Blog

How the Brussels Effect Shapes Institutional Practice for Trustworthy AI-in-Health Research

Artificial intelligence in healthcare is often discussed through the lens of model performance, clinical usefulness and technological innovation. Yet even the most advanced AI system cannot be considered trustworthy if the institution developing it lacks the procedures, responsibilities and technical controls required to govern it properly.

Our new paper, “Institutional Operationalisation of the Converging EU Digital Rulebook for Trustworthy AI-in-Health Research,” (currently available as preprint at Zenodo) examines this less visible but essential dimension of AI innovation: the capacity of universities, research centres, hospitals and companies to translate European regulation into everyday institutional practice.

The study brings together four major elements of the European digital regulatory framework:

  • the General Data Protection Regulation, or GDPR;
  • the NIS2 Directive;
  • the EU AI Act;
  • the European Health Data Space, or EHDS.

Although these instruments were developed separately, institutions conducting AI-in-health research must comply with them simultaneously. A single research project involving clinical data may require lawful data processing under the GDPR, cybersecurity controls under NIS2, AI risk-management mechanisms under the AI Act and preparation for health-data access and interoperability under the EHDS.

The real challenge is not knowing the rules

European regulations describe what institutions are expected to achieve. However, they do not automatically create the internal structures needed to achieve it.

In practice, institutions must answer very concrete questions:

Who is responsible for data protection?
Who evaluates whether an AI system is high-risk?
Where is the AI-system register maintained?
How are cybersecurity incidents reported?
Which agreement governs access to clinical data?
What evidence must be prepared for an audit?
How long may research data be retained?

Without clear answers, regulatory compliance may exist formally but not operationally.

The paper therefore argues that the central challenge is not simply regulatory awareness. It is institutional operationalisation: converting legal obligations into defined roles, reusable templates, documented procedures, registers, technical safeguards and auditable workflows.

This distinction is especially important because AI systems are not developed by governments. They are developed and deployed inside institutions. Governments adopt laws and designate authorities, but the point at which an AI system actually meets—or fails to meet—the law is the university, hospital, research centre or company responsible for it.

A ChatMED benchmarking experience

The study emerged from the Short-Term Staff Exchange Program at the Jožef Stefan Institute in Ljubljana therefore became an opportunity for structured institutional benchmarking.

The exchange compared practices related to:

  • data protection and data retention;
  • cybersecurity governance;
  • AI Act preparedness;
  • EHDS readiness;
  • international project management;
  • financial traceability and audit preparation.

The purpose was not to present one institution as a perfect model. The comparison showed that many aspects of the emerging European digital rulebook remain operationally immature even in EU Member States. Instead, the exchange was used to identify transferable practices, examine institutional gaps and translate the findings into a practical governance framework.

The methodological pathway moved through three stages: a pre-exchange regulatory diagnostic, benchmarking at the partner institution and the translation of the findings into institutional mechanisms.

The Institutional Accountability Architecture

The main conceptual contribution of the paper is a six-layer Institutional Accountability Architecture, or IAA. Rather than creating a separate administrative system for every regulation, the architecture treats the GDPR, NIS2, the AI Act and the EHDS as parts of one connected governance environment.

Its central principle is artefact reuse. A single institutional document or control should, where possible, support several regulatory obligations at once.

For example:

  • a Data Management Plan can support GDPR accountability and EHDS secondary-use governance;
  • a cybersecurity control can contribute to both NIS2 compliance and GDPR Article 32;
  • an AI-system register can support AI Act documentation, institutional oversight and audit preparation.

1. Regulatory governance

The first layer includes the appointment of clearly mandated roles such as:

  • a Data Protection Officer;
  • an Information Security Officer;
  • an AI-Governance Lead;
  • an ethics contact;
  • the relevant project coordinator.

Each role requires a written mandate, reporting line and connection to institutional decision-making. Institutions should also maintain a map of the external authorities responsible for data protection, cybersecurity, AI oversight, health-data access and research ethics.

This is particularly important in candidate countries where national implementation structures may still be developing.

2. Data governance

The second layer connects the Data Management Plan and the Data Protection Impact Assessment within a single data-lifecycle process.

An institution should be able to document:

  • what data are collected;
  • why they are needed;
  • who may access them;
  • where they are stored;
  • how long they are retained;
  • when they are deleted or anonymised.

The layer also requires clear controller–processor arrangements and reusable data-sharing agreements. The role of an institution cannot be assumed in advance; it depends on who determines the purpose and means of each specific processing activity.

3. Cybersecurity governance

The third layer creates a common security baseline for research involving clinical or otherwise sensitive data.

This includes:

  • asset inventories;
  • role-based access controls;
  • encrypted storage;
  • system logging;
  • backups and business continuity;
  • incident-response and breach-notification procedures.

The paper emphasises that cybersecurity is not simply a technical responsibility assigned to IT staff. It is an organisational capability involving policies, ownership, reporting and management oversight.

4. Algorithmic governance

The fourth layer focuses on the AI system throughout its lifecycle.

Each AI application should undergo an internal risk-classification process. Where an AI system may qualify as software as a medical device, the AI Act analysis should be coordinated with the Medical Device Regulation rather than conducted separately.

Systems meeting the institutional governance threshold should be entered into an AI-system register containing information such as:

  • intended purpose;
  • data lineage;
  • model evaluation;
  • logging practices;
  • transparency measures;
  • human-oversight mechanisms.

The layer also includes AI-literacy training, reflecting the Article 4 AI-literacy obligation.

5. Health-data-space interoperability

The fifth layer prepares institutions for the emerging EHDS environment.

Lawful access to health data should be based on documented cooperation with health authorities and clinical data holders, rather than informal arrangements.

The architecture also encourages institutions to develop anonymisation and synthetic-data procedures and to orient their technical systems towards standards such as:

  • HL7 FHIR;
  • the OMOP Common Data Model;
  • DCAT-AP for dataset and metadata discoverability.

The paper treats interoperability not only as a technical requirement, but also as a governance requirement. Data that cannot be securely understood, exchanged or traced cannot be governed effectively.

6. Project management and audit readiness

The final layer integrates project administration into the accountability architecture.

International projects should be supported by a central registry covering:

  • budgets;
  • deliverables;
  • reporting deadlines;
  • responsible personnel;
  • accounting records;
  • procurement;
  • staff time allocation;
  • required approvals.

Institutions should also maintain pre-assembled audit packs. This reduces dependence on the memory or availability of individual staff members and makes evidence accessible before an audit request arrives.

Moving from fragmented compliance to a management system

The paper connects the architecture to international management-system standards.

ISO/IEC 42001 is particularly relevant because it provides an organisational framework for AI management. It can help institutions structure policies, responsibilities, risk assessment, lifecycle controls, monitoring, internal review and continuous improvement.

Other important references include:

  • ISO/IEC 27001 for information security;
  • ISO/IEC 27701 for privacy information management;
  • ISO/IEC 23894 for AI risk management.

Formal certification may not be immediately realistic or necessary for every university or laboratory. The value lies first in adopting the organisational discipline embedded in these standards.

The objective is to move from ad hoc, project-by-project compliance to a repeatable institutional capability.

Why this matters for Widening and candidate countries

The paper has particular relevance for institutions in EU Widening countries and candidate states.

These institutions often pursue the same scientific ambitions as established organisations across the European Union. However, they may operate with less developed national legislation, weaker supervisory structures and fewer internal compliance mechanisms.

At the same time, they already experience the practical influence of European regulation.

A research institution outside the EU that cannot demonstrate alignment with European data-protection, cybersecurity and AI-governance expectations may struggle to participate in leading consortia, clinical collaborations and cross-border data-sharing initiatives.

This is one institutional dimension of the Brussels Effect: European rules shape organisational behaviour beyond the formal borders of the Union.

However, the transition also creates an opportunity. Because many of the new frameworks are still being operationalised throughout Europe, institutions in candidate countries can build integrated governance structures from the beginning, instead of later attempting to repair fragmented and incompatible legacy procedures.

Research excellence now includes governance capacity

One of the paper’s central messages is that regulatory capacity building should not be treated as an administrative burden separated from research excellence.

For AI-in-health research, governance capacity is part of research capacity.

An institution may have highly skilled researchers, advanced computing infrastructure and promising AI models. But without clear responsibilities, lawful data-access procedures, security controls, AI documentation and audit-ready processes, those capabilities may never translate into safe and sustainable real-world deployment.

Trustworthy AI is therefore not produced by algorithms alone. It is produced by institutions capable of governing those algorithms throughout their lifecycle.

The proposed Institutional Accountability Architecture offers a practical starting point for building that capacity. It does not replace legal analysis, certification or system-specific risk assessment. Instead, it provides a transferable institutional foundation for connecting innovation with accountability under the converging requirements of the GDPR, NIS2, the AI Act and the European Health Data Space.

Through this work, ChatMED’s capacity-building mission expands beyond scientific knowledge transfer. It demonstrates how European research collaboration can also strengthen the institutional foundations needed for responsible and trustworthy AI in healthcare.

To top