AI Governance Frameworks in Comparison

EU AI Act, ISO 42001, NIST AI RMF and GDPR — how they are interconnected

At a glance: EU AI Act (required) | ISO 42001 (voluntary) | NIST AI RMF (voluntary) | GDPR (required)

Two laws already in force — and two frameworks that help with implementation.

Legal Requirement

EU AI Act (Regulation 2024/1689)
Status: law, in force since August 2024 (AI literacy obligation since February 2025)
Applies to: all AI operators in the EU
Penalties: up to €35 million or 7% of revenue
Focus: risk classes, obligations, prohibitions

  • AI literacy (Art. 4): mandatory since 02.02.2025
  • 4 risk classes: prohibited / high / limited / minimal
  • High-risk obligations from August 2026
GDPR (Regulation 2016/679)
Status: law, in force since May 2018
Applies to: all processors of personal data
Penalties: up to €20 million or 4% of turnover
Focus: data protection, automated decisions

  • Art. 22: automated individual decisions
  • Data Protection Impact Assessment for AI
  • Applies in parallel to the EU AI Act
Voluntary Frameworks

ISO 42001 (ISO/IEC 42001:2023)
Status: standard (voluntary), published 2023
Applies to: all organizations using AI
Focus: management system for AI (AIMS)

  • Certifiable (TÜV, BSI, DQS)
  • Complementary to the EU AI Act
  • Systematic governance framework
NIST AI RMF (NIST AI 100-1)
Status: framework (voluntary), published 2023
Applies to: all organizations
Focus: risk management process

  • GOVERN / MAP / MEASURE / MANAGE
  • Practical implementation guide for the EU AI Act
  • Internationally recognized
How they fit together: EU AI Act (required) + ISO 42001 (complementary) + NIST AI RMF (complementary) + GDPR (required)