
EU AI Act vs NIST AI RMF vs ISO 42001: How They Compare

Three names get used interchangeably, but only one is a law. Here is how the EU AI Act, NIST AI RMF and ISO/IEC 42001 actually differ, and where they overlap.

The core distinction

The EU AI Act is a binding law, NIST AI RMF is a voluntary US framework, and ISO/IEC 42001 is a certifiable international standard. That single distinction explains most of the practical differences: the EU AI Act can fine you, NIST AI RMF and ISO/IEC 42001 cannot, but the latter two can be demanded by your customers as a condition of doing business.

The EU AI Act (Regulation (EU) 2024/1689) applies by force of law to anyone placing AI on the EU market or whose AI output is used in the Union, regardless of where the company is based. NIST AI RMF (NIST AI 100-1) is guidance published by the US National Institute of Standards and Technology that organisations adopt by choice. ISO/IEC 42001, published in 2023, is a management-system standard that an organisation can be independently audited and certified against.

Side-by-side comparison

| Dimension | EU AI Act | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|---|
| Type | Binding law (Regulation (EU) 2024/1689) | Voluntary framework (NIST AI 100-1) | Certifiable international standard |
| Scope | AI placed on or used in the EU market | Any organisation managing AI risk | An organisation's AI management system (AIMS) |
| Who requires it | EU regulators and market-surveillance authorities | Adopted voluntarily; common in US enterprise and federal RFPs | Requested by enterprise procurement; awarded by accredited auditors |
| Core structure | Four risk tiers; Annex III high-risk list; obligations in Articles 9-15 | Four functions: Govern, Map, Measure, Manage | Plan-Do-Check-Act AIMS with Annex A controls |
| Enforcement | Fines up to EUR 35M or 7% (prohibited) and EUR 15M or 3% (other) | None; no penalties | None directly; loss or denial of certification |
| Geography | European Union (extraterritorial reach) | United States (used globally) | International |

How each one is structured

  • EU AI Act: a risk-based law. Every system falls into one of four tiers - unacceptable (prohibited under Article 5), high risk (Annex III, governed by Articles 9-15), limited risk (transparency duties under Article 50), or minimal risk. The tier sets the obligations.
  • NIST AI RMF: an outcomes-based framework built on four functions. Govern sets the culture and accountability, Map establishes context for each system, Measure analyses and monitors risk, and Manage prioritises and acts on it.
  • ISO/IEC 42001: a management-system standard. It asks you to run an AI management system (AIMS) - policy, roles, risk and impact assessment, the Annex A controls, and continual improvement - the AI counterpart to ISO 27001 for information security.

Where they overlap

Despite the different legal status, the three converge on the same substance: know what AI you run, assess its risk, govern the data behind it, keep humans in the loop, document decisions, and monitor systems over time. A risk-management process built for Article 9 of the EU AI Act is most of what NIST AI RMF's Map and Measure functions ask for, and it slots directly into the ISO/IEC 42001 Annex A controls.

Because they share this backbone, work done for one is rarely wasted on the others. The data-governance evidence, human-oversight design and technical documentation you produce for an EU high-risk system are the same artefacts an ISO/IEC 42001 auditor and a NIST-aligned customer questionnaire want to see.

Classify once, map across all three

The expensive mistake is treating the three as separate projects. The single hardest step - deciding what an AI system is and how risky it is - is shared, so do it once and reuse the result. ComplyAgent classifies each system once against the EU AI Act, with citations to Annex III and Article 5, then maps that same classification onto the NIST Govern, Map, Measure and Manage functions and the ISO/IEC 42001 Annex A controls.

  1. Inventory the AI systems your team actually uses, including embedded AI features and third-party tools.
  2. Classify each system once under the EU AI Act to fix its risk tier and obligations.
  3. Generate the EU evidence (Annex IV technical documentation, Articles 9, 14 and 47) from that classification.
  4. Map the same evidence onto NIST AI RMF functions and ISO/IEC 42001 Annex A controls without redoing the analysis.

Which one applies to you

If you place AI on the EU market or your AI output reaches EU users, the EU AI Act is mandatory and time-bound: prohibited practices and AI-literacy duties (Article 4) have applied since 2 February 2025, general-purpose AI and governance rules since 2 August 2025, most high-risk obligations from 2 August 2026, and high-risk AI embedded in regulated products from 2 August 2027. NIST AI RMF and ISO/IEC 42001 are optional but often decisive in winning US and enterprise deals.

A proposed Digital Omnibus package under discussion would adjust some EU AI Act timelines, but it is only a proposal and has not been adopted. Treat the dates above as the law in force and plan against them.


Last reviewed June 2026 by the ComplyAgent team.