EU AI Act Art.41 Common Specifications: Commission Fallback for High-Risk AI — Developer Guide (2026)
EU AI Act Article 41 is the Commission's contingency mechanism for the conformity baseline of high-risk AI systems. Where the European harmonised standards system fails to deliver — either because no standard has been published covering a particular Chapter II requirement, or because an existing standard is deemed inadequate — the Commission can step in directly and publish common specifications (CS) via implementing acts. Those CS carry the same legal weight for conformity purposes as harmonised standards under Art.40.
For developers, Art.41 is not a first-choice tool. The hierarchy is clear: harmonised standards (Art.40) come first; CS (Art.41) are the fallback. But Art.41 matters in 2026 precisely because the harmonised standards programme is still maturing — OJ references for AI Act–specific standards are not yet published. In this interim period, the Commission can and likely will use Art.41 to publish CS that fill critical conformity gaps, particularly for high-risk categories with imminent compliance obligations.
Understanding Art.41 also matters for a second reason: CS published under Art.41 are Commission-controlled rather than industry-controlled. Unlike harmonised standards, where CEN/CENELEC/ETSI translate industry expertise into EN norms, CS are written by Commission officials with expert input — meaning they can be narrower, less technically nuanced, and less attuned to implementation reality. Early engagement with CS consultations is how the industry shapes this output.
What Art.41 Does: Three Paragraphs
Art.41(1) — Commission Power to Adopt CS via Implementing Acts
Where harmonised standards referred to in Article 40 do not exist, or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to address specific safety concerns, the Commission may, by means of implementing acts, establish common specifications in respect of the requirements set out in Chapter 2 of this Title.
Three conditions trigger CS authority:
- No harmonised standard covering the relevant Chapter II requirement exists with an OJ reference; or
- Existing harmonised standards are insufficient — the Commission must make a positive determination that published standards do not adequately address the regulatory requirements; or
- Specific safety concerns are not addressed by existing standards — a safety-based override allowing CS even where standards nominally cover the area
Art.41(1) is explicit that CS take the form of implementing acts, adopted via the examination procedure of Art.5 of Regulation (EU) No 182/2011 (the EU Comitology Regulation). This is procedurally significant: implementing acts require a qualified majority of Member State representatives in the relevant committee — the AI Act's implementation committee — before the Commission can adopt them. Stakeholder consultation is part of the process, and drafts are typically published for comment.
The scope is Chapter II, Title III — exactly the same scope as Art.40. CS cover Arts.8–15: risk management (Art.9), data and data governance (Art.10), technical documentation (Art.11), record-keeping (Art.12), transparency and provision of information (Art.13), human oversight (Art.14), and accuracy, robustness and cybersecurity (Art.15). CS do not directly create obligations under Chapter III (provider/deployer duties) or Chapter IV (notified bodies), though they indirectly inform those chapters.
Art.41(2) — Legal Effect: Same as Harmonised Standards
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). High-risk AI systems which are in conformity with the common specifications referred to in paragraph 1 of this article shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, to the extent that those requirements are covered by such common specifications.
CS trigger the same presumption of conformity as harmonised standards under Art.40(1). A high-risk AI system built in accordance with an adopted CS is presumed compliant with the Chapter II requirements the CS covers — no additional independent demonstration is needed for those covered requirements.
The procedural reference is to Art.98(2) (the AI Act's implementing act procedure). Art.98(2) uses the examination procedure, meaning the committee must deliver a positive opinion (qualified majority) for the Commission to adopt. Where no opinion is delivered, the Commission may proceed or refer to the Appeal Committee. This is a higher bar than a simple advisory opinion, giving Member States meaningful input into CS content.
Art.41(3) — CS Review and Update
When common specifications have been established pursuant to this article, the Commission shall periodically review them, taking into account the evolution of technology and of the relevant market, and shall update them where necessary to address developments in AI technologies or to take account of new harmonised standards that have been published.
The Commission has a periodic review obligation for published CS. Two triggers for update are specified:
- Technology evolution — CS must remain current as AI architectures, training methods, and deployment patterns change
- New harmonised standards — when standards with OJ references are published covering areas the CS addressed, the CS may be narrowed or withdrawn since Art.40 becomes available
For developers, this creates an ongoing monitoring obligation analogous to monitoring OJ for new harmonised standard references. A CS in force today may be revised or superseded. Your conformity programme needs a CS-tracking mechanism parallel to your OJ-monitoring mechanism.
CS vs Harmonised Standards: The Key Differences
| Dimension | Art.40 Harmonised Standards | Art.41 Common Specifications |
|---|---|---|
| Instrument | European Standard (EN) by CEN/CENELEC/ETSI | Commission implementing act |
| Trigger | Commission standardisation request (mandate) | Gap or inadequacy in harmonised standards |
| Process | ESO technical committee → public enquiry → formal vote → EN publication → OJ reference | Commission drafts with expert input → examination committee → qualified majority → OJ publication |
| Industry input | High — industry experts in technical committees, mirror committees | Lower — stakeholder consultation but Commission retains control |
| Timeline | 3–5+ years from mandate to OJ reference | 12–24 months (implementing act procedure is faster) |
| Technical depth | High — detailed technical clauses, test methodologies, annexes | Moderate — regulatory requirements translated to specifications |
| Legal effect | Presumption of conformity for covered requirements | Same presumption of conformity |
| Revision trigger | Standards revision every 5 years typical; forced by technical evolution | Periodic Commission review + new harmonised standard publication |
| Preferred by | Industry (more nuanced, industry-driven) | Commission (faster, more control) |
| Preferred when | Standards exist and are technically adequate | Standards absent or inadequate — interim period |
When Art.41 CS Will Actually Be Published
In 2026, no Art.41 CS have been adopted for high-risk AI under the AI Act. The Commission has prioritised the harmonised standards route (mandating CEN-CENELEC JTC 21) and is monitoring whether harmonised standards will emerge in time for the August 2026 compliance dates for most high-risk AI systems under Annex III.
Several scenarios could trigger Art.41 CS publication:
Scenario A — JTC 21 Delay: If CEN-CENELEC JTC 21 fails to deliver OJ-referenced standards before August 2026, the Commission will likely adopt targeted CS to fill the gap. The Art.9 risk management requirements and Art.10 data governance requirements are the most likely candidates, as they are the most specific and most likely to be scrutinised in enforcement.
Scenario B — Standard Adequacy Challenge: National competent authorities or the AI Office could determine that published standards (such as EN ISO/IEC 42001 once OJ-referenced) inadequately address specific Art.9–15 requirements. This would trigger Art.41 CS to supplement rather than replace the harmonised standard.
Scenario C — Sector-Specific CS: High-risk categories with specific safety concerns — biometric identification (Annex III, pt.1), critical infrastructure (Annex III, pt.2), employment (Annex III, pt.4) — may receive sector-specific CS before general horizontal standards are complete.
Developer implication: Monitor the AI Office's publications and the EUR-Lex implementing acts database for Art.41 CS notices. Treat the absence of CS as a signal that independent conformity evidence (Art.9–15 self-assessment without a harmonised standard or CS) is currently required — not that compliance obligations are deferred.
Art.41 in the Conformity Framework
Art.41 × Art.40: The Hierarchy
Art.41 is explicitly triggered only where Art.40 harmonised standards "do not exist" or are "insufficient." The hierarchy is:
1. Harmonised standards (Art.40) — preferred, industry-driven
└─ OJ reference published? → Presumption of conformity
└─ OJ reference pending? → Use draft standard as evidence, no presumption
2. Common specifications (Art.41) — fallback, Commission-driven
└─ CS adopted? → Same presumption of conformity
└─ CS pending? → No presumption; independent conformity evidence required
3. Independent conformity evidence — baseline when neither Art.40 nor Art.41 available
└─ Art.9–15 self-assessment documentation
└─ Technical documentation under Annex IV
└─ Art.43 conformity assessment consuming that documentation
In practice, Art.40 and Art.41 are not mutually exclusive across different requirements. A harmonised standard might cover Art.9 risk management but not Art.15 cybersecurity; an Art.41 CS could fill the Art.15 gap while the Art.40 standard covers Art.9.
Art.41 × Art.43: Conformity Assessment
Art.43 governs the conformity assessment procedure — Annex VI (internal control) for most high-risk systems, Annex VII (notified body) for biometric identification and regulated product safety components. CS adopted under Art.41 feed into Art.43 in the same way harmonised standards do:
- Annex VI Track: The internal control self-assessment tests your system against Chapter II requirements. If an Art.41 CS is in force, conformity with the CS satisfies the corresponding requirement in your Art.43 assessment.
- Annex VII Track: Notified bodies conduct their assessment against the applicable requirements. CS serve as the technical specification against which the notified body assesses. Being in conformity with CS simplifies the notified body's assessment.
Key difference from Art.40: Harmonised standards often come with test methodologies, conformity assessment procedures, and certification schemes developed alongside the standard. CS may not. Where CS lack detailed assessment guidance, your Art.43 assessment may require more independent documentation of how you demonstrate conformity with the CS requirements.
Art.41 × Art.48: Declaration of Conformity
Art.48 requires providers to draw up an EU Declaration of Conformity (DoC) before market placement. When CS are in force and your system conforms to them, the DoC must reference the applicable CS — by title, number, and date of publication in the Official Journal. This is equivalent to the Art.40 requirement to reference harmonised standards in the DoC.
Art.48(2)(f) requires the DoC to list the relevant harmonised standards applied or the CS with which conformity is declared. Mixed references — some Art.40 standards, some Art.41 CS — are expected as the standards landscape matures.
Art.41 × Art.9 Risk Management
Art.9 requires high-risk AI providers to implement a risk management system covering identification, analysis, estimation, evaluation, elimination or mitigation of risks. If an Art.41 CS specifies the risk management requirements for a particular high-risk category, conformity with the CS satisfies Art.9 for covered risks.
Where CS are silent or gaps exist, Art.9 compliance remains self-assessed. The risk management documentation your Art.43 Annex VI assessment relies on must cover all Art.9 requirements — regardless of whether a CS addresses them.
Art.41 × CLOUD Act Jurisdiction Risk
CS evidence — your conformity programme documentation demonstrating alignment with Art.41 specifications — is subject to the same CLOUD Act compellability risk as all compliance documentation. Where CS evidence is stored on infrastructure subject to US jurisdiction (AWS, Azure GCP, and their enterprise tools), a US government request can compel disclosure without triggering GDPR notification.
For high-risk AI systems where CS evidence includes sensitive technical documentation (system architecture, training data lineage, risk assessment outputs), this creates jurisdictional exposure that EU-sovereign infrastructure avoids. The single-regime argument applies to CS evidence as strongly as to harmonised standards evidence.
2026 CS Landscape: Current Status
As of mid-2026, the Commission has not adopted any Art.41 implementing acts establishing CS for high-risk AI systems under the AI Act. The compliance timeline is:
| Timeline | Event |
|---|---|
| August 2024 | AI Act enters into force |
| February 2025 | Title I + II apply (prohibited practices) |
| August 2025 | GPAI model obligations + codes of practice |
| August 2026 | Most Annex III high-risk obligations apply (Arts.8–49) |
| August 2027 | Annex I regulated product AI obligations apply |
| August 2030 | Annex I legacy high-risk AI in service applies |
The window for Art.41 CS publication before the August 2026 cliff is narrow. If JTC 21 harmonised standards are not OJ-referenced by June 2026, expect Commission activity on Art.41 CS for the most enforcement-relevant requirements.
What to monitor:
- EUR-Lex implementing acts search for "AI Act" + "common specifications"
- AI Office publications at digital-strategy.ec.europa.eu/ai-act
- EUDOMED / NANDO for sector-specific CS in regulated product categories
- Commission committee documents for draft CS circulated for member state review
Python Implementation
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from enum import Enum
class CSStatus(Enum):
DRAFT = "draft" # Circulated for consultation
COMMITTEE_REVIEW = "committee_review" # Under examination committee
ADOPTED = "adopted" # Implementing act published in OJ
REVISED = "revised" # Updated version published
SUPERSEDED = "superseded" # Replaced by harmonised standard
@dataclass
class CommonSpecificationRecord:
"""Tracks an Art.41 common specification and its conformity coverage."""
cs_title: str # Official title from implementing act
oj_reference: str # OJ L/C reference, e.g. "OJ L 123, 2026-03-01"
adoption_date: date # Date implementing act entered into force
scope: str # High-risk AI categories covered
requirements_covered: list[str] # Art.9/10/11/12/13/14/15 coverage list
status: CSStatus = CSStatus.ADOPTED
review_date: Optional[date] = None # Next periodic review date
superseded_by_standard: Optional[str] = None # EN reference if HS now covers area
notes: str = ""
def is_active(self) -> bool:
"""CS is active if adopted and not yet superseded."""
return self.status in {CSStatus.ADOPTED, CSStatus.REVISED}
def coverage_gap(self, required_arts: list[str]) -> list[str]:
"""Returns requirements not covered by this CS."""
return [art for art in required_arts if art not in self.requirements_covered]
@dataclass
class CSConformityRecord:
"""Records a system's conformity with a specific Art.41 common specification."""
system_id: str # Internal system identifier
cs_reference: str # OJ reference of applicable CS
assessment_date: date
requirements_demonstrated: list[str] # Which CS requirements are satisfied
evidence_location: str # Where conformity evidence is stored
assessor: str # Internal team or external assessor
jurisdiction: str # Storage jurisdiction (EU/US/other)
doc_section: str # DoC section reference (Art.48(2)(f))
def has_jurisdiction_risk(self) -> bool:
"""Flag if evidence stored outside EU jurisdiction."""
return self.jurisdiction.upper() != "EU"
class CSConformityChecker:
"""
Validates conformity with Art.41 common specifications.
Integrates with Art.43 conformity assessment workflow.
"""
CHAPTER_II_REQUIREMENTS = [
"art_8", # Chapter II general requirements
"art_9", # Risk management system
"art_10", # Data and data governance
"art_11", # Technical documentation
"art_12", # Record-keeping
"art_13", # Transparency
"art_14", # Human oversight
"art_15", # Accuracy, robustness, cybersecurity
]
def __init__(self, active_cs: list[CommonSpecificationRecord]):
self.active_cs = [cs for cs in active_cs if cs.is_active()]
def coverage_map(self) -> dict[str, list[str]]:
"""
Returns map of requirement → CS references covering it.
Empty list means no CS covers the requirement (independent evidence needed).
"""
coverage = {req: [] for req in self.CHAPTER_II_REQUIREMENTS}
for cs in self.active_cs:
for req in cs.requirements_covered:
if req in coverage:
coverage[req].append(cs.oj_reference)
return coverage
def uncovered_requirements(self) -> list[str]:
"""Requirements not covered by any active CS — need independent evidence."""
coverage = self.coverage_map()
return [req for req, cs_refs in coverage.items() if not cs_refs]
def conformity_basis(self, requirement: str) -> dict:
"""
For a given requirement, returns the conformity basis:
- Art.41 CS if CS covers it (presumption applies)
- 'independent' if no CS covers it (independent evidence required)
"""
coverage = self.coverage_map()
cs_refs = coverage.get(requirement, [])
if cs_refs:
return {
"basis": "art_41_common_specification",
"presumption": True,
"cs_references": cs_refs,
}
return {
"basis": "independent_evidence",
"presumption": False,
"note": "No Art.40 standard or Art.41 CS covers this requirement — document independently",
}
def doc_cs_section(self) -> list[str]:
"""
Generates the CS reference lines for Art.48 DoC (Art.48(2)(f)).
Returns formatted strings for each applicable CS.
"""
lines = []
for cs in self.active_cs:
lines.append(
f"Common Specification: {cs.cs_title} ({cs.oj_reference}), "
f"covering: {', '.join(cs.requirements_covered)}"
)
return lines
# Example: 2026 interim period — no CS yet adopted
# This represents the state a developer should document when no CS are available.
interim_checker = CSConformityChecker(active_cs=[])
print("Uncovered requirements (no CS in force):", interim_checker.uncovered_requirements())
# Output: all Chapter II requirements — independent evidence needed for all
# Example: hypothetical CS for Art.9 + Art.10 (if Commission adopts)
hypothetical_cs = CommonSpecificationRecord(
cs_title="Common Specifications for Risk Management and Data Governance of High-Risk AI Systems",
oj_reference="OJ L 200, 2026-07-01, p.1",
adoption_date=date(2026, 7, 1),
scope="High-risk AI systems under Annex III, points 2–8",
requirements_covered=["art_9", "art_10"],
status=CSStatus.ADOPTED,
review_date=date(2028, 7, 1),
)
checker_with_cs = CSConformityChecker(active_cs=[hypothetical_cs])
print("Still uncovered:", checker_with_cs.uncovered_requirements())
# Output: ['art_8', 'art_11', 'art_12', 'art_13', 'art_14', 'art_15']
Art.41 × Art.40: Practical Decision Flow
START: Is there a harmonised standard with OJ reference covering this requirement?
│
├─ YES → Apply Art.40 presumption of conformity
│ → Reference standard in Art.48 DoC
│ → Art.43 assessment tests against standard
│
└─ NO → Has the Commission adopted an Art.41 CS covering this requirement?
│
├─ YES (CS adopted, OJ published) → Apply Art.41 presumption of conformity
│ → Reference CS in Art.48 DoC
│ → Art.43 assessment tests against CS
│
└─ NO (no CS) → Independent conformity evidence required
→ Self-assess against Art.9–15 text directly
→ Document in Annex IV technical documentation
→ Art.43 Annex VI assessment consumes documentation
Monitoring Art.41 CS: Practical Mechanics
EUR-Lex Alert Setup:
Search: https://eur-lex.europa.eu/search.html
Filter: Document type = Implementing regulation, Implementing decision
Keywords: "EU artificial intelligence" AND "common specifications"
Alert: Set up "My EUR-Lex" email alert for new hits
AI Office Monitoring: The AI Office publishes updates on standards and CS developments at the European Commission's digital strategy portal. Subscribe to AI Office newsletters and the AI Pact working group updates.
CELEX Pattern for CS:
Implementing acts under Art.41 will have CELEX numbers following the pattern 32026R???? (implementing regulations) or 32026D???? (implementing decisions). Filter EUR-Lex for 2026+ implementing acts citing "Regulation (EU) 2024/1689" (the AI Act) as legal basis.
30-Item Art.41 Common Specifications Compliance Checklist
CS Monitoring and Identification
- 1. EUR-Lex alert configured for Art.41 CS implementing acts (AI Act basis: Reg. 2024/1689)
- 2. AI Office newsletter subscription active for CS announcements
- 3. Responsible team member designated for CS monitoring (CS tracking owner)
- 4. Consultation participation process defined (respond to Commission CS draft consultations)
- 5. CS applicability assessment completed for your Annex III category
CS Coverage Analysis
- 6. All applicable Chapter II requirements listed (Art.9 through Art.15)
- 7. Active CS mapped to each requirement (coverage map produced)
- 8. Uncovered requirements identified — independent evidence required for each
- 9. Art.40 / Art.41 hybrid map produced (some requirements HS, some CS, some independent)
- 10. CS scope confirmed against your system's Annex III classification
Conformity Programme Integration
- 11. Art.43 conformity assessment procedure updated to consume applicable CS
- 12. Annex VI internal control self-assessment tests updated for CS requirements
- 13. Technical documentation (Annex IV) references applicable CS with OJ citations
- 14. Art.48 DoC updated to reference applicable CS under Art.48(2)(f)
- 15. Art.48 DoC version-controlled — CS reference includes OJ date and reference number
Evidence and Documentation
- 16. Conformity evidence per CS requirement created and stored
- 17. Evidence stored in EU-jurisdiction infrastructure (CLOUD Act risk mitigated)
- 18. Evidence linked to specific CS paragraphs (not general CS reference)
- 19. Gap evidence documented for uncovered requirements (independent self-assessment)
- 20. Art.18 retention: CS conformity records retained for 10 years post-market placement
CS Update Management
- 21. CS revision monitoring process in place (Art.41(3) periodic review)
- 22. New harmonised standard supersession monitoring active (Art.40 may displace Art.41)
- 23. CS version history tracked — DoC references the specific OJ version applied
- 24. Change management process: CS update → conformity re-assessment → DoC re-issue
- 25. Substantial modification (Art.3(23)) assessment triggers CS review
Risk Management Integration
- 26. Art.9 risk management programme references applicable CS risk requirements
- 27. Art.10 data governance documentation maps to CS data requirements
- 28. Art.15 robustness/cybersecurity documentation maps to CS technical requirements
- 29. Market surveillance response plan updated — CS conformity documentation retrievable within 5 days (Art.74)
- 30. Notified body (if Annex VII applies) briefed on applicable CS — assessment scope agreed
Key Takeaways for Developers in 2026
No CS in force yet (mid-2026): As of the August 2026 Annex III compliance date, no Art.41 CS have been adopted. This means the full burden of Arts.9–15 conformity falls on independent self-assessment documentation. Treat the Annex IV technical documentation requirement as your primary conformity instrument.
Art.41 is coming: The Commission has strong incentive to publish CS to reduce enforcement ambiguity and provide legal certainty before national authorities begin enforcement. Monitor Q3–Q4 2026 for implementing act proposals, particularly for Art.9 and Art.10.
CS lowers the bar, not the obligation: A CS in force means the conformity path is clearer, not that compliance effort is reduced. You still need to implement the requirements — the CS just specifies what implementing them looks like.
Build for both paths: Design your conformity programme to accommodate both Art.40 harmonised standards and Art.41 CS as they emerge. The CSConformityChecker pattern above — a coverage map that merges Art.40 standards and Art.41 CS into a unified view — is the right architectural pattern.
Infrastructure jurisdiction matters: CS evidence stored in EU-sovereign infrastructure avoids CLOUD Act compellability risk. For high-risk AI providers with enterprise customers requiring compliance guarantees, this is an infrastructure procurement decision, not just a legal footnote.