Article 40 of Regulation (EU) 2024/1689 — Harmonised standards and standardisation deliverables. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 40 of Regulation (EU) 2024/1689 establishes the role of harmonised standards in demonstrating conformity with the requirements applicable to high-risk AI systems under the EU AI Act. Where providers of high-risk AI systems apply harmonised standards — or relevant parts thereof — whose references have been published in the Official Journal of the European Union, those systems are presumed to conform with the requirements of Title III, Chapter 3, insofar as those requirements are covered by the applicable harmonised standards.
The article empowers the European Commission to issue standardisation requests to the European standardisation organisations (CEN, CENELEC, and ETSI) in accordance with Regulation (EU) No 1025/2012 on European standardisation. These requests direct the ESOs to develop harmonised standards that operationalise the substantive requirements of the Act.
Article 40 also addresses situations where harmonised standards do not yet exist or their references have not been published. In such cases, the Commission may adopt common specifications pursuant to Article 41, ensuring that providers have a defined technical pathway to demonstrate conformity even in the absence of formal harmonised standards.
The provision draws a clear distinction between voluntary application of standards and mandatory compliance with the underlying legal requirements. Applying a harmonised standard is not obligatory, but it provides a rebuttable presumption of conformity, reducing the evidentiary burden on providers during conformity assessment procedures conducted under Articles 43 and 44.
What This Means in Practice
For providers of high-risk AI systems, Article 40 is a central compliance tool. Rather than constructing an entirely bespoke technical argument for how each legal requirement is satisfied, providers can align their systems with published harmonised standards and benefit from the presumption of conformity. This significantly simplifies the conformity assessment process, particularly for systems subject to third-party assessment by notified bodies.
In practice, a provider developing an AI-based medical device falling under Annex I of the Act would consult the Official Journal to identify which harmonised standards have been published for the relevant requirements — for example, standards addressing risk management, data quality, or cybersecurity. Implementing those standards as part of the system's design and quality management process allows the provider to assert conformity with the corresponding articles of the Act without requiring the notified body to independently verify compliance from first principles.
For providers who choose not to apply harmonised standards — or where no applicable standard yet exists — the burden falls on them to document, through technical files and conformity assessment evidence, how the equivalent level of protection is achieved. This is a viable but more demanding path, requiring close engagement with the notified body and potentially more extensive testing and documentation.
Importers and deployers should verify that the providers whose systems they place on the market or put into service have correctly identified and applied the relevant standards, as this affects the validity of the EU declaration of conformity and the CE marking.
The practical impact of Article 40 will grow progressively as the standardisation pipeline matures. Early in the Act's application, limited harmonised standards will be available, placing greater reliance on common specifications and bespoke technical assessments.
Key Obligations
- Identify applicable harmonised standards: Providers of high-risk AI systems must monitor the Official Journal of the European Union for published references to harmonised standards relevant to their system and the requirements under Title III, Chapter 3.
- Apply standards to trigger the presumption of conformity: Where a provider chooses to rely on the presumption of conformity, the harmonised standard must be applied in full for the requirements it covers; partial application does not extend the presumption to uncovered elements.
- Document application of standards in technical documentation: The technical documentation required under Article 11 and Annex IV must clearly identify which harmonised standards have been applied and how they map to the corresponding legal requirements.
- Address gaps where standards do not exist: Where no harmonised standard covers a specific requirement, providers must demonstrate conformity through alternative means, including common specifications adopted under Article 41 or independent technical evidence, and must document this approach in their conformity assessment file.
- Maintain awareness of updated or withdrawn standards: When a harmonised standard is revised or its reference is withdrawn from the Official Journal, providers must assess whether their existing compliance documentation remains valid and update their systems and technical files accordingly.
- Engage with standardisation processes: Providers, particularly those in sectors with rapidly evolving AI applications, should engage with relevant standardisation bodies and industry working groups to ensure that emerging standards reflect real-world technical practice and support meaningful compliance pathways.
Relationship to Other Articles
Article 40 operates as the procedural bridge between the substantive requirements of Title III, Chapter 3 (Articles 9–15 and 17) and the conformity assessment procedures in Chapter 5. It should be read alongside Article 41, which provides for Commission-adopted common specifications as an alternative when harmonised standards are absent or insufficient. Article 43 governs the conformity assessment procedures in which the presumption created by Article 40 is relied upon, and Article 44 covers the role of notified bodies in third-party assessments.
The article also connects to Article 11 and Annex IV on technical documentation, since evidence of standard application must appear in the technical file, and to Article 17 on quality management systems, which must incorporate processes for identifying and applying relevant standards. Article 48, covering the EU declaration of conformity, is the downstream instrument through which the provider formally asserts the presumption of conformity established under Article 40. For GPAI model providers, standardisation is addressed separately under Title VIII; Article 40 applies specifically to high-risk AI systems under Title III.
Compliance Timeline
Article 40 entered into force on 1 August 2024, the date the EU AI Act was published in the Official Journal of the European Union and became binding law. However, its practical application is tied to the phased rollout of obligations:
- August 2024: Act enters into force; standardisation mandates to CEN, CENELEC, and ETSI begin or accelerate.
- February 2025: Prohibited AI practices under Article 5 become applicable; Article 40 is not directly implicated at this stage.
- August 2025: GPAI model obligations under Title VIII become applicable; Article 40 remains specific to high-risk AI systems and does not govern GPAI standards.
- December 2026: High-risk AI systems listed in Annex III (other than those covered by Annex I product legislation) must comply with Title III requirements. Providers should have identified and applied relevant harmonised standards by this date; where published standards are available, conformity assessments relying on them must be completed.
- August 2027: High-risk AI systems embedded in products governed by Annex I sectoral legislation (medical devices, machinery, aviation, etc.) must comply. Full harmonised standard coverage is expected to be more developed by this date, though providers should not assume complete coverage and must plan for gaps.
Providers are strongly advised to monitor the Commission's standardisation requests and the work programmes of CEN-CENELEC JTC 21 (the joint technical committee for AI standardisation) to anticipate which standards will be available and when, allowing compliance timelines to be planned accordingly.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
Frequently Asked Questions
Article 40 establishes that harmonised standards adopted by European standardisation organisations (ESOs) — CEN, CENELEC, and ETSI — create a presumption of conformity with the requirements of the EU AI Act for high-risk AI systems. Providers who apply these standards can demonstrate compliance without undergoing a full independent conformity assessment for those requirements covered by the standard.
No. Compliance with harmonised standards is voluntary. However, applying harmonised standards whose references have been published in the Official Journal of the European Union triggers a presumption of conformity with the corresponding requirements of the EU AI Act. Providers who choose alternative means of compliance must demonstrate equivalence through their technical documentation and conformity assessment.
When no harmonised standard exists or its reference has not yet been published in the Official Journal, providers may rely on common specifications adopted by the European Commission under Article 41, or demonstrate compliance through other technical means. The Commission is empowered to request standardisation bodies to develop standards for specific requirements where gaps exist.
Harmonised standards are developed by the European standardisation organisations: CEN (European Committee for Standardisation), CENELEC (European Committee for Electrotechnical Standardisation), and ETSI (European Telecommunications Standards Institute). They act upon standardisation requests (mandates) issued by the European Commission, often in coordination with international standards bodies such as ISO and IEC.
Harmonised standards can cover any or all of the high-risk AI system requirements set out in Chapter 3 of Title III of the EU AI Act, including requirements on risk management systems (Article 9), data and data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), accuracy, robustness and cybersecurity (Article 15), and quality management systems (Article 17).