v2.4.0 | Report Errata
docs governance docs governance

CEN/CENELEC JTC 21

CEN/CENELEC Joint Technical Committee 21 (JTC 21) is responsible for developing the harmonised standards under the EU AI Act. As of early 2026, the standards development process remains ongoing, with the first tranche anticipated but not yet finalised. The working groups are developing standards that will map to the AI Act’s requirements across risk management, data governance, transparency, human oversight, cybersecurity, and conformity assessment.

Organisations should monitor the JTC 21 working groups closely. Participation in national mirror committees (the national standards bodies that feed into CEN/CENELEC) provides early visibility into emerging standards and an opportunity to influence their content. The Legal and Regulatory Advisor maintains a standards monitoring register recording each relevant working group, its current status, the anticipated publication timeline, and the AISDP modules it will affect.

Once harmonised standards are published in the Official Journal, the compliance landscape changes significantly. Organisations that have built their compliance posture on international reference standards will need to conduct a re-mapping exercise to align with the harmonised standards.

Key outputs

  • JTC 21 monitoring through national mirror committee participation
  • Standards monitoring register with per-working-group status
  • Anticipated impact assessment on AISDP modules
  • Module 6 AISDP documentation

Interim Reference Standards

In the absence of harmonised standards, reference to international standards provides a credible compliance framework. Six standards form the interim foundation: ISO/IEC 42001:2023 (AI management systems), ISO/IEC 23894:2023 (AI risk management), ISO/IEC 25012:2008 (data quality), ISO/IEC 25010:2023 (system and software quality), ISO/IEC 27001:2022 (information security management), and ISO/IEC 38507:2022 (governance implications of AI).

These standards do not carry the presumption of conformity that harmonised standards provide under Article 40. They do provide a structured, internationally recognised framework that demonstrates a credible compliance approach. An assessor or competent authority will view compliance with relevant international standards more favourably than an ad hoc approach, even if the standards do not trigger the formal burden shift.

The AISDP’s standards compliance register records each standard applied, the specific clauses relied upon, and the mapping to the corresponding AI Act requirements. Where only part of a standard was applied, the register identifies the specific clauses and the rationale for partial application.

Key outputs

  • Six interim reference standards applied and documented
  • Standards compliance register with per-clause mapping
  • Partial application documented with rationale
  • Module 6 AISDP documentation

Presumption of Conformity (Art. 40) — Burden Shift

Article 40 provides that high-risk AI systems conforming to harmonised standards published in the Official Journal shall be presumed to conform to the requirements covered by those standards. This presumption significantly strengthens the provider’s compliance posture by shifting the burden of proof: rather than the provider demonstrating compliance from first principles, the competent authority must demonstrate non-compliance despite adherence to the harmonised standard.

The presumption is rebuttable. A competent authority can challenge the provider’s claim of standard compliance if the evidence does not support it. The presumption also covers only the requirements addressed by the specific harmonised standard; requirements not covered by the standard must still be demonstrated through other evidence.

For the AISDP, the practical implication is that compliance with harmonised standards should be documented meticulously. Each standard’s scope should be mapped to the AI Act requirements it covers, and evidence of compliance should be structured around the standard’s requirements. Where a harmonised standard does not fully cover an AI Act requirement, the gap and the supplementary evidence addressing it should be explicitly documented.

Key outputs

  • Burden shift from provider demonstration to authority challenge
  • Per-standard scope mapping to AI Act requirements
  • Gap identification for requirements not covered by standards
  • Module 6 AISDP documentation

Re-Mapping Exercise When Standards Published

The transition from interim international standards to harmonised standards requires a structured re-mapping exercise. Organisations trace their existing compliance evidence to the new standard’s requirements, identify gaps where the harmonised standard introduces requirements beyond the international standard, and plan remediation for any gaps identified.

The re-mapping exercise proceeds in three steps. First, the AI System Assessor maps each harmonised standard requirement to the existing compliance evidence, identifying which evidence satisfies the new requirement and which does not. Second, the Conformity Assessment Coordinator assesses the gaps and estimates the remediation effort. Third, the AI Governance Lead approves a remediation plan and timeline.

The re-mapping should be completed within six months of publication of the harmonised standard in the Official Journal, allowing sufficient time to benefit from the presumption of conformity. The exercise is documented as a Module 6 evidence artefact, demonstrating the organisation’s proactive response to the evolving standards landscape.

Key outputs

  • Three-step re-mapping (evidence mapping, gap assessment, remediation plan)
  • Six-month completion target from Official Journal publication
  • Gap remediation planned and tracked
  • Module 6 AISDP evidence
On This Page