The EU AI Act: will regulation drive life science innovation away from Europe?

When the General Data Protection Regulation (GDPR)¹ came into effect in 2018, this appeared to accelerate the migration out of Europe for pharmaceutical clinical trials. This was not so much due to non-compliance but stemmed from regulatory ambiguity. As the EU now sets its sights on the regulation of artificial intelligence (AI) through the EU Artificial Intelligence Act (EU AI Act),² similar questions arise regarding the implementation and enforcement of the regulation. For life sciences organisations, particularly those with AI in medical devices, diagnostics and drug discovery, concerns have been raised as to whether the complexity and uncertainty of the regulatory landscape could hinder innovation in Europe.

Regulations rife with inconsistency

The EU AI Act’s lack of precise definitions mirrors issues seen in the early days of the GDPR. Undefined terms like “undue delay” and “disproportionate effort” add layers of uncertainty, which are further compounded by the fact that enforcement will rely on varying capacities and interpretations, as the EU relies on 27 independent data protection authorities³ to enforce regulations. Each Member State’s interpretation and enforcement can vary significantly, adding complexity for companies that operate across borders and desire consistency in compliance requirements.

A complex, layered regulatory landscape

The life sciences sector is no stranger to regulatory layers. With the Medical Device Regulation (MDR), the In Vitro Diagnostic Medical Device Regulation (IVDR) and now the EU AI Act, companies in this field are finding themselves navigating what has become a regulatory “jigsaw puzzle.”

Originally intended to streamline AI regulation, the EU AI Act requires companies to secure a CE marks under a dual framework — one for the medical device itself and another specifically for the AI component. This dual-layer certification process can create significant delays, as each framework involves extensive assessments for safety and performance under separate requirements specific to medical device and AI-specific criteria.

The added requirements will not only prolong approval timelines but also increase operational costs, as companies must invest in specialised compliance teams and detailed documentation for each certification layer. For organisations focused on speed and efficiency in getting innovative, AI-powered medical products to market, this growing complexity is likely to act as a deterrent, as each additional regulatory hurdle impacts both time-to-market and budget.

Consequently, some companies may look to other regions where regulatory paths are less burdensome and more streamlined to develop and test their products. Companies will look to jurisdictions that allow them to innovate and bring products to market faster.

If Europe’s regulatory landscape continues to grow in complexity, there is a real risk that these stringent requirements will push life sciences innovation outside of Europe, as companies seek more flexible environments for advancing AI in medicine and medical devices. If successful in other jurisdictions, such product will eventually make their way to Europe for approval. However, in the meantime patients will be deprived access to the most innovative products and R&D will migrate out of Europe.

EU AI Act – infrastructure and expertise gaps

A significant barrier to the EU AI Act’s success is the current lack of AI-specific skills at notified bodies: the organisations that assess and approve software medical devices in Europe. While these bodies are experienced with traditional medical devices, the demand for expertise in AI applications and regulatory assessment of machine learning (ML) technologies is relatively new.

Due to the complex and technical aspects of AI, there are worries that notified bodies may lack the necessary skills and resources to assess AI-driven medical software effectively. This shortage of skilled personnel is expected to slow down the assessment and approval process, further complicating the compliance landscape for life sciences companies.

The absence of adequate infrastructure mirrors the issues encountered by MDR and IVDR, leading to delays because notified bodies were not adequately prepared and did not have adequate capacity. Without sufficient support systems and experienced reviewers, the implementation timelines were extended, with final compliance dates now pushed to December 2028 (from May 2024 originally). This situation raises concerns that similar delays could impact the EU AI Act, creating uncertainty for companies relying on clear, consistent timelines.

Overlapping regulations and data governance challenges

A particularly complex intersection arises between the GDPR and the EU AI Act, especially concerning data governance. While the GDPR centers on privacy (including data minimisation and purpose limitation) and user consent, the AI Act emphasises data governance, bias management and transparency. Compliance can become especially challenging for companies when the GDPR’s consent requirements collide with the AI Act’s demand for representative datasets.

For instance, if certain demographic groups opt out of data sharing, organisations may struggle to maintain a representative dataset required by the AI Act, thus facing potential compliance issues from both regulations. For many years, controllers have been encouraged to only hold personal data that is necessary and for the shortest period possible (under the principles of data minimisation and purpose limitation). This collides with the EU AI Act requirements to have as broad and as deep a data set as possible.

This overlap also extends to the need for organisations to create governance structures that satisfy both privacy and transparency. Balancing the requirements of the GDPR, MDR and EU AI Act creates an intricate regulatory framework that many organisations find difficult to manage. Without harmonised guidelines or clear pathways for navigating these overlapping regulations, life sciences companies are left grappling with unclear compliance requirements.

A path forward with the EU AI Act: harmonising standards and supporting innovation

For the EU AI Act to be effective without stifling innovation, adjustments will be necessary to address the regulatory gaps, infrastructure challenges and skill shortages. A practical approach might involve harmonising existing quality management processes, allowing companies to build on certifications like ISO 13485⁴ to meet the incremental demands of the AI Act. Additionally, grace periods could help companies transition to new compliance standards without facing immediate penalties, thereby encouraging early adoption without the risk of sanctions.

Ensuring scalability and operational efficiency within the regulatory framework is another critical factor. Companies benefit from streamlined processes that avoid duplicative efforts, helping them focus on innovation and patient outcomes rather than navigating redundant compliance steps. Without these adjustments, the EU AI Act may inadvertently lead to increased operational costs and prolonged timelines, pushing companies to pursue market opportunities outside Europe.

A broader perspective: Europe’s global influence on AI regulation (the ‘Brussels Effect’)

The EU has long been a leader in setting global regulatory standards and the EU AI Act is expected to influence AI legislation worldwide, much like the GDPR did for data privacy. Many countries adopted GDPR-like data protection laws to facilitate trade with Europe; a similar domino effect is likely as nations begin aligning their AI regulations to the EU framework. While these standards may serve as a global benchmark, over-ambitious regulations can also create a deterrent for innovation if they are too rigid or costly.

An adaptable approach to regulation, focusing on achievable standards that encourage safe and innovative AI use, would be beneficial for Europe. By fostering innovation within a flexible compliance framework, the EU could enable the life sciences sector to thrive within its borders rather than being compelled to seek opportunities abroad.

Balancing innovation with regulation in life sciences

The EU AI Act represents an ambitious regulatory step toward managing AI across multiple industries, including life sciences. Yet, without sufficient infrastructure, harmonised standards and consistent enforcement mechanisms, the Act could inadvertently push life sciences innovation out of Europe. Addressing these regulatory gaps with harmonised standards and realistic compliance expectations could position Europe as a leader in AI while retaining its competitiveness in the life sciences sector.

For organisations in life sciences, the path forward requires a balance between meeting regulatory demands and fostering innovation. In refining its regulatory strategy, the EU should prioritise establishing a nurturing environment that fosters progress in AI within a transparent and easily navigable compliance structure.

References

1. General Data Protection Regulation GDPR. [Internet] intersoft consulting. Available from: https://urldefense.proofpoint.com/v2/url?u=https-3A__usw2.nyl.as_t1_157_6tjv5ohpyj0vl1xrvnhktc45s_0_6f043b58437718d3ec4f7cf752d4d32417b113b1af62cd1910a2f1704a148c87&d=DwMFAw&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=E6FB4ZjMF0bBNSzFcuKXjR5Z0EUqj6y14Sr502jGyH8&m=hxiC0vAO6Ki87uF3mS8UXxZ2CiqNkzroFSKFiWUeJgOUa4VjCTQNVshbLN_Q5MGw&s=vRqbVy3AboE-EoHgC6ynPOYK52Cu4WEauagIjr9r7SY&e=
2. The EU Artificial Intelligence Act – Up-to-Date Developments And Analyses Of The EU AI Act. [Internet] Future of Life Institute. Available from: https://artificialintelligenceact.eu/
3. The General Data Protection Regulation. [Internet] European Council Council of the European Union. Available from: https://www.consilium.europa.eu/en/policies/data-protection/data-protection-regulation/#:~:text=Application%20of%20data%20protection%20rules,-The%20regulation%20confirms&text=The%20GDPR%20establishes%20that%20a,rights%20of%20complainants%20and%20parties
4. ISO 13485 Medical Devices. [Internet] ISO. Available from: https://www.iso.org/iso-13485-medical-devices.html