Executive Summary

  • CEN-CLC/JTC 21, the EU standards body responsible for artificial intelligence, operates behind the scenes yet wields significant influence over AI governance implementation across Europe.
  • Technical standards developed by JTC 21 translate legal AI Act requirements into practical design specifications, bridging the gap between abstract regulation and engineering reality.
  • The committee occupies a critical intermediary position, connecting the language of regulatory law with the demands of real-world application and system design.
  • Major harmonized standards are anticipated by the end of 2026, directly supporting compliance obligations under the EU AI Act and shaping the regulatory landscape for years to come.
  • JTC 21’s work will become integral to how EU AI regulation functions operationally, making the committee’s processes, composition, and outputs matters of broad public interest.

Context and Recent Developments

CEN-CLC/JTC 21 represents a joint technical committee established by Europe’s primary standardization organizations, CEN and CENELEC. The committee develops AI-related standards addressing shared terminology, risk management, trustworthiness, system robustness, and human oversight. Its mandate encompasses the full breadth of challenges that arise when translating high-level regulatory principles into concrete, implementable technical requirements.

The committee’s relevance has increased substantially alongside EU regulatory momentum, particularly following the European Commission’s November 2025 Digital Omnibus proposal. Under the “New Legislative Framework,” companies following harmonized standards gain a presumption of legal compliance—a powerful incentive that positions JTC 21 as crucial infrastructure connecting legal principles to technical requirements. In practice, this means that the standards JTC 21 produces are not merely advisory: they carry significant legal and commercial weight, shaping how organizations design, deploy, and govern AI systems across the European market.

However, rapid AI advancement creates a persistent tension: foundation models and automated decision systems evolve faster than consensus-based standardization processes allow. The pace of technological change challenges the committee’s ability to produce standards that remain current and relevant. Standards drafted today may need revision before they are formally adopted, raising questions about whether traditional standardization timelines can keep pace with a technology whose capabilities shift quarter by quarter.

Technical standards developed by JTC 21 translate legal AI Act requirements into practical design specifications, bridging the gap between abstract regulation and engineering reality.

Standardization in a Regulatory Context

JTC 21’s work increasingly intertwines with binding EU law. When the European Commission mandates standards referenced in the Official Journal of the European Union, those standards begin functioning as regulatory instruments—not in a formal legal sense, but in practical effect. Organizations that comply with harmonized standards enjoy a presumption of conformity with the underlying legislation, while those that deviate must demonstrate compliance through alternative means. This dynamic transforms what might appear to be voluntary technical documents into de facto compliance pathways.

This shift raises critical questions about responsibility allocation, process transparency, and influence distribution when technical decisions carry legal weight. Who decides what constitutes “adequate” risk management or “sufficient” human oversight? When a standard defines the acceptable threshold for system robustness, that definition acquires regulatory force. The boundary between technical specification and legal requirement becomes blurred, and decisions made within standards committees effectively shape the meaning and reach of legislation passed by elected bodies.


Europe vs. Global Standards Landscape

JTC 21 operates alongside international bodies such as ISO/IEC JTC 1/SC 42, the primary global committee responsible for AI standardization. While coordination between these bodies exists, their approaches diverge significantly. The EU emphasizes fundamental rights and risk-based governance more strongly than many international counterparts, reflecting a regulatory philosophy rooted in precaution and democratic accountability rather than purely market-driven innovation.

These differences reflect broader global dynamics where standards function as vehicles for exporting regulatory values and influence internationally. Just as the General Data Protection Regulation created a “Brussels effect” in data privacy, European AI standards have the potential to shape global norms. Companies operating across borders often find it more efficient to adopt the most stringent standard as a baseline, extending European requirements far beyond EU jurisdiction. Conversely, divergence between European and international standards could create fragmentation, increasing compliance costs and complicating interoperability for organizations that operate in multiple regulatory environments.


Who Gets a Seat at the Table?

JTC 21 includes national standards bodies, industry representatives, technical experts, and limited civil society participation. The process is theoretically open, but participation practically depends on resources, time, and expertise—factors that strongly favor large, well-funded organizations while systematically disadvantaging smaller actors, startups, academic researchers, and public interest groups. The result is a participation gap that risks producing standards reflecting the priorities and capabilities of dominant market players rather than the broader range of stakeholders affected by AI governance.

The consensus approach that governs standards development encourages compromise, but it can also obscure difficult issues—particularly where ethical or societal concerns conflict with engineering perspectives. Technical experts dominate discussions within working groups, potentially marginalizing legal, social, or rights-based viewpoints. When risk management frameworks become the primary lens through which AI governance is examined, alternative ways of thinking about accountability, justice, and power can be sidelined. The vocabulary of standards—tolerances, conformity assessments, performance metrics—does not easily accommodate questions about dignity, fairness, or democratic legitimacy.

Institutionally, JTC 21 occupies a complex position: neither fully independent nor directly controlled by any single authority, its influence depends on political mandates from the European Commission and adoption choices made by regulators and companies alike. The committee derives authority from its technical expertise and procedural legitimacy, yet it operates within a political landscape where competing interests—industrial competitiveness, fundamental rights protection, innovation promotion, and consumer safety—must be continually balanced.

Implications

Technical standards have become central to European AI governance despite developing outside traditional legislative processes. They significantly shape how legal obligations are interpreted, operationalized, and applied across diverse sectors and use cases. The practical meaning of the EU AI Act’s requirements—from transparency obligations to conformity assessments for high-risk systems—will be determined in substantial part by the standards that JTC 21 produces.

The developing standard PrEN 18286 provides a concrete example of both the promise and the limitations of this approach. PrEN 18286 has the potential to shape EU AI Act implementation by establishing requirements for AI quality management systems. However, it examines these systems primarily during the early stages of an AI product’s lifecycle—system design, dataset collection and governance, validation and development—while overlooking critical post-deployment issues. Training-serving skew, drift (whether data drift, model drift, or concept drift), and edge cases emergent within production environments remain largely unaddressed. This gap is significant: many of the most consequential risks associated with AI systems manifest not at the point of design or initial deployment, but over time as systems interact with shifting real-world conditions.

Several unresolved questions remain at the heart of this evolving landscape. Whether European standards can match the velocity of technological change is an open question, as is whether fundamental rights—concepts rooted in law, philosophy, and political theory—can be meaningfully translated into technical specifications and quantifiable metrics. Equally uncertain is whether genuinely inclusive participation can coexist with the efficiency demands of timely standard-setting, or whether the process will continue to privilege those with the resources to engage consistently.

Broader questions of legitimacy also demand attention. How much authority should technical committees possess in defining what regulatory requirements actually mean in practice? How transparent and contestable should these increasingly governance-shaping processes become? As standards evolve from voluntary best practices into essential components of the regulatory architecture, the democratic accountability of standardization itself becomes a question that policymakers, civil society, and the public can no longer afford to overlook.