Quick answer

Article 40 of the EU AI Act provides that high-risk AI systems and general-purpose AI models which conform to harmonised standards cited in the Official Journal are presumed to comply with the corresponding legal requirements. The standards are being developed by CEN and CENELEC under a Commission standardisation request, and Article 41 lets the Commission adopt common specifications as a fallback.

Updated June 2026 · MmowW AI Compliance

EU AI Act Article 40: Harmonised Standards and the Presumption of Conformity

Overview: Why Standards Are the Real Compliance Currency

The EU AI Act states what high-risk AI must achieve — risk management, data quality, transparency, oversight, accuracy, robustness, cybersecurity — but legislation cannot specify how to test a dataset for bias or measure robustness in engineering terms. That translation is the job of harmonised standards. Article 40 makes the connection legally powerful: high-risk AI systems or general-purpose AI models which are in conformity with harmonised standards, or parts thereof, whose references have been published in the Official Journal of the European Union are presumed to be in conformity with the corresponding requirements of the regulation. For providers, that presumption converts open-ended legal obligations into an implementable engineering checklist — and it is the mechanism on which the entire New Legislative Framework tradition of European product law runs.

What a Harmonised Standard Is

A harmonised standard is a European standard developed by one of the recognised European standardisation organisations — CEN, CENELEC or ETSI — in response to a standardisation request from the European Commission, under Regulation (EU) 1025/2012. The standard becomes harmonised in the legal sense when its reference is cited in the Official Journal. Two consequences follow. First, the presumption of conformity attaches only to the cited version and only for the requirements the citation covers — using a standard before citation is good engineering but carries no legal presumption. Second, standards remain voluntary: a provider may always demonstrate compliance by other means, though in practice deviation shifts the burden of technical argument onto the provider, and for biometric systems the application of harmonised standards determines whether third-party conformity assessment can be avoided.

The AI Standardisation Programme

In May 2023 the Commission issued a standardisation request to CEN and CENELEC covering the requirements for high-risk AI. The work is carried out in the joint technical committee CEN-CLC JTC 21, which coordinates European work and adopts or adapts international standards where suitable. The requested deliverables map directly onto Chapter III Section 2: risk management systems, governance and quality of datasets, record keeping and logging, transparency and information to users, human oversight, accuracy specifications, robustness, and cybersecurity, together with quality management and conformity assessment standards. International work feeds the programme — ISO/IEC 42001 on AI management systems and the ISO/IEC SC 42 portfolio are reference points — but European standards must satisfy the specific legal requirements of the regulation, so adoption is not automatic and several deliverables are being written as homegrown European standards.

The timeline has been the programme's persistent difficulty. Standards development, consensus-building and the formal citation process take years, and the schedule has been revised repeatedly, with key deliverables expected around the time the high-risk obligations begin to apply in August 2026 rather than comfortably before. Providers should track the JTC 21 work programme and Official Journal citations as a standing compliance activity, and plan for a period in which obligations apply while the presumption-of-conformity toolkit is still arriving.

Common Specifications: The Article 41 Fallback

The legislator anticipated the timing risk. Article 41 empowers the Commission to adopt implementing acts establishing common specifications for the high-risk requirements or GPAI obligations where harmonised standards are not available — because the standardisation request was not accepted, the standards are delayed beyond the requested deadline, do not address fundamental rights concerns adequately, or do not comply with the request. Conformity with common specifications grants the same presumption of conformity. The Commission must withdraw or amend common specifications when a harmonised standard covering the same ground is later cited. Common specifications are a fallback, not the preferred route — European law gives primacy to the consensus standardisation process — but providers should monitor for them, because a common specification can arrive faster than a standard and immediately reshape the compliance baseline.

Who Should Care and What the Presumption Changes

Every provider of high-risk AI, and every GPAI model provider, has a direct stake. With cited standards in hand, a provider of an Annex III point 2 to 8 system can run internal control conformity assessment against a defined technical benchmark, dramatically reducing legal uncertainty. For Annex III point 1 biometric systems, full application of harmonised standards is what unlocks the choice of self-assessment instead of mandatory notified body involvement. Deployers and procurement teams gain too: requiring conformity with cited standards in contracts becomes the cleanest way to specify AI quality. And for non-EU providers, the standards are the practical export ticket — building to the European standards stack once is cheaper than maintaining separate compliance narratives per market.

Practical Steps for 2026

  1. Assign ownership for standards tracking: JTC 21 programme updates, Official Journal citations and any Article 41 common specifications
  2. Map each Chapter III requirement to your current engineering evidence, then to the corresponding draft standard, and gap-assess against drafts now rather than waiting for citation
  3. Adopt ISO/IEC 42001-style AI management discipline as scaffolding — it will not by itself create the presumption, but it organises the evidence the European standards will demand
  4. For biometric providers: model both conformity routes and keep the notified body option alive until standards citations are confirmed
  5. Version your technical documentation so that, when a cited standard lands, you can state precisely which clauses you meet and which parts of the presumption you claim

Concrete Example

A vendor of an Annex III recruitment screening system needs to demonstrate data governance under Article 10. Without standards, its documentation must argue from first principles that its bias examination methodology is adequate — defensible, but open to challenge by any market surveillance authority. Once a harmonised standard on data governance for AI is cited in the Official Journal and the vendor implements it, conformity with the standard is presumed to satisfy the corresponding parts of Article 10; an authority contesting the system must then engage with the standard itself or show the standard does not cover the issue at hand. The vendor's audit conversations shorten from methodology debates to clause-by-clause verification — which is precisely the efficiency the New Legislative Framework is designed to produce.

Action Before August 2, 2026

The strategic guidance is unglamorous: do not wait. Providers who postpone compliance engineering until final standards are cited will compress impossible amounts of work into the months after citation. The requirements of Articles 9 to 15 apply from August 2, 2026 with or without standards; drafts and international equivalents indicate their direction clearly enough to build against today, and documentation written in the structure of the emerging standards will be straightforward to map once citations arrive. Track the Official Journal, participate in national mirror committees if you have the expertise to contribute, and treat the standards stack the way mature hardware companies always have — as the place where regulation becomes engineering, and where early movers quietly set the terms their competitors will later have to meet.

How the Presumption Works Legally — and Its Limits

The presumption of conformity deserves precise understanding, because it is regularly overstated. It is partial: it covers only the requirements that the cited standard addresses, and citations in the Official Journal sometimes include restrictions excluding specific clauses. It is rebuttable: market surveillance authorities can still act against a standards-conformant system where evidence shows it presents a risk, and the formal objection mechanism of Regulation 1025/2012 allows a Member State or the Commission to challenge a standard that proves inadequate, leading to restricted or withdrawn citation. And it is version-specific: when a standard is revised and the new version cited, the presumption migrates on the timetable set in the citation, which forces providers to manage standard transitions like any other dependency upgrade. None of this diminishes the presumption's value — it remains the strongest compliance position available — but it explains why mature providers maintain a requirements-to-evidence map independent of any single standard. The standard is the route; the regulation is the destination. Teams that understand both can answer the only question an authority ultimately asks: show me that this system meets the law, clause by clause, version by version, today.

A practical footnote on participation: standardisation is open in ways regulation is not. National standards bodies run mirror committees for JTC 21, SMEs can join at reduced cost in most Member States, and Regulation 1025/2012 obliges the process to take account of SME, consumer and societal stakeholder input. For companies whose products depend on how a test method or metric gets defined, a seat in the mirror committee costs a fraction of what adapting to an ill-fitting standard will cost later.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.