A Buyer’s Guide to AI-Triage Devices in the EU and UK

What is AI-driven triage?

AI-driven triage tools are software systems that leverage artificial intelligence algorithms to assess patient symptoms and prioritise care. These tools play an increasingly vital role in modern healthcare by guiding patients to the right level of care (e.g. self-care, primary care, or emergency services) and aiding clinicians in initial clinical assessment. For example, an AI-triage system might collect a patient’s symptoms via an online questionnaire and suggest differential diagnoses or urgency levels, helping clinical staff streamline decision-making and allocate resources efficiently. By automating the first step of patient interaction, AI-triage tools can reduce wait times, flag critical cases sooner, and ease the burden on overstretched medical teams.

The word “triage” can have a broad definition and not all triage tools are made equal. A very simple triage tool might allow a patient to complete a digital questionnaire which is then communicated without change to a clinician for triaging. At the other end of a spectrum, advanced AI-triage devices may output differential diagnoses and prioritise patients with minimal to no clinician input.

Key Point: AI-triage software that influences clinical decisions must be regulated as a medical device. Influencing clinical decisions may come from performing summarisation of clinical data, providing recommended urgencies, or even potential diagnoses. In the EU and UK, any such software intended for diagnosis or treatment recommendation qualifies as a Software as a Medical Device (SaMD). It is illegal for manufacturers to market SaMD without appropriate regulatory compliance. Buyers should conduct their own due diligence to ensure a device has appropriate certification before purchasing to maintain patient safety and legal use.

In this guide, we provide an overview of how to evaluate AI-driven triage software for compliance, safety, and effectiveness, equipping you with the knowledge to ask the right questions and make informed decisions when comparing AI-triage solutions.

Navigating EU and UK Medical Device Regulations

Most AI-triage tools are medical devices under EU and UK regulations. Since 2021, medical devices in the EU have been governed by the EU Medical Device Regulation (MDR, Regulation (EU) 2017/745). The EU MDR replaced the older Medical Device Directive (MDD) and introduced more stringent requirements for software. Compliance with EU MDR is demonstrated by the “CE mark” label. After Brexit, the UK established its own regulatory system of “UKCA marking” (under the UK MDR 2002) which implements the older MDD in law, and covers Great Britain. Under transitional arrangements, the UK continues to recognise CE-marked medical devices until June 2030 at the latest. By 2026, the UK medical device regulations are expected to be updated to align with the EU MDR, however the UKCA mark is not recognised by the EU, EEA or NI markets.

In practice, this means buyers in the EU must ensure the product has a CE mark under the EU MDR, while buyers in Great Britain will look for a UKCA mark or a valid CE mark. Devices on the EU market, which were CE marked under the old MDD, have until 2028 at the latest to become compliant with the stricter EU MDR - as long as they can prove they have a contract with a Notified Body. Buyers should check that vendors have started this process already or risk loss of service continuity.

Key point: For an AI-triage device on the EU or UK market currently self-certified as a Class I device under the old EU MDD, the vendor should already have started the transition to up-classification under the EU MDR. This process can take several years. Check whether the manufacturer has a contract with a Notified Body for a Class II audit. Class I MDD CE-certification is now only valid until expiry or until 2028, whichever is earlier.

Medical device risk classification

Medical devices in the UK and EU are categorised by 4 risk classes. For AItriage tools, Class IIa or IIb are common classifications depending on the potential harm of erroneous advice. For instance, Visiba's Red Robin triage system is CE-marked Class IIa medical device under the EU MDR, one of the first AI-triage solutions to achieve this certification. Moderate and high risk devices must undergo an independent Notified Body audit to vet the product’s safety and performance. In practical terms, a Class IIa or above device assures buyers that the software has undergone external audit, meets rigorous safety requirements, and is backed by clinical evidence – in short, it is not just the vendor’s word, but also a regulator-sanctioned review vouching for the tool’s safety.

In the context of triage software, there are a number of things to consider that will affect the risk class of the device:

1. AI-triage tools should typically be at least Class IIa medical devices in the EU, since they provide information that influences decisions around subsequent diagnosis, investigation or treatment of patients. It would be highly unlikely for an AI-triage tool to be Class I under the EU MDR and buyers should be very wary of vendors claiming otherwise.
   
   
2. There may be some Class I triage tools under the old EU regulations and current UK regulations, but as explained in the previous section, these regulations are being deprecated in favour of more stringent regulations. Buyers should be aware of this shifting regulatory landscape which may affect the long-term compliance of Class I tools they are considering.
   
   
3. Buyers should be aware that a Class IIb certificate is required for triage situations where the triage decision may have an impact which may cause a serious deterioration in a person’s state of health, or surgical intervention.
   
   
4. There may be a small number of triage devices that fall in Class III, but these would be limited to tools which influence decisions that may result in death or irreversible deterioration in a person’s state of health.

Aligning intended use with buyer needs

What is an Intended Use Statement (IUS)?
An IUS is a formal description by the manufacturer of what the device is intended to do, and in what context. It typically defines the target patient population, the clinical setting, and the device’s purpose. For example, for an AI-triage device this might look like:

“Intended to be used by healthcare professionals for the triage of adult patients reporting symptoms, in order to recommend appropriate care or urgency”.

The IUS matters because it sets the boundaries of how the device should (and should not) be used, and it is the basis on which regulators assess the device. Buyers should ensure an AI-triage tool’s intended use matches the unmet need they are trying to solve. For example, if you are a primary care network, you want a tool intended for primary care triage, not a tool intended only for hospital emergency departments or vice versa. Some tools may only be certified for a limited patient population (e.g. adults/over 18s) or exclude certain symptoms (e.g. those suggesting an emergency, such as severe crushing chest pain). It’s important to ask the vendor for their full Intended Use and Instructions for Use (or User Manual) to ensure the AI-triage device is suitable for your needs. The IUS should be several pages long, and provide a detailed description of the approved conditions of use.

Where to check information

Buyers can find information on manufacturer and device registration via regional regulatory databases. These databases can be useful when performing due diligence on vendors to confirm device registration, classification, and intended use (where available).

• The EUDAMED database¹ covers devices on the EU market.
• The MHRA PARD² database covers devices on the UK market.

It is mandatory for manufacturers to register on MHRA PARD before placing their device on the UK market. While currently voluntary, from 2026 it will become mandatory for manufacturers to register devices on EUDAMED.

¹https://ec.europa.eu/tools/eudamed/#/screen/home
² https://pard.mhra.gov.uk/

Local and national requirements

There may be additional local requirements to consider when procuring AI-triage software, including clinical risk management, cybersecurity, information security and clinical governance. For example, in the UK, there are several additional standards required for all software used in the health system including:

DCB 0160: Clinical risk management for organisations that use health IT systems and involves conducting a clinical risk analysis on the technology and having a risk management system.

DCB 0129: Clinical risk management for manufacturers of health IT systems.
DTAC: The Digital Technology Assessment Criteria are a set of criteria for NHS and UK social care organisations to use when introducing a new digital technology covering clinical safety, data protection, technical security, interoperability, usability and accessibility.

Data Security and Protection Toolkit (DSPT), Cyber Essentials/ PLUS: Both the manufacturer and healthcare organisation must comply with relevant data protection and cybersecurity requirements when adopting a digital health software product to ensure all legal and regulatory requirements are met.

Across Europe, there are various national and region-specific regulatory requirements and processes to be aware of. For example, the Nordic countries are implementing the Nordic Digital Health Evaluation Criteria (NordDEC)³ , which sets common standards for data privacy, technical security, usability, accessibility, and professional and clinical assurance for digital technologies to meet. In Germany, some digital therapeutic health applications can follow the fast-track DiGA⁴ process to qualify for reimbursement through the health system. In France, the PECAN5 system offers a similar route to reimbursement but extends also to remote monitoring devices. Both of these routes require compliance with additional security, privacy and interoperability standards. Buyers must be aware of any additional local or national requirements when procuring AI-triage software and involve relevant team members from information technology, information governance and clinical safety early to ensure all aspects of implementing a new technology are considered.

³ https://norddec.org/
⁴ https://www.bfarm.de/EN/Medical-devices/Tasks/DiGA-and-DiPA/_node.html
⁴https://gnius.esante.gouv.fr/en/financing/reimbursement-profiles/digital-advance-care-pecan

Post-market surveillance (PMS)

Achieving product regulatory certification is only the start of its lifecycle. Post-Market Surveillance (PMS) refers to the monitoring that a manufacturer must do after the device is on the market, to ensure it continues to be safe and effective in real-world use. Under the EU MDR (and similarly in the new UK Post-Market regulations which will be enforced in June 2025), PMS is not optional – it’s a stringent, proactive process. As a buyer, you should be aware of and even inquire about the vendor’s PMS practices because they impact long-term safety and service quality.

Key elements of post-market surveillance for AI-triage devices include:

• Collecting User Feedback: The manufacturer should have channels to gather feedback from clinicians and patients who are using the AI tool.
  
  
• Monitoring Performance Metrics: AI systems can drift or encounter rare cases in real world use, so vigilance is key. Vendors should have clear mechanisms for collecting and acting on this data.
  
  
• Adverse Event Reporting: Manufacturers (and users) are required to report certain serious device malfunctions or errors to regulators (like the MHRA in the UK or national competent authorities in the EU) within specified timeframes.
  
  
• Periodic Safety Updates: Class IIa/IIb devices under MDR require a Periodic Safety Update Report (PSUR) to be produced at least every 2 years. While buyers won’t usually see the PSUR, you can ask if any safety notices or updates have arisen from these reviews.
  
  
• Post-Market Clinical Follow-up (PMCF): Some companies run ongoing studies to gather clinical data to further validate the tool’s effectiveness in various settings or update their algorithms. As a buyer, you might be offered to participate in such studies.

The upcoming EU AI Act and what to prepare for

In parallel to device regulations, the EU is finalising the Artificial Intelligence Act (EU AI Act), a law focused on all artificial intelligence systems. The act entered into force in 2024 and is gradually being applied over a transition period. The AI Act will impose additional requirements on “high-risk AI systems”, including AI medical devices that already undergo conformity assessment. AI used for medical triage or diagnosis will therefore be classified as high-risk, meaning vendors must comply with transparency, risk management, and data governance requirements in addition to MDR requirements. All sections of the AI Act are expected to be fully applied by August 2026 . Buyers can ask vendors about their EU AI Act compliance plans.

Decoding symbols, standards and acronyms

Quick reference guide:

Top 6 regulatory questions for buyers to ask AI-triage vendors.

1. Is the product a certified medical device?
   • Is it CE-marked (for EU/NI, or UK until 2030) or UKCA-marked (for GB only) and what class (I, IIa, IIb) is it? As a buyer you can ask to see evidence. If it is Class I what are the manufacturer's plans for up-classifying to class IIa? You can also check CE certifications on the EUDAMED and MHRA PARD databases. • Buyers should consider whether the risk classification of the tool is correct for its intended use. See the “medical device risk classification” section in this document for more detail on what functionalities might change the class from IIa to IIb or III.
   
   
2. What is the intended use of the AI tool?
   • Have the vendor describe it and ensure it matches your use-case. For example, who are the intended users, patient population and are there any contraindications?
   
   
3. What clinical evidence supports the tool’s performance?
   • Medical devices require clinical evidence to support their regulatory certification. As a buyer, ask for any published papers or validation reports. Has the tool been tested in a similar population to yours? How are errors handled?
   
   
4. What data does the AI use and how is data privacy maintained?
   • Ensure compliance with GDPR in EU/UK Data Protection – patient data must be handled lawfully. Don’t forget to ask about IT integration and cybersecurity.
   
   
5. How do you monitor and maintain the tool’s safety & performance in real world use?
   •How are updates delivered? How quickly can they respond to a critical issue found in the software? What support and training is provided to users? Have they ever issued a Field Safety Notice (a public declaration of an adverse event or bug that should be disseminated to all customers)?
   
   
6. Is the manufacturer prepared for the upcoming EU AI Act?
   • Are they aware of the timelines and requirements for both suppliers and deployers? What actions are they taking to prepare?

This checklist is not exhaustive but the goal of these questions is to reveal whether the vendor truly understands and meets medical device regulation requirements. A strong vendor will have ready answers, documentation to back claims, and will appreciate these questions because they indicate an informed buyer.

Don’t hesitate to dive deep – buying an AI-Triage system is not just procuring a piece of software, it’s adopting a clinical tool that will interact with your patients and staff. Ensuring it is safe, effective, and compliant is paramount to patient safety.


Co-produced by Hardian Health and Visiba May 2025

Authors:
Dr Hugh Harvey, Dr Ankeet Tanna, Dr Felicity Lock, Dr Katherine Leung, Hannah Gibson, Angela Norton-Bilsby