
Multi-Framework AI Governance: EU AI Act, ISO 42001, NIST AI RMF, and GDPR

Guide · 23 May 2026 · 10 min read · 2,084 words

Map EU AI Act, ISO 42001, NIST AI RMF, and GDPR onto one control set. Crosswalk table, deadline 2 Dec 2027, and what each framework legally requires.

Four frameworks. Two legally binding. Two voluntary. One compliance programme.

If you operate AI systems inside the EU, you are almost certainly subject to at least three simultaneously: the EU AI Act (Regulation (EU) 2024/1689), the GDPR, possibly ISO/IEC 42001 if your organisation has adopted it, and NIST AI RMF if your US parent or enterprise customers require alignment. The instinct is to run four parallel workstreams. That instinct is expensive and unnecessary.

This guide maps what each framework requires, where they overlap, and how a single control set — written once against the EU AI Act's mandatory obligations — satisfies most of what the others ask for.


What Each Framework Is (and What It Is Not)

Two are binding law; two are voluntary guidance. Getting that distinction right is the starting point.

EU AI Act — binding law, risk-based, conformity-assessed. Regulation (EU) 2024/1689 is directly applicable in all EU member states. It attaches hard obligations to high-risk AI systems: a risk management system (Article 9), data governance (Article 10), technical documentation (Article 11), human oversight (Article 14), a quality management system (Article 17), and a conformity assessment under Article 43 before market entry. Non-compliance carries fines of up to €15 million or 3% of worldwide turnover (Article 99(4)). The deadline for stand-alone high-risk Annex III systems is 2 December 2027, after the Digital Omnibus deferral agreed in May 2026.

GDPR — binding law, data-protection-focused. Regulation (EU) 2016/679 is not an AI regulation, but most high-risk AI systems process personal data, so GDPR obligations apply automatically. The most relevant mechanism is Article 35: a Data Protection Impact Assessment (DPIA) is required when processing is likely to result in high risk to individuals' rights. The two regulations are cumulative; you satisfy both or neither.

ISO/IEC 42001 — voluntary, certifiable AI management system. ISO 42001 specifies requirements for an Artificial Intelligence Management System (AIMS). No law mandates its adoption, but an accredited body can certify conformity. Its structure — governance, risk assessment, data management, monitoring — maps closely to the AI Act's Article 17 quality management system requirement. Certification does not equal EU AI Act compliance, but it substantially advances it.

NIST AI RMF — voluntary US guidance, non-certifiable. Published by the US National Institute of Standards and Technology (January 2023), this framework carries no legal weight in the EU and has no certification mechanism. Its four functions — Govern, Map, Measure, Manage — are widely adopted by US-headquartered organisations and by companies demonstrating AI risk maturity to enterprise customers. Compatible with the AI Act's obligations; not a substitute for them.


Where the Frameworks Overlap

The overlap is substantial. All four address some version of risk management, data governance, documentation, and oversight. That is the basis for the single-control-set approach.

The Core Crosswalk

The table below maps the EU AI Act's mandatory high-risk obligations to their ISO 42001, NIST AI RMF, and GDPR counterparts. Where no direct equivalent exists, the cell is left blank.

| EU AI Act obligation | Article | ISO 42001 clause | NIST AI RMF function | GDPR provision |
|---|---|---|---|---|
| Risk management system | Art 9 | 8.1–8.4 (AI risk assessment and treatment) | Map + Manage | Art 35 DPIA (partial) |
| Data and data governance | Art 10 | 8.2, Annex A.6 (data for AI) | Map + Measure | Art 5 data quality; Art 25 data minimisation |
| Technical documentation | Art 11 | 7.5 (documented information) | Govern (policies/docs) | Art 30 records of processing |
| Record-keeping / logging | Art 12 | 7.5 (documented information) | Manage (monitoring logs) | Art 5(2) accountability |
| Transparency to deployers | Art 13 | Annex A.8 (transparency) | Govern | Art 13/14 (information to data subjects) |
| Human oversight | Art 14 | Annex A.9 (human oversight) | Manage | Art 22 automated decision-making |
| Accuracy, robustness | Art 15 | Annex A.10 (performance) | Measure | |
| Quality management system | Art 17 | Entire AIMS structure | Govern | |
| Post-market monitoring | Art 72 | 10.1 (monitoring, measurement, analysis) | Manage | |
| Serious incident reporting | Art 73 | 10.2 (nonconformity and corrective action) | Manage | Art 33 breach notification (analogous) |

The pattern is clear: a well-built Article 9 risk management system covers most of ISO 42001 clauses 8.1–8.4. Solid Article 11 technical documentation satisfies ISO 42001's documented-information requirements and most of NIST's Govern function. One programme; multiple output formats.


The Case for a Single Control Set

Start with the EU AI Act. It is the only binding framework that is EU-specific, deadline-driven, and fine-enforced. Build your control set to satisfy its requirements first, then annotate each element with the ISO 42001 clause and NIST function it also satisfies. That annotation takes a few hours and produces a crosswalk document auditors, customers, and enterprise procurement teams can read directly.

The same logic applies to GDPR. A credit-scoring model that undergoes an Article 9 risk assessment has already done most of the analytical work a GDPR Article 35 DPIA requires. The DPIA is a focused lens on data subjects' rights applied to work you have already done — not a separate exercise from scratch.

One caveat: ISO 42001 certification confirms that your management system meets the standard. It does not confirm that your AI system complies with the EU AI Act. Treat certification as strong evidence of governance maturity, not as a substitute for the Article 43 conformity assessment.


What GDPR Adds That the AI Act Does Not Cover

The AI Act focuses on AI system risk to health, safety, and fundamental rights in aggregate. GDPR focuses on individual data subjects' rights. Both require transparency and oversight, but GDPR adds duties the AI Act does not replicate: a lawful basis for processing (Article 6 GDPR), a Data Protection Impact Assessment where processing is likely to result in high risk (Article 35 GDPR), data subject rights including access, rectification, and erasure, and the right to human review of solely automated decisions under Article 22 GDPR.

That last point is where the two regimes intersect most visibly. A recruitment tool must satisfy Article 22 GDPR — candidates' right not to be subject to purely automated decisions with significant effects — alongside Article 14 AI Act, which requires human oversight capable of overriding the system's output. A single, well-designed override mechanism serves both. GDPR also requires a record of processing activities under Article 30, which overlaps substantially with Article 11 AI Act technical documentation.


What ISO 42001 and NIST AI RMF Add

ISO 42001's real value is structural governance scaffolding: defining AI use context (clause 4), setting objectives (clause 6), establishing roles and responsibilities (clause 5), and running a management review cycle (clause 9). These elements are implied by Article 17's quality management system requirement but spelled out more concretely in the standard. For organisations already holding ISO 9001 or ISO 27001, adopting ISO 42001 is an incremental extension — the architecture is identical, and ISO 27001 controls (access controls, incident management, audit logs) directly support AI Act Articles 12 and 15.

For a 30-person SaaS company with no prior ISO certification, the decision to pursue ISO 42001 certification should be driven by commercial need — typically an enterprise procurement requirement — rather than by the EU AI Act alone.

NIST AI RMF's Govern function is the most useful addition for multi-jurisdictional organisations: it emphasises organisational culture, leadership accountability, and stakeholder engagement. Map overlaps with Article 6 classification; Measure maps to Article 15 accuracy and robustness testing; Manage maps to Articles 9 and 72. NIST AI RMF does not address EU-specific obligations — conformity assessment, CE marking, EU database registration under Article 49 — so it cannot substitute for AI Act compliance, but it provides a useful vocabulary for the qualitative risk analysis Article 9 requires.


The Deadline and What It Means for Multi-Framework Planning

Under the Digital Omnibus agreed in May 2026, Annex III stand-alone high-risk systems must comply by 2 December 2027. Annex I systems embedded in regulated products have until 2 August 2028. Neither date is as far away as it looks: a realistic Article 9 risk management system, Article 11 technical documentation, and Article 17 QMS take six to twelve months to build properly. Add ISO 42001 certification and allow another four to eight months for the audit cycle.

Start the AI Act compliance work first and layer ISO 42001 and NIST mapping in as you go. It costs relatively little extra effort; the commercial return — enterprise procurement approvals, demonstrated governance maturity — is real.


How Confir Helps

Confir's assessment is rule-based and deterministic: the same inputs produce the same outputs, and every finding traces back to a specific Article. It cross-maps controls across ISO/IEC 42001, NIST AI RMF, and GDPR alongside the EU AI Act — covering classification under Articles 5 and 6, the full high-risk obligation stack, and the Article 27 Fundamental Rights Impact Assessment for qualifying deployers. One assessment. Audit-ready output.


Frequently Asked Questions

Does ISO 42001 certification satisfy EU AI Act requirements?

No. ISO 42001 certification confirms that your AI management system meets the standard — a genuine signal of governance maturity, but not a conformity assessment under Article 43. It does not satisfy the specific requirements of Articles 9, 10, 11, 14, or 17 of the EU AI Act. The controls overlap substantially, so pursuing both simultaneously is efficient. Do not present a certificate to regulators as a substitute for AI Act compliance.

Is NIST AI RMF legally required in the EU?

No. It is voluntary US guidance with no certification mechanism and no legal weight in the EU. Its value for EU-based organisations is commercial — enterprise customer alignment — and structural: its four functions (Govern, Map, Measure, Manage) map usefully onto the AI Act's obligations and help technical teams work in a consistent vocabulary across jurisdictions.

Which obligations do the AI Act and GDPR share for high-risk AI systems?

The most significant shared territory is risk assessment and oversight. Both require transparency: Article 13 AI Act (providers to deployers) and GDPR Articles 13–14 (to data subjects). Both address automated decisions: Article 14 AI Act (human oversight) and GDPR Article 22 (right to human review). Both require documented records: Article 11 AI Act technical documentation and GDPR Article 30 processing records. A well-structured compliance programme generates both sets of evidence from a single body of work.

What is the difference between Article 9 and Article 43?

Article 9 is a continuous lifecycle process — identifying, analysing, and mitigating risks throughout the system's operation. Article 43 is a pre-market verification step: a formal check, either internal (Annex VI) or by a notified body (Annex VII), that the system meets all Chapter III requirements before it goes to market. The Article 9 risk management system is an input to the Article 43 assessment, not a substitute for it.

Are the penalty tiers the same under the AI Act and GDPR?

No. The AI Act's main fine tier for high-risk violations is €15 million or 3% of worldwide turnover, whichever is higher (Article 99(4)). GDPR's Article 83(4) reaches €10 million or 2%; Article 83(5) reaches €20 million or 4% for core principles breaches. Enforcement sits with different authorities — national market-surveillance authorities for the AI Act, data-protection authorities for GDPR — so exposure under both regimes is cumulative, not capped.

Does the 2 December 2027 deadline apply to all four frameworks?

Only the EU AI Act carries a legally mandated deadline. The 2 December 2027 date applies to stand-alone high-risk Annex III systems under the Digital Omnibus deferral agreed in May 2026. GDPR obligations apply now, immediately, to any current personal-data processing. ISO 42001 and NIST AI RMF have no deadlines — they are adopted on your organisation's own timeline, usually driven by certification goals or customer requirements.
