The missing harmonised standards: why CEN-CENELEC's delay reshaped the AI Act timeline
Adopted 2026-06-17 · ≈ 3 min read · 
edited by Dirk Baaijen
High-risk AI Act compliance rests on harmonised European standards granting a presumption of conformity. CEN-CENELEC's JTC 21 missed its 2025 deadline; October 2025 emergency measures target Q4 2026 delivery — a stated reason the Digital Omnibus pushed Annex III to December 2027.
Most of the AI Act's high-risk obligations are written at the level of outcomes — risk management, data quality, human oversight, robustness — not of methods. The methods live somewhere else: in harmonised European standards. Understanding why those standards are late, and what was done about it in 2026, explains a timeline shift that otherwise looks arbitrary.
What a harmonised standard buys you
Under Article 40 of the AI Act, a high-risk system that conforms to a harmonised standard whose reference has been published in the Official Journal of the EU enjoys a presumption of conformity with the corresponding requirements. This is the same legal device that underpins CE marking across EU product law: the regulation sets the essential requirements; the standard supplies the testable specification; and a provider that follows the standard is presumed to meet the law, shifting the burden of proof. Without the standard, a provider must still meet the requirement — but has to demonstrate it from first principles, with far more legal uncertainty. For the conformity assessment that high-risk providers face, the harmonised standards are not a nicety; they are the practical route to compliance.
Who writes them, and why they are late
The European Commission tasked CEN and CENELEC — the EU's private standardisation bodies — through Standardisation Request M/593 (later amended by M/613) to deliver the AI Act's harmonised standards. The drafting runs through their joint technical committee, CEN-CLC/JTC 21 "Artificial Intelligence," active since 2021. The original delivery deadline was 30 April 2025. It was missed: writing testable specifications for concepts as contested as "robustness" or "bias" in general-purpose technology proved far harder than for cement or pressure vessels, and consensus among industry, academia, SMEs and civil society moved slowly.
The October 2025 emergency measures
At the joint Technical Boards meeting of 14–16 October 2025, CEN and CENELEC adopted an exceptional package to accelerate delivery and target availability by Q4 2026. Two measures stand out. First, where an Enquiry vote is positive, the boards allowed direct publication of the draft without a separate Formal Vote — collapsing two voting rounds into one. Second, a small drafting group of existing experts was set up to finalise six delayed drafts before wider working-group review. Among the key deliverables is prEN 18286, a standard for AI quality management systems that supports the conformity-assessment framework.
The link to the Digital Omnibus
The standards gap did not stay inside the standardisation world. When the Commission proposed the Digital Omnibus simplification package on 19 November 2025, the late arrival of harmonised standards was a stated reason for pushing the high-risk start dates back. As covered in our Digital Omnibus file, the application date for Annex III high-risk systems moved from 2 August 2026 to 2 December 2027. The causal chain is worth stating plainly: no standards, no presumption of conformity; no presumption of conformity, no realistic way for thousands of providers to certify on the original schedule; therefore the schedule moved.
Standards you can already use
The harmonised standards are not the only ones in play. The international EN ISO/IEC 42001:2026 — the European adoption of the ISO/IEC 42001 AI management-system standard — is available now and certifiable, and an organisation that builds an AI management system on it lays much of the groundwork a future harmonised QMS standard will demand. A 42001 certificate does not by itself grant the Article 40 presumption of conformity — only the harmonised standards listed in the Official Journal do that — but the overlap is substantial. The practical advice for a high-risk provider is therefore unchanged by the delay: build the management system now, and treat the harmonised standards, when they land in 2026–2027, as the formal specification to map onto work already done. See also our overview of high-risk obligations.
Sources
- https://www.cencenelec.eu/news-events/news/2025/brief-news/2025-10-23-ai-standardization/
Emergency measures (14–16 October 2025) to deliver AI Act standards under request M/593 (amendment M/613) by Q4 2026. - https://www.cencenelec.eu/areas-of-work/cen-cenelec-topics/artificial-intelligence/
CEN-CENELEC JTC 21 "Artificial Intelligence", operating since 2021, develops the harmonised standards underpinning AI Act conformity assessment. - https://eur-lex.europa.eu/eli/reg/2024/1689/oj
AI Act, Article 40: high-risk systems conforming to harmonised standards published in the Official Journal enjoy a presumption of conformity.
Read next
The Digital Omnibus file: what shifts, what stands, and what remains to be done
The 7 May 2026 political agreement on the Digital Omnibus shifts the heaviest AI Act dates. On 16 June 2026 the European Parliament adopted the text (423-57-174); only the Council's adoption and Official Journal publication remain. What shifts, what stands, and what is still to be done.
The AI Act timeline of obligations: what applies when
The AI Act takes effect in stages between 2025 and 2028. This timeline sets out which obligations apply on which date, and marks which dates are shifted by the Digital Omnibus agreement of 7 May 2026 — and which expressly are not.
Right to explanation of an AI decision: what Article 86 of the AI Act gives you
If you are affected by a decision based (in part) on a high-risk AI system, Article 86 of the AI Act gives you the right to a clear explanation of the AI system's role and the main elements of the decision — from the deployer, on top of your GDPR rights.