🇦 Ukrainian Market: 6-12 months (via CE recognition)
  • 🇪🇺 EU Market: 12-24 months (full CE marking + AI Act)
  • 🇺🇸 US Market: 12-18 months (510(k) pathway)

6. Open Questions for Future Research

5.5 Post-Market Surveillance and Continuous Compliance

Regulatory approval is not a one-time event but the beginning of continuous compliance obligations. Medical AI systems require robust post-market surveillance (PMS) frameworks that monitor real-world performance and detect drift, degradation, or unexpected failure modes.

FDA Post-Market Requirements

Under FDA regulations, manufacturers must maintain a comprehensive PMS system that includes:

  • Medical Device Reporting (MDR): Report serious injuries, malfunctions, and deaths within 30 days. AI-specific considerations include reporting when the algorithm produces erroneous outputs that lead to clinical harm, even if hardware functioned correctly.
  • Periodic reporting: Submit annual reports summarizing complaints, malfunctions, and performance metrics. For AI/ML-enabled devices, this includes reporting on model drift, retraining frequency, and validation results.
  • Corrections and removals reporting: Notify FDA within 10 days of initiating any correction or removal that could affect safety or effectiveness. Algorithm updates that change clinical decision logic typically trigger this requirement.

The FDA’s proposed PCCP framework adds requirements for Algorithm Change Protocol (ACP) reports, which document planned modifications, their rationale, validation methods, and expected impact on clinical performance. This creates a structured pathway for iterative improvement while maintaining regulatory oversight.

EU MDR Vigilance System

The EU’s vigilance requirements under MDR are more prescriptive than FDA’s framework:

  • Serious incident reporting: Report to national competent authorities within timeline based on severity (immediate for deaths, 30 days for serious injuries)
  • Trend reporting: Report statistically significant increases in incident frequency, even if individual events are minor. For AI systems, this means monitoring for systematic biases or performance degradation across patient populations.
  • Periodic Safety Update Reports (PSURs): Submit comprehensive safety reviews annually or upon request, analyzing all available safety data including scientific literature, clinical experience, and post-market clinical follow-up (PMCF) data.

Notified bodies conduct unannounced audits to verify PMS system effectiveness, reviewing complaint handling, incident investigations, and risk-benefit analyses. Non-compliance can result in certificate suspension.

Ukrainian Post-Market Obligations

Ukraine’s current system, based on older EU Directives, requires:

  • Vigilance reporting to the State Expert Center of the Ministry of Health
  • Corrective action notifications for safety-related changes
  • Annual registration renewal with updated safety data

As Ukraine moves toward EU MDR harmonization, these requirements will likely strengthen significantly. Developers should anticipate implementing full MDR-compliant PMS systems even before formal regulatory changes, as this documentation supports both current Ukrainian registration and future EU market access.

5.6 Compliance Costs and Resource Planning

Understanding the financial and human resource requirements for regulatory compliance is critical for feasibility assessment and business planning. Costs vary significantly based on device class, AI complexity, and chosen regulatory pathways.

FDA Pathway Costs

For a Class II AI-based imaging analysis device pursuing the 510(k) pathway:

  • FDA user fees: $21,590 (standard), $5,397 (small business) as of 2025
  • Quality system development: $80,000-$150,000 for ISO 13485 implementation and certification
  • Clinical validation studies: $200,000-$800,000 depending on dataset size, annotation costs, and multi-site requirements
  • Regulatory consulting: $50,000-$150,000 for submission preparation and FDA interaction management
  • Testing and verification: $30,000-$100,000 for software testing, cybersecurity assessments, and performance validation
  • Total estimated cost: $380,000-$1,200,000

Timeline: 12-18 months from submission to clearance, with 3-6 months for FDA review after submission acceptance.

EU CE Marking Costs

CE marking under MDR for a Class IIa AI medical device:

  • Notified body fees: €25,000-€60,000 annually for initial assessment and ongoing surveillance
  • ISO 13485 + ISO 14971: €60,000-€120,000 for implementation and certification
  • Clinical evaluation: €80,000-€250,000 for clinical evidence generation and evaluation report
  • Technical documentation: €40,000-€100,000 for comprehensive MDR-compliant technical file preparation
  • AI Act compliance (high-risk system): €50,000-€150,000 for conformity assessment, risk management documentation, and data governance framework
  • Total estimated cost: €255,000-€680,000 (~$280,000-$750,000)

Timeline: 18-24 months from start to CE certificate issuance, with 6-12 months for notified body assessment.

Ukrainian Registration Costs

For Ukrainian market access via EC Certificate recognition:

  • Registration application fee: ~$500-$1,500
  • Document translation and legalization: $2,000-$5,000
  • Local authorized representative: $3,000-$8,000 annually
  • MHSU assessment time: 2-4 months if EC Certificate is recognized; 6-9 months for direct assessment
  • Total cost (with existing EC Certificate): $5,500-$14,500

The dramatic cost difference makes the EC Certificate recognition pathway highly attractive for Ukrainian developers targeting multiple markets. Investing in EU compliance provides access to both European and Ukrainian markets while creating a strong foundation for subsequent FDA submission.

Staffing Requirements

Regulatory compliance requires dedicated personnel or external expertise:

  • Regulatory Affairs Specialist: 1.0 FTE during submission preparation; 0.3-0.5 FTE for ongoing compliance
  • Quality Assurance Manager: 0.5-1.0 FTE for QMS maintenance and document control
  • Clinical Affairs Lead: 0.5 FTE for clinical evaluation, validation studies, and post-market clinical follow-up
  • AI/ML Validation Engineer: 1.0 FTE for performance testing, bias analysis, and continuous monitoring

Small companies often outsource regulatory and quality functions to specialized consultants, with typical engagement costs of $15,000-$35,000 per month during active submission periods.

  1. How will Ukraine’s planned SRA handle AI-specific medical device requirements?
  2. What will be the timeline for Ukrainian MDR harmonization?
  3. How are notified bodies preparing for joint MDR/AI Act assessments?
  4. What predicate devices exist for AI-based X-ray analysis under FDA 510(k)?
  5. How should developers handle the gap between AI Act requirements and current Ukrainian regulation?

Key Insights Summary

How do FDA, EU, and Ukrainian frameworks differ? FDA leads in AI-specific guidance with TPLC/PCCP; EU creates dual regulatory burden with MDR + AI Act; Ukraine relies on older Directive-based rules with EC recognition pathway.

What are market authorization pathways? FDA: 510(k)/De Novo/PMA; EU: CE marking via notified body; Ukraine: Direct assessment or EC Certificate recognition.

How can Ukrainian developers prepare for international access? Develop to EU AI Act + MDR standards; this documentation base supports all three markets with minimal adaptation.

🎯 For Ukrainian Medical AI Developers

The optimal strategy is develop once, deploy globally:

  1. Build to the highest common denominator (EU AI Act + MDR)
  2. Use this documentation base for FDA and Ukrainian submissions
  3. Leverage EC Certificate recognition for Ukrainian market speed
  4. Plan for eventual Ukrainian MDR harmonization

Next in Series: Article #7 – US Experience: FDA-Approved AI Devices

Series: Medical ML for Ukrainian Doctors | Stabilarity Hub Research Initiative

Author: Oleh Ivchenko | ONPU Researcher | Stabilarity Hub