
The Role of Harmonised Standards (and Why None Exist Yet)

The EU AI Act frequently references “harmonised standards” — technical standards that, when followed, create a presumption of conformity with the Act’s requirements. In theory, these standards tell you exactly how to meet each obligation: what to test, how to measure, what thresholds to hit.

In practice, as of early 2026, most of these standards don’t exist yet. The ones that do are still in draft or have only recently been published. This creates a genuine compliance challenge: the regulation is enforceable, but the detailed technical guidance is still being written.

What harmonised standards are

Harmonised standards are technical standards developed by European Standardisation Organisations (CEN, CENELEC, and ETSI) at the request of the European Commission. When a harmonised standard is published in the Official Journal of the EU and its reference is listed, compliance with that standard creates a presumption of conformity with the corresponding legal requirements.

This means: if you follow the harmonised standard, you are presumed to comply with the AI Act requirement it covers. The burden of proof shifts. A regulator would need to demonstrate that your approach doesn’t meet the legal requirement, rather than you needing to prove that it does.

This mechanism isn’t unique to the AI Act. It’s the standard approach across EU product safety legislation (machinery, medical devices, radio equipment, etc.). The New Legislative Framework, which the AI Act builds on, is designed around this interplay between legislation and standards.

The current state of play

The European Commission issued standardisation requests to CEN-CENELEC in May 2023, asking for standards covering the AI Act’s key requirements. The work is being done primarily by CEN-CENELEC Joint Technical Committee 21 (JTC 21) on Artificial Intelligence.

Key standards under development include:

  • Risk management (covering Article 9)
  • Data governance and quality (covering Article 10)
  • Record-keeping and logging (covering Article 12)
  • Transparency and information to users (covering Article 13)
  • Human oversight (covering Article 14)
  • Accuracy, robustness, and cybersecurity (covering Article 15)
  • Quality management systems (covering Article 17)
  • Conformity assessment (covering Articles 40–49)
  • Post-market monitoring (covering Article 72)

As of April 2026, several of these are available as draft or published EN standards, but the full suite has not been finalised and listed in the Official Journal. The standards development timeline has been ambitious, and delays are common in standardisation processes of this complexity.

Some existing international standards provide partial coverage:

  • ISO/IEC 42001 — AI management systems
  • ISO/IEC 23894 — AI risk management guidance
  • ISO/IEC 22989 — AI concepts and terminology
  • ISO/IEC 38507 — governance of AI

These are useful reference points, but they are not harmonised standards under the AI Act. Following them doesn’t create the presumption of conformity.

What this means for compliance

You can’t wait for standards

The AI Act’s obligations become applicable in August 2026. If the harmonised standards aren’t finalised and listed by then (a real possibility for some of them), you still need to comply. The absence of a standard doesn’t suspend the obligation.

Article 40(2) addresses this directly: where harmonised standards don’t exist or are insufficient, the Commission may adopt common specifications through implementing acts. These serve as a temporary bridge, providing technical requirements that create the same presumption of conformity as harmonised standards.

Whether common specifications are available by August 2026 for all requirements is also uncertain. The practical reality is that many organisations will need to demonstrate compliance without the benefit of either harmonised standards or common specifications for at least some requirements.

Demonstrating compliance without standards

Without harmonised standards, you lose the presumption of conformity. But you can still comply — you just need to demonstrate it through other means. This typically involves:

Documenting your methodology. For each requirement, describe the approach you’ve taken, the reasoning behind it, and the evidence that supports your claim of compliance. The more rigorous and well-documented your approach, the stronger your position.

Using existing frameworks. While ISO/IEC standards aren’t harmonised under the Act, they represent recognised good practice. Aligning your approach with ISO/IEC 42001 (AI management systems) or ISO/IEC 23894 (AI risk management) strengthens your position even without the formal presumption of conformity.

Referencing published guidance. The EU AI Office, national competent authorities, and industry bodies are publishing guidance documents. While not legally binding, they indicate regulatory expectations and demonstrate that your approach aligns with the emerging consensus.

Conducting thorough testing. For requirements like accuracy, robustness, and fairness, empirical evidence is your best friend. Comprehensive testing across relevant scenarios, demographics, and edge cases provides concrete evidence of compliance.

Engaging with industry peers. Industry associations and working groups are developing shared approaches to compliance. Participating in these efforts demonstrates good faith and helps you benchmark your approach against peers.

The conformity assessment challenge

The absence of harmonised standards is particularly acute for conformity assessment. For high-risk AI systems requiring third-party assessment by a notified body, the notified body needs criteria to assess against. Without harmonised standards, they’ll use common specifications, existing standards, or their own expertise — which introduces variability.

For internal conformity assessment (self-assessment), the challenge is similar but under your control. You need to define assessment criteria for each requirement, apply them rigorously, and document the results. The criteria should be conservative — in the absence of a standard, err on the side of more rigorous assessment.

What to do now

Follow emerging standards closely

Even if harmonised standards aren’t finalised, their drafts are informative. JTC 21’s working drafts indicate the direction of travel and help you align your compliance approach with what will eventually be the accepted standard.

Access is typically available through your national standards body (BSI, DIN, AFNOR, etc.). If you’re a member of the relevant technical committees, you can access working drafts directly.

Build to the Act’s requirements, not to a standard

The legal requirements are in the Act itself — Articles 9 through 15 for high-risk systems, Article 50 for transparency, etc. Standards operationalise these requirements, but the requirements exist independently. Build your compliance programme against the Act’s text, then adjust as standards are published.

This approach ensures you’re compliant from August 2026 regardless of the standards timeline, and allows you to refine your approach once standards provide more specific guidance.

Plan for iteration

Your compliance approach in August 2026 will not be your final approach. As harmonised standards are published, you’ll need to review your practices, identify gaps between your current approach and the standard, and adjust. Budget for this iteration.

The good news is that harmonised standards typically codify emerging best practice rather than inventing entirely new requirements. If your current approach is well-reasoned and documented, the adjustments required to align with a published standard should be incremental, not fundamental.

Document everything

In the absence of standards, documentation is your primary evidence of compliance. For every requirement:

  • What approach did you take?
  • Why did you choose this approach?
  • What alternatives did you consider?
  • What evidence supports your claim of compliance?
  • What frameworks or guidance did you reference?

If a regulator reviews your compliance before harmonised standards are available, they’ll assess your approach on its merits. Thorough documentation demonstrates that you’ve made a genuine, well-reasoned effort to comply. The absence of a standard isn’t a defence for non-compliance, but a well-documented, good-faith approach to compliance is strong evidence of diligence.

The standards gap is temporary. The compliance obligation is not. Build now, refine later.
