
Leon Doorn | Feb 14,
In this blogpost I explore the risk associated with not having harmonised standards in place in time under the AI Act.
Why is this relevant?
Without harmonised standards (or common specifications), the following will require third-party conformity assessment, e.g. with a Notified Body:
1. Devices covered by Annex III point 1 (biometric devices used for remote identification, categorisation and emotion recognition); and
2. Devices from manufacturers covered by Annex II Section A who are capable of demonstrating compliance by applying harmonised standards only (the majority of these products). They may also do so under the AI Act, but only if there are harmonised standards or common specifications available to support the AI Act.
Without harmonised standards, there will be a significant increase in the demand on the resources of already burdened Notified Bodies.
Harmonised standards
The concept of Harmonised Standards as included in the AI Act is not new, and is widely applied in European legislation. When a standard (for example, an ISO or IEC standard) is considered ‘harmonised’, organisations are presumed compliant with the requirements the standard is linked to (in a so-called ‘Annex Z’ of the standard). The concept is simple: the European Commission drafts a ‘standardisation request’ to standardisation organisations, requesting those organisations to develop standards which can be used to demonstrate compliance. These standardisation requests are publicly available. The ‘draft’* standardisation request for the AI Act is M/593, which has been sent to CEN/CENELEC’s JTC 21.
The standards organisation consequently develops a work program and the standards, and proposes the final standards to the European Commission, which outsources the review to HAS consultants. These consultants review the proposed standards (and can reject them) and create a so-called ‘Annex Z’ to demonstrate which parts of the regulation are addressed in the standard, after which the standard is published in the Official European Journal.
* An update of the standardisation request is due upon publication of the AI Act in the Official European Journal.
High-Risk AI requirements & Harmonised standards
Within the ‘draft’ standardisation request for the AI Act, the European Commission has already set out a number of standards to be developed by CEN/CENELEC, and due to the trilogue outcome, additional requests for harmonised standards are expected in the ‘final’ Standardisation Request, e.g. addressing General Purpose AI (GPAI).
This is of relevance to all High-Risk AI, where these AI Systems and their developers will need to demonstrate compliance with Title III (Chapters 2 and 3) of the AI Act. Chapters 2 and 3 set out the requirements on risk management (article 9), data governance (article 10), record-keeping (article 12) and quality management (article 17), to name a few.
In total 10 standards in relation to these requirements in the AI Act have been requested by the European Commission so far.
Conformity assessment & harmonised standards
Conformity assessment of High-Risk AI Systems per Annex III point 1 must be executed per Article 43 by either following a:
1. Conformity assessment based on internal control as referred to in Annex VI (e.g. issuing a Declaration of Conformity), or;
2. Conformity assessment procedure based on an assessment of the Quality Management System and Technical Documentation by a Notified Body as referred to in Annex VII.
Article 43 further explains that in the absence of harmonised standards or common specifications developers will have to apply 43(a), thus involving a Notified Body for their assessment.
For providers of High-Risk AI covered by Annex II Section A (e.g. machinery, toys, watercraft, etc.), Article 43.3 (last paragraph) clarifies that these providers can opt out of Notified Body assessment under their legislation if:
• it is acceptable under such legislation to demonstrate compliance through compliance with harmonised standards; and
• they applied available harmonised standards or common specifications set out in Chapter 2 of Title III.
In conclusion, these providers will also need to undergo third-party conformity assessment if harmonised standards or common specifications are unavailable.
Timelines
The AI Act will most likely enter into force mid-2024, with a transition period of 2 years for Annex III devices and 3 years for Annex II devices. CEN-CENELEC has only recently confirmed a proposed work program for standards, and existing ISO standards (e.g. the Management System standard ISO 42001) may not be sufficient to demonstrate compliance with the requirements of the AI Act, so the time left to develop standards is becoming short.
Given that developing a standard (excluding the harmonisation process) takes on average 3 years from the first proposal up to publication, it is unlikely that a full set of harmonised standards to demonstrate compliance will be available before the end of the 2-year transition period for biometric systems, and potentially not within the 3 years for devices covered under Annex II Section A applying harmonised standards.
Implications
Without harmonised standards or common specifications to demonstrate compliance with the AI Act’s High-Risk requirements, these Annex III (point 1) devices and Annex II Section A devices applying harmonised standards will all require Notified Body conformity assessment if they make use of AI.
The window for these devices to become certified will be small, with a 2-year transition timeline for Annex III point 1 devices and a 3-year transition timeline for those covered under Annex II Section A.
Considering that:
1. Notified Bodies will need to be accredited to issue CE certificates against the AI Act for certifying these devices covered by Annex III point 1, and
2. Developers will need to have fulfilled all relevant requirements set out in the AI Act.
Consequently, the pressure on Notified Bodies, which is already intense, will increase and, if not managed properly, can lead to numerous consequences that have been previously witnessed with the transition from the MDD to the MDR, and from the IVDD to the IVDR. For those involved in Medical Devices and In-Vitro Diagnostics, the frustrations and delays due to a lack of Notified Body resources are unfortunately still ongoing.
Additionally, the question is whether the European Commission should, in the background, start developing Common Specifications to avoid situations that the Medical Device industry is already familiar with. While Common Specifications can have drastic consequences (e.g. a lack of alignment with international frameworks), the alternative of having no harmonised standards may not be attractive either.
Article link: https://www.linkedin.com/pulse/role-harmonised-standards-under-ai-act-leon-doorn-qqime