The European Union has set ambitious goals with the AI Act, especially in high-risk sectors like healthcare. However, a new report presented at the World Economic Forum, titled “Harnessing AI for Health and Economic Competitiveness: Translating the EU AI Act into Action” by HealthAI, issues a stark warning: a critical implementation gap exists between regulatory expectations and the actual preparedness of member states.
The report, based on 20 semi-structured stakeholder consultations and in-depth policy analysis, reveals that the development of infrastructure required for compliance is slower than the deadlines dictate. As Dr. Ricardo Baptista Leite, CEO of HealthAI, stated:
“Our analysis identifies a critical implementation gap: the infrastructure required to support compliance obligations is arriving later than the deadlines themselves.”
From an AIQ standpoint, this situation is not merely an administrative issue but a primary business and technological risk for any company developing or deploying AI in the healthcare sector. Uncertainty is the greatest enemy of innovation and investment.
Four Member States, Four Different Paths: The Compliance Maze
HealthAI’s analysis focused on four key member states—Germany, France, Italy, and Spain—and uncovered significant differences in their preparedness and strategic approaches.
- Spain has acted proactively, establishing Europe’s first AI supervisory agency (AESIA) and launching the continent’s first regulatory sandbox.
- Italy has adopted the EU’s first comprehensive national AI law.
- Germany is pursuing separate implementation legislation.
- France is embedding AI governance into its existing healthcare regulatory frameworks.
While these steps are individually progressive, the fragmentation poses a serious challenge. A multinational company could need to develop four different compliance strategies for the same EU regulation. The situation is further complicated by the report’s finding that market access, not authorization, may be the real bottleneck. Currently, only Germany and France have structured reimbursement pathways for AI tools, meaning that a technology approved in Spain or Italy might face budgetary and legal barriers to adoption.
In a corporate context, this means that compliance doesn’t end with a CE mark. The product development lifecycle must also account for member-state-specific market realities. From an OWASP LLM Top 10 perspective, this situation amplifies the risk of LLM08: Supply Chain Vulnerabilities. Managing data, pre-trained models, and compliance documentation across a fragmented legal landscape is a complex and error-prone process.
The Role of Auditing in an Age of Uncertainty
A key message of the report is the need to “transform regulatory requirements into a competitive advantage.” But how is this possible in an environment where the rules of the game are still being written? The answer lies in proactive, continuous risk assessment and independent auditing.
Amanda Leal, AI Governance & Policy Specialist at HealthAI, emphasized the importance of institutional coordination and enforcement capacity. Companies cannot afford to wait for Notified Bodies (of which 51 are designated under the Medical Device Regulation by October 2025) to be fully operational or for all implementing acts to be finalized.
The AIQ position is that companies must prepare now, and an internal AI Act compliance audit is the best starting point. During such an audit, we:
- Assess existing AI systems for their classification as high-risk.
- Identify gaps in documentation, data governance (with a GDPR focus), risk management systems, and human oversight.
- Simulate the compliance process based on currently known requirements, preparing for future, more specific guidance.
- Conduct LLM Red Teaming exercises to test system resilience, with a particular focus on risks critical in a healthcare context, such as LLM07: Insecure Output Handling and LLM04: Model Poisoning.
What Can You Do Now?
The HealthAI report is not a prophecy of doom but a call to action. The implementation gap is a real risk, but it is also an opportunity for companies that take responsible AI development seriously. In uncertain times, the most reliable strategy is to strengthen internal systems, proactively identify risks, and seek independent expert evaluation. Organizations that invest in robust AI governance and security audits now will not only avoid penalties but will also build more trustworthy, secure, and ultimately more competitive products for the future European market.