EU AI Act implementation accelerates through standards


How the acceleration of European AI standards makes compliance concrete and actionable

Important decision: In October 2025, CEN and CENELEC initiated an accelerated track for AI standards. Key standards are now expected in the fourth quarter of 2026, precisely when the high-risk requirements of the AI Act come into force.

What has been decided and why it matters

The EU AI Act is rapidly gaining a technical foundation, not only because the law is in force, but especially because CEN and CENELEC took exceptional measures in October to deliver core standards faster.

During a joint meeting of the technical boards of CEN and CENELEC from October 14-16, 2025, an accelerated track was chosen. If a draft receives positive feedback after the public Enquiry, it can be published directly without a separate Formal Vote. Additionally, a compact editorial group will finalize six delayed drafts before they return to working groups for comment.

Important milestone

The same announcement mentions that prEN 18286 Quality Management Systems is moving toward Enquiry as an important component of the future conformity assessment system. This quality management system standard bridges legal requirements and technical implementation.

The goal is to have key standards available in the fourth quarter of 2026. This is not isolated. In September 2025, a timeline overview circulated within the EU Council, stating that after a new standardization request in the second quarter of 2025, delivery of the first set of standards is projected for the third or fourth quarter of 2026.

This is important for organizations for two reasons. First, the AI Act provides a legal presumption of conformity when you comply with harmonized standards published in the Official Journal. This means you can demonstrate compliance with legal requirements by referencing these standards. Second, the upcoming European standards explicitly focus on protecting health, safety and fundamental rights, requiring demonstrable human oversight and verifiable outcomes, not just neat procedures on paper.

The building blocks of the new standards system

European standardization organizations are building a set that directly aligns with legal requirements. The trustworthiness framework forms an overarching framework for trustworthy AI systems that lays the foundation for all other standards. For AI risk management, specific methods are being developed for identifying, evaluating and mitigating AI-specific risks. The quality system prEN 18286 for AI Act purposes secures governance and processes. Additionally, technical specifications will appear for datasets, bias, cybersecurity, computer vision and other technical aspects.

It is important to understand the role of prEN 18286 as a quality system standard bridging legal and technical requirements. While a management system secures governance and processes, additional standards bring technical depth, such as data quality, logging, robustness and reproducibility of measurements.

The combination of a management system plus technical specifications is exactly what works in product regulation. CEN and CENELEC's announcement underscores this by naming prEN 18286 as an early milestone.

How this relates to ISO/IEC 42001

ISO/IEC 42001 is the international standard for an AI Management System. It describes how to establish policy, roles, processes and improvement cycles around AI. This is valuable because many AI Act requirements are not purely technical but organizational.

Important nuance: ISO 42001 is not a replacement for European harmonized standards (hENs). Only when CEN and CENELEC publish an EN or harmonized version and it is cited in the Official Journal does the EU presumption of conformity arise.

Those implementing ISO/IEC 42001 establish a framework in which dataset governance, human control, model maintenance and supplier management each have a consistent place. It is primarily a wise upfront investment that matures your governance and working arrangements, which can later connect seamlessly to European harmonized standards.

What the accelerated route means in practice

The Enquiry phase remains public and requires feedback through national standardization institutes. The accelerated route eliminates the additional formal vote after a positive Enquiry, shortening the time between public consultation and publication.

Balance between speed and quality

CEN and CENELEC emphasize that inclusivity and consensus remain guiding principles. Acceleration does not mean rushing at the expense of quality, but eliminating inefficient procedural steps.

For you as a provider, integrator or large customer, this means texts will move faster. The practical consequence is that your development and documentation choices should ideally already align with draft texts going to consultation. This prevents costly corrections later.

Between law and standard: presumption of conformity

The AI Act works like other product frameworks. Once a harmonized standard is designated, there is a presumption that you comply with the relevant legal requirements, to the extent the standard covers them.

The Joint Research Centre (JRC) clearly explains this, including the emphasis that European standards place greater weight on protecting fundamental rights than many international documents. Data governance requirements go beyond technical data quality to include representativeness and bias mitigation. Verifiable human control requires concrete requirements for human oversight, not just procedural agreements. Realistic testing is also important, particularly testing with natural persons when necessary.

Those who understand this direction will focus design reviews on measurable effectiveness early on, not exclusively on procedural completeness.

Timeline and milestones determining your agenda

Key dates for 2025-2026

Q4 2025: First batch of standards to public consultation (Enquiry)
Q3/Q4 2026: Delivery of first set of harmonized standards
2026: Application of AI Act high-risk requirements becomes effective

The acceleration at CEN and CENELEC is therefore not standalone, but part of broader planning coordinated by the European Commission, the AI Office and standardization committees. For teams on the ground, this means 2025 and 2026 are years of making concrete, testing, adjusting and documenting.

What you can do now without waiting for the Official Journal

Work with a dual framework

Map your current or planned AI systems against both the AI Act and a management system based on ISO/IEC 42001. Use 42001 to structure roles, escalations, training, suppliers and improvement cycles. Connect this directly to legal themes such as data governance and data quality, human control and human oversight, accuracy and robustness, cybersecurity and logging, and transparency and documentation. This builds a backbone that can easily connect to European standards later.

Make technical documentation clickable and verifiable

The AI Act requires reproducible justification. Organize your repositories and documentation so that risk analyses are documented per use case and model version. Keep representative test sets and results, with test outcomes and validation reports. Make decision trees clear, showing how decisions are made. And document your human-in-the-loop procedures for human intervention and fallback. Think of an audit trail where, per model version, you can see which requirements are covered, which assumptions apply and how fallback and human-in-the-loop are arranged.

Establish a measurement framework for performance and risk

Define per use case what an error is, how you find errors and how you record what you've improved. Make that measurement set representative of the context of use.

Point of attention: The Council overview emphasizes that separate standards are coming for datasets and bias. If you follow that line now, you prevent rework later. Take the obligation to look deeply at bias and data quality seriously and plan tests aligned with your target audience.

Build your post-market surveillance proactively

Many teams focus on pre-market. The AI Act and upcoming standards also require attention to post-deployment monitoring, continuously observing how the system performs in production. Define clear criteria for what constitutes an incident and when escalation is needed. Ensure clear role distribution between engineering, operations, legal and communications. And implement a process for rapid response and system improvement when problems arise.

Engage with the Enquiry

Consultations run through national institutes. Ensure your professionals read along and provide practical feedback.

Why participation matters

Case studies from your sector in particular help make standards workable, saving time and discussion during audits later. By providing input now, you influence the final form of standards and prevent unworkable requirements.

Illustrative scenario: AI in customer contact

Suppose you develop an AI module that classifies and routes customer questions. Legally, that may not necessarily sound high-risk, but the same module could also influence claims or requests with legal consequences. In practice, you begin by making explicit what the module is and is not used for. Document use cases, boundary conditions and exclusions clearly.

Then you describe the origin, quality and representativeness of your training data in a data governance plan. Document how you detect drift and what you do when deviations occur. Next, you establish human control in clear decision rules, including stop points for employees and a fallback process when the system is uncertain.

Measurable objectives are crucial: Define measurable objectives for accuracy and robustness, test these with realistic data and record what you do when performance drops below a threshold. Set up monitoring with incident categories, reporting routes and corrective actions. Ensure clear escalation paths.

When European standards for data quality, risk management and conformity appear, this design seamlessly connects and you mainly need to map rather than redesign.

Common misconceptions addressed

Misconception 1: "We'll wait until harmonized standards are available"

Reality: The direction is clear and draft texts going to Enquiry already provide sufficient guidance to align your approach. The acceleration at CEN and CENELEC shortens the time between consultation and publication. Those who engage now prevent fires later. Practice shows that organizations starting implementation early are better prepared and experience less stress when standards become final.

Misconception 2: "ISO 42001 is enough"

Right perspective

ISO 42001 as foundation: ISO 42001 matures your governance but does not itself provide European presumption of conformity. For that, you need hENs cited in the Official Journal. See ISO 42001 as a solid skeleton to which European standards will later add muscles and nerves. It's an excellent foundation, but not the endpoint.

Misconception 3: "This is just an IT matter"

Reality: The AI Act affects legal teams, compliance, procurement, security, data science, operations and management. The Council presentation explicitly points to broad participation and inclusivity in standards development. Organize your own governance accordingly, with shared responsibility between different departments, periodic calibration between technical and non-technical stakeholders, and multidisciplinary teams combining legal, ethical and technical perspectives.

What to plan in the coming months

Plan review blocks along the Enquiry calendar to follow draft texts. Create a mapping between your current controls and themes from European documents. Reserve time for sharpening data quality, test methods and incident processes. Embed this in your AI Management System and connect it to release processes and supplier management. This way you make the most of the acceleration of the European standardization process without sacrificing quality or support.

Summary: from abstract to concrete

Europe is pushing forward on standards that make the AI Act actionable. With the chosen acceleration at CEN and CENELEC, the announced quality system standard and the clear timeline from Brussels, the playing field is no longer foggy.

Strategic approach: Use ISO/IEC 42001 to get your house in order. Engage with public consultations. Set up your documentation, measurements and monitoring now as you'll need them later anyway. Then the step toward European verifiable justification will be a logical next step, not a leap.

For developers, procurement professionals, lawyers and auditors, this means compliance is becoming increasingly concrete. The coming months are crucial for preparation. Start today by establishing your governance structure and technical documentation, so you're ready when standards are definitively published.

