What CE Marking for a Medical AI Tool Actually Requires and What It Means for Your Platform

CE marking for a medical AI tool means something specific. Most procurement teams evaluating AI vendors have not been told what it actually requires of the vendor or of them.

The CE mark appears on product pages, in pitch decks, and in tender responses as a signal of regulatory compliance. In isolation, the mark tells you that a conformity assessment process was completed. It does not tell you what that process involved, what classification was applied, what ongoing obligations the certification creates, or what it means for the platform that integrates the certified tool.

For CTOs and product directors making build-versus-embed decisions in healthcare, the answers to those questions matter. They determine whether a CE-marked tool provides genuine regulatory protection or simply provides a compliant-sounding answer to a procurement question.

What the EU Medical Device Regulation Actually Is

The EU Medical Device Regulation (MDR 2017/745) governs the classification and conformity assessment of medical devices in EU member states and, under a separate UKCA framework, in the UK. Software that performs a medical function, including clinical decision support tools that influence clinical decisions, falls within its scope.

The MDR replaced the older Medical Devices Directive in May 2021 for new devices. It introduced stricter requirements across clinical evaluation, post-market surveillance, and Notified Body involvement. The transition from the old directive to MDR has been one of the more consequential regulatory shifts in health technology in recent years, and many AI tools marketed as CE-marked were certified under the older, less stringent directive.

This distinction matters for procurement teams. A CE mark issued under the old Medical Devices Directive is not equivalent to CE marking under MDR. The conformity assessment requirements are different, the clinical evaluation standards are more rigorous under MDR, and the ongoing post-market surveillance obligations are more demanding. A procurement question that asks only for CE mark certification without specifying the regulatory framework provides weaker assurance than it appears to.

The Risk Classification System and Why It Matters

Medical devices under MDR are classified from Class I (lowest risk) to Class III (highest risk). The classification determines the conformity assessment route and the level of Notified Body involvement required.

Class I devices can self-certify in most cases. The manufacturer completes the conformity assessment without independent third-party review. Class IIa and above require a Notified Body, an independent certification organisation accredited by a national authority, to assess the conformity of the device.

Software performing clinical decision support functions, including AI triage tools that influence routing or clinical decisions, typically falls into Class IIa or higher under the MDR classification rules. This means a Notified Body must assess the device before it can carry a valid CE mark under MDR.

For platforms evaluating AI triage vendors, the relevant procurement question is not simply whether the tool is CE marked. It is what class the tool is certified at, whether the certification is under MDR or the old directive, and whether a Notified Body was involved in the conformity assessment.

Klinik.AI holds Class I certification under current regulations and is actively transitioning to MDR Class IIa. That transition involves Notified Body assessment, clinical evaluation under MEDDEV 2.7/1 Rev 4 and MDR Article 61 requirements, and establishment of a Quality Management System meeting ISO 13485 standards. This is a more demanding and more meaningful certification than Class I self-certification.

What Clinical Evaluation Actually Involves

The clinical evaluation under MDR is one of the most significant departures from the old directive’s requirements. Under MDR Article 61, manufacturers must conduct a clinical evaluation that demonstrates the safety and clinical performance of the device through clinical data.

For an AI triage tool, this means demonstrating, with clinical evidence, that the system performs its intended clinical function safely and accurately across the patient populations it is designed to serve. The evaluation must be conducted by qualified clinicians, documented in a Clinical Evaluation Report, and reviewed by the Notified Body.

Self-assessed safety claims are not sufficient under MDR clinical evaluation requirements. The manufacturer must produce clinical data, from equivalent devices, literature evidence, or direct clinical investigation, that demonstrates safety and performance. The Notified Body reviews the clinical evaluation as part of the conformity assessment.

Klinik.AI’s clinical evaluation rests on more than 23 million patient interactions across European healthcare systems. The system’s emergency detection concordance of greater than 99% with healthcare professionals is a clinical performance metric of the type MDR clinical evaluation requires. Zero serious patient hazards reported across that interaction volume is the safety record that a clinical evaluation must demonstrate.

Post-Market Surveillance: The Ongoing Obligation

CE marking is not a one-time certification. Under MDR, manufacturers have ongoing post-market surveillance obligations that continue for the lifetime of the device.

Post-market surveillance requires the manufacturer to systematically collect and analyse data from real-world device use to identify any safety signals, performance issues, or adverse events. The manufacturer must maintain a Post-Market Surveillance Plan, produce regular Post-Market Surveillance Reports, and for Class IIa and above, complete a Periodic Safety Update Report.

For an AI triage tool, this means the manufacturer must monitor clinical outcomes, review flagged interactions, track adverse events, and demonstrate that the device continues to meet its clinical performance claims in real-world use. It is a substantive ongoing operational commitment, not a periodic audit.

This is directly relevant to platforms considering building their own medical reasoning capability. The CE marking process is the most visible milestone. The post-market surveillance commitment that follows it is where the ongoing operational cost sits. Platforms that embed Klinik.AI transfer that commitment to a team that has managed it for more than ten years.

What ISO 13485 Requires

ISO 13485 is the Quality Management System standard for medical device manufacturers. CE marking under MDR requires the manufacturer to operate a Quality Management System that conforms to ISO 13485 or an equivalent standard.

A QMS meeting ISO 13485 requires documented processes for design and development control, risk management under ISO 14971, clinical evaluation, post-market surveillance, complaints handling, corrective and preventive action, internal audit, and management review. Every change to the device that could affect safety or performance must go through documented change control.

For a software product, this means that every update to the AI logic, every change to the clinical algorithm, every modification to the question sequence or urgency classification, must be evaluated for safety impact, documented, and approved through the QMS before release. This is a materially different development process from the agile release cycles that software teams typically operate.

This is not a criticism of agile development. It is a description of why medical device development requires a different process. The QMS exists to ensure that changes to a safety-critical system are evaluated and documented before they affect patients.

For platforms building their own clinical reasoning capability, establishing and maintaining a QMS meeting ISO 13485 is a significant ongoing operational commitment. For platforms embedding Klinik.AI, the ISO 13485 compliance framework is already in place, and the platform interacts with a component that operates within that framework without needing to build one internally.

What CE Marking Means for the Platform That Integrates a Certified Tool

This is the question that procurement teams and product directors most often do not ask, and should.

Integrating a CE-marked medical device into a digital health platform does not automatically transfer the CE marking to the platform. The platform is a distinct product from the embedded device. If the platform itself influences clinical decisions, or if the way the platform presents clinical information could affect clinical outcomes, the platform may itself require medical device assessment.

The way Klinik.AI’s integration model addresses this is through clear architectural separation. Klinik.AI, as the CE-marked device, performs the clinical reasoning. The platform presents the outputs and manages the user journey. The clinical decision function sits within the regulated component. The platform does not need to acquire medical device status for the triage function because the triage function is performed by the embedded device.

This architectural separation is the practical reason why embedding a CE-marked medical reasoning engine provides regulatory protection that building a triage layer internally does not. When the clinical reasoning sits within a regulated component with its own certification, the platform is integrating a certified device rather than performing an uncertified clinical function.

The Procurement Question Worth Asking

When a procurement team is evaluating AI triage vendors and the CE mark appears in the tender response, the questions that provide meaningful assurance are more specific than the mark itself.

Under which regulatory framework was the certification issued? MDR or the old Medical Devices Directive?

What risk classification does the device carry? Class I, IIa, IIb, or III?

Was a Notified Body involved in the conformity assessment? If so, which one?

What is the post-market surveillance process, and who is responsible for it?

What does the ISO 13485 QMS cover, and how does it handle software updates?

Does the integration of this device into our platform create any medical device obligations for us?

These questions separate substantive regulatory compliance from a mark on a product page. The answers determine whether a platform is genuinely protected by embedding a certified medical device or simply embedding a claim.

Frequently Asked Questions

Does integrating a CE-marked medical AI tool make our platform a medical device?

Not necessarily. The key question is whether your platform performs a medical function independently of the embedded device. If the clinical reasoning sits within the CE-marked component and your platform presents the outputs without modifying the clinical logic, the clinical function is performed by the embedded device. Your platform integrates a certified component rather than performing an uncertified clinical function. You should take legal advice specific to your integration architecture and jurisdiction.

What is the difference between Class I and Class IIa CE marking for a medical AI tool?

Class I devices can largely self-certify. Class IIa and above require conformity assessment by an independent Notified Body. For clinical decision support software that actively influences clinical decisions, Class IIa is the appropriate classification under MDR. Class I self-certification provides weaker assurance for this type of tool because it does not require independent third-party review of clinical safety and performance claims.

What does ISO 14971 require and why is it relevant to AI triage?

ISO 14971 is the risk management standard for medical devices. It requires manufacturers to systematically identify hazards associated with the device, estimate and evaluate associated risks, control those risks, and monitor the effectiveness of controls. For an AI triage system, this means formal analysis of what happens when the system makes an incorrect urgency classification and documented controls to reduce the probability and consequences of that error.

How does Klinik.AI handle software updates within its QMS?

Every change to Klinik.AI’s clinical logic, question sequences, or urgency classification goes through documented change control within the ISO 13485 QMS. Changes that could affect safety or clinical performance are evaluated for risk impact, validated, and documented before release. This process is what MDR requires for changes to certified medical devices.

How does the regulatory landscape for health AI differ between the EU and UK?

The UK has its own UKCA framework following its departure from the EU. For software as a medical device, the MHRA publishes separate guidance and the regulatory requirements broadly align with MDR, though there are specific differences in classification and conformity assessment requirements. Klinik.AI operates across both EU and UK regulated markets. Platforms should seek regulatory advice specific to the markets they operate in.

If you want to walk through what Klinik.AI’s certification covers, what it means for your integration, and what questions to put to any AI triage vendor, the conversation is worth having before you make a build-versus-embed decision.
