prEN 18286, Artificial Intelligence - Quality management system for EU AI Act regulatory purposes

First harmonised standard reaches Enquiry stage

prEN 18286, 𝐀𝐫𝐭𝐢𝐟𝐢𝐜𝐢𝐚𝐥 𝐢𝐧𝐭𝐞𝐥𝐥𝐢𝐠𝐞𝐧𝐜𝐞 - 𝐐𝐮𝐚𝐥𝐢𝐭𝐲 𝐦𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐬𝐲𝐬𝐭𝐞𝐦 𝐟𝐨𝐫 𝐄𝐔 𝐀𝐈 𝐀𝐜𝐭 𝐫𝐞𝐠𝐮𝐥𝐚𝐭𝐨𝐫𝐲 𝐩𝐮𝐫𝐩𝐨𝐬𝐞𝐬, reached Enquiry stage in the CEN-CENELEC systems.

This is a home-grown European Standard from CEN-CENELEC JTC 21, the committee responding to the EU’s AI Act. It has overtaken prEN ISO/IEC DIS 24970, which reached consensus, but the ballot won’t start for a few more weeks.

𝐓𝐡𝐢𝐬 𝐐𝐮𝐚𝐥𝐢𝐭𝐲 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐒𝐲𝐬𝐭𝐞𝐦 𝐢𝐬 𝐢𝐧𝐭𝐞𝐧𝐝𝐞𝐝 𝐭𝐨 𝐩𝐫𝐨𝐯𝐢𝐝𝐞 𝐩𝐫𝐞𝐬𝐮𝐦𝐩𝐭𝐢𝐨𝐧 𝐨𝐟 𝐜𝐨𝐧𝐟𝐨𝐫𝐦𝐢𝐭𝐲 𝐰𝐢𝐭𝐡 𝐀𝐫𝐭𝐢𝐜𝐥𝐞 17 𝐨𝐟 𝐭𝐡𝐞 𝐀𝐈 𝐀𝐜𝐭. 𝐐𝐮𝐚𝐥𝐢𝐭𝐲 𝐡𝐞𝐫𝐞, 𝐦𝐞𝐚𝐧𝐬 𝐜𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐰𝐢𝐭𝐡 𝐭𝐡𝐞 𝐰𝐡𝐨𝐥𝐞 𝐀𝐜𝐭, 𝐰𝐡𝐢𝐜𝐡 𝐢𝐬 𝐩𝐫𝐨𝐝𝐮𝐜𝐭 𝐬𝐚𝐟𝐞𝐭𝐲 𝐫𝐞𝐠𝐮𝐥𝐚𝐭𝐢𝐨𝐧.

The draft standard has been circulated for public enquiry in CEN participating countries from 30 October 2025 to 22 January 2026.

Those countries also have 12 weeks to vote on the standard and send comments. Liaison organisations can also provide comments. In JTC 21, this includes 17 organisations with partner or liaison status (e.g. European Trade Union Confederation (ETUC), ANEC, NoLeFa and Equinet, European Network of Equality Bodies)

This draft standard represents a cornerstone element of the EU AI Act’s implementation framework. It is being developed in response to the Commission’s standardisation request C(2023)3215 issued in May 2023 (subsequently amended on 14 January 2025), which called for harmonised standards to operationalise the AI Act’s requirements. The draft standard is specifically designed to comprehensively address Article 17 of the AI Act, which mandates that providers of high-risk AI systems establish and maintain a quality management system (QMS).

Scope and Coverage

The standard is intended to provide detailed technical specifications for establishing, implementing, and maintaining a quality management system that ensures compliance with the AI Act. According to the Commission’s standardisation request, it must comprehensively cover Article 17, including:

Core QMS Elements (Article 17(1)):

1. Regulatory Compliance Strategy – procedures for managing conformity assessment and system modifications

2. Design and Development Controls – techniques, procedures, and systematic actions for:

   • System design and design control

   • Design verification

   • Development quality control and quality assurance

3. Testing and Validation Framework – examination, test, and validation procedures to be performed before, during, and after development, including frequency specifications

4. Technical Specifications and Standards – application of harmonised standards and alternative means of compliance where standards don’t fully cover requirements

5. Data Management Systems – comprehensive procedures for:

   • Data acquisition and collection

   • Data analysis and labelling

   • Data storage, filtration, and mining

   • Data aggregation and retention

   • All other data operations performed before placing systems on the market

6. Risk Management Integration – incorporation of the risk management system required under Article 9

7. Post-Market Monitoring – systems for ongoing surveillance as required by Article 72

8. Incident Reporting Procedures – processes for reporting serious incidents per Article 73

9. Communications Framework – handling of communications with:

   • National competent authorities

   • Data providers and supporting authorities

   • Notified bodies

   • Other operators, customers, and interested parties

10. Documentation and Record-Keeping – systems and procedures for maintaining all relevant documentation

11. Resource Management – including security-of-supply measures

12. Accountability Framework – defining management and staff responsibilities across all QMS aspects

Alignment Requirements

As specified in the Commission’s standardisation request, prEN 18286 must:

• Ensure clarity and consistency with standards developed for products under existing Union harmonisation legislation (Annex I)

• Align with other AI Act standards being developed concurrently, particularly those covering:

  • Risk management systems (Article 9)

  • Data governance (Article 10)

  • Record-keeping and logging (Article 12)

  • Transparency and deployer information (Article 13)

  • Human oversight (Article 14)

  • Accuracy, robustness, and cybersecurity (Article 15)

  • Conformity assessment procedures (Article 43)

• Consider existing international standards consistent with Union values and fundamental rights

• Support multi-stakeholder governance with balanced representation

Implications for Presumption of Conformity

Once adopted and, assuming its reference is published in the Official Journal of the European Union, compliance with prEN 18286 will hopefully confer a presumption of conformity with the requirements of Article 17. This means providers who implement their QMS in accordance with the standard can presume they meet regulatory obligations, significantly reducing legal uncertainty and facilitating market access. See the Annex ZA of the draft standard for more information.

Relationship to ISO/IEC 42001

Notably, whilst ISO/IEC 42001:2023 (Artificial Intelligence Management System) was published in December 2023, the AI Office indicated in May 2024 that ISO/IEC 42001 was not fully aligned with the final AI Act text. Consequently, ISO/IEC 42001 is not part of the EU harmonisation process, and prEN 18286 is being developed specifically to comprehensively address the EU AI Act requirements.

That said, the draft standard includes notes intended to help users who have already implemented ISO/IEC 42001, as well as Annexes that map the structure to both ISO/IEC 42001 and ISO 9001.

Key Features and Principles

Quality: Quality means compliance with the obligations of the AI Act for AI providers. This is surprising to many who are unfamiliar with regulatory quality management systems.

Proportionality: The standard must accommodate Article 17(2)’s requirement that implementation be proportionate to the provider’s organisational size, whilst maintaining the necessary rigour to ensure AI Act compliance. While there are no specific requirements based on company size, some attention has been paid to avoiding requirements that would be unsuitable for SMEs.

Integration with Existing Systems: Article 17(3) explicitly permits providers with existing quality management systems under sectoral Union law to integrate AI Act requirements into those existing frameworks. prEN 18286 must therefore be designed to work alongside:

• ISO 9001 (general quality management)

• Sector-specific quality standards

• Medical device quality systems

Relationship to Conformity Assessment

The QMS established according to prEN 18286 forms a critical component of two conformity assessment procedures:

Annex VI (Internal Control): Providers verify their QMS complies with Article 17 requirements as part of the self-assessment procedure available for most high-risk AI systems.

Annex VII (Third-Party Assessment): For high-risk biometric identification systems, notified bodies must assess whether the QMS satisfies Article 17 requirements. The assessment includes:

• Examination of QMS documentation covering all Article 17 aspects

• Procedures to ensure QMS remains adequate and effective

• Ongoing surveillance of the approved QMS

• Assessment of any proposed changes to the QMS

Integration with Technical Documentation

prEN 18286 must address how the QMS interfaces with the technical documentation requirements of Article 11 and Annex IV, particularly:

• How QMS processes generate and maintain technical documentation

• Quality control of documentation throughout the AI system lifecycle

• Documentation required to demonstrate QMS effectiveness

Standardisation Process Context

Development Timeline:

• May 2023: Commission standardisation request issued

• October 2024: New work item proposal for the stnadard approved

• October 2025: Enquiry phase commenced

• January 2026: Enquiry phase concludes

• Publication TBD, but Q4 2026 at the latest.

Coordination with Other Standards: prEN 18286 is being developed alongside related harmonised standards covering:

• Risk management systems (Article 9)

• Data governance (Article 10)

• Record-keeping and logging (Article 12)

• Transparency and information provision (Article 13)

• Human oversight (Article 14)

• Accuracy, robustness, and cybersecurity (Article 15)

• Conformity assessment procedures (Article 43)

All these standards must achieve coherence and avoid conflicts whilst providing distinct, implementable guidance.

Implementation Implications

For Providers:

• prEN 18286 will provide a clear, standardised pathway to Article 17 compliance

• Adoption will enable presumption of conformity, reducing assessment burden

• Integration guidance will support organisations with existing QMS

• The standard should clarify ambiguities in Article 17’s requirements

For Notified Bodies:

• Provides standardised assessment criteria for QMS evaluation under Annex VII

• Creates consistency across conformity assessments

• Reduces interpretation variability

For Market Surveillance:

• Establishes clear benchmarks for assessing QMS adequacy

• Facilitates enforcement actions

• Provides basis for market surveillance guidance

Critical Considerations

Challenges in Development:

1. Flexibility vs. Prescriptiveness: Balancing detailed guidance with necessary adaptability across different AI system types, sectors, and organisational sizes. It is not permitted to allow arbitrary decision making by the provider (such as selecting from a list of controls in ISO/IEC 42001 and 27001/2.

2. Technology Neutrality: Ensuring the standard remains applicable as AI technologies evolve.

3. Integration: Supporting incorporation into existing quality frameworks without creating conflicting requirements

4. Comprehensiveness: Covering all Article 17 elements whilst remaining implementable

Current Gaps: Until prEN 18286 is adopted and published:

• No harmonised standard exists for Article 17 compliance

• Providers must interpret Article 17 requirements directly

• Common specifications may be developed if standardisation deadlines are missed (Article 41)

• Conformity assessment faces greater uncertainty and variability

Future Outlook

The enquiry phase (ending January 2026) represents a critical opportunity for stakeholder input to refine the standard. Following this phase, the standard will undergo further development, formal vote, and eventual publication. Once published with its reference in the Official Journal, prEN 18286 will become the primary technical tool for demonstrating QMS compliance under the AI Act.

Note: This summary is based on the regulatory framework, Article 17 requirements, and the standardisation context. The detailed technical specifications of prEN 18286 are still under development through the CEN/CENELEC process and will be refined through the enquiry phase and subsequent standardisation stages.

Want to know more? Read on to hear about the distinctive structure of this draft standard!

Comments

[James Kavanagh]

Hi Adam, Thanks for the overview. Do you know if there’s somewhere the draft is published for public review, for those of us interested but not part of CEN processes?