On February 13, 2026, Adam Leon Smith reported that prEN 18286 had failed its Enquiry vote. Smith is the standard’s own Project Leader. The draft did not achieve the required approval on either national member count or weighted population criteria. 1,288 comments had been submitted.
prEN 18286 was not an obscure technical document. It was the standard designed to map directly to the EU AI Act’s 13 mandatory quality management system elements under Art. 17. It entered public enquiry on October 30, 2025, under exceptional acceleration measures that had themselves provoked a formal protest letter from six JTC 21 officers who threatened to walk out. The acceleration was supposed to deliver standards before the August 2, 2026 deadline. Instead, it delivered a failed vote, 1,288 unresolved comments, and a timeline that now extends into 2027.
This is the state of EU AI Act standardisation in April 2026. Zero harmonised standards published in the Official Journal. Zero common specifications adopted under Art. 41. Zero notified bodies designated in NANDO for AI Act assessments. The presumption of conformity that the entire compliance architecture was built around does not exist. The institution responsible for creating it is in crisis. And the deadline is four months away.
What Standards Are Supposed to Do
The EU AI Act was designed around a mechanism that has worked for decades across European product safety law. Art. 40 creates a “presumption of conformity”: if a provider follows a harmonised standard that has been published in the Official Journal of the European Union, they are presumed to comply with the requirements that the standard covers. This is the same principle behind CE marking on medical devices, machinery, toys, and dozens of other product categories.
The Commission issues a standardisation request to CEN-CENELEC specifying which requirements need standards. CEN-CENELEC develops the standards through its technical committees. The Commission reviews them. If accepted, they are published in the Official Journal and become the compliance recipe.
If harmonised standards are not available, Art. 41 gives the Commission a fallback: it can adopt “common specifications” through implementing acts. These carry similar legal weight.
For conformity assessment under Art. 43, the presence or absence of standards has a direct structural consequence. Biometric AI systems classified under Annex III point 1 can use self-assessment (Annex VI) only when harmonised standards are fully applied. Without them, a mandatory third-party assessment by a notified body (Annex VII) is required. Since no harmonised standards exist and no notified bodies are designated, this is a double infrastructure failure for biometric AI providers.
The design assumption was that standards would be ready before obligations took effect. That assumption has failed.
What Exists Today
The Commission issued standardisation request C(2025)3871 with amendment M/613 to CEN-CENELEC, covering ten requirement areas mapped to the AI Act’s core provisions. JTC 21, the joint technical committee responsible for AI standardisation, has over 300 experts from more than 20 countries working across four working groups.
Here is the status of every standard as of April 2026:
| Standard | AI Act Mapping | Status | Expected |
|---|---|---|---|
| prEN 18286 (AI QMS) | Art. 17 (13 QMS elements) | Failed Enquiry vote (Feb 2026). 1,288 comments. Scope amended Mar 2026. Re-vote pending. | 2027 at earliest |
| AI Trustworthiness Framework | Art. 9-15 (foundational) | Under development | 2027+ |
| AI Risk Management | Art. 9 (risk identification) | Under development (based on ISO/IEC 23894) | 2027+ |
| AI Conformity Assessment | Art. 43 (assessment procedures) | Under development | 2027+ |
| AI Data Governance | Art. 10 (training data quality) | Under development | 2027+ |
| AI Transparency | Art. 13 (transparency requirements) | Under development | 2027+ |
| AI Cybersecurity | Art. 15 (security requirements) | Under development | 2027+ |
| AI Robustness & Accuracy | Art. 15 (performance) | Under development | 2027+ |
| AI Human Oversight | Art. 14 (oversight mechanisms) | Under development | 2027+ |
| AI Record-Keeping | Art. 12 (logging) | Under development | 2027+ |
Harmonised standards published in the Official Journal: 0 out of 10.
Common specifications adopted under Art. 41: 0.
Notified bodies designated in NANDO for AI Act assessments: 0.
Three normative references (building blocks used within the draft harmonised standards) have reached publication stage, but none of the six primary harmonised standards have been cited in the Official Journal. Until they are, the presumption of conformity under Art. 40 does not exist for any AI Act requirement.
Source: ai-act-standards.com (updated March 26, 2026).
The Political Crisis Behind the Delay
The standards gap is not simply a matter of technical complexity. It is the product of a political crisis between the Commission, CEN-CENELEC, and the international standards community.
The Acceleration Measures
At its meeting on October 14-16, 2025, the CEN-CENELEC Bureau of Technical Experts adopted exceptional measures to speed up the six most delayed standards. These included skipping the Formal Vote stage entirely, allowing direct publication after a positive Enquiry vote. Small drafting groups were created outside the normal working group process to finalize delayed drafts. According to reporting by Luca Bertuzzi, consultation comments on nine standards were disregarded.
The Protest Letter
Six JTC 21 officers, including senior experts responsible for specific work items, sent a formal protest letter to CEN-CENELEC leadership, the AI Office, and Commissioner Virkkunen. They argued that bypassing the Formal Vote and creating parallel drafting structures undermined the quality and legitimacy of the standards process. JTC 21 Chair Sebastian Hallensleben acknowledged the pressure from the Commission’s timeline but denied that working groups had been replaced.
The protest was not symbolic. It reflected a genuine tension between two imperatives: the Commission needed standards before August 2026, and the standards body needed enough time to produce standards that would survive legal and technical scrutiny. The prEN 18286 failure, four months after the acceleration was adopted, suggests the standards body was right about the timeline.
The ISO/IEC Breakdown
CEN-CENELEC had adopted an “international first” approach: where ISO/IEC standards aligned with EU requirements, they would be adapted into European standards rather than built from scratch. This approach collapsed when ISO/IEC refused to continue parallel development of two key standards. The breakdown has implications beyond Europe. Global AI standards convergence, which would allow multinational companies to use one framework across jurisdictions, is now less likely.
The Democratic Accountability Question
Standards developed by private bodies effectively define what compliance with public-interest regulation means. CEN-CENELEC membership includes industry participants. Civil society organizations have limited representation. Five academic papers now analyze this structural tension. The Tandfonline paper “Standards and the EU AI Act” (2025) and the Cambridge EJRR paper “European AI Standards” (2025) both examine the legitimacy gap: private standards that become legally significant under Art. 40 are developed through processes that do not meet the same transparency and participation standards as legislation.
The Digital Omnibus as Admission
The Commission’s Digital Omnibus proposal (COM(2025) 836), published November 19, 2025, effectively acknowledges the infrastructure failure. It proposes delaying Annex III high-risk AI obligations from August 2, 2026 to December 2, 2027, and Annex I obligations from August 2, 2027 to August 2, 2028. The Council agreed its negotiating position on March 13, 2026. Parliament adopted its position on March 26. Trilogue negotiations are underway, with a provisional deal expected by July 2026.
Until the Digital Omnibus is adopted, the legal deadline remains August 2, 2026. Companies cannot rely on a legislative proposal that has not been enacted.
Three Compliance Pathways
Without harmonised standards, organizations have three options. They differ dramatically in cost, legal certainty, and practical feasibility.
Pathway 1: Wait for Harmonised Standards
Status: Unavailable. Zero published. prEN 18286 failed its vote. The remaining nine standards are under development with realistic timelines extending into 2027 and beyond.
If available, harmonised standards would provide the presumption of conformity under Art. 40. Compliance cost would be primarily implementation and audit: approximately EUR 20-50K for SMEs, EUR 50-150K for enterprises.
Risk of waiting: If the Digital Omnibus passes, the deadline moves to December 2027. If it does not pass, the August 2026 deadline stands and companies that waited have nothing. Even if the Omnibus passes, standards may still not be ready by December 2027 given the current trajectory.
Pathway 2: Wait for Common Specifications
Status: Unused. The Commission has the power under Art. 41 to adopt common specifications as implementing acts when harmonised standards are not available. It has not exercised this power. The Commission appears to be waiting for the Digital Omnibus rather than activating the fallback.
If adopted, common specifications would provide a presumption of conformity similar to harmonised standards. The Commission would define the technical requirements directly, bypassing CEN-CENELEC.
Risk of waiting: There is no indication the Commission will activate Art. 41 before the August 2026 deadline. If the Digital Omnibus passes, the urgency to adopt common specifications decreases further.
Pathway 3: Direct Demonstration Against the Regulation Text
Status: Available now. This path has always been available under EU product safety law. You prove compliance requirement by requirement against the regulation text, without relying on standards to create a presumption.
What it requires: A documented methodology for each requirement under Arts. 9-15. Your own testing and validation procedures. Technical documentation per Annex IV. Legal review of your compliance case. A technical file that a market surveillance authority can audit.
Cost estimate: EUR 80-300K depending on system complexity and whether external consultants are used. The high end applies to organizations with multiple high-risk AI systems and no existing compliance framework.
Legal certainty: Low. Your compliance case is a professional judgment call. It will only be tested when a market surveillance authority reviews it, and there are no precedents for what “adequate” direct demonstration looks like under the AI Act specifically.
This is currently the only available path.
The ISO Bridge
International standards cannot substitute for harmonised European standards under Art. 40. ISO/IEC 42001 (AI management systems), ISO/IEC 23894 (AI risk management), ISO/IEC 38507 (AI governance), and ISO/IEC 25059 (AI system quality) are all published and available, but none create a presumption of conformity under the EU AI Act. The Commission itself has noted that ISO 42001 certifies organizations while the AI Act requires product-level conformity: different objects of assessment.
What ISO standards provide is structure for Pathway 3. Organizations can build their direct demonstration using ISO frameworks as a skeleton, document the gaps between ISO requirements and AI Act requirements, and fill those gaps with system-specific evidence. Three ISO standards are normative references within the draft harmonised standards, meaning they will be indirectly required once those standards are published. Using them now positions organizations to map their existing documentation to future harmonised standards with minimal rework.
Companies that build compliance cases now, using ISO frameworks and direct demonstration, will have a structural advantage when harmonised standards eventually arrive. Their documentation will already cover much of what the standards require. Companies that wait will be starting from scratch.
What This Means for Your System
The standards gap affects different system types differently.
Biometric AI (Annex III point 1): Without harmonised standards, the self-assessment path under Annex VI is not available. A mandatory third-party assessment under Annex VII is required, but zero notified bodies are designated in NANDO for AI Act assessments. For health-sector biometric AI, medical device notified bodies can assess AI Act requirements under Art. 74 conditions. For all others, the infrastructure simply does not exist.
Employment and HR AI (Annex III area 4): Self-assessment under Annex VI is available regardless of standards status. But without standards, the self-assessment has no recipe. You must build your own methodology per Pathway 3. This is more work but structurally possible.
Financial AI (Annex III area 5): Same self-assessment path. Sector regulators (EBA, national authorities) may issue supplementary guidance that partially fills the standards gap, particularly for credit scoring and fraud detection systems.
GPAI models: GPAI obligations under Chapter V (Art. 51-55) operate on a separate track. The GPAI Code of Practice, finalized July 2025, is the functional equivalent of standards for GPAI providers. The harmonised standards gap does not directly affect GPAI compliance, though it affects downstream deployers who integrate GPAI models into high-risk AI systems.
Sources
Official Sources
- EU AI Act (Regulation (EU) 2024/1689) — Art. 40, 41, 43
- Commission Standardisation Request C(2025)3871 / M/613
- CEN-CENELEC JTC 21 Work Programme
- ai-act-standards.com — Living tracker of harmonised standards status (updated March 26, 2026)
- NANDO Database — Notified body designations
Insider Sources
- Adam Leon Smith — prEN 18286 Project Leader, Enquiry vote failure report, February 13, 2026
Academic Sources
- “Standards and the EU AI Act: Legitimacy, State of Play, and Future Challenges” — Tandfonline, 2025
- “European AI Standards: Technical Standardisation and Implementation Challenges” — Cambridge European Journal of Regulation and Governance, 2025
Analysis
- Luca Bertuzzi — Reporting on JTC 21 protest letter and acceleration measures controversy
- AI Standards Lab — Trilogue recommendations (April 7, 2026)
Last reviewed: April 9, 2026. This article reflects the standardisation landscape as of the review date. Zero harmonised standards have been published. The Digital Omnibus trilogue is underway but the August 2, 2026 deadline remains legally binding until amended.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel for compliance planning. Reg Intel is not a law firm and does not provide legal services.