Weekly AI Governance Brief #10 — March 2026
European Commission clarifies and updates AI Act standardisation framework
On 10 March 2026, the European Commission (DG CONNECT) updated a web-based FAQ titled “Understanding the standardisation of the AI Act”. The document explains how harmonised standards are intended to support compliance with the AI Act, including the role of “presumption of conformity” where such standards are referenced in the Official Journal.
The FAQ outlines that European harmonised standards are developed by recognised European standardisation organisations and are expected to cover a range of requirement areas under the AI Act. These include risk management, data governance and quality, logging, transparency information, human oversight, accuracy, robustness and cybersecurity, quality management systems, and conformity assessment procedures. It also describes the Commission’s role in issuing standardisation requests and reviewing standards prior to their citation in the Official Journal.
This clarification is complemented by a Commission policy page update published on 11 March 2026, titled “Standardisation of the AI Act”. The page summarises the role of standards in supporting implementation and provides an institutional update on ongoing standardisation activity. It indicates that harmonised standards are being developed to support requirements applicable to high-risk AI systems and notes that at least one draft European standard intended for AI Act purposes has entered the public enquiry stage.
Why this matters
Taken together, these publications provide an implementation-oriented view of how technical standards are expected to operationalise AI Act requirements. The clarification of “presumption of conformity” is relevant for structuring conformity assessments and supporting documentation, while the policy update signals progress in the availability of standards that may underpin such claims. These developments also illustrate the institutional coordination between the European Commission and European standardisation bodies in translating regulatory obligations into technical specifications.
EU data protection authorities address AI in health-related regulatory proposal
On 12 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), both European Union-level data protection authorities, published Joint Opinion 3/2026 on the European Commission’s proposal for a European Biotech Act. The opinion was adopted on 10 March 2026 and subsequently published in the EDPB register.
The document sets out data protection considerations related to the proposal, including aspects relevant to AI in clinical trials and health-sector data processing. Within this context, the opinion refers to coordination and synergies with AI Act regulatory sandboxes, as described in the underlying legislative proposal.
Why this matters
This joint opinion provides an EU-level institutional view on the intersection between data protection law and AI use in a regulated health context. The reference to AI Act sandboxes indicates how different regulatory instruments may interact in practice. For governance and compliance functions, this highlights the need to consider both GDPR requirements and AI Act mechanisms when assessing AI-enabled health applications involving sensitive data.
ISO/IEC AI cybersecurity standard advances to final approval stage
On 12 March 2026, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), international standard-setting bodies, recorded that ISO/IEC FDIS 27090, “Cybersecurity — Artificial intelligence”, had entered the Final Draft International Standard (FDIS) stage, with the final text registered for formal approval. The preceding stage, approval of the Draft International Standard (DIS) for FDIS registration, occurred on 11 March 2026.
The standard is described as addressing security threats and compromises specific to AI systems. It aims to provide guidance on the consequences of such threats, as well as on detection and mitigation measures across the AI system lifecycle. The document is intended to apply to organisations of varying sizes that develop or use AI systems.
Why this matters
This lifecycle milestone indicates that an AI-specific cybersecurity standard is approaching finalisation. Cybersecurity and robustness are recurring requirements within AI governance frameworks, including under the EU AI Act. The progression of ISO/IEC 27090 reflects the development of technical guidance that organisations may use to structure controls, risk management processes, and supporting documentation.
NIST updates AI standards page with cross-framework references
On 10 March 2026, the U.S. National Institute of Standards and Technology (NIST), a federal agency within the United States Department of Commerce, updated its AI standards webpage. The updated page outlines NIST’s role in supporting the development and use of AI technical standards and references its international engagement activities.
The page notes that NIST hosted a webinar on 6 March 2026 addressing the international AI standards landscape. It also describes ongoing work to promote the integration of the NIST AI Risk Management Framework (AI RMF) into international standards. The update references crosswalks linking the AI RMF to ISO/IEC AI risk management guidance and to other frameworks, including the OECD AI Recommendation and the proposed EU AI Act.
Why this matters
This update reflects ongoing activity in the United States related to AI standards coordination and framework alignment. The reference to crosswalks between frameworks indicates efforts to map AI risk management approaches across jurisdictions and governance instruments. For organisations operating within the EU, this provides context for how international frameworks may intersect with EU regulatory requirements.
Looking ahead
Developments during this period show continued institutional focus on the implementation infrastructure surrounding the EU AI Act, particularly in relation to standardisation. Commission publications provide clarification on how harmonised standards are expected to function within the regulatory framework, while updates indicate ongoing progress in their development.
At the same time, EU data protection authorities continue to engage with AI-related regulatory proposals in sector-specific contexts. International standardisation and framework alignment activity also continues across multiple jurisdictions.
Sources
European Commission FAQ on AI Act standardisation: https://digital-strategy.ec.europa.eu/en/faqs/understanding-standardisation-ai-act
European Commission policy page on AI Act standardisation: https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation
EDPB–EDPS Joint Opinion 3/2026 register entry: https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-32026-proposal-european_en
EDPB–EDPS Joint Opinion 3/2026 PDF: https://www.edpb.europa.eu/system/files/2026-03/edpb_edps_jointopinion_202603_biotechact_en.pdf
ISO catalogue entry for ISO/IEC FDIS 27090: https://www.iso.org/standard/56581.html
NIST AI standards page update: https://www.nist.gov/artificial-intelligence/ai-standards