CLASSICA D8.1 Regulatory Landscape

D8.1 ‘Regulatory Landscape’ provides an overview of the EU legislative framework applicable to the development and evaluation of medical AI devices and describes how the regulatory requirements have been implemented in the CLASSICA project, which aims to develop and clinically validate an AI-based support system for surgery.

The General Data Protection Regulation (GDPR) and the Medical Device Regulation (MDR) are key EU regulations relevant to the development and validation of the CLASSICA system. Additionally, if the CLASSICA system is placed on market after the general date of application of the AI Act (AIA) (approximately mid-2026), it must comply with this regulation, too.

The GDPR governs the processing of personal data. In the CLASSICA project, partners process data concerning health, such as interoperative videos and biopsy results, for research purposes. Under GDPR, “data concerning health” is a special category of personal data that demands higher protection. The lawful grounds for processing the data vary by partner and include consent and public task, in combination with fulfilling the conditions for processing a special category of data, that is explicit consent or compliance with research exemption provisions. The CLASSICA clinical sites (ZOL, VUmc, and BBGRAZ), ARCTUR (data analytics company) and UCD act as joint controllers, which means that they jointly determine the purposes and means of data processing. They have signed a joint controller agreement, which specifies the parties’ rights and obligations with regard to the processing activities, including data sharing. The CLASSICA partners have implemented GDPR-mandated security measures, such as pseudonymisation and encryption.

The MDR governs the development and evaluation of medical devices, including medical device software. The CLASSICA system qualifies as medical device under the MDR and falls into the risk class IIa (whereby class I is the lowest risk class and class III is the highest risk class). As such, it must undergo a third-party conformity assessment. The requirements of the MDR include, among other things, achieving performance intended by the manufacturer and demonstrating an acceptable benefit-risk ratio in the context of the state-of-the-art. The studies conducted within the CLASSICA project will be used to verify compliance with these requirements. Two CLASSICA studies qualify as clinical investigations under the MDR, that is, studies which involve human subjects and have a purpose of assessing the safety or performance of the medical device. The requirements for clinical investigation under the MDR include preparing study documentation (e.g., investigator’s brochure and clinical investigation plan), obtaining the Member State’s authorisation and informed consent of the study participants, among other things. After completing the clinical evaluation—which includes verifying that clinical data demonstrate compliance with the MDR's requirements—and fulfilling all other MDR stipulations, the manufacturer can seek the conformity assessment by a notified body. A positive outcome will allow the manufacturer to declare the conformity with the MDR, label the CLASSICA system with a CE mark and place the system on the EU market.

The AIA is a new EU regulation approved by the European Parliament in March 2024 and set to enter into force in mid-2024. The AIA will govern the market entry of AI systems. Medical AI software like the CLASSICA system, which fits the definition of “AI system” in the AIA, must comply with the AIA, if placed on the market after the general date of application of the AI Act (i.e., two years after entry into force). Compliance with the MDR and AIA will be verified through a single conformity assessment procedure by a notified body.