Harmonised standards are voluntary technical specifications developed by European Standards Organisations — primarily CEN-CENELEC and ETSI — following a formal mandate from the European Commission. Under the EU AI Act (Regulation 2024/1689), when an AI provider implements a harmonised standard and that standard has been referenced in the Official Journal of the European Union, the provider benefits from a "presumption of conformity": the AI system is presumed to meet the legal requirements covered by that standard.
This mechanism is not new. It underpins CE marking across dozens of EU product safety frameworks, from medical devices to machinery. The EU AI Act extends the same model to AI systems. The practical consequence is that harmonised standards translate complex, technology-neutral legal obligations in the AI Act into concrete, auditable technical and organisational requirements.
For law firms evaluating AI vendors, understanding harmonised standards is necessary to distinguish genuine compliance claims from marketing statements. A vendor claiming "EU AI Act compliant" should be able to specify which harmonised standards they follow and whether their conformity has been validated by an accredited conformity assessment body.
The compliance deadline pressure. The EU AI Act applies to high-risk AI systems in phases, with key obligations for deployers — including large law firms and corporate legal departments — applying from August 2026. Legal departments that procure AI tools classified as high-risk systems under Annex III of the AI Act have obligations under Article 26, including ensuring the tool is used in accordance with its instructions, monitoring its operation, and implementing human oversight. Harmonised standards translate these abstract obligations into verifiable practices.
The vendor vetting problem. As of 2026, dozens of legal AI vendors claim EU AI Act compliance. Without harmonised standards in place, these claims are difficult to verify. The harmonised standards framework — once fully operational — provides a structured basis for procurement due diligence. A law firm can ask: which harmonised standards have you implemented? Do you hold a certificate from an accredited conformity assessment body? These questions have objectively verifiable answers.
Liability allocation. Under the EU AI Act, both providers (the AI developer) and deployers (the law firm or legal department using the tool) bear obligations. Harmonised standards help delineate which party's obligations are addressed by which technical or organisational control. When a vendor demonstrates conformity with a harmonised standard, that addresses provider-level obligations; the deployer's obligations under Article 26 remain separate.
The standards gap problem as of 2026. A practical challenge for law firms today is that the harmonised standards development process is incomplete. CEN-CENELEC's Joint Technical Committee 21 (JTC 21) is developing the AI Act standards suite, but as of early 2026, few standards have been formally referenced in the Official Journal. This creates an interim period during which vendors and deployers must rely on alternative approaches — notably ISO/IEC 42001:2023 — without the full legal weight of presumption of conformity.
The CLOC 2025 Technology Survey found that 61% of corporate legal operations professionals cited "inability to verify vendor AI compliance claims" as a top procurement concern — a gap that harmonised standards are specifically designed to address.
How It Works (Technical)
The standardisation mandate process. The Commission issues a standardisation mandate to CEN-CENELEC and/or ETSI, specifying which AI Act requirements need to be addressed. The relevant technical committee — JTC 21 for the AI Act — develops draft standards through a consensus process involving industry, government, civil society, and academic stakeholders. Completed standards are submitted for Commission review. If accepted, they are referenced in the Official Journal, triggering the presumption of conformity.
CEN-CENELEC JTC 21: current status. JTC 21, the primary body responsible for EU AI Act standardisation, began substantive work in 2024. Key work items in development as of 2026 include: AI system transparency requirements, risk management processes for AI systems, data governance for AI training, robustness and accuracy testing methodologies, and human oversight mechanisms. Several of these work items draw on pre-existing ISO/IEC work, particularly from ISO/IEC JTC 1/SC 42.
ISO/IEC 42001:2023 and its relationship to harmonised standards. ISO/IEC 42001:2023 is an internationally recognised AI Management System (AIMS) standard, structurally similar to ISO 27001 (information security) and ISO 9001 (quality management). It was developed through ISO/IEC JTC 1/SC 42 and published in December 2023. Many regulators and legal commentators expect ISO 42001 compliance to be accepted as meeting — or substantially meeting — harmonised standard requirements once those standards are formally adopted, because JTC 21 is drawing on ISO 42001 as a reference framework. However, this equivalence has not been formally established as of 2026. A vendor holding ISO 42001 certification is not automatically presumed compliant with the EU AI Act.
How harmonised standards differ from GDPR's approach. GDPR contains no harmonised standards pathway. Under GDPR, organisations demonstrate compliance through records of processing activities, data protection impact assessments, codes of conduct (Article 40), and certification mechanisms (Article 42). GDPR's certification schemes are market-developed and do not carry presumption of conformity with specific GDPR requirements. The EU AI Act's harmonised standards model is more analogous to EU product safety law than to GDPR — it reflects the AI Act's classification as a product regulation statute.
Code of Practice for GPAI Models (Article 56) — a distinct track. For general-purpose AI model providers (such as foundation model developers), the EU AI Act's Article 56 establishes a voluntary Code of Practice developed under Commission facilitation. This Code addresses obligations under Articles 53 and 55 (transparency, copyright compliance, systemic risk assessment). The Code of Practice is soft guidance for GPAI providers; harmonised standards are the formal conformity pathway for high-risk AI system providers. These are parallel tracks targeting different obligations and different categories of AI actor.
Conformity assessment bodies (CABs). For high-risk AI systems not subject to third-party assessment (most are self-assessed), providers self-declare conformity. For systems in specific high-risk categories requiring third-party assessment — including biometric categorisation and certain law enforcement tools — an accredited CAB must verify conformity. For most legal AI tools, self-assessment against harmonised standards is the expected mechanism, but the self-assessment must be documented and auditable.
How Legal AI Vendors Address It
LegalFly publishes compliance documentation aligned with emerging harmonised standards and the draft CEN-CENELEC JTC 21 work items. Its technical documentation is structured to address AI Act Article 13 (transparency), Article 14 (human oversight), and Article 15 (accuracy, robustness, cybersecurity). Limitation: as harmonised standards are not yet formally referenced in the Official Journal, LegalFly's claims of alignment cannot yet be independently verified against a published standard — the alignment is to draft documents, not finalised specifications.
Legora, as an EU-native legal AI platform, monitors JTC 21 development actively and participates in consultation processes. Legora has structured its product documentation to anticipate harmonised standard requirements, particularly around transparency and human oversight. Limitation: Legora's compliance posture is self-assessed; no third-party CAB assessment is in place as of 2026, which is consistent with current requirements but means verification depends on reviewing Legora's own documentation.
Luminance, based in the UK, engages with both EU harmonised standards through CEN-CENELEC and UK equivalents developed through the British Standards Institution (BSI). Post-Brexit, the UK is developing its own AI assurance framework that tracks EU harmonised standards but diverges in some respects. Luminance has published technical documentation referencing both ISO 42001 and the UK AI Standards Hub guidance. Limitation: UK-framework compliance does not automatically satisfy EU harmonised standard requirements; law firms operating in both jurisdictions need to assess compliance under each regime separately.
What vendors cannot yet provide. As of 2026, no legal AI vendor can present a certificate of conformity with a formally adopted EU AI Act harmonised standard, because those standards do not yet carry Official Journal status. Any current compliance claim is an alignment claim — that the vendor's practices match the anticipated requirements of draft standards. This is a legitimate and useful compliance posture, but law firms should understand its current limitations when conducting procurement due diligence.
How Lawyers Should Verify / Apply It
- Ask vendors for their AI Act compliance roadmap, not just a current status claim. Given that harmonised standards are still in development, the right question is: what is the vendor's monitoring process for JTC 21 and ISO 42001 developments, and how do they plan to demonstrate conformity once standards are formally adopted? A vendor without a documented roadmap represents a procurement risk.
- Request a copy of the vendor's technical documentation under EU AI Act Article 13. High-risk AI system providers must prepare technical documentation per Article 11 and make a version of it available to deployers. This documentation should address the requirements that harmonised standards will eventually specify. Reviewing it tells you how seriously the vendor takes the compliance framework.
- Assess whether the AI tool you are evaluating is classified as high-risk. Not all legal AI tools qualify as high-risk systems under Annex III. Many research and drafting tools fall outside the high-risk classification and are not subject to harmonised standard conformity requirements. Conduct the Annex III classification analysis before requiring vendors to address harmonised standards.
- Evaluate ISO/IEC 42001 certification as a current proxy. While not equivalent to harmonised standard conformity, ISO 42001 certification from an accredited body indicates that a vendor has implemented a structured AI management system. It is the closest available third-party verified standard in the interim period.
- Record your vendor evaluation process. Under the EU AI Act's accountability framework, deployers must be able to demonstrate that they conducted appropriate due diligence. Maintain records of the questions asked, documentation reviewed, and compliance assessments made for each AI vendor. This protects the firm if compliance is later challenged.