Article 41 of Regulation (EU) 2024/1689 — Common specifications. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 41 of Regulation (EU) 2024/1689 establishes a mechanism by which the European Commission may adopt implementing acts laying down common specifications for high-risk AI systems listed in Annex III, and for AI systems covered by the legislation referenced in Annex I. This mechanism is activated under specific conditions: where harmonised standards do not yet exist, where existing harmonised standards are considered insufficient to cover the requirements of Chapter 2 of Title III, or where the Commission determines that published harmonised standards fail to fulfil the obligations of the Regulation.
Common specifications adopted under Article 41 carry the same legal weight as harmonised standards for the purpose of demonstrating conformity. High-risk AI systems that comply with applicable common specifications benefit from a presumption of conformity with the requirements addressed by those specifications. The Commission must consult relevant stakeholders — including national competent authorities, notified bodies, and standardisation bodies — before adopting common specifications, ensuring that the technical content reflects practical implementation realities.
Providers retain the right to deviate from common specifications, provided they document in their technical documentation that the alternative technical solutions adopted meet at least an equivalent level of protection. This ensures that common specifications function as a safe harbour rather than a rigid ceiling, preserving technical innovation within a compliant framework. Article 41 is an enabling provision that addresses the practical reality that standardisation processes may lag behind the pace of regulatory application.
What This Means in Practice
Article 41 is primarily relevant to providers and developers of high-risk AI systems operating in areas where the European standardisation bodies — CEN, CENELEC, and ETSI — have not yet published harmonised standards, or where published standards are incomplete or contested by the Commission. In practical terms, this means that during the critical early phase of the EU AI Act's application to high-risk systems, common specifications may function as the primary technical reference for conformity.
For providers of high-risk AI systems in sectors such as employment, education, critical infrastructure, or law enforcement, Article 41 means they should monitor the Official Journal of the EU for Commission implementing acts establishing common specifications in their domain. When such acts are published, providers must review whether their existing technical documentation, risk management systems, data governance practices, and accuracy benchmarks satisfy the specified requirements.
For example, a provider of an AI-assisted recruitment tool covered by Annex III, point 4, would need to check whether the common specifications address bias testing, transparency obligations, and human oversight mechanisms. If the provider's existing solution meets those requirements through a different technical approach, they must document the equivalence explicitly. Importers and authorised representatives must verify that systems they place on the EU market reference applicable common specifications in their conformity documentation. Notified bodies conducting third-party conformity assessments must use applicable common specifications as the technical baseline where harmonised standards are absent.
Key Obligations
- Monitor and apply implementing acts: Providers of high-risk AI systems must identify and apply any Commission implementing acts establishing common specifications relevant to their system category, as published in the Official Journal of the EU.
- Update technical documentation: Where common specifications exist, providers must reflect conformity with those specifications in their technical documentation as required under Article 11 and Annex IV.
- Presumption of conformity: Providers who comply with applicable common specifications may rely on the presumption of conformity with the requirements of Chapter 2 of Title III covered by those specifications, simplifying the conformity assessment process.
- Document deviations with equivalent justification: Providers who choose technical solutions that differ from common specifications must demonstrate and document, within their technical file, that their approach achieves at least an equivalent level of protection of the applicable requirements.
- Stakeholder participation: Standardisation bodies, notified bodies, and national competent authorities must be consulted by the Commission before common specifications are adopted, creating obligations for those entities to engage constructively in the drafting process.
- Respect for procedural hierarchy: Common specifications are subordinate to harmonised standards; providers must first assess whether applicable harmonised standards exist before falling back on common specifications as the conformity reference.
Relationship to Other Articles
Article 41 sits within Chapter 5 of Title III alongside Articles 40 (harmonised standards), 42 (presumption of conformity), 43 (conformity assessment procedures), 44 (certificates of conformity), and 47 (EU declaration of conformity). It must be read in close conjunction with Article 40, which governs the primary route to conformity via harmonised standards — Article 41 is expressly subsidiary to that route.
The presumption of conformity created by compliance with common specifications feeds directly into Article 42, which specifies the conditions under which presumption arises. Article 43 determines which conformity assessment procedure applies, and common specifications will influence whether self-assessment or third-party assessment by a notified body is required. The technical documentation requirements of Article 11 and Annex IV govern how conformity with common specifications must be recorded. Article 9 (risk management system) and Article 17 (quality management system) must also be read alongside Article 41, as common specifications may set concrete parameters for how those systems are implemented for particular AI system categories.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024. Its application is phased:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Article 5) became applicable.
- 2 August 2025 — Provisions on general-purpose AI models (Title VIII) and governance obligations became applicable. The Commission's standardisation request to CEN-CENELEC was issued in 2023, but harmonised standards relevant to high-risk systems are not expected to be fully published before mid-to-late 2026.
- 2 August 2026 — High-risk AI systems covered by Annex III (standalone) become subject to full conformity obligations under Chapter 2, including the requirement to comply with applicable harmonised standards or common specifications.
- 2 August 2027 — High-risk AI systems embedded in products covered by Annex I (e.g., machinery, medical devices) become subject to full obligations.
Article 41 is therefore of immediate practical relevance from mid-2025 onwards as providers prepare technical documentation for the 2026 deadline. Given that harmonised standards may not be available or complete in time, the Commission may adopt common specifications to fill the gap, making it essential for providers to track implementing acts actively during 2025 and 2026.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Status | Legal basis |
|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | active | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | active | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | active | AI Act Art. 57 |
Frequently Asked Questions
Common specifications are technical documents established by the European Commission via implementing acts. They define the technical and methodological requirements that high-risk AI systems must meet, and serve as an alternative compliance pathway when harmonised standards are absent, inadequate, or not yet published in the Official Journal of the EU.
Article 41 applies when no harmonised standards exist for a given requirement, when existing harmonised standards do not sufficiently cover the applicable requirements of Annex I, or when the Commission determines that published standards fail to meet the requirements of the Regulation. In these cases, the Commission may adopt implementing acts establishing common specifications.
Yes. High-risk AI systems that comply with common specifications adopted under Article 41 benefit from a presumption of conformity with the requirements of the Regulation covered by those specifications, in the same manner as conformity with harmonised standards.
Yes, but only under strict conditions. A provider may adopt technical solutions that differ from common specifications, provided they can demonstrate that those solutions meet at least an equivalent level of protection with respect to the applicable requirements. Such deviations must be documented in the technical documentation.
Providers of high-risk AI systems are primarily responsible. They must ensure their systems conform to applicable common specifications, document compliance in their technical file, and follow the relevant conformity assessment procedures. Authorised representatives, importers, and deployers have secondary obligations depending on their role in the supply chain.