How does MHRA classify AI as a medical device?

MHRA classifies Software as a Medical Device (SaMD) based on intended purpose. If AI software is intended for diagnosis, prevention, monitoring, prediction, prognosis, or treatment of disease, it qualifies as a medical device. Classification follows MDR 2002 rules: Class I (low risk), Class IIa, Class IIb, or Class III (highest risk). AI providing clinical decision support typically falls into Class IIa or higher.

What is the MHRA AI Airlock and how does it work?

The AI Airlock is MHRA's regulatory sandbox for AI medical devices, launched in 2024. It provides a controlled environment where developers can test AI/ML medical devices with real patients under regulatory supervision. Phase 2 of the Airlock runs until April 2026 and feeds into a new MHRA regulatory framework for AI in healthcare due later in 2026, informed by the National Commission into the Regulation of AI in Healthcare. The sandbox allows MHRA to observe AI behaviour, gather real-world evidence, and develop proportionate regulatory approaches. Participants receive tailored regulatory advice and expedited market-access pathways.

What evidence does NICE require for AI health technologies?

NICE Evidence Standards Framework for Digital Health Technologies requires functional evidence (the technology works as intended), clinical evidence (clinical outcomes improve), and economic evidence (cost-effectiveness). For AI specifically, NICE emphasizes algorithmic transparency, training data quality documentation, ongoing performance monitoring, and evidence of generalizability across different populations and settings.

How does CQC oversee AI use in healthcare settings?

CQC assesses AI use through its fundamental standards framework, focusing on safe care and treatment, good governance, and staffing. Providers must demonstrate appropriate AI governance, staff training, clinical validation processes, and human oversight arrangements. CQC inspectors evaluate whether AI tools are properly integrated into clinical workflows and whether providers monitor AI performance and patient outcomes.

Where do NHS AI buyers and developers go for consolidated guidance in 2026?

The NHS AI and Digital Regulations Service (digitalregulations.innovation.nhs.uk) is the consolidated entry point in 2026, bringing together MHRA, NICE, NHS England and CQC guidance for people developing or planning to use AI and digital technologies in health and social care. It supersedes the previous reliance on the NHS AI Lab as a single-source view, and runs alongside the NHS AI strategic roadmap (2025–2028) which targets NHS-wide rollout of validated AI diagnostic tools and AI scribes from 2027.

Do UK healthcare AI regulations differ from EU MDR requirements?

Post-Brexit, UK operates its own medical device framework (UK MDR 2002, as amended). While broadly aligned with EU MDR principles, UK has flexibility to diverge. Key differences include UKCA marking instead of CE marking, MHRA as sole regulatory authority, and the AI Airlock sandbox unique to UK. However, many manufacturers pursue dual compliance for market access to both UK and EU.

What clinical validation is required for AI diagnostic tools in the UK?

AI diagnostic tools require clinical validation proportionate to their risk classification. This includes analytical validation (accuracy, sensitivity, specificity), clinical validation (performance in intended clinical setting), and ongoing performance monitoring. For higher-risk classifications, prospective clinical studies may be required. MHRA expects validation data to demonstrate safety and effectiveness across representative UK patient populations.

UK healthcare AI regulation, April 2026

01 — Regulatory landscape 02 — MHRA classification for AI 03 — AI Airlock and the new MHRA framework 04 — NHS adoption pathway 05 — How GLACIS helps

AI Airlock phase 2 closes April 2026. Outputs feed directly into a new MHRA AI medical device framework due later in 2026, informed by the recently created National Commission into the Regulation of AI in Healthcare.
MHRA International Reliance Framework launches Autumn 2026 — enabling greater MHRA reliance on approvals from comparator regulators (FDA, Health Canada). Expected to compress UKCA timelines for SaMD already cleared abroad.
NHS AI & Digital Regulations Service (digitalregulations.innovation.nhs.uk) is now the consolidated entry point bringing together MHRA, NICE, NHS England and CQC guidance. Replaces reliance on the older NHS AI Lab single-source view.
Joint MHRA–FDA–Health Canada principles on predetermined change control plans (PCCPs) and ML-enabled device transparency remain the international anchor — useful pre-positioning for the new UK framework.
NHS AI strategic roadmap (2025–2028): NHS-wide rollout of validated AI diagnostic tools and AI scribes targeted from 2027; investment in AI infrastructure runs through 2028.
DUAA in force from 5 February 2026 — new lawful basis of recognised legitimate interests for ADM, with safeguards. Section 103 right to complain commences 19 June 2026 and applies to ADM in clinical settings.

The UK’s healthcare AI framework operates through multiple specialised bodies. MHRA regulates AI as medical devices under UK MDR 2002 — classification drives the obligations. CQC oversees AI use within healthcare providers through its fundamental standards. NICE sets evidence standards for digital health technology adoption. The new NHS AI & Digital Regulations Service consolidates guidance for buyers and developers; the older NHS AI Lab brand sits behind it.

The AI Airlock regulatory sandbox, launched by MHRA in 2024, is now in phase 2 — closing April 2026 and feeding into a new framework due later in 2026. It provides a controlled pathway for novel AI medical devices to demonstrate safety and effectiveness with real patients, while informing regulatory policy development.

The path to compliance: (1) determine whether the AI qualifies as a medical device; (2) achieve appropriate MHRA classification and registration; (3) meet NICE evidence standards for NHS adoption; (4) ensure deploying organisations satisfy CQC governance requirements; (5) maintain post-market surveillance and continuous evidence. AI is in the clinical environment whether or not anyone is watching it — the framework is asking who is watching, with what record.

UK healthcare AI regulatory landscape

Unlike the EU’s horizontal AI Act, the UK regulates healthcare AI through existing sectoral frameworks — primarily medical device regulation for AI products and healthcare provider oversight for deployment settings. This approach sits inside the UK’s broader pro-innovation AI regulatory strategy.

MHRA

Medicines and Healthcare products Regulatory Agency

Regulates AI as medical devices under UK MDR 2002. Responsible for UKCA marking, classification, market surveillance, and the AI Airlock sandbox. Key authority for pre-market AI medical device approval.

CQC

Care Quality Commission

Inspects and rates healthcare providers in England. Assesses AI use through fundamental standards framework covering safe care, governance, and staffing. Evaluates whether providers properly govern and monitor AI tools.

NICE

National Institute for Health and Care Excellence

Sets evidence standards through the Evidence Standards Framework for Digital Health Technologies. Evaluates clinical and economic evidence for NHS adoption. Guidance informs commissioning decisions.

NHS AI & Digital Regulations Service

Consolidated entry point — formerly NHS AI Lab

Consolidated guidance for AI and digital tech in health and social care, bringing together MHRA, NICE, NHS England and CQC. Replaces the older NHS AI Lab single-source view and runs alongside the NHS AI strategic roadmap (2025–2028) and the AI in Health and Care Award.

Additional Oversight Bodies

ICO

Data protection and UK GDPR compliance for health data processing. Automated decision-making requirements under Article 22.

HRA

Health Research Authority oversees AI research involving NHS patients. Ethics approval for clinical studies.

AI Security Institute

Evaluates frontier AI safety, though healthcare-specific guidance remains with MHRA and NHS bodies.

MHRA medical device classification for AI

Under UK MDR 2002, software qualifies as a medical device if it has a medical intended purpose. AI used for diagnosis, monitoring, prediction or treatment recommendation is typically classified as Software as a Medical Device (SaMD). Classification determines regulatory requirements, from self-declaration for Class I to full conformity assessment for Class III.

Is the AI a medical device?

Likely yes, if it:

Diagnoses, prevents, monitors, predicts or treats disease
Provides clinical decision support that influences treatment
Analyses medical images, pathology slides or clinical data for diagnosis
Monitors physiological parameters with clinical implications

Probably not, if it:

Provides general health and wellness information only
Performs purely administrative functions (scheduling, billing)
Acts as a simple data repository without clinical analysis
Supports research without direct clinical application

SaMD classification under UK MDR 2002

Class	Risk Level	AI Examples	Requirements
Class I	Low	Wellness apps, symptom checkers providing general info only	Self-declaration, UKCA marking, register with MHRA
Class IIa	Medium-Low	Clinical decision support, triage tools, non-critical monitoring	Approved Body audit, QMS, clinical evidence
Class IIb	Medium-High	Diagnostic imaging AI, cancer detection, treatment planning	Full Approved Body review, clinical trials may be required
Class III	High	AI driving life-sustaining decisions, autonomous treatment	Stringent Approved Body review, prospective clinical studies

Clinical Evidence Requirements

Analytical validation: Accuracy, sensitivity, specificity on representative data
Clinical validation: Performance in intended clinical setting with UK population
Real-world performance: Post-market surveillance and monitoring
Algorithm change protocol: Re-validation requirements for model updates

Technical Documentation

Intended purpose: Clear statement of clinical use and user population
Training data: Description of data sources, quality, and representativeness
Risk analysis: FMEA or equivalent covering AI-specific failure modes
Cybersecurity: Threat model and security controls for connected devices

AI Airlock and the new MHRA framework

The AI Airlock is MHRA’s regulatory sandbox for AI medical devices, launched in 2024. Phase 2 runs to April 2026, with outputs feeding directly into a new MHRA AI medical device framework due later in 2026 — informed by the recently created National Commission into the Regulation of AI in Healthcare. The Airlock generates real-world evidence on safety, performance and adaptive-algorithm behaviour, and shapes the regulatory policy that follows.

How the AI Airlock works

Phased testing for AI medical devices, with phase 2 closing April 2026

Application and assessment

Developers apply with details of the AI device, intended use, and preliminary safety evidence. MHRA assesses suitability for sandbox participation.

Controlled testing

Approved devices enter controlled testing with real patients in selected NHS sites. MHRA provides ongoing oversight and tailored regulatory advice.

Evidence generation

Real-world evidence collected on safety, effectiveness and AI behaviour. Continuous monitoring identifies issues early.

Regulatory pathway

Successful sandbox participants receive an expedited pathway to full market authorisation. Evidence informs broader regulatory policy and the new framework due later in 2026.

Benefits for developers

Direct engagement with MHRA on regulatory requirements
Real-world evidence generation in NHS settings
Faster pathway to market for successful devices
Regulatory certainty and reduced development risk

Benefits for the NHS

Early access to promising AI innovations
Evidence on AI performance in UK clinical settings
Protected testing environment with MHRA oversight
Influence on regulatory standards development

AI Airlock eligibility

Suitable candidates:

Novel AI/ML medical devices
Adaptive or continuously learning algorithms
AI with limited real-world evidence
Innovative intended uses

Requirements:

Preliminary safety and performance data
Clear intended purpose and user population
Commitment to transparency with MHRA
NHS partner site for testing
PCCP-aligned change-control approach (per joint MHRA-FDA-Health Canada principles)

NHS adoption pathway

MHRA clearance is necessary but not sufficient for NHS adoption. AI vendors must also meet NICE evidence standards, NHS data and security requirements, and demonstrate value to commissioners. The NHS AI & Digital Regulations Service consolidates the cross-regulator guidance for the journey.

NICE evidence standards framework for digital health technologies

Functional evidence

The technology works as intended. Technical performance, usability, accessibility, and integration capabilities.

Clinical evidence

Clinical outcomes improve. Comparative effectiveness, safety profile, and benefits across patient populations.

Economic evidence

Cost-effectiveness demonstrated. Resource impact, value for money, and budget impact analysis.

AI-specific NICE considerations

Algorithmic transparency and explainability
Training data quality and representativeness
Ongoing performance monitoring plans
Generalizability across settings and populations

NHS data security requirements

DSPT Compliance: Data Security and Protection Toolkit assessment required
DCB0129/DCB0160: Clinical risk management standards for health IT
Cyber Essentials Plus: Cybersecurity certification typically required
UK GDPR: Lawful basis for health data processing

NHS AI & Digital Regulations Service resources

Buyer’s Guide: Procurement guidance for AI in health and care
Algorithm Assurance: Framework for AI governance in NHS
AI Ethics Initiative: Ethical guidance for health AI development
AI Award: Funding for promising AI health innovations

CQC oversight of healthcare AI

CQC assesses AI use through its fundamental standards, evaluating whether providers have appropriate governance, staff training, and monitoring in place. Key inspection focus areas:

AI governance structure and accountability
Staff training and competency assessment
Clinical validation and ongoing monitoring
Human oversight of AI-informed decisions

Incident reporting and response procedures
Patient information and consent processes
Integration with clinical workflows
Performance monitoring and audit trails

UK vs EU healthcare AI requirements

Aspect	UK Approach	EU Approach
Regulatory framework	Sectoral (medical devices, data protection)	Horizontal AI Act + MDR / IVDR
High-risk classification	Based on medical device class	AI Act Annex III + MDR class
Conformity marking	UKCA — MHRA International Reliance Framework Autumn 2026	CE + AI Act compliance
Regulatory sandbox	AI Airlock (MHRA) — phase 2 closes April 2026	AI Act regulatory sandboxes (member states)
Fundamental rights	UK GDPR, DUAA 2025, Human Rights Act	AI Act FRIA, EU Charter, GDPR
High-risk timing	New MHRA AI medical device framework due later 2026	Omnibus proposes 2 Dec 2027 (Annex III) and 2 Aug 2028 (Annex I product-embedded)
Market access	CE marking recognition until 30 June 2030; UKCA mandatory thereafter	Single market access

Dual compliance strategy: organisations seeking access to both UK and EU markets should plan for compliance with both frameworks. The EU Omnibus on AI is on track to push high-risk obligations to December 2027 (Annex III) and August 2028 (Annex I), giving more planning time — but only if the technical standards land. The new MHRA AI medical device framework due later in 2026 is the parallel UK clock. See our detailed UK vs EU AI Act comparison →

Key takeaways

For AI developers

1 Determine early whether your AI qualifies as a medical device and its likely classification
2 Consider the AI Airlock for novel or adaptive AI devices requiring real-world evidence
3 Build NICE evidence requirements into development from the start
4 Ensure robust documentation of training data, validation, and performance monitoring

For healthcare providers

1 Verify UKCA marking and MHRA registration before procuring AI medical devices
2 Establish AI governance structures that meet CQC expectations
3 Ensure clinical validation in your specific patient population
4 Implement ongoing performance monitoring and incident reporting

How GLACIS supports UK healthcare AI compliance

AI is in the clinical environment whether or not anyone is watching it. The MHRA, CQC, NHS and NICE each ask the same underlying question — is the AI safe, effective and well-governed — and each wants the answer in a different form. GLACIS provides one continuous evidence layer that feeds all of them, so the same observation produces the right artefact for the right regulator.

Post-market surveillance

MHRA post-market surveillance, in force since June 2025, requires continuous monitoring of AI medical device performance — and the new framework due later in 2026 is expected to tighten lifecycle and PCCP expectations. GLACIS continuously attests AI behaviour with timestamped, tamper-evident records, feeding vigilance reporting and trend analysis.

CQC inspection evidence

When CQC inspectors ask how AI is integrated safely into clinical workflows, evidence packs show what controls were active, when they triggered, and how outcomes were monitored — supporting fundamental-standards compliance.

NICE evidence requirements

The NICE evidence standards framework asks for ongoing performance monitoring. GLACIS generates cryptographically verifiable real-world performance evidence, supporting the functional, clinical and economic evidence dossier.

Algorithm assurance

The NHS AI & Digital Regulations Service surfaces consolidated assurance expectations — drift, bias, lifecycle. GLACIS samples AI outputs across patient cohorts, creating attestation records that demonstrate ongoing algorithmic fairness and stability without retrofitting governance after the fact.

Mapping GLACIS to UK healthcare regulatory requirements

Regulatory Requirement	GLACIS Capability
MHRA Post-Market Surveillance	Continuous monitoring with incident-correlated evidence. Trend analysis data for periodic safety reports.
CQC Safe Care & Treatment	Audit trail of AI recommendations, clinician overrides, and outcome tracking. Evidence of human oversight.
NICE Performance Monitoring	Real-world accuracy metrics with cryptographic integrity. Exportable for HTAs and procurement evaluations.
NHS algorithm assurance	Cohort-stratified sampling for bias detection. Model version tracking and drift alerts.
ICO ADM and DUAA rights	Individual decision retrieval for patient access requests. Meaningful human-involvement records. Section 103 complaints from 19 June 2026.

Related resources

UK · Hub

Stand-up the evidence layer before the framework lands

The new MHRA AI medical device framework is due later in 2026. The CQC, NHS and NICE all want continuous, attributable evidence. GLACIS provides one underlying receipt layer that feeds each.

Talk to us → Healthcare AI assessment →