Article 42 — Presumption of conformity with certain requirements (EU AI Act)

Article 42 of Regulation (EU) 2024/1689 — Presumption of conformity with certain requirements. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 42 of Regulation (EU) 2024/1689 (the EU AI Act) establishes a mechanism known as the presumption of conformity. Under this mechanism, a high-risk AI system that has been developed and tested in accordance with harmonised standards — or parts thereof — whose references have been published in the Official Journal of the European Union is presumed to comply with the requirements set out in Chapter 2 of Title III of the Regulation, to the extent that those harmonised standards cover those requirements.

The same presumption applies where a provider demonstrates conformity with common specifications adopted by the European Commission pursuant to Article 41 of the Regulation, again to the extent that those common specifications address the applicable requirements.

The presumption is conditional and proportionate: it operates only with respect to the requirements that the harmonised standard or common specification actually covers. Where a standard or specification addresses only part of a requirement, the presumption of conformity applies solely to that part. Providers remain responsible for demonstrating conformity with any requirements not addressed by the standard or specification through other appropriate means.

This article reflects the broader European approach to product regulation, mirroring similar presumption mechanisms found in existing Union harmonisation legislation (for example, the Machinery Directive and the Radio Equipment Directive), and integrates the AI Act into the established New Legislative Framework.

What This Means in Practice

For providers of high-risk AI systems, Article 42 creates a practical compliance pathway that reduces both the cost and the complexity of demonstrating conformity. Rather than constructing bespoke technical arguments for each applicable requirement from scratch, a provider can align its development and testing processes with published harmonised standards and rely on the resulting presumption to satisfy market surveillance authorities and notified bodies.

In concrete terms, a company developing an AI-powered medical device classified as high-risk under Annex III would review the harmonised standards published by the European Commission following standardisation mandates issued to bodies such as CEN-CENELEC. Where those standards have been published in the Official Journal, the company documents its conformity with them — for example, covering data governance, transparency, or robustness requirements — and records this in its technical documentation as required by Article 11 and Annex IV.

Where harmonised standards are not yet available — which remains a real-world constraint given the Act's novelty — providers may instead use the common specifications adopted by the Commission under Article 41 as an equivalent route to the presumption.

Importantly, the presumption does not remove the obligation to conduct a conformity assessment under Article 43. It simplifies the evidentiary basis for that assessment. Internal compliance teams, legal counsel, and notified bodies should treat Article 42 as a structured shortcut within the broader conformity assessment architecture, not as an exemption from it. Providers should maintain up-to-date monitoring of newly published harmonised standards, as conformity pathways will evolve significantly during the phased rollout period.

Key Obligations

• Monitor published harmonised standards: Providers must actively track the Official Journal of the European Union for references to harmonised standards covering the requirements of Chapter 2, Title III, and update their technical documentation accordingly when new or revised standards are published.
• Align development and testing with applicable standards: To invoke the presumption, the AI system must have been developed and tested in conformity with the relevant harmonised standard or common specification. Partial alignment triggers only a partial presumption.
• Document conformity with standards in technical documentation: Evidence of conformity with the harmonised standard or common specification must be recorded in the technical documentation required under Article 11 and Annex IV, with sufficient detail to allow reconstruction and verification.
• Identify and address gaps not covered by standards: Where a harmonised standard or common specification does not cover a requirement of Chapter 2 in full, providers must demonstrate conformity with the uncovered portion through alternative technical or procedural means, documented and defensible to market surveillance authorities.
• Remain prepared for rebuttal: The presumption is not absolute. Providers must retain sufficient underlying evidence — test results, data governance records, human oversight logs — to substantiate conformity if the presumption is challenged by a notified body or national authority.
• Consider Article 41 common specifications as a fallback: Where no harmonised standard has been published or mandated, providers should assess whether common specifications issued by the European Commission under Article 41 are available and apply them to secure equivalent legal standing under Article 42.

Relationship to Other Articles

Article 42 sits at the intersection of the Act's standardisation and conformity assessment architecture and cannot be read in isolation.

It depends directly on Article 41 (common specifications), which provides the fallback route to the presumption where harmonised standards are absent or incomplete. The presumption activated by Article 42 feeds directly into Article 43 (conformity assessment procedures), which determines the procedural route — internal control or third-party involvement — that a provider must follow.

The requirements against which conformity is presumed are set out in Articles 9 through 15 (Chapter 2, Title III), covering risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity. Article 11 and Annex IV govern the technical documentation in which standard conformity must be recorded.

Article 40 (harmonised standards) is the upstream counterpart: it describes how standardisation mandates are issued and how harmonised standards acquire their status under the Regulation. Article 42 is therefore the downstream legal effect of Article 40.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024 (twenty days after publication in the Official Journal on 12 July 2024). Application of its provisions is phased:

• 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Article 5) became applicable.
• 2 August 2025 — Rules on general-purpose AI models (Title VIII) and governance obligations became applicable.
• 2 August 2026 — Obligations for high-risk AI systems listed in Annex III that are not safety components of products already covered by Union harmonisation legislation become applicable. Article 42 is directly relevant from this date for the majority of high-risk system providers.
• 2 August 2027 — High-risk AI systems that are safety components of products covered by existing Union harmonisation legislation (the "sectoral" category under Annex II) must comply.

For Article 42 specifically, the practical timeline is also driven by the European Commission's standardisation mandates to CEN-CENELEC and ETSI. Harmonised standards under the AI Act are not yet fully published as of mid-2026; providers should follow the Official Journal and the Commission's standardisation work programme closely. Until harmonised standards are available for a given requirement, reliance on common specifications under Article 41 is the primary alternative route.