Harmonised Standard
A harmonised standard under the EU AI Act (Article 40) creates a presumption of conformity for high-risk AI systems. Learn how it works and what to do while standards are pending.
A harmonised standard is a European standard adopted at the European Commission's request for the application of EU harmonisation legislation. Under the EU AI Act, conformity with a harmonised standard whose reference has been published in the Official Journal of the EU creates a legal presumption that the covered high-risk AI system meets the corresponding requirements of the Act — the so-called presumption of conformity under Article 40 of Regulation (EU) 2024/1689.
For providers of high-risk AI systems, this presumption is the most direct path to demonstrating compliance. Rather than building a bespoke evidence dossier from scratch, a provider who applies a published harmonised standard can rely on the presumption to satisfy the relevant requirements of Chapter III, Section 2 without independently re-proving each one.
What a harmonised standard is
The term has a precise legal meaning, borrowed wholesale from EU standardisation law. The AI Act draws on the definition in Regulation (EU) No 1025/2012, the EU Standardisation Regulation: a harmonised standard is a European standard (EN) developed by a recognised European standardisation body — CEN, CENELEC, or ETSI — on the basis of a Commission request published in the Official Journal of the EU. Once the standard is finalised and its reference is published in the Official Journal, it acquires legal effect in the field of EU harmonisation legislation.
The standard itself remains voluntary. No provider is obliged to apply it. But that voluntariness is almost irrelevant in practice, because the benefit it unlocks — the presumption of conformity — is substantial. A provider who chooses not to apply a harmonised standard must still demonstrate compliance with the underlying requirements; the standard simply provides the most pre-validated route to doing so.
Two points are worth holding separately. First, a standard's existence does not, by itself, create the presumption: the Commission must publish the reference in the Official Journal. Until that publication, the standard may still be useful as technical guidance, but it carries no legal presumption. Second, the presumption is limited to the requirements covered by the standard. If a standard addresses data governance and transparency but says nothing about cybersecurity, the presumption of conformity does not extend to the Article 15 cybersecurity requirements.
The presumption of conformity (Article 40)
Article 40 of Regulation (EU) 2024/1689 sets out the core mechanism. Where a high-risk AI system conforms to a harmonised standard — or to relevant parts of one — whose reference has been published in the Official Journal, the system is presumed to conform to the requirements of the AI Act covered by that standard. The same presumption applies, under certain conditions, to GPAI models.
In practical terms, this de-risks the conformity assessment under Article 43 significantly. The Article 43 conformity assessment is the procedural gate a high-risk AI system must pass before it can be placed on the market or put into service. For most Annex III categories (points 2–8: critical infrastructure, education, employment, essential services, law enforcement, migration, justice), this takes the form of an internal self-assessment under Annex VI — essentially, the provider documents that its system meets each applicable requirement. Demonstrating that the system conforms to a published harmonised standard converts much of that evidentiary task into a standard-by-standard tick, with the standard itself providing the technical methodology.
For biometric systems (Annex III, point 1), the conformity assessment generally requires a notified body under the Annex VII route. Even there, a harmonised standard narrows the scope of what the notified body must independently verify.
The presumption is rebuttable, not absolute. A market-surveillance authority that finds actual non-compliance can challenge it. But the legal starting point is conformity, and that matters: the burden of establishing a breach shifts to the authority.
One further point on scope: Article 40 states that the presumption applies to requirements covered by the standard. Providers must therefore check which AI Act requirements a given standard addresses and whether any gaps remain. A system that conforms to a standard covering Articles 9 (risk management), 10 (data governance), and 13 (transparency) still needs separate evidence for Articles 14 (human oversight) and 15 (accuracy, robustness, cybersecurity) if those are not within the standard's scope.
When standards aren't ready: common specifications (Article 41)
The standardisation landscape for the EU AI Act is still forming. CEN and CENELEC are developing the AI Act harmonised standards — designated under standardisation request M/606 — but the timeline for publication of Official Journal references is not yet confirmed. Until those references appear, providers cannot rely on the Article 40 presumption.
Article 41 provides an alternative. Where harmonised standards do not yet exist, are not sufficient to cover the requirements, or where there are urgent safety concerns, the Commission may adopt common specifications by implementing act. Common specifications are not developed by standardisation bodies — they are Commission-drafted technical rules that carry their own presumption of conformity once published. They function as a legislative substitute for a missing or inadequate harmonised standard.
In practice, common specifications are most likely to appear in the early years of the Act's operation, covering the highest-risk areas where the standardisation process has not yet produced published references. Once a harmonised standard is published for the same requirements, it supersedes the common specification for providers who choose to apply it.
The distinction matters operationally. Harmonised standards are developed through an open, multi-stakeholder standardisation process (industry, civil society, national standards bodies) and tend to be more detailed in their technical implementation guidance. Common specifications are drafted directly by Commission services. Providers who want to influence what "conformity" looks like in technical practice have much more leverage in the CEN/CENELEC standardisation process.
For now, providers building compliance documentation for high-risk systems whose obligations apply from 2 December 2027 (stand-alone Annex III systems; the high-risk deadline under the Digital Omnibus agreed in May 2026) should monitor both tracks: CEN/CENELEC progress on the AI Act standards and any Commission moves toward common specifications. Neither is on a confirmed publication timeline as of mid-2026.
Why it matters for providers
The business case for applying a harmonised standard, once one exists, is straightforward. A provider who builds its system against the standard's requirements, tests against its benchmarks, and documents that conformity in the technical file is buying itself the cheapest and most legally defensible form of compliance evidence available.
"Cheapest" because the alternative — building a proprietary evidence framework to demonstrate conformity with each of Articles 9 through 15 — requires the provider to make the argument that its own methodology is adequate. A regulator or notified body may or may not agree. An argument grounded in a published harmonised standard is much harder to reject without pointing to specific technical deficiencies.
"Most defensible" because the presumption is built into the Act. If a market-surveillance authority challenges a finding, the provider's starting position is statutory conformity. The authority must rebut it.
While the standards are pending, providers have three realistic options. First, they can engage with the CEN/CENELEC process — standards committees are open to industry participation, and a provider with genuine technical depth in a high-risk use case has material to contribute. Second, they can watch for common specifications and apply those once published. Third, they can build their evidence framework against the Act's requirements directly, cross-referencing relevant technical standards from adjacent domains (ISO/IEC 42001 for AI management systems, ISO/IEC 27001 for information security) that are already available and may partially overlap with AI Act requirements — while accepting that this approach does not carry the Article 40 presumption.
Most providers in practice will mix the second and third options until harmonised standards arrive. The Article 11 / Annex IV technical documentation pack — the core of the conformity file — needs to be assembled regardless. The question is what evidence fills each section. Until a harmonised standard tells you precisely what "adequate" means for Article 9 risk management documentation, you are making a judgment call. Documenting that judgment call transparently is the only defensible approach.
Confir's structured assessment maps its four compliance areas — AIRC, AITR, AITO, AIGM — directly to the specific Articles that harmonised standards will eventually cover (Articles 9, 10, 11, 13, 14, 15 in particular). The output is an Annex IV-compliant technical documentation pack and a generated Article 47 / Annex V Declaration of Conformity. As harmonised standards are published, the mapping updates; the documentation structure stays stable.
Frequently Asked Questions
Is applying a harmonised standard mandatory for high-risk AI systems?
No. Harmonised standards are voluntary. A provider of a high-risk AI system can comply with the Act's requirements through any technically adequate means — the harmonised standard is simply the route that carries a statutory presumption of conformity under Article 40. Providers who do not apply a published harmonised standard must demonstrate compliance through their own evidence, which is harder to defend if challenged and cannot rely on the presumption.
What is the difference between a harmonised standard and a common specification?
Both can give rise to a presumption of conformity with AI Act requirements, but their origins differ. A harmonised standard is developed by CEN, CENELEC, or ETSI through a multi-stakeholder standardisation process, on the basis of a Commission request; its reference must be published in the Official Journal of the EU before the presumption applies. A common specification is drafted directly by the European Commission as an implementing act, and comes into play under Article 41 when harmonised standards do not exist or are insufficient. The Commission may also use common specifications where there are urgent safety or fundamental-rights concerns.
When will AI Act harmonised standards be available?
CEN and CENELEC are working on the standards under Commission request M/606, but no confirmed publication date for Official Journal references has been given as of mid-2026. The high-risk obligations for stand-alone Annex III systems apply from 2 December 2027 under the Digital Omnibus agreed in May 2026, so there is a window — but providers should not count on references appearing early in that period. The Commission may use common specifications under Article 41 to fill gaps before harmonised standards are finalised.
Does conformity with a harmonised standard mean a notified body is no longer required?
Not necessarily. For most Annex III categories (points 2–8), the conformity assessment is an internal self-assessment under Annex VI — a notified body is not required whether or not a harmonised standard is applied. For biometric systems (Annex III, point 1), the Annex VII notified-body route generally applies. Applying a harmonised standard reduces what the notified body needs to independently verify, but does not eliminate the requirement for a notified body where one is otherwise mandated under Article 43.
Can a provider apply only part of a harmonised standard?
Yes. Article 40 states that the presumption of conformity applies when a system "conforms to harmonised standards or relevant parts thereof." A provider can apply only those sections of a standard that are relevant to its system and claim the presumption for the requirements those sections cover. Any requirements not covered by the parts applied must be addressed through separate evidence in the technical documentation.
How does a harmonised standard interact with the Article 43 conformity assessment?
The conformity assessment under Article 43 is the procedure by which a provider demonstrates that a high-risk AI system meets the Act's requirements before placing it on the market. Conformity with a published harmonised standard feeds directly into that procedure: the provider records in its Annex IV technical documentation that the system was tested against and found to conform to the standard, and relies on the Article 40 presumption to satisfy the underlying requirements. The assessment is not dispensed with — it is completed more efficiently because the standard has done the technical work of specifying what adequate conformity looks like.
Related terms
- Conformity assessment (Article 43)
- Technical documentation (Article 11 / Annex IV)
- Annex IV — Technical documentation content areas
- Article 43 — Conformity assessment procedures
- Notified body
- Substantial modification