Mike King, Senior Director, Product & Strategy (Quality, Regulatory, Safety & Detect), Digital Products & Solutions at IQVIA and Alex Denoon, Partner at Bristows Law Firm, explore the challenges of implementing the EU AI Act and the impact of GDPR requirements in life sciences.
When the General Data Protection Regulation (GDPR)[1] came into effect in 2018, it appeared to accelerate the migration of pharmaceutical clinical trials out of Europe. This was not so much due to non-compliance but stemmed from regulatory ambiguity. As the EU now sets its sights on the regulation of artificial intelligence (AI) through the EU Artificial Intelligence Act (EU AI Act),[2] similar questions arise regarding the implementation and enforcement of the regulation. For life sciences organisations, particularly those with AI in medical devices, diagnostics and drug discovery, concerns have been raised as to whether the complexity and uncertainty of the regulatory landscape could hinder innovation in Europe.
Regulations rife with inconsistency
The EU AI Act’s lack of precise definitions mirrors issues seen in the early days of the GDPR. Undefined terms like “undue delay” and “disproportionate effort” add layers of uncertainty. These are further compounded by the fact that enforcement will rely on varying capacities and interpretations, as the EU relies on 27 independent data protection authorities[3] to enforce regulations. Each Member State’s interpretation and enforcement can vary significantly, adding complexity for companies that operate across borders and desire consistency in compliance requirements.
A complex, layered regulatory landscape
The life sciences sector is no stranger to regulatory layers. With the Medical Device Regulation (MDR), the In Vitro Diagnostic Medical Device Regulation (IVDR) and now the EU AI Act, companies in this field are finding themselves navigating what has become a regulatory “jigsaw puzzle.”
Originally intended to streamline AI regulation, the EU AI Act requires companies to secure CE marks under a dual framework: one for the medical device itself and another specifically for the AI component. This dual-layer certification process can create significant delays, as each framework involves extensive assessments for safety and performance under separate medical device and AI-specific criteria.
The added requirements will not only prolong approval timelines but also increase operational costs, as companies must invest in specialised compliance teams and detailed documentation for each certification layer. For organisations focused on speed and efficiency in getting innovative, AI-powered medical products to market, this growing complexity is likely to act as a deterrent, as each additional regulatory hurdle impacts both time-to-market and budget.
Consequently, some companies may look to other regions where regulatory paths are less burdensome and more streamlined to develop and test their products. Companies will look to jurisdictions that allow them to innovate and bring products to market faster.
If Europe’s regulatory landscape continues to grow in complexity, there is a real risk that these stringent requirements will push life sciences innovation outside of Europe, as companies seek more flexible environments for advancing AI in medicine and medical devices. If successful in other jurisdictions, such products will eventually make their way to Europe for approval. However, in the meantime patients will be deprived of access to the most innovative products and R&D will migrate out of Europe.
EU AI Act – infrastructure and expertise gaps
A significant barrier to the EU AI Act’s success is the current lack of AI-specific skills at notified bodies: the organisations that assess and approve software medical devices in Europe. While these bodies are experienced with traditional medical devices, the demand for expertise in AI applications and regulatory assessment of machine learning (ML) technologies is relatively new.
Due to the complex and technical aspects of AI, there are worries that notified bodies may lack the necessary skills and resources to assess AI-driven medical software effectively. This shortage of skilled personnel is expected to slow down the assessment and approval process, further complicating the compliance landscape for life sciences companies.
The absence of adequate infrastructure mirrors the issues encountered by MDR and IVDR, leading to delays because notified bodies were not adequately prepared and did not have adequate capacity. Without sufficient support systems and experienced reviewers, the implementation timelines were extended, with final compliance dates now pushed to December 2028 (from May 2024 originally). This situation raises concerns that similar delays could impact the EU AI Act, creating uncertainty for companies relying on clear, consistent timelines.
Overlapping regulations and data governance challenges
A particularly complex intersection arises between the GDPR and the EU AI Act, especially concerning data governance. While the GDPR centers on privacy (including data minimisation and purpose limitation) and user consent, the AI Act emphasises data governance, bias management and transparency. Compliance can become especially challenging for companies when the GDPR’s consent requirements collide with the AI Act’s demand for representative datasets.
For instance, if certain demographic groups opt out of data sharing, organisations may struggle to maintain a representative dataset required by the AI Act, thus facing potential compliance issues from both regulations. For many years, controllers have been encouraged to only hold personal data that is necessary and for the shortest period possible (under the principles of data minimisation and purpose limitation). This collides with the EU AI Act requirements to have as broad and as deep a data set as possible.
This overlap also extends to the need for organisations to create governance structures that satisfy both privacy and transparency. Balancing the requirements of the GDPR, MDR and EU AI Act creates an intricate regulatory framework that many organisations find difficult to manage. Without harmonised guidelines or clear pathways for navigating these overlapping regulations, life sciences companies are left grappling with unclear compliance requirements.
A path forward with the EU AI Act: harmonising standards and supporting innovation
For the EU AI Act to be effective without stifling innovation, adjustments will be necessary to address the regulatory gaps, infrastructure challenges and skill shortages. A practical approach might involve harmonising existing quality management processes, allowing companies to build on certifications like ISO 13485[4] to meet the incremental demands of the AI Act. Additionally, grace periods could help companies transition to new compliance standards without facing immediate penalties, thereby encouraging early adoption without the risk of sanctions.
Ensuring scalability and operational efficiency within the regulatory framework is another critical factor. Companies benefit from streamlined processes that avoid duplicative efforts, helping them focus on innovation and patient outcomes rather than navigating redundant compliance steps. Without these adjustments, the EU AI Act may inadvertently lead to increased operational costs and prolonged timelines, pushing companies to pursue market opportunities outside Europe.
A broader perspective: Europe’s global influence on AI regulation (the ‘Brussels Effect’)
The EU has long been a leader in setting global regulatory standards and the EU AI Act is expected to influence AI legislation worldwide, much like the GDPR did for data privacy. Many countries adopted GDPR-like data protection laws to facilitate trade with Europe; a similar domino effect is likely as nations begin aligning their AI regulations to the EU framework. While these standards may serve as a global benchmark, over-ambitious regulations can also create a deterrent for innovation if they are too rigid or costly.
An adaptable approach to regulation, focusing on achievable standards that encourage safe and innovative AI use, would be beneficial for Europe. By fostering innovation within a flexible compliance framework, the EU could enable the life sciences sector to thrive within its borders rather than being compelled to seek opportunities abroad.
Balancing innovation with regulation in life sciences
The EU AI Act represents an ambitious regulatory step toward managing AI across multiple industries, including life sciences. Yet, without sufficient infrastructure, harmonised standards and consistent enforcement mechanisms, the Act could inadvertently push life sciences innovation out of Europe. Addressing these regulatory gaps with harmonised standards and realistic compliance expectations could position Europe as a leader in AI while retaining its competitiveness in the life sciences sector.
For organisations in life sciences, the path forward requires a balance between meeting regulatory demands and fostering innovation. In refining its regulatory strategy, the EU should prioritise establishing a nurturing environment that fosters progress in AI within a transparent and easily navigable compliance structure.
About the authors
Mike King is Senior Director, Product & Strategy (Quality, Regulatory, Safety & Detect), Digital Products & Solutions at IQVIA. He is particularly focused on optimising business workflows through intelligence-driven simplification and automation within and across the safety, regulatory and quality functions. Michael has nearly 20 years of knowledge and experience leading localised and global teams in regulatory affairs and quality assurance.
Alex Denoon is Partner at Bristows Law Firm. Alex heads the life sciences regulatory team at Bristows. He has more than 25 years’ experience advising clients in the sector. In addition to his LLB, Alex spent more than five years in-house, including as GC and Company Secretary of Biotech Australia. He works with clients to devise and implement regulatory strategies throughout the product life cycle of pharmaceuticals and medical devices, and advises clients in relation to more challenging issues including: genomics, cell therapies, tissue and cells requirements, borderline products, combination products, 3D printing, healthcare apps and remote diagnostics, and has been involved in the development of a number of regulatory frameworks and guidelines. Alex has a BSc in Human Genetics.
References
1. General Data Protection Regulation GDPR. [Internet] intersoft consulting. Available from: https://urldefense.proofpoint.com/v2/url?u=https-3A__usw2.nyl.as_t1_157_6tjv5ohpyj0vl1xrvnhktc45s_0_6f043b58437718d3ec4f7cf752d4d32417b113b1af62cd1910a2f1704a148c87&d=DwMFAw&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=E6FB4ZjMF0bBNSzFcuKXjR5Z0EUqj6y14Sr502jGyH8&m=hxiC0vAO6Ki87uF3mS8UXxZ2CiqNkzroFSKFiWUeJgOUa4VjCTQNVshbLN_Q5MGw&s=vRqbVy3AboE-EoHgC6ynPOYK52Cu4WEauagIjr9r7SY&e=
2. The EU Artificial Intelligence Act – Up-to-Date Developments And Analyses Of The EU AI Act. [Internet] Future of Life Institute. Available from: https://artificialintelligenceact.eu/
3. The General Data Protection Regulation. [Internet] European Council Council of the European Union. Available from: https://www.consilium.europa.eu/en/policies/data-protection/data-protection-regulation/#:~:text=Application%20of%20data%20protection%20rules,-The%20regulation%20confirms&text=The%20GDPR%20establishes%20that%20a,rights%20of%20complainants%20and%20parties
4. ISO 13485 Medical Devices. [Internet] ISO. Available from: https://www.iso.org/iso-13485-medical-devices.html