The Regulatory Uncertainty Was Real. It Just Wasn't the Kind OpenEvidence Meant.
What the EU requires, what the US exempts, and where OpenEvidence stands.
OpenEvidence pulled its clinical AI platform from the EU and the UK in April 2026. The reason was “mounting regulatory uncertainty “. That phrase is doing a lot of work. Let’s take a closer look at what the EU requires of a product like OpenEvidence, what the US exempts and how narrowly, what happens on both sides of the Atlantic if a vendor doesn’t qualify for that exemption, and what OpenEvidence itself did in the weeks around its exit.
As always, if you enjoy reading, subscribe and tell a friend.
Sam
On April 27, 2026, OpenEvidence pulled its clinical AI platform from the EU and UK. The notice that replaced it cited “mounting regulatory uncertainty regarding the treatment of AI systems in the European Union and the United Kingdom, including, among other rules, the EU Artificial Intelligence Act.”
What the EU Actually Requires
Let’s start with what “high-risk” means under the EU AI Act, because most coverage of this story treated it as a vague label. Annex III places clinical decision support software in the high-risk category regardless of whether it’s also regulated as a medical device. That status requires, under Chapter III, Section 2 (Articles 8-15), a conformity assessment before the product reaches the market, technical documentation covering training data characteristics and known limitations, a human oversight mechanism built into the product’s design rather than added as a disclaimer, data governance standards for training data, ongoing post-market monitoring, and mandatory reporting of serious incidents to national authorities within 15 days.
None of that is free. Industry estimates put ongoing compliance at roughly €29,000 a year per AI system, with certification running another €17,000 to €23,000. The penalties for getting it wrong in Article 99 sets fines up to €35 million or 7 percent of global turnover for the most serious violations, up to €15 million or 3 percent for ordinary high-risk violations. A US company weighing whether the exposure justifies the market has real numbers to weigh it against.
The obligation doesn’t stop at the vendor, either. A hospital or clinic that adopts a high-risk AI tool becomes a “deployer” under Article 26, which lists twelve distinct duties, including assigning a person with actual authority to override the system, monitoring its performance, retaining logs for at least six months, notifying affected patients that they’re subject to the system, and training staff to understand what the tool can and can’t do. If you’re a health system reader in the EU wondering whether any of this applies to you, it does the moment you adopt a high-risk AI tool, regardless of what the vendor has or hasn’t done on their end.
What the US Exempts, and How Narrowly
In the US, software like OpenEvidence can avoid FDA device regulation entirely under the Non-Device Clinical Decision Support carve-out in the 21st Century Cures Act. FDA’s final guidance, issued March 11, 2026, sets four criteria a product has to meet simultaneously to qualify:
It cannot acquire, process, or analyze a medical image, an in vitro diagnostic signal, or a pattern or signal from a signal acquisition system. FDA’s own guidance specifically names ECG waveforms as an example.
It has to be intended for displaying, analyzing, or printing medical information about a patient, such as literature or guidelines, rather than patient-specific signal data.
It has to support or recommend, not replace, a clinician’s judgment.
It has to let the clinician independently review the basis for its output rather than functioning as a black box. FDA’s guidance is blunt that this is difficult for large language models generally and close to impossible in time-critical situations.
Miss any one of these four, and the software is a regulated medical device.
This connects to something I tested myself back in May. I uploaded an ECG to OpenEvidence and received an AI-generated interpretation. That alone looks like a Criterion 1 problem: analyzing a signal from a signal acquisition system is exactly what the exemption excludes. I checked again this week to see whether the feature had changed. It hadn’t. OpenEvidence still accepts ECG image uploads and still generates an interpretation. On the same case I tested in May, it still produced an incorrect but very official-appearing reading.
If OpenEvidence Doesn’t Qualify, What Happens on Each Side?
Assume for a moment that the ECG function alone is enough to knock a product out of Non-Device CDS status. What would actually follow, in the US and in the EU, and does the comparison support “the US is the settled option”?
In the US, there’s already a precedent-setting path for exactly this function. AccurKardia’s AccurECG 2.0 cleared FDA review as a Class II device via 510(k) in January 2026. Tempus received 510(k) clearance for its ECG-Low EF software the same way. If OpenEvidence’s interpretation function is similar enough to an existing cleared device, it would likely follow the same 510(k) route, averaging 155 days as of mid-2026. If it’s different enough that no predicate applies, it would more likely need De Novo classification, averaging 341 days.
In the EU, this same feature would almost certainly count as a moderate-to-higher-risk medical device (what MDR calls Class IIa or IIb), the kind that needs an outside safety review before it can be sold. That review currently takes 13 to 18 months on average. A new rule adopted this May is supposed to shrink that to roughly 6 to 9 months, but only for agreements signed after February 2027, so it doesn't help anyone applying today. And crossing that medical-device threshold doesn't let a company trade one set of rules for another. It automatically pulls the product into the AI Act's high-risk category too, so it ends up answering to both frameworks at once: the device safety review, plus the AI Act's own requirements for data governance, incident reporting, and built-in human oversight.
On the two sides of the Atlantic, there is a real structural difference, not manufactured uncertainty.
Two More Differences Worth Examining
Data protection is not the same question as AI regulation, and the two get blurred together in most coverage of this story. OpenEvidence’s own privacy policy tells EU users not to use the product because its infrastructure is US-based and isn’t governed by EU safeguards. GDPR treats health data as a special category under Article 9, requiring explicit consent or a documented research basis before it can be processed at all, a stricter bar than HIPAA’s authorization-or-de-identification model.
The EU and the UK are also not the same problem, though OpenEvidence’s notice treats them as one. The EU has written binding rules that are simply demanding and expensive to satisfy. The UK, by contrast, has no binding AI-specific medical device framework at all yet. The MHRA’s version is still a voluntary pilot program, with a real framework promised sometime later in 2026. “Uncertainty” is the accurate word for the UK’s situation. For the EU, the accurate words are “burden” and “cost.”
What OpenEvidence Actually Did
None of this required OpenEvidence to leave in the specific week it left, and the run-up to its exit is worth walking through.
By the time OpenEvidence posted its notice on April 27, the relief it was asking for was already in motion and had been for months, none of it because of anything OpenEvidence did. EU officials had proposed a package of changes back in November 2025, five months earlier, specifically to ease the same high-risk AI rules OpenEvidence's notice pointed to. The EU's parliament had already voted, 569 to 45, to move that package forward on March 26, a full month before OpenEvidence acted, and the different EU bodies involved had already started hammering out the details. The one round of those talks that hit a snag, on April 28, the day after OpenEvidence's notice went up, got stuck on a technical point that had nothing to do with the kind of product OpenEvidence makes. OpenEvidence left in the middle of a process that was already headed toward the outcome it said it needed, on a schedule set months before the company made its decision.
Its own notice is worth reading closely too. The original version named two people, Brando Benifei and Michael McNamara, and invited clinicians to contact them along with CPME, the umbrella body for European medical associations. Benifei and McNamara aren’t random picks. They co-chair Parliament’s actual AI Act oversight working group, and McNamara went on to become the Rapporteur for the exact Omnibus package that delivered the deferral. CPME, for its part, had already co-signed letters in March and April arguing to keep the AI Act strict, the opposite of what OpenEvidence needed. That callout disappeared from the notice within 48 hours. A correspondence published in the Lancet in May read the episode as a scrubbed attempt at bottom-up lobbying, notable for what it suggests about the gap between OpenEvidence’s stated rationale and its own actions, regardless of what the callout was intended to accomplish.
And the technology itself never actually left. Although OpenEvidence’s own site still shows the same notice to anyone in the EU, Elsevier’s ClinicalKey AI, running on OpenEvidence’s own engine per their 2023 partnership and featuring The Lancet as a headline content source, is available to EU subscribers. The AI didn’t leave Europe. It just stopped answering to OpenEvidence’s name.
So, Why Did OpenEvidence Really Leave?
Probably not because the EU is uncertain. The EU’s rules are written down, phased in on a public schedule, and expensive to satisfy, which is a different problem than uncertainty and a more honest one for OpenEvidence to have named. The timeline it cited resolved in a direction it didn’t need to lobby for. And its own underlying technology kept working in the exact market OpenEvidence says it can no longer serve, just under someone else’s name.
The clinicians who lost access to OpenEvidence didn’t get any of that. They got one sentence, a since-deleted prompt to contact officials who didn’t need the push, and a tool that, as best I can tell, may already be operating past the line the FDA draws around what doesn’t need to be regulated at all.




