NIST AI RMF to EU AI Act: Side-by-Side Compliance Mapping
Map NIST AI RMF controls to EU AI Act requirements. Learn which NIST functions satisfy which Articles and where gaps remain before August 2026 enforcement.
If you're building AI systems for global markets, you're facing two major frameworks: NIST AI RMF (voluntary in the US, increasingly referenced in federal procurement) and the EU AI Act (mandatory in the EU, enforceable August 2, 2026). The good news: they overlap significantly. The bad news: overlap is not equivalence. You cannot assume NIST compliance automatically satisfies EU AI Act obligations.
This guide provides a side-by-side mapping of NIST AI RMF functions to EU AI Act articles, identifies where NIST controls satisfy EU requirements, and flags gaps you must close before enforcement begins. Fines for EU AI Act non-compliance reach €35M or 6% of global turnover — getting the mapping right is not optional.
Framework Overview: NIST AI RMF vs. EU AI Act
| Dimension | NIST AI RMF | EU AI Act |
|---|---|---|
| Legal status | Voluntary (US); referenced in federal procurement | Mandatory (EU); legally binding regulation |
| Scope | All AI systems (risk-based guidance) | High-risk AI (Annex III) + prohibited AI (Article 5) + GPAI |
| Structure | 4 functions (Govern, Map, Measure, Manage) + 23 categories | 85 articles + 13 annexes (technical requirements, conformity) |
| Enforcement | None (voluntary); contractual in procurement | EU member state authorities; fines up to €35M or 6% revenue |
| Focus | Risk management process | Legal compliance (documentation, conformity, market surveillance) |
| Timeline | Published Jan 2023; ongoing updates | Enforcement begins Aug 2, 2026 (high-risk AI); Feb 2, 2027 (full) |
Key insight: NIST AI RMF is a process framework (how to manage AI risk). EU AI Act is a compliance framework (what you must document and prove). NIST helps you build good practices; EU AI Act tells you what's legally required.
High-Level Mapping: NIST Functions to EU AI Act Titles
| NIST AI RMF Function | Primary EU AI Act Mapping | Coverage |
|---|---|---|
| Govern | Title III, Chapter 2 (Articles 8–15: governance, risk mgmt, transparency, oversight) | ~70% overlap |
| Map | Article 9 (risk management), Article 10 (data governance), Annex IV (technical documentation) | ~60% overlap |
| Measure | Article 9 (risk management), Article 15 (accuracy, robustness, cybersecurity), Article 10 (data quality) | ~65% overlap |
| Manage | Article 9 (risk management), Article 61 (post-market monitoring), Article 72 (incident reporting) | ~50% overlap |
Critical gap: NIST AI RMF does not address conformity assessment (Article 43), CE marking (Article 49), registration in EU database (Article 71), or instructions for use (Article 13). These are EU-specific legal obligations with no NIST equivalent.
Detailed Mapping: NIST Categories to EU AI Act Articles
NIST Govern Function → EU AI Act Governance Requirements
| NIST Category | EU AI Act Article | Overlap | Gap |
|---|---|---|---|
| GOVERN 1.1: AI risk management policy | Article 9 (risk management system) | High | NIST is voluntary; EU requires documented, auditable risk mgmt system |
| GOVERN 1.2: Roles and responsibilities | Article 16 (provider obligations), Article 26 (authorized representatives) | Medium | EU requires legal accountability (named natural/legal persons); NIST is role-based |
| GOVERN 1.3: Organizational risk tolerance | Article 9.2 (risk management throughout lifecycle) | Medium | EU requires specific risk thresholds for high-risk AI; NIST is general |
| GOVERN 2.1: Accountability structures | Article 16 (provider obligations), Article 29 (deployer obligations) | Medium | EU assigns legal liability; NIST assigns process ownership |
| GOVERN 3.1: Legal/regulatory compliance | Articles 8–51 (entire Title III) | Low | NIST references compliance generally; EU specifies exact requirements |
| GOVERN 4.1: Organizational culture | No direct mapping | None | EU does not regulate culture; focuses on documented processes |
Key takeaway: NIST Govern establishes process governance. EU AI Act requires legal accountability with named responsible parties, documented policies, and conformity evidence. If you've implemented NIST Govern, you have a foundation — but you must add legal accountability, documentation, and conformity procedures to satisfy the EU AI Act.
NIST Map Function → EU AI Act Risk & Data Requirements
| NIST Category | EU AI Act Article | Overlap | Gap |
|---|---|---|---|
| MAP 1.1: Context of use | Article 9.2(a) (intended purpose, reasonably foreseeable misuse) | High | EU requires documented intended purpose in technical documentation (Annex IV) |
| MAP 1.2: Categorize AI system | Annex III (high-risk AI systems list) | Medium | NIST uses risk tiers; EU uses binary (high-risk vs. not) + prohibited AI (Article 5) |
| MAP 1.3: Impact assessment | Article 27 (fundamental rights impact assessment for high-risk AI) | Medium | EU requires specific FRIA format for certain deployers; NIST is general |
| MAP 2.1: Data quality | Article 10 (data governance: relevance, representativeness, bias) | High | Strong overlap; EU adds legal requirements (documented bias audits, provenance) |
| MAP 2.2: Data sources | Article 10.3 (data provenance, licensing) | High | EU requires documented data sources in technical documentation (Annex IV.2(d)) |
| MAP 3.1: Capabilities and limitations | Article 13 (transparency: capabilities, limitations, accuracy) | High | EU requires disclosure in instructions for use; NIST is internal assessment |
Key takeaway: NIST Map helps you understand your AI system. EU AI Act requires you to document and disclose that understanding in technical documentation (Annex IV) and instructions for use (Article 13). If you've completed NIST Map, you have the content — but you must format it for EU compliance.
NIST Measure Function → EU AI Act Testing & Validation
| NIST Category | EU AI Act Article | Overlap | Gap |
|---|---|---|---|
| MEASURE 1.1: Validation methodology | Article 9.4 (testing procedures), Article 15 (accuracy, robustness) | High | EU requires documented validation in technical documentation (Annex IV.4) |
| MEASURE 1.2: Test datasets | Article 10.3 (validation/test data quality) | High | EU requires statistical independence of test data from training data |
| MEASURE 1.3: Metrics | Article 15 (appropriate accuracy metrics), Article 13 (disclosure of accuracy) | High | EU requires disclosure of metrics in instructions for use |
| MEASURE 2.1: Bias evaluation | Article 10.2(g) (bias detection and mitigation) | High | EU requires documented bias audits in technical documentation |
| MEASURE 2.2: Fairness metrics | Article 10.2(g) (bias), Article 9.2(d) (eliminate/reduce discriminatory outcomes) | Medium | EU does not specify fairness metrics; requires bias mitigation evidence |
| MEASURE 3.1: Performance monitoring | Article 61 (post-market monitoring), Article 72 (serious incident reporting) | Medium | EU requires ongoing monitoring plan and incident reporting to authorities |
| MEASURE 4.1: Robustness testing | Article 15 (robustness, cybersecurity) | High | EU requires documented robustness testing in technical documentation |
Key takeaway: NIST Measure provides testing methodology. EU AI Act requires documented test results in technical documentation (Annex IV) and ongoing monitoring (Article 61). If you've implemented NIST Measure, you have the tests — but you must document results and establish post-market monitoring.
NIST Manage Function → EU AI Act Lifecycle Management
| NIST Category | EU AI Act Article | Overlap | Gap |
|---|---|---|---|
| MANAGE 1.1: Risk response | Article 9.2 (risk management measures), Article 9.4 (testing, validation) | High | EU requires documented risk mitigation in technical documentation (Annex IV.3(c)) |
| MANAGE 1.2: Risk tracking | Article 9.5 (risk management system updates) | Medium | EU requires version-controlled risk management documentation |
| MANAGE 2.1: Incident response | Article 73 (corrective actions), Article 20 (automatic correction, withdrawal) | Medium | EU requires notification to authorities within specific timelines |
| MANAGE 2.2: Change management | Article 43.4 (substantial modification triggers new conformity assessment) | Low | EU defines "substantial modification" legally; NIST is process-based |
| MANAGE 3.1: Monitoring plan | Article 61 (post-market monitoring plan) | High | EU requires documented plan filed with technical documentation |
| MANAGE 4.1: Continuous improvement | Article 9.5 (risk management system updates throughout lifecycle) | Medium | EU requires documented update procedures and version control |
Key takeaway: NIST Manage establishes continuous improvement processes. EU AI Act requires documented lifecycle management with legal triggers (substantial modification, incident reporting, corrective actions). If you've implemented NIST Manage, you have the process — but you must add legal triggers and authority notification procedures.
Critical Gaps: What NIST AI RMF Does NOT Cover
Even if you've fully implemented NIST AI RMF, you still have EU AI Act gaps:
| EU AI Act Requirement | NIST AI RMF Coverage | What You Must Add |
|---|---|---|
| Article 11: Technical documentation (Annex IV) | Partial (content exists, format does not) | Compile NIST outputs into Annex IV format (16-section document) |
| Article 13: Instructions for use | None | Write user manual with accuracy, limitations, oversight procedures |
| Article 14: Human oversight controls | Partial (GOVERN mentions oversight) | Implement override controls, stop buttons, audit logging |
| Article 43: Conformity assessment | None | Engage notified body or self-assess (depending on Annex III category) |
| Article 49: CE marking | None | Affix CE mark after conformity assessment |
| Article 51: Registration in EU database | None | Register high-risk AI system in EU database before market placement |
| Article 61: Post-market monitoring plan | Partial (MEASURE/MANAGE cover monitoring) | Document plan in Annex IV format; file with authorities |
| Article 72: Serious incident reporting | Partial (MANAGE covers incidents) | Implement 15-day reporting to national authorities |
Bottom line: NIST AI RMF gives you the substance of compliance (risk management, testing, monitoring). EU AI Act adds legal formalities (documentation format, conformity assessment, registration, CE marking). You cannot skip the formalities.
Worked Example: Mapping NIST to EU AI Act for a Recruitment AI
System: AI-powered CV screening tool (high-risk under Annex III.4)
NIST AI RMF implementation (existing):
- Govern: AI risk policy, roles (AI product owner, data scientist, HR lead), risk tolerance defined
- Map: Intended purpose documented, high-risk classification confirmed, bias impact assessment completed, training data sources logged
- Measure: Validation on 10,000 CVs, accuracy 88%, bias audit on gender/age, fairness metrics (demographic parity difference <5%)
- Manage: Monthly performance monitoring, incident response plan, quarterly model retraining
EU AI Act gaps identified:
- Article 11 (technical documentation): NIST outputs exist but not in Annex IV format. Action: Compile into 16-section Annex IV document (32 pages). Effort: 24 hours.
- Article 13 (instructions for use): No user manual. Action: Write 20-page user manual covering accuracy, limitations, oversight procedures, input requirements. Effort: 16 hours.
- Article 14 (human oversight): Informal review process exists; no documented controls. Action: Implement override buttons in UI, add audit logging, write oversight protocol. Effort: 40 hours (engineering + documentation).
- Article 43 (conformity assessment): Not started. Action: Self-assessment (Annex VI checklist), draft EU declaration of conformity. Effort: 12 hours.
- Article 49 (CE marking): Not applicable until conformity assessment complete. Action: Affix CE mark to product page and documentation after conformity. Effort: 2 hours.
- Article 51 (EU database registration): Not started. Action: Register system in EU database (online form, attach technical documentation summary). Effort: 4 hours.
- Article 61 (post-market monitoring plan): Monitoring exists; plan not documented in EU format. Action: Write post-market monitoring plan (6 pages) and file with technical documentation. Effort: 8 hours.
- Article 72 (incident reporting): Incident response plan exists; no authority notification procedure. Action: Add 15-day reporting procedure to incident response plan, identify national authority contact. Effort: 4 hours.
Total effort to close gaps: 110 hours (3 weeks for a small team).
Cost: Internal labor only.
Alternative: Traditional EU AI Act audit would cost €15,000–€30,000 and take 10–14 weeks.
How Vigilia Automates NIST-to-EU Mapping
Vigilia's EU AI Act audit includes a NIST AI RMF gap analysis:
- Automated questionnaire that recognizes NIST AI RMF outputs and maps them to EU AI Act articles
- Gap detection for EU-specific requirements (technical documentation format, conformity assessment, CE marking, registration)
- Remediation roadmap with effort estimates for each gap
- Explainable scoring — shows which NIST controls satisfy which EU articles and where gaps remain
The audit takes 20 minutes and costs €499 — versus €5,000–€40,000 for a traditional compliance review.
If you've implemented NIST AI RMF, you're 60–70% of the way to EU AI Act compliance. Vigilia tells you exactly what's left and how to close the gaps before August 2, 2026.
Generate your NIST-to-EU gap analysis now: www.aivigilia.com
This article is for informational purposes only and does not constitute legal advice. Consult a qualified EU AI Act attorney for binding guidance on your specific system.