Harmonised Standards and the AI Act Standards Landscape

As of early 2026, the CEN/CENELEC JTC 21 standards development process remains ongoing and the first tranche of harmonised standards is anticipated but not yet finalised. In the interim, reference to international standards provides a credible framework for demonstrating compliance. The most relevant international standards are ISO/IEC 42001:2023 on AI management systems, ISO/IEC 23894:2023 on AI risk management, ISO/IEC 25012:2008 on data quality, ISO/IEC 25010:2011 on system and software quality, ISO/IEC 27001:2022 on information security management, and ISO/IEC 38507:2022 on governance implications of AI.

Organisations should monitor the JTC 21 working groups closely. Once harmonised standards are published in the Official Journal, compliance with those standards creates a presumption of conformity under Article 40. This presumption significantly strengthens the internal conformity assessment, as it shifts the burden of proof from the provider demonstrating compliance to the competent authority demonstrating non-compliance. An organisation that can demonstrate conformity with the harmonised standard occupies a materially stronger position during a regulatory inspection.

The transition from reference to international standards to reliance on harmonised standards will itself require assessment updates. Organisations should plan for a re-mapping exercise once harmonised standards are published, tracing their existing compliance evidence to the new standard's requirements and identifying any gaps that the harmonised standard introduces beyond the international standard. This re-mapping is a significant effort that should be budgeted and scheduled as part of the ongoing compliance programme.

Article 48 requires high-risk AI systems to bear the CE marking after the Declaration of Conformity is signed. For digital systems, the marking is displayed in the user interface and accompanying documentation. The CE marking must be visible, legible, and indelible. It is affixed by the Conformity Assessment Coordinator before the system is placed on the market or put into service.

The CE marking signals to deployers, users, and competent authorities that the system has undergone conformity assessment and that the provider has declared compliance with the applicable requirements. It carries legal significance: affixing the CE marking to a non-conforming system is an offence under Article 49(5), carrying penalties under Article 99. The marking is not merely a visual indicator but a legal declaration backed by the full evidence chain of the aisdp and the conformity assessment process.

For systems deployed across the EU single market, the CE marking provides mutual recognition: a system bearing CE marking in one member state does not require separate certification in another. This is one of the key benefits of the EU AI Act's regulation-based approach compared to a directive-based approach that would require transposition into national law.

The transition from reference to international standards to reliance on harmonised standards will require assessment updates across the compliance programme. Organisations should plan for a re-mapping exercise once harmonised standards are published in the Official Journal, tracing their existing compliance evidence to the new standard's requirements and identifying any gaps that the harmonised standard introduces beyond the international standard.

The re-mapping traces each compliance claim in the aisdp to the specific international standard clause it currently relies upon. When harmonised standards are published, this mapping enables rapid identification of which claims remain valid under the new standard, which need additional evidence to satisfy new requirements, and which gaps must be addressed before the presumption of conformity under Article 40 can be claimed.