A radiologist in Vienna opens a worklist. An AI triage tool has flagged three chest CTs as high priority. She reviews them, agrees with two, overrides one. Under European law, the tool must have undergone a conformity assessment, human oversight must be assigned to competent persons with authority to intervene, and system logs must be retained in line with applicable requirements.
If something goes wrong, there is a regulatory framework that governs what happens next.
A radiologist in Dubai opens the same worklist. The same tool, possibly from the same vendor, has flagged the same cases. Dubai is not an AI law vacuum. The UAE has national AI strategies, a Charter for the Development and Use of Artificial Intelligence, healthcare data rules, and Dubai Health Authority policy requirements. But these do not amount to an EU-style regime with statutory high-risk classification, AI-specific conformity assessment, mandatory log retention, and turnover-based penalties.
One technology, deployed across dozens of jurisdictions
This is the state of global medical AI regulation in mid-2026: one technology, deployed across dozens of jurisdictions, subject to frameworks ranging from one of the world's most comprehensive binding laws to voluntary guidelines that amount to aspirational prose. The practical consequence is already visible: whether an AI tool has been validated, monitored, and overseen depends not on the tool itself, but on where you happen to be treated.
That distinction matters for patients. A person undergoing the same AI-assisted chest CT triage in Vienna and Dubai may face the same clinical risk, but not the same rights to traceability, transparency, post-market monitoring, or regulatory redress. In Dubai, patients have rights to privacy and confidentiality, to know the providers involved in their care, and to receive understandable information on diagnosis, treatment, risks, and changes; but these sit within a framework that does not yet impose the same AI-specific auditability obligations as the EU.
Researchers and policy analysts have raised the question of regulatory arbitrage, whether the availability of lighter-touch markets creates structural incentives for vendors to develop or deploy AI systems to lower enforceable standards, leaving patients in those settings with less traceability, oversight, or recourse than they would have elsewhere.
Missing authorities for enforcement
The framework is already law. The EU AI Act entered into force in August 2024. Prohibitions on the most dangerous AI practices have applied since February 2025. Rules for general-purpose AI models have applied since August 2025. High-risk compliance obligations covering medical imaging AI are due from August 2026 at the latest, with extensions now provisionally agreed following the May 2026 Digital Omnibus deal: standalone high-risk systems face a deadline of 2 December 2027, and high-risk systems embedded in regulated products such as medical devices face 2 August 2028. Penalties for prohibited practice violations reach €35 million or 7% of global annual turnover, whichever is higher.
But the infrastructure to enforce those rules is largely missing. Many member states had not publicly completed designation of competent authorities by the August 2025 deadline. Germany only approved its implementing bill at cabinet level in February 2026, and it still requires parliamentary passage. Harmonized technical standards are still being written; the first may not publish until late 2026. The rules exist, but the awareness, the infrastructure, and in most member states the enforcement bodies, do not.
Other frameworks, other gaps
South Korea's AI Basic Act took effect on 22 January 2026. It requires user notification, mandatory impact assessments, documented human oversight, and domestic representative requirements for foreign companies. Financial penalties are modest -- around €21,000 maximum -- but the Act includes potential imprisonment for certain violations, changing the personal risk calculus for executives in a way a corporate fine does not.
South Korea has some of the highest CT and MRI utilization rates in the world, yet the law's practical effect on radiology procurement, deployment, or incident reporting remains largely invisible outside Korean-language legal and industry coverage.
Singapore has no binding AI law but operates a voluntary governance framework, a government-developed testing toolkit, and a regulatory sandbox running since 2019. In January 2026, it published a governance framework specifically addressing agentic AI. Japan's AI Promotion Act, in force since June 2025, contains no binding obligations. Australia abandoned proposed mandatory AI guardrails in December 2025.
The problem no framework has answered
Large language models are already being used in clinical settings across every jurisdiction discussed here, drafting radiology reports, supporting differential diagnosis, communicating with patients -- without CE marking or formal clinical validation. The EU AI Act's general-purpose AI provisions address these models at a systemic level but do not resolve their unregulated clinical use. No national competent authority has addressed it directly. No harmonized standard exists. The clinical reality is that it is happening daily, at scale, everywhere.
The radiologist in Vienna and the radiologist in Dubai are using the same tool. One sits under one of the most elaborate AI statutes in force anywhere. The other operates under a patchwork of sectoral rules and principled guidance. Neither of them, in all likelihood, has a clear answer to what happens when the tool is wrong.
