EU AI Act / NIST AI RMF / ISO 42001

Interactive Compliance Crosswalk Tool

Select a framework and control to see how it maps across all three regulatory frameworks, including mapping strength indicators, source links, and gap analysis showing where EU AI Act obligations have no equivalent in NIST or ISO 42001.

30 Controls Mapped
3 Frameworks
5 True Gaps

EU AI Act

Regulation (EU) 2024/1689. Binding law for AI systems in the EU. High-risk obligations enforceable from 2 August 2026.

NIST AI RMF

Voluntary AI Risk Management Framework from NIST. Four functions: Govern, Map, Measure, Manage. Free to use.

ISO 42001

International standard for AI Management Systems published in 2023. Certifiable and increasingly required in procurement.

Mapping Strength Guide

Strong - Direct equivalent covering the same obligation
Partial - Covers some but not all aspects
Indirect - Related concept, significant gaps exist
No Equivalent - EU AI Act obligation not covered by this framework

Interactive Control Lookup

Select a framework and a specific control to see the full mapping, strength indicators, and links to source documents.

Full Crosswalk Matrix

All 30 controls mapped across EU AI Act, NIST AI RMF, and ISO 42001 with mapping strength indicators and links to source documents.

Topic EU AI Act NIST AI RMF ISO 42001

Gap Analysis

These are EU AI Act obligations that have no direct or indirect equivalent in NIST AI RMF or ISO 42001. Companies relying solely on these voluntary frameworks will not meet these specific EU AI Act requirements.

Article 48

CE Marking and Declaration of Conformity

The EU AI Act requires high-risk AI systems to bear the CE marking before market placement. Neither NIST AI RMF nor ISO 42001 includes equivalent mandatory market access requirements.

Article 49

EU AI Database Registration

High-risk AI systems must be registered in the EU public database before market placement. No voluntary framework requires registration in a government database.

Article 44

Notified Body Third Party Assessment

Certain high-risk AI systems require mandatory conformity assessment by an accredited notified body. ISO 42001 certification is voluntary; NIST has no equivalent at all.

Article 55

GPAI Systemic Risk Assessment

Providers of high-impact GPAI models with systemic risk must conduct adversarial testing and report to the EU AI Office. Neither framework addresses societal-scale systemic AI risk.

Article 74

Market Surveillance and Enforcement

The EU AI Act creates legally binding enforcement powers including fines up to 35 million euros or 7% of global turnover. Voluntary frameworks create no legal liability.

This tool provides technical guidance only. It does not constitute legal advice and does not replace qualified legal consultation. Mapping strength assessments are based on publicly available documentation of each framework as of 2026.