The EU AI Act for biotech depends on the system's intended purpose, development stage, and role in a regulated product. Some scientific research falls outside the Act, while in-scope lab tools can face general or transparency duties without becoming high risk. The classification determines which controls and deadlines apply.
This guide is for founders, quality and regulatory leads, and the engineers building or buying AI for drug discovery, development, and the lab. It covers which systems the Act touches, when an exclusion applies, which obligations follow, and how to plan around the deadline amendment proposed in 2026. It is the regulatory companion to our broader look at the state of AI in biotech, which covers where adoption is delivering and where it stalls.
Which of your AI the Act touches
The European Commission describes the EU AI Act through four broad risk categories. Before assigning one, a biotech should check whether the system falls within the Act at all.
- Unacceptable-risk practices are banned outright and have little to do with biotech research.
- High risk covers qualifying AI in regulated products and the uses listed in Annex III.
- Limited risk brings transparency duties for systems that talk to people or generate content.
- Other in-scope AI avoids the high-risk regime but can still carry general duties such as AI literacy.
Article 2 of the Act excludes AI systems and models developed and put into service solely for scientific research and development. It also excludes research, testing, and development activity before a system is placed on the market or put into service, provided that the work follows applicable EU law. That second exclusion does not cover testing in real-world conditions. An internal literature assistant, target-ranking model, or generative chemistry tool may fit one of these exclusions, but the facts matter. A commercial tool, an operational system already put into service, or a system used beyond a solely scientific purpose needs a separate classification.
Scope does not stop at the EU border. Article 2 covers providers placing AI systems or general-purpose AI models on the EU market and providers or deployers outside the EU when a system's output is used in the Union. The Act also splits responsibility by role. A company developing an AI system and placing it on the market or putting it into service under its own name is a provider, while a company using a system under its authority is a deployer. Under Article 25, rebranding or substantially modifying a high-risk system can transfer provider obligations.
When biotech AI becomes high risk
Medical devices and in vitro diagnostics are the main product route into the high-risk regime for a biotech. Under Article 6(1), the AI must be a regulated product or safety component covered by Annex I, and that product must require third-party conformity assessment. An AI diagnostic, companion diagnostic, or clinical decision product can meet those conditions, depending on its intended purpose and classification under medical device or IVD law. The AI Act assessment is then integrated with the relevant product conformity procedure.
Regulated products are not the only route. Annex III covers defined uses such as recruitment, candidate screening, task allocation based on personal characteristics, and worker monitoring. A biotech using AI in those functions can have a high-risk system even when the software has no scientific or clinical purpose. The system's intended use matters more than the sector of the company operating it.
The EU AI Act timeline and proposed 2026 delay
The Act applies on a staggered schedule. Chapters I and II, including prohibited practices and the Article 4 AI-literacy duty, applied from 2 February 2025. General-purpose AI rules applied from 2 August 2025. Under the current Article 113 schedule, Article 50 and Annex III high-risk obligations apply from 2 August 2026, while Article 6(1) product systems follow on 2 August 2027.
The high-risk deadlines have not changed in law as of 12 June 2026. Council and Parliament negotiators reached a provisional Digital Omnibus agreement that proposes 2 December 2027 for Annex III systems and 2 August 2028 for Article 6(1) product systems. The amendment still requires formal adoption and publication. The European Parliament procedure file remained open on 12 June 2026, so compliance plans should retain the current statutory dates until the amendment takes effect.
Current law sets 2 August 2026 for Annex III high-risk obligations and 2 August 2027 for Article 6(1) product systems. The provisional Digital Omnibus agreement proposes 2 December 2027 and 2 August 2028. Those proposed dates are not effective until the amendment is formally adopted and published.
What this means for your lab software
Article 50 contains several distinct transparency duties. Providers of systems intended to interact directly with people must inform them that they are interacting with AI unless that fact is obvious. Providers of systems that generate synthetic audio, images, video, or text must add machine-readable marking, subject to stated exceptions. Deployers must disclose deepfakes and AI-generated text published to inform the public on matters of public interest, although the text duty has an exception for human review with editorial responsibility.
These duties can reach patient-facing chatbots, public content, and employee-facing assistants. Internal use is not a blanket exemption when a system interacts directly with scientists or other staff. Under the provisional Digital Omnibus text, providers would receive until 2 December 2026 to implement technical marking solutions for generated content. That transition is also part of the pending amendment, so teams should track the final text alongside the current 2 August 2026 application date.
When AI feeds a regulated process, the lab also needs records of model inputs, outputs, versions, human changes, and approvals. These records support validation and regulatory review even when the AI system is outside the Act's high-risk category. A LIMS or ELN can provide that traceability, while structured source data supports repeatable model performance. We have written about this constraint in why AI is not solving the lab bottleneck and lab software data lock-in.
A system built for 21 CFR Part 11 and EU Annex 11 starts with useful controls around audit trails, access, validation evidence, and electronic signatures. Those controls do not satisfy the AI Act by themselves. A high-risk AI system can also require AI-specific risk management, data governance, technical documentation, logging, human oversight, accuracy and cybersecurity controls, post-market monitoring, and incident reporting.
Where EMA expectations matter more than the Act
For a biotech moving a molecule through development, medicines regulation can impose the more immediate standard. Discovery and trial AI may fall outside the Act's scope or remain outside its high-risk category, depending on its intended use and development stage. The EMA's reflection paper on AI in the medicines lifecycle, adopted in September 2024, describes a risk-based approach tied to patient risk and regulatory impact, human oversight, data integrity under existing GxP standards, and early engagement when AI could affect a benefit-risk assessment.
Biotechs submitting in the US face a related framework from the US Food and Drug Administration (FDA). Its January 2025 draft guidance on AI in regulatory decision-making remained non-binding draft guidance on 12 June 2026 and ties model credibility work to the context of use. The EMA and FDA materials share themes around risk, data, and model oversight, but compliance with one does not establish compliance with the other.
Penalties and what to do now
The penalties are tiered under Article 99. Prohibited practices can draw fines up to 35 million euros or 7% of worldwide annual turnover, while breaches of listed provider, deployer, notified-body, and Article 50 obligations can reach 15 million euros or 3%. Supplying incorrect, incomplete, or misleading information can reach 7.5 million euros or 1%. For an undertaking the higher threshold applies, while SMEs, including start-ups, are subject to the lower threshold.
Start with an inventory that records each system's intended purpose, development stage, users, output, market, and whether the company acts as provider or deployer. Test scientific work against the Article 2 exclusions, then check Article 6 and Annex III before reviewing Article 50. A system used in a regulatory submission needs EMA or FDA review even when it is not high risk under the AI Act. Confirm that staff receive suitable AI-literacy support and that regulated workflows retain model records and human approval. Keep the current statutory dates in the plan while tracking formal adoption of the Digital Omnibus.
Conclusion
For a biotech, classification starts with scope and intended purpose. Solely scientific systems and pre-market research activity may fall outside the Act, while qualifying medical products and Annex III uses can become high risk. Article 50, AI literacy, and medicines-regulator expectations can still apply elsewhere. The proposed 2027 and 2028 deadlines are not yet law, so current planning should use the dates in Article 113 and track the pending amendment.
Map the EU AI Act to your lab systems and regulated workflows. CodePhusion builds custom LIMS, ELN, and data infrastructure for biotech and life sciences teams running AI in regulated environments. to discuss scope and architecture.
Frequently Asked Questions
Does the EU AI Act apply to a biotech doing drug discovery?
It depends on the intended use and stage of development. The Act excludes AI developed and used solely for scientific research, along with research, testing, and development before a system is placed on the market or put into service. An in-scope discovery tool may still avoid the high-risk rules, but general duties such as AI literacy or Article 50 transparency can apply.
Is my LIMS or ELN high risk under the EU AI Act?
A LIMS or ELN is not high risk merely because it contains AI. Classification depends on the intended purpose. AI that is a medical device, an IVD, or a safety component can be high risk when the product also requires third-party conformity assessment. Uses listed in Annex III, such as recruitment or worker management, can also qualify, while chatbot and generative features may trigger Article 50 transparency duties.
What are the current EU AI Act high-risk deadlines?
Under the law in force on 12 June 2026, obligations for Annex III high-risk systems apply from 2 August 2026, while obligations for high-risk systems covered by Article 6(1), including qualifying medical devices and IVDs, apply from 2 August 2027. A provisional Digital Omnibus agreement proposes 2 December 2027 and 2 August 2028 instead, but those dates do not take effect until the amendment is formally adopted and published.
How does the EU AI Act relate to 21 CFR Part 11 and EU Annex 11?
They are separate regimes. Part 11 and Annex 11 address electronic records, signatures, validation, and access controls, while the AI Act adds requirements tied to the AI system and its risk category. Existing regulated-system controls provide useful evidence, but they do not replace AI-specific work such as risk management, data governance, technical documentation, performance monitoring, incident reporting, and cybersecurity.
Last updated: June 13, 2026
