Understanding the different types of standards relevant to EU AI Act compliance

This is one of the mostly widely misunderstood concepts in the NLF. If you think harmonised standards provide presumption of conformity, you are wrong, and this article is for you!

Nov 30, 2025

When navigating the EU’s regulatory landscape for products, including AI systems under the AI Act, practitioners encounter various types of standards with fundamentally different legal effects. Confusion between these categories can lead to misguided compliance strategies, so clarity is essential.

Harmonised Standards

A harmonised standard is developed by a European standardisation organisation (ESO, i.e. CEN, CENELEC, or ETSI) at the European Commission’s formal request, issued through a standardisation request under Regulation (EU) No 1025/2012. This request specifies which essential requirements of which legislation the standard should address.

The critical feature of harmonised standards is that they are developed under mandate to support specific EU legislation. For the AI Act, the CEN-CENELEC Joint Technical Committee 21 (JTC 21) is developing harmonised standards in response to the Commission’s standardisation request. These standards are designed with explicit traceability to the Act’s requirements.

BUT, the ESOs can theoretically adopt standards that are gibberish, blank, or plain wrong.

Citation in the OJEU: Presumption of Conformity Achieved

A harmonised standard only confers presumption of conformity once its reference is published in the Official Journal of the European Union (OJEU). This publication represents the Commission’s formal recognition that the standard adequately addresses the essential requirements specified in the standardisation request.

Before OJEU citation, a harmonised standard is merely a European standard. It may be technically sound and widely adopted, but it carries no special legal status. The OJEU citation transforms it into a legal tool: AI providers who conform to a cited harmonised standard benefit from the rebuttable presumption that they comply with the corresponding essential requirements of the AI Act.

This distinction matters rather a lot. Standards currently under development by CEN-CENELEC JTC 21 will not provide presumption of conformity unless cited in the OJEU, which typically occurs months or even years after publication.

Normatively Referenced Standards: Compliance by Incorporation

When a harmonised standard makes a normative reference to another standard, that referenced standard becomes part of the compliance pathway, but only to the extent incorporated through the normative reference. The Blue Guide explains this clearly: “Where a harmonised standard refers normatively to another standard..., compliance with the latter standard is deemed to be a way to comply with the relevant requirements of the harmonised standard in question.”

A normative reference is a requirement (shall) that refers to another standard in a way that makes the other standard indispensable. Normative references are always listed in Clause 2 of any ISO/IEC or CEN-CENELEC standard.

Consider prEN 18286, the draft AI quality management system standard. It deliberately avoids normative references to other standards, instead using informative annexes with mapping tables. This architectural choice preserves implementation flexibility: organisations can demonstrate QMS conformity without being bound to specific technical approaches mandated by normatively referenced standards.

When a harmonised standard includes normative references, those referenced standards effectively become part of the presumption of conformity pathway. Still, their legal effect flows entirely through the citing harmonised standard (assuming it is cited in the OJEU), not through independent OJEU citation.

Standards Used to Demonstrate Conformity: The Voluntary Route

Finally, AI providers may choose to use any standard — European, international, national, sector-specific, or even company-internal specifications — as evidence of conformity with the essential requirements, even if that standard is neither harmonised nor cited in the OJEU. This represents voluntary standardisation at work. They can also use other technical specifications that are not standards in the commonly understood way.

Such specifications carry no presumption of conformity. Instead, AI providers must demonstrate the connection between the standard’s requirements and the legislation’s essential requirements in their quality management system documentation. This imposes a heavier burden of proof but offers significant flexibility.

For AI systems, this category will be particularly important during the transitional period before harmonised standards achieve OJEU citation. Organisations may reference ISO/IEC standards, sector-specific frameworks, or emerging best practices as supporting evidence in their technical documentation, whilst acknowledging that these references do not trigger presumption of conformity.

Practical Implications

These distinctions shape compliance strategy fundamentally. Harmonised standards cited in the OJEU offer the safest path; presumption of conformity with clear regulatory recognition. During the transitional period, however, organisations must build their compliance cases using standards that lack this special status, which demands more rigorous documentation of the conformity assessment rationale.

Understanding these categories prevents the common error of treating all European standards as equivalent. Only those developed under mandate and cited in the OJEU unlock presumption of conformity - and even then, only for the essential requirements explicitly covered by the citation notice.

I’ll cover now how EN ISO/IEC 12792, Information technology — Artificial intelligence (AI) — Transparency taxonomy of AI systems, fits into this picture. Read here.

AI regulation, standards and reality

Discussion about this post

Ready for more?