Digitalisierung

What does the EU AI Act mean for your medical practice?

Are you considering using artificial intelligence in your practice—for documentation, patient communication, or handling phone calls? The benefits are becoming clear every day. Yet, few people realize the actual obligations that come with it. This article explains what the EU AI Act means for your practice, which deadlines are currently in effect, and how to remain compliant without getting bogged down in bureaucracy.

16.7.2026
Julien Sara Lorenz
Reading time
output:  Moderner Krankenhausflur mit Empfang und Pflanzen.

Practice
Type
Specialty
Location
Website
About the practice

Challenge

In this article, you'll read:

The essentials at a glance

  • As soon as your practice uses an AI system professionally, you are legally considered an "operator"—this affects almost every practice that uses AI.
  • Two obligations apply regardless of any deadline extensions: AI literacy for your team (since February 2025) and transparency toward your patients (starting August 2026).
  • With three clear steps—assessment, training, and documentation—you can ensure compliance without disrupting your daily practice routine.

You might recognize the situation: at conferences and among colleagues, AI is suddenly everywhere—voice recognition for documentation, automated appointment reminders, and support for treatment plan communication. Thinking about introducing such a solution yourself? Before you start, you should know one thing: as soon as AI is used in your dental practice, you become subject to the EU AI Act. Most practice owners just don't know what that means in practice. 

Does the EU AI Act actually apply to your practice?

The EU AI Act applies to every medical and dental practice that uses an AI system—not just hospitals or AI developers.

The EU AI Act (Regulation (EU) 2024/1689) distinguishes between two roles: the provider, who develops and markets an AI system, and the operator, who uses it. As a physician in private practice or an MVZ owner, you are generally considered an operator. This applies regardless of whether the software merely transcribes conversations or makes independent suggestions.

This clears up the first common misconception: "We aren't developing AI, so it doesn't affect us." It does. As soon as you professionally use an AI-supported solution in patient care or practice management, you are subject to the regulation. Even a solo practice with an AI-supported telephone assistant falls under these rules.

The good news: as an operator, you have significantly fewer obligations than the manufacturer. There are additional simplifications for small practices, especially regarding documentation.

Which deadlines actually apply to your practice now?

The EU AI Act has been in effect since August 1, 2024, and is being implemented in stages—some obligations apply today, while others will take effect in the coming years.

There is a lot of confusion in many practices, and that is understandable. The legislator has chosen a staggered schedule. This overview shows you what applies and when:

The stricter obligations for high-risk systems were also originally scheduled to apply from August 2026. However, the timeline has shifted: with the so-called Digital Omnibus, EU institutions agreed in the spring of 2026 to push these deadlines back. It is important to note: postponed does not mean abolished. The substantive requirements remain, and until the final publication, the original schedule formally remains in effect (as of June 2026).

The key takeaway for you: don't wait until 2027. The two obligations that affect every practice—AI literacy and transparency—are already in effect or will be starting in August 2026, regardless of any postponements.

Is your AI a high-risk system?

Whether an AI system in a medical practice is considered high-risk depends on whether it influences diagnostic or therapeutic decisions—purely administrative and documentation solutions generally do not.

The AI Act follows a risk-based approach: the higher the risk to the patient, the stricter the requirements. It is therefore worth checking this classification when selecting a solution. For practical purposes, systems can be divided into two camps:

Where is the line drawn in everyday practice?

The distinction is not always clear-cut. A solution that transcribes and documents a doctor-patient conversation remains in the administrative realm. However, if the same software independently suggests diagnostic codes or therapies, the threshold for a medical device may have been crossed. 

Therefore, the rule is: document the intended purpose of each system in writing, request the risk classification from the manufacturer, and classify conservatively in case of doubt.

What do you need to do as an operator?

As the operator of an AI system, your primary responsibilities are ensuring trained staff, human oversight, and traceable documentation.

The list of obligations may sound extensive at first, but it can be broken down into a manageable checklist for daily practice. For purely administrative solutions, only the first three points are relevant:

  • Ensure AI literacy: Your team understands the functionality, limitations, and risks of the systems in use. Formal certification is not required, but training should be documented.
  • Guarantee human oversight: The final decision regarding diagnosis and treatment always remains with the human. Appoint a professionally qualified person to review the AI results.
  • Create transparency: Your patients know when they are interacting with an AI. This applies especially to automated communication and chatbots.
  • Check input data (high-risk only): The data provided is relevant and sufficiently representative.
  • Monitor operation and report incidents (high-risk only): Anomalies are identified and reported.
  • Keep logs (high-risk only): At least six months; conduct a data protection impact assessment if necessary.

These obligations do not exist in a vacuum. In parallel, the GDPR applies to the handling of health data, as does medical confidentiality under Section 203 of the German Criminal Code (StGB). Anyone who puts patient data into an unprotected cloud system risks running into trouble here—regardless of the AI Act.

This is precisely where the choice of your solution determines your workload. Nelly's AI documentation, for example, is designed as a supportive tool: it transcribes the conversation and creates a draft documentation including billing suggestions—the final professional approval always remains with you. 

This ensures that the final human decision remains structurally anchored, and the solution operates in the administrative domain rather than the high-risk category.

Learn more about it here: https://www.getnelly.de/produkte/ki-dokumentation 

What happens if you ignore these obligations?

Violations of the EU AI Act can have consequences on three levels simultaneously: fines, civil liability, and professional disciplinary measures.

The risks are distributed across three levels, which can all apply simultaneously in the event of a claim:

A clear example: An AI diagnostic tool misses a finding, and the patient sues. Suddenly, three questions arise at once—those of the public prosecutor's office, the medical association, and the market surveillance authority. And one of them is: Why was no risk analysis conducted?

Important context: The AI Act does not provide for direct fines for an isolated violation of the AI literacy requirement. However, a lack of AI literacy can be viewed negatively during an official audit and can contribute to liability in the event of a claim. Taking care of this is therefore worthwhile, regardless of potential fines.

How do you keep track of your AI obligations in everyday practice?

With a structured inventory, documented training, and a solution that inherently incorporates transparency and human oversight, the EU AI Act can be met without significant extra effort.

The requirements seem cumbersome in theory. In practice, you can handle them in three steps:

  1. Conduct an inventory: Get an overview of which AI models are already in use in your practice or which you would like to introduce—from documentation solutions and telephone assistants to patient chats. Record the intended purpose for each system in writing.
  2. Train your team and document it: Ensure that everyone working with the systems understands how they function and what their limitations are. Note the date and the participants—this is sufficient as proof.
  3. Opt for transparent solutions: Choose partners who have already integrated patient transparency and human oversight into their workflows. This includes the ability to deactivate the AI at any time upon a patient's request: if a patient does not want the AI running during their treatment, it can simply be turned off. Before treatment begins, you can see at a glance if a patient has not provided consent. This allows you to fulfill key obligations without needing to retrofit your systems.

The right choice pays off, especially in this third step. Nelly's AI Plan Agent handles all communication regarding treatment plans – from transmission to follow-up. Patient communication is transparent by design, and you retain full control over the content of the treatment plan within your practice.

Learn more here: https://www.getnelly.de/produkte/ki-plan-agent 

"We were genuinely worried that the new AI regulations would create additional bureaucratic work for us. In fact, the opposite was true, as documentation and patient communication run flawlessly thanks to Nelly's solutions. We barely had to change a thing."

Helen Stürmer, former practice manager

Conclusion: Now is the time to clarify your AI obligations

The EU AI Act is neither a reason for panic nor a topic you should postpone until 2027. As soon as you use AI, you are immediately subject to two obligations: ensuring your team's AI literacy and maintaining transparency with your patients. Both can be met with manageable effort – provided you get an overview now and rely on solutions that incorporate compliance from the start. 

As the operator, you bear the responsibility – but you don't have to carry it alone. Choosing the right provider determines how much effort this requires in practice. Nelly's solutions are GDPR-compliant, TÜV-certified, and hosted on German servers. They are designed so that human oversight and transparency do not need to be added as an afterthought. They are built in from the beginning. 

Get information without obligation: Find out in a personal consultationhow Nelly's solutions can relieve your practice in documentation and patient communication – in a way that is data-compliant and transparent. 

FAQs about the EU AI Act in medical practices

Does the EU AI Act also apply to small, single-physician practices?

Yes. As soon as you use an AI system professionally – for example, for documentation or appointment scheduling – you are considered an operator under the regulation. The size of your practice does not affect whether you are subject to the rules. However, smaller practices are subject to simplified requirements, particularly regarding documentation.

Is an AI-supported documentation solution considered a high-risk system?

Generally, no. As long as the solution transcribes and documents the conversation without independently making diagnoses, it remains in the administrative domain. It is only when it independently suggests diagnostic or therapeutic decisions that it may be classified as a high-risk system. When in doubt, ask the manufacturer about the intended purpose.

Do I have to inform my patients that I am using AI?

Starting in August 2026, your patients must be able to recognize when they are interacting with AI or when content has been AI-generated. This primarily applies to chatbots and automated communication. Transparent patient communication meets this requirement while simultaneously building trust.

Julien Sara Lorenz

Marketing @Nelly Solutions

Julien Sara Lorenz has been involved in the digitalization of healthcare for almost four years and has a deep understanding of the challenges faced by dental practices in everyday life. Her goal is to show how well-thought-out digital processes can sustainably relieve dentists and their teams.

Want to know more?

Get all the details - completely free and with no obligation.

Let's talk

You might also be interested in: