The EU AI Act passed. The clock is running. But the compliance infrastructure that organizations need to actually meet the law’s high-risk AI requirements is still being built.
That’s the practical reality compliance teams face. European Parliament members and EU stakeholders continue to work through the implementation challenges of the AI Act, and the most consequential unresolved question isn’t about deadlines. It’s about technical standards.
Why Standards Matter More Than Deadlines Right Now
The EU AI Act’s high-risk classification framework under Article 6 creates specific compliance obligations for providers of systems in sectors like healthcare, critical infrastructure, education, and employment. Those obligations include conformity assessments, documentation requirements, and technical requirements for accuracy, robustness, and cybersecurity.
Here’s the problem: the harmonized technical standards that specify exactly how those requirements are met haven’t been finalized. The AI Act’s structure delegates standard-setting to standards bodies. Until those standards are published, providers of high-risk AI systems face a compliance target they can see but can’t fully aim at.
This isn’t a minor implementation detail. Harmonized standards under EU law serve a specific legal function, demonstrating conformity with them creates a presumption of compliance with the corresponding regulatory requirements. Without them, compliance teams are working from the regulation’s general principles rather than concrete technical specifications.
What This Means for Compliance Planning
Two categories of obligation are worth separating here. Some AI Act requirements don’t depend on harmonized standards, documentation obligations, transparency requirements, and fundamental rights impact assessments have enough regulatory text to work from now. Compliance teams can and should be building processes around these.
But technical requirements for accuracy, robustness, and cybersecurity in high-risk systems are where the standards gap creates real uncertainty. Organizations that want to demonstrate conformity through harmonized standards, the legally cleaner path, are waiting on standards that aren’t ready.
Compliance timelines for the AI Act’s various provisions remain subject to ongoing interpretation as technical standards are finalized. That framing isn’t a hedge. It’s the accurate description of where the regulatory implementation process actually stands.
What to Watch
The AI Act’s phased implementation timeline means this isn’t a single deadline problem. Different provisions apply to different system categories at different times. What compliance teams should track: publication timelines for harmonized standards from the relevant standards bodies, any European Commission guidance on interim compliance approaches, and the progression of the AI Office’s implementation work.
The EU AI Act’s existing published text and high-level summaries remain the most reliable reference point for understanding what the law currently requires, even as the implementing details are resolved.
TJS Synthesis
The gap between what the EU AI Act says and what compliance actually requires is a technical standards problem, not a political one. The law is settled. The practical specifications aren’t. For organizations building AI Act compliance programs now, the right approach is to build the documentation and governance structures that don’t depend on harmonized standards, and to maintain a watching brief on the standards process rather than waiting for it to complete before starting. The organizations that treat the standards gap as a reason to delay are the ones that will be behind when standards arrive.