EU AI Act
European Union · 2024

Regulation (EU) 2024/1689

Binding law across the EU. Risk-tiered: prohibits unacceptable uses, imposes heavy obligations on high-risk AI, transparency duties on limited-risk, and special rules for general-purpose AI models. Fines up to €35M / 7% turnover.

// Walkthrough

Read EU AI Act as a step-by-step path

Section 1 of 11

Chap I - General

2 items
// Why this section exists

Scope, definitions and the cross-cutting AI literacy duty (Art.4) that applies to every provider and deployer.

// Step-by-step
  1. Confirm whether the regulation applies to you (provider, deployer, importer, distributor).
  2. Implement AI literacy across staff dealing with AI.
// In the other frameworks
ISO 42001

Cl.7.2/7.3 cover competence and awareness.

NIST AI RMF

GOVERN 3 covers workforce.

Step 1: Article 3
Definitions (AI system, provider, deployer)
Defines AI system, GPAI model, provider, deployer, distributor, importer.
// Maps to
ISO 42001: Clause 4.3
NIST AI RMF: MAP 1.1
Step 2: Article 4
AI literacy
Providers and deployers must ensure sufficient AI literacy of staff dealing with AI systems.
Section 2 of 11

Chap II - Prohibited

1 item
// Why this section exists

A short list of AI uses that are simply banned. The hard floor of the regime.

// Step-by-step
  1. Screen every use case against Article 5 before design.
  2. Document the screen and keep evidence.
// In the other frameworks
ISO 42001

No direct equivalent - ISO will not stop you doing something unethical that is technically conformant.

NIST AI RMF

GOVERN 1 captures legal obligations; the rest is left to the organisation.

Step 1: Article 5
Prohibited AI practices
Bans manipulative AI, social scoring, untargeted scraping for face DBs, certain biometric uses, etc.
// Maps to
ISO 42001: No direct equivalent in ISO 42001.
NIST AI RMF: No direct equivalent in NIST AI RMF.
Section 3 of 11

Chap III - High-risk classification

1 item
// Why this section exists

The core of the Act. Classification (Art.6 + Annex III), then a stack of obligations: risk management, data, documentation, logs, transparency, oversight, accuracy.

// Step-by-step
  1. Classify the system against Annex III and Art.6.
  2. Run a risk-management system continuously (Art.9).
  3. Meet data-governance duties (Art.10).
  4. Produce technical documentation (Art.11 + Annex IV).
  5. Build in logging (Art.12), transparency (Art.13), oversight (Art.14).
  6. Demonstrate accuracy, robustness, cybersecurity (Art.15).
  7. Operate a QMS (Art.17).
  8. Pass conformity assessment and register (Art.43/49).
  9. Deployers: oversight + FRIA where required (Art.26/27).
// In the other frameworks
ISO 42001

ISO 42001 + Annex A gives you most of the management-system evidence: Cl.6 → Art.9; Cl.7.5 → Art.11; A.7 → Art.10; A.6.2.4 → Art.15; A.8/A.9 → Art.13/14.

NIST AI RMF

MAP/MEASURE/MANAGE cycle satisfies most of the substantive content but NIST will not produce a conformity dossier on its own.

Step 1: Article 6
Classification rules for high-risk AI
Defines what counts as high-risk AI (Annex I product safety + Annex III use cases).
// Maps to
ISO 42001: No direct equivalent in ISO 42001.
NIST AI RMF: MAP 1.1
Section 4 of 11

Chap III §2 - High-risk requirements

8 items
Step 1: Article 8
Compliance with high-risk requirements
High-risk AI must comply with requirements in Section 2 (Art. 9–15).
// Maps to
ISO 42001: Clause 4.4
NIST AI RMF: GOVERN 1.1
Step 2: Article 9
Risk management system
Continuous, iterative risk management process across the AI lifecycle.
Step 3: Article 10
Data and data governance
Training/validation/test datasets must be relevant, representative, error-free, complete; bias examined.
Step 4: Article 11
Technical documentation
Technical documentation drawn up before placing on market, kept up to date (Annex IV).
Step 5: Article 12
Record-keeping (logs)
High-risk AI must automatically log events for traceability throughout its lifecycle.
Step 6: Article 13
Transparency & info to deployers
Instructions for use enabling deployers to interpret output and use the AI appropriately.
Step 7: Article 14
Human oversight
Designed to be effectively overseen by natural persons during use.
Step 8: Article 15
Accuracy, robustness & cybersecurity
Appropriate level of accuracy, robustness and cybersecurity throughout lifecycle.
Section 5 of 11

Chap III §3 - Providers

4 items
Step 1: Article 16
Obligations of providers of high-risk AI
Providers must ensure compliance, name, QMS, documentation, registration, etc.
Step 2: Article 17
Quality management system
Providers establish a QMS covering compliance, design, testing, post-market, etc.
Step 3: Article 18
Documentation keeping
Providers keep technical documentation, QMS docs, declarations for 10 years.
Step 4: Article 20
Corrective actions and duty of information
Providers must take corrective action and inform authorities of non-conforming AI.
// Maps to
ISO 42001: Clause 10.2
NIST AI RMF: MANAGE 4.3
Section 6 of 11

Chap III §3 - Supply chain

1 item
Step 1: Article 25
Responsibilities along the AI value chain
Distributors, importers, deployers may become providers under conditions.
Section 7 of 11

Chap III §3 - Deployers

2 items
Step 1: Article 26
Obligations of deployers
Deployers use AI per instructions, ensure human oversight, monitor and log.
Step 2: Article 27
Fundamental rights impact assessment (FRIA)
Certain deployers of high-risk AI must perform a Fundamental Rights Impact Assessment.
Section 8 of 11

Chap IV - Transparency

1 item
// Why this section exists

Limited-risk obligations: tell people they are interacting with AI and label AI-generated content.

// Step-by-step
  1. Add user-facing notice for chatbots and similar systems.
  2. Label deepfakes and synthetic media.
// In the other frameworks
ISO 42001

Annex A.8.

NIST AI RMF

MEASURE 2.8 (explainability) + MANAGE 2.3.

Step 1: Article 50
Transparency for certain AI systems
Disclose AI interaction, label deepfakes, mark synthetic content.
Section 9 of 11

Chap V - GPAI

3 items
// Why this section exists

General-purpose AI models have their own duties - documentation, downstream info, copyright policy, and stricter rules for systemic-risk models.

// Step-by-step
  1. Determine if you're a GPAI provider; if yes, prepare the Art.53 info pack.
  2. Assess whether your model has systemic risk (Art.51).
  3. If systemic: model evaluations, mitigation, incident reporting, cybersecurity (Art.55).
// In the other frameworks
ISO 42001

Annex A.10 + 7.5 cover the supplier and documentation angle.

NIST AI RMF

GOVERN 6 + MAP 4.

Step 1: Article 51
Classification of GPAI with systemic risk
Defines when a general-purpose AI model has systemic risk (compute threshold etc.).
// Maps to
ISO 42001: No direct equivalent in ISO 42001.
NIST AI RMF: No direct equivalent in NIST AI RMF.
Step 2: Article 53
Obligations for providers of GPAI models
Technical docs, info to downstream providers, copyright policy, training data summary.
Step 3: Article 55
Obligations for GPAI with systemic risk
Model evaluations, systemic risk assessment & mitigation, incident reporting, cybersecurity.
Section 10 of 11

Chap IX - Post-market

2 items
// Why this section exists

Once on the market, you keep watching the system and report serious incidents.

// Step-by-step
  1. Operate a post-market monitoring plan (Art.72).
  2. Report serious incidents to authorities within the statutory window (Art.73).
// In the other frameworks
ISO 42001

Cl.9.1 + 10.2 + Annex A.6.2.8.

NIST AI RMF

MANAGE 4.

Step 1: Article 72
Post-market monitoring by providers
Active, systematic collection of data on performance of AI throughout lifetime.
Step 2: Article 73
Reporting of serious incidents
Providers report serious incidents to market surveillance authorities.
Section 11 of 11

Chap XII - Penalties

1 item
// Why this section exists

The enforcement teeth: up to €35M or 7% of worldwide turnover for prohibited practices.

// Step-by-step
  1. Treat penalty exposure as a board-level risk; map every prohibited / high-risk obligation to an owner.
// In the other frameworks
ISO 42001

No equivalent - ISO 42001 is voluntary.

NIST AI RMF

No equivalent - NIST AI RMF is voluntary.

Step 1: Article 99
Penalties
Fines up to €35M or 7% of worldwide turnover for prohibited practices.
// Maps to
ISO 42001: No direct equivalent in ISO 42001.
NIST AI RMF: No direct equivalent in NIST AI RMF.