When Prof. Ahmed, our Senior Partner, wrote about AI regulations in healthcare in December 2024, he described a fragmented, fast-moving, and globally inconsistent landscape. Eighteen months later, much of that landscape has changed beyond recognition, and yet, in important ways, the central challenge remains the same. The technology continues to outrun the rulebook.
This is a May 2026 refresh on where global AI regulation in healthcare actually stands today, what has worked, what has not, and where we believe the next two years will take us.
The Stakes Have Risen
When we last wrote on this subject, OpenAI's o1-preview was barely two months old. Today the world has lived through GPT-5.5, Claude Opus 4.7, and DeepSeek's open-weight cascade. More consequential for healthcare, the first three months of 2026 saw OpenAI launch ChatGPT Health, Anthropic launchClaude for Healthcare and Life Sciences, and Microsoft launch Copilot Health. OpenAI now reports that more than 230 million people each week ask health and wellness questions through ChatGPT, a figure roughly equivalent to the combined populations of the United Kingdom, France, and Germany.
When more people consult a chatbot each week than visit a primary care physician, the question is no longer whether healthcare AI requires regulation. The question is whether our regulators can keep pace.
Where Each Region Stands in May 2026
The European Union: Proven Theory, Painful Practice
The EU AI Act, which entered into force in August 2024, has now moved through its first major implementation phase. Prohibitions on unacceptable-risk systems took effect in February 2025, the General-Purpose AI Code of Practice was finalised in mid-2025, and high-risk obligations (which include the majority of clinical AI) are scheduled to apply from August 2026. The Act has succeeded as a normative anchor: it has set the global vocabulary for risk classification, post-market surveillance, transparency, and human oversight.
Implementation, however, has been bumpy. Hospital trusts and small developers across Europe report compliance fatigue, and the European Commission has had to issue multiple clarifications on what constitutes a high-risk medical AI system. Industry coalitions are openly lobbying for delays or simplifications, particularly regarding foundation model documentation duties.
Even so, the Brussels Effect, a phenomenon where EU regulations become de facto global standards, remains real. From Brazil to Canada, regulators are quietly importing the AIA's structural logic.
The United Kingdom: Pro-Innovation, Now With Teeth
The UK has continued its principles-based, regulator-led path. The MHRA's Software and AI as a Medical Device Change Programme has issued substantive guidance across the AI lifecycle, including the long-awaited frameworks on Predetermined Change Control Plans for adaptive learning models. NHS England's procurement standards have been sharpened by an updated Algorithmic Transparency Recording Standard, which is mandatory for any AI deployed in the NHS. A targeted UK AI Bill, narrower than the EU AIA, has yet to be introduced by the government and is widely expected to follow the May 2026 King’s Speech (at the earliest). The country has moved from declarations of intent to enforceable expectations without strangling innovation.
However, are the regulations too stringent or indeed too difficult to navigate? OpenEvidence has withdrawn its AI-powered clinical evidence and decision-support platform from the UK and European markets, citing increasing regulatory uncertainty, particularly around the EU AI Act. The key issue appears to be how advanced clinical AI systems will be classified and regulated under the EU’s new AI framework. The EU Artificial Intelligence Act categorises many healthcare AI tools as “high-risk,” which brings significant requirements around transparency, validation, governance, post-market monitoring, and liability. OpenEvidence reportedly felt that the compliance pathway for a rapidly evolving generative AI clinical tool was too unclear and operationally burdensome for the European market at this stage. Commentators noted that the combination of the EU AI Act, medical device regulations, and differing UK guidance created uncertainty around deployment, accountability, and certification. This is significant because OpenEvidence has become one of the most widely adopted physician AI tools in the United States, reportedly used by more than 40% of US physicians across over 10,000 hospitals and medical centres.
On the other hand, Skin Analytics’ DERM platform represents a landmark moment in the regulation of artificial intelligence in healthcare. The company became one of the first in Europe to achieve EU MDR Class III CE marking for an autonomous AI system capable of assessing skin lesions and helping rule out skin cancer without direct dermatologist review in selected pathways. This is highly significant because Class III certification is the highest level of medical device regulation in Europe and is typically reserved for technologies that carry substantial clinical risk. DERM’s approval demonstrates that advanced AI systems can achieve the rigorous standards required for safety, clinical validation, governance, and post-market surveillance under the new European regulatory framework. The milestone is being viewed as an important test case for the future of regulated clinical AI in Europe. At a time when some AI companies are withdrawing from European markets because of regulatory complexity, Skin Analytics has shown that autonomous AI can still gain approval if supported by strong evidence, robust quality systems, and clear clinical accountability.
The United States: Still Fragmented, Newly Realigned
The American picture has shifted dramatically. The previous administration's executive order on AI was rescinded shortly after the change of government in early 2025 and replaced by a deregulatory framework emphasising domestic innovation and reduced friction. The FDA, however, has continued (independently) to evolve its lifecycle approach to AI/ML-enabled Software as a Medical Device. As of this spring, the agency lists over 1,300 AI-enabled medical devices with marketing authorisation, up from roughly 950 at the time of our December 2024 piece. The FDA's January 2025 draft guidance on lifecycle management and marketing submissions for AI-enabled device software functions, is the most consequential federal document on healthcare AI in a generation.
Outside Washington, the states have rushed to fill the vacuum. Colorado's AI Act, originally due to take effect in February 2026, was postponed by the legislature to June 2026 and is now subject to an April 2026 federal court order pausing enforcement pending the Attorney General’s rulemaking, California's AB-3030 disclosure law for generative AI in clinical communications continues to bite, and New York, Texas and Illinois have all enacted health-AI-specific statutes. The result is, predictably, the most fragmented regulatory environment among major economies.
China: Codified Caution, Strategic Intent
China has continued its distinctive twin-track approach: rapid deployment paired with prescriptive rule-making. The 2023 Generative AI Measures have been actively enforced, and the Cyberspace Administration's algorithm registry now holds over 4,000 entries. New medical-AI-specific rules issued by the National Medical Products Administration have tightened approval pathways for adaptive systems and explicitly require Chinese-population training data for safety-critical use cases. We should resist the Western temptation to dismiss this work as protectionism. Some of it is. Some of it is genuinely thoughtful regulation that the rest of us would do well to study.
Guidance for the Global South
The WHO published an updated Ethics and Governance of AI for Health guidance on large multi-modal models in early 2024, with a republication in 2025, which has become an unexpected anchor document for low- and middle-income countries unable to write their own.
Common Ground Has Quietly Emerged
Despite the fragmentation, there is now broad international agreement on five principles for healthcare AI: a risk-based classification of clinical applications; mandatory algorithmic transparency in some form; post-market surveillance with continuous performance monitoring; explicit human oversight, particularly for diagnostic and therapeutic recommendations; and bias mitigation through diverse, representative training data.
The Coalition for Health AI, the African Union AI Continental Strategy, and the Global Partnership on AI have all converged around versions of these principles. The disagreement is now about how, not whether.
What We Got Right, What We Got Wrong
Eighteen months on, two predictions from our 2024 piece have held up. The Brussels Effect did indeed propagate. And the fragmentation of US regulation has, if anything, deepened. But we underestimated the speed at which generative and agentic AI would move from the clinical periphery to the clinical core. We assumed regulation would lead deployment. In practice, a 230-million-user-per-week consumer health-AI surface has emerged largely outside the medical-device regulatory perimeter, governed instead by general consumer-AI rules and platform terms of service. That is the gap that worries us most.
The Real Frontier: Foundation Models, Agents, and Liability
Three regulatory frontiers will define 2026 and 2027:
- Foundation models. The EU AIA's GPAI obligations are the world's first serious attempt to regulate them, and the rest of us are watching closely. Whether transparency duties, training-data summaries, and systemic-risk evaluations prove workable in practice will shape every subsequent jurisdiction's approach.
- Agentic AI in clinical workflows. Multimodal, agentic systems that take actions on behalf of clinicians - ordering tests, drafting referrals, escalating deterioration - raise novel liability questions that existing medical-device frameworks were never designed to answer.
- Liability for probabilistic systems. The unresolved question of who is responsible when a probabilistic system causes harm - the developer, the deploying institution, or the clinician who relied on it - must be answered honestly. Until it is, frontline clinicians will continue to bear unreasonable risk for systems they did not build and cannot inspect.
A Final Reflection
In December 2024 we closed by writing that the future of healthcare involves a synergy between human expertise and artificial intelligence. We still believe that. What we would add today, after watching three of the world's most powerful technology companies plant their flags in human health within ten weeks, is that synergy must be earned. It must be earned through transparent, accountable, and humane regulation that places patients at the centre - not as data sources, not as users, but as people.
The pace of innovation will not slow. Our regulatory imagination must rise to meet it.
