Regulation | 18 February 2026 | 7 min read

What the EU AI Act means for small digital health companies, and what to do now

The first comprehensive AI law in the world is rolling out in phases. For small digital health teams, the window to prepare is closing. Here is what applies, when, and where to start.

The EU AI Act came into force on 1 August 2024, making it the first comprehensive legal framework for artificial intelligence anywhere in the world. For large technology companies with dedicated compliance teams, it has been on the radar for some time. For small and medium-sized digital health businesses, the picture is considerably less clear, and the window to act is closing.

The Act applies in phases rather than all at once. Prohibited AI practices have applied since 2 February 2025. Obligations for general purpose AI models followed on 2 August 2025. The main body of requirements for most operators, including transparency duties and the obligations for high risk AI systems, becomes applicable on 2 August 2026. For AI embedded in regulated medical devices, the transition period extends to 2027, or to 2028 under the Commission's proposal, depending on product classification. The European Commission's November 2025 Digital Omnibus package proposed further adjustments to these timelines and some simplification measures for SMEs, so the dates above may still move; the regulatory landscape remains in active development.

Why the risk classification matters

What makes the Act particularly significant for digital health is the way it classifies risk. AI systems used in healthcare contexts, including clinical decision support tools, triage software, diagnostic aids, and patient risk stratification tools, are likely to be classified as high risk. High risk classification triggers a set of requirements that go well beyond a standard product review. These include risk management systems, high quality and representative training datasets, measures to ensure transparency and explainability, logging capabilities, human oversight mechanisms, and documentation robust enough to support third party conformity assessment.

For small companies, this creates a genuine tension. Research published in npj Digital Medicine has highlighted that the EU AI Act adds significant regulatory requirements on top of the already demanding EU Medical Device Regulation, and that new medical AI startups and small enterprises with limited resources may be disproportionately affected, despite provisions in the Act intended to support SMEs. Having to navigate two overlapping regulatory frameworks simultaneously, each with its own documentation, risk assessment, and quality management requirements, is a significant operational and financial challenge for companies still building their core product.

Provisions that ease the burden on smaller teams

There are provisions specifically designed to ease the burden on smaller organisations. The Act already allows microenterprises to meet the quality management system requirement in a simplified form, and the Digital Omnibus proposal would extend that simplification to all SMEs. The Act also requires each Member State to have at least one AI regulatory sandbox operational by August 2026, and the Omnibus proposes an EU level sandbox alongside them, so that smaller businesses can test high impact AI solutions under regulatory guidance before full market entry. More generally, the Act explicitly aims to minimise administrative and financial burdens on SMEs while keeping the core requirements that protect safety and fundamental rights.

The important point for small digital health companies is that the Act is not solely a concern for large technology platforms. If a product uses AI to influence a health related decision, recommendation, or outcome, it almost certainly falls within scope. The question is not whether the Act applies but what classification applies, what requirements follow from that classification, and how early in the product development cycle those requirements can be built in rather than retrofitted.

A practical first step

Starting with a clear eyed ethical and governance review of your AI system is a practical first step. This means understanding what your system does, who it affects, what could go wrong, and what documentation, oversight mechanisms, and safeguards need to be in place. It means reviewing your training data for representativeness and bias. It means mapping where human oversight sits in your workflow and whether that oversight is genuinely meaningful or merely nominal: can the clinician actually see, question, and override what the system recommends, and does your logging record both the recommendation and what was done with it?

None of this is straightforward, and the regulatory environment will continue to evolve. But the companies that begin treating ethics, governance, and legal compliance as part of product design, rather than a procurement checklist to complete at the end, will be better placed to move quickly when NHS buyers, investors, or EU partners ask the questions that are now standard in any serious due diligence process.

Lemic Consulting supports digital health and AI teams with ethical, social and legal impact assessments, AI governance reviews, and pre launch risk assessments. If you are navigating the EU AI Act and need practical, independent input, get in touch.
