EU AI Act vs. NIST AI RMF vs. ISO 42001: A 2026 Compliance Comparison

EU AI Act vs. NIST AI RMF vs. ISO 42001
If you are responsible for AI governance, three names come up in every conversation: the EU AI Act, the NIST AI Risk Management Framework, and ISO/IEC 42001. They are often mentioned in the same breath, which creates a costly misconception — that they are interchangeable, or that satisfying one satisfies the others. They are not, and it does not.
They operate at three different levels. One is binding law. One is a voluntary risk-management framework. One is a certifiable management-system standard. Understanding the distinction is the difference between a defensible compliance posture and an expensive false sense of security.
The Three at a Glance
| EU AI Act | NIST AI RMF | ISO/IEC 42001 | |
|---|---|---|---|
| What it is | Binding regulation | Voluntary framework | Management-system standard |
| Published by | European Union | NIST (US Dept. of Commerce) | ISO & IEC |
| Legal force | Law — enforceable with fines | None (voluntary) | None (voluntary) |
| Geographic reach | EU + anyone serving the EU market | Global (US-origin) | Global |
| Certifiable? | No (but requires conformity assessment) | No | Yes — by accredited bodies |
| Core structure | 4 risk tiers + obligations | 4 functions: Govern, Map, Measure, Manage | Plan-Do-Check-Act management system |
| First effective | In force 1 Aug 2024 | Released 26 Jan 2023 | Published 2023 |
The practical takeaway: only the EU AI Act carries the force of law. The other two are tools you adopt voluntarily — but they are the tools that help you demonstrate you are meeting the Act's obligations.
1. The EU AI Act — Binding Law
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies on a phased timeline. It has extraterritorial reach: if your AI system is used in the EU, the Act can apply regardless of where your company is based.
The Risk Tiers
The Act classifies AI systems into four risk tiers, and your obligations scale with the tier.
Prohibited practices (Article 5) are banned outright. High-risk systems — defined in Article 6 and Annex III — carry the heaviest compliance load. Annex III covers eight domains: biometrics; critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services (including credit and insurance); law enforcement; migration, asylum and border control; and the administration of justice.
What High-Risk Providers Must Do
For high-risk systems, the Act (Chapter III, Articles 9–17) mandates a risk-management system, data governance, technical documentation, record-keeping, transparency to deployers, human oversight (Article 14), and accuracy, robustness and cybersecurity (Article 15) — plus post-market monitoring once deployed.
Before a high-risk system reaches the market, it must pass a conformity assessment (Article 43). There are two routes: internal control (Annex VI, provider self-assessment when harmonised standards are fully applied) or notified-body assessment (Annex VII, third-party review where standards are absent or only partly applied).
The Timeline
The Penalties
Fines are tiered to the severity of the violation, calculated as a fixed cap or a percentage of worldwide annual turnover — whichever is higher.
| Violation | Maximum fine |
|---|---|
| Prohibited practices (Art. 5) | €35M or 7% of global annual turnover |
| Other obligations (providers, deployers, notified bodies) | €15M or 3% |
| Supplying incorrect/misleading information to authorities | €7.5M or 1% |
| GPAI model provider violations (Art. 101) | €15M or 3% |
Figures per Article 99. For SMEs and start-ups, the lower of the fixed amount or the percentage applies.
Timeline note: these high-risk dates reflect the Digital Omnibus, which EU negotiators provisionally agreed on 7 May 2026. It defers Annex III (use-based) high-risk obligations from the original 2 August 2026 to 2 December 2027, and Annex I (product-embedded) high-risk from 2027 to 2 August 2028. The agreement is pending formal adoption by the Parliament and Council (expected before August 2026), so confirm against the official timeline before planning. The prohibited-practice (Feb 2025) and GPAI (Aug 2025) obligations are unaffected and already in force — the reprieve is on the clock, not the obligation.
2. NIST AI RMF — The Voluntary Backbone
The NIST AI Risk Management Framework 1.0 was released on 26 January 2023. It is explicitly voluntary and carries no legal force — but it has become the common vocabulary for AI risk in the US and beyond. It is organised around four functions.
NIST also publishes an AI RMF Playbook of suggested actions, and a Generative AI Profile (NIST-AI-600-1) released on 26 July 2024 that addresses risks specific to generative systems.
3. ISO/IEC 42001 — The Certifiable Standard
ISO/IEC 42001:2023 — "Information technology — Artificial intelligence — Management system" — was published in 2023 by ISO and IEC. It is the first AI Management System (AIMS) standard, and crucially, it is certifiable: an organisation can be independently audited and certified against it (with certification-body requirements set out in ISO/IEC 42006:2025).
Where the EU AI Act regulates systems and NIST offers a risk methodology, ISO 42001 governs the organisation — establishing a Plan-Do-Check-Act management system for how a company develops, deploys, and oversees AI. A certificate is tangible, third-party evidence that your AI governance is operating as designed.
How They Fit Together
These frameworks are complementary, not competing. A mature programme typically uses all three at different layers.
In practice: you adopt NIST AI RMF for a shared risk methodology, certify your governance under ISO/IEC 42001 to prove the system works, and treat the EU AI Act as the binding legal requirement you must satisfy. Only the EU AI Act is law — but ISO 42001 certification and NIST-aligned processes are how you build, and demonstrate, the underlying capability.
Where Independent Evaluation Fits
Every one of these frameworks converges on the same demand: evidence. The EU AI Act requires documented accuracy, robustness, and human oversight for high-risk systems. NIST's Measure function requires you to assess and benchmark risk. ISO 42001 auditors look for proof that your controls operate.
That evidence has to come from somewhere — and self-attestation is the weakest form of it. Independent, human-led evaluation produces exactly the artefact these frameworks reward: structured, auditable proof that an AI system was tested against defined criteria by qualified people, with findings, severity, and remediation documented. That is what a SingleAxis Evidence Report is built to be, and it is why independent evaluation maps cleanly onto all three frameworks at once.
Compliance is not a document you file once. It is a capability you demonstrate continuously — and the organisations that treat evaluation as evidence, not paperwork, are the ones that will deploy AI in regulated markets with confidence.