Chapter V — Standards, Conformity Assessment, Certificates, RegistrationArticle 40

Article 40: Harmonised Standards and Standardisation Deliverables

Applies from 2 Aug 20266 min readEUR-Lex verified Apr 2026

Article 40 is a cornerstone of the AI Act's compliance architecture. High-risk AI systems or general-purpose AI (GPAI) models that conform to harmonised standards — or the relevant parts thereof — whose references have been published in the Official Journal of the EU shall be presumed to be in conformity with the requirements of Chapter III Section 2 (for high-risk systems) or Chapter V obligations (for GPAI), to the extent those standards cover those requirements. The Commission may request European standardisation organisations (CEN, CENELEC, ETSI) to develop such standards. This creates the critical "presumption of conformity" bridge between technical standards and legal requirements.

Start free assessment All articles

Who does this apply to?

-Providers of high-risk AI systems who can use harmonised standards to demonstrate presumption of conformity with Chapter III Section 2 requirements
-European standardisation bodies (CEN, CENELEC, ETSI) developing AI-specific harmonised standards at the Commission's request
-Conformity assessment bodies evaluating whether providers have correctly applied harmonised standards

Scenarios

A provider of a high-risk AI system for credit scoring applies the harmonised standard EN XXXXX (developed by CEN/CENELEC for AI risk management) whose reference has been published in the Official Journal. The standard covers Article 9 risk management and Article 15 accuracy and robustness requirements.

The provider enjoys a presumption of conformity with Articles 9 and 15 to the extent the standard covers those requirements. The conformity assessment body can rely on the standard as evidence, streamlining the assessment.

Ref. Art. 40

The Commission requests CEN/CENELEC to develop a harmonised standard for AI data governance. The standard is adopted but its reference has not yet been published in the Official Journal.

Until the reference is published in the Official Journal, the standard does not trigger the presumption of conformity under Article 40. Providers may still use the standard as supporting evidence but cannot rely on the presumption.

Ref. Art. 40

The presumption of conformity mechanism

Article 40 establishes the presumption of conformity — a well-established concept in EU product-safety law (the "New Legislative Framework"). The mechanism works as follows:

1. The Commission requests European standardisation organisations (CEN, CENELEC, ETSI) to develop harmonised standards for the AI Act 2. The standardisation bodies adopt the standards through their consensus-based processes 3. The Commission publishes the references of the adopted standards in the Official Journal of the EU 4. Once published, compliance with the standard (or relevant parts) creates a legal presumption that the corresponding AI Act requirements are met

This presumption is rebuttable — market surveillance authorities can still challenge conformity if they have evidence that the system does not actually meet the requirements despite claiming to follow the standard.

What standards are being developed

The Commission issued a standardisation request to CEN/CENELEC in May 2023. Key work items under CEN/CENELEC JTC 21 include standards addressing:

Risk management (aligned with Article 9)
Data governance and data quality (aligned with Article 10)
Record-keeping and logging (aligned with Article 12)
Transparency and information provision (aligned with Article 13)
Human oversight (aligned with Article 14)
Accuracy, robustness, and cybersecurity (aligned with Article 15)
Quality management systems (aligned with Article 17)

Providers should monitor the progress of these standards and participate in public consultations where possible. The timeline for publication in the Official Journal is critical — until then, the presumption of conformity is not available.

Scope limitations of the presumption

The presumption of conformity applies only to the extent the harmonised standard covers the relevant AI Act requirements. If a standard addresses only risk management (Article 9) but not data governance (Article 10), compliance with the standard provides no presumption for data governance.

Providers must therefore: - Map each AI Act requirement to the applicable harmonised standard (or part thereof) - Identify gaps where no harmonised standard exists or where the standard does not fully cover the requirement - Address gaps through alternative means — potentially using common specifications under Article 41 or direct demonstration of conformity

How Article 40 connects to the compliance toolbox

Article 8 — General compliance obligation for high-risk AI systems with Chapter III Section 2 requirements.
Article 41 — Common specifications as a fallback where harmonised standards do not exist or are insufficient.
Article 43 — Conformity-assessment procedures where harmonised standards serve as the evidential baseline.
Article 51 — GPAI model obligations that may also benefit from harmonised standards.
Article 113 — Application dates.

Compliance checklist

Monitor CEN/CENELEC JTC 21 work items and publication timelines for AI Act harmonised standards.
Check the Official Journal for published references — only published references trigger the presumption of conformity.
Map each Chapter III Section 2 requirement to the applicable harmonised standard (or part thereof) and identify coverage gaps.
Where gaps exist, consider Article 41 common specifications or direct demonstration of conformity.
Document which version of each standard you applied and when — standard versions evolve and the applicable version at time of assessment matters.
Prepare for conformity assessment bodies to verify correct application of claimed harmonised standards.
If you are a GPAI model provider, check whether harmonised standards have been published for Chapter V obligations.

Read the official text on EUR-Lex

Map your standards coverage to AI Act requirements — start the free assessment.

Start Free Assessment

Article 8: Compliance with the requirements

Article 41: Common Specifications

Article 43: Conformity Assessment for High-Risk AI Systems

Article 51: Classification of GPAI Models with Systemic Risk

Article 113: Entry into Force and Application Dates

Frequently asked questions

Is compliance with a harmonised standard mandatory?

No. Harmonised standards are voluntary. Providers may choose to demonstrate conformity through other means. However, using a harmonised standard whose reference is published in the Official Journal provides a presumption of conformity that significantly simplifies the assessment process.

What happens if no harmonised standard exists for a requirement?

Where harmonised standards do not exist or are insufficient, Article 41 allows the Commission to adopt common specifications as a fallback. Providers can also demonstrate conformity directly without relying on either mechanism.

Do ISO standards (e.g., ISO/IEC 42001) count as harmonised standards?

Not automatically. A harmonised standard under the AI Act must be developed by a European standardisation organisation (CEN, CENELEC, ETSI) and have its reference published in the Official Journal. ISO standards may be adopted as the basis for a European harmonised standard, but the ISO standard alone does not trigger the Article 40 presumption.

On this page

Key terms

Harmonised standard: A European standard adopted by CEN, CENELEC, or ETSI at the request of the Commission, whose reference is published in the Official Journal and which provides a presumption of conformity with the corresponding regulatory requirements.
Presumption of conformity: A legal mechanism whereby compliance with a harmonised standard (or common specification) is presumed to satisfy the corresponding regulatory requirement, shifting the burden to authorities to prove otherwise.
CEN/CENELEC JTC 21: The Joint Technical Committee of the European standardisation bodies CEN and CENELEC responsible for developing AI-related standards, including those supporting the EU AI Act.

At a glance

Article: 40
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now