2026-04-16·12 min read·

EU AI Act Art.42 Presumption of Conformity: Training Data Geography & EUCS Cybersecurity — Developer Guide (2026)

EU AI Act Article 42 is the conformity shortcut article. Where Art.40 (harmonised standards) and Art.41 (common specifications) create broad presumptions of conformity covering multiple Chapter II requirements simultaneously, Art.42 is narrower and more surgical: it creates two specific, evidence-based presumptions that allow providers to satisfy discrete requirements without independent testing — one for training-data representativeness (Art.10(4)) and one for cybersecurity (Art.15).

For developers who have invested in geographically or functionally tailored training datasets, or who have obtained an EU Cybersecurity Act certification for their system, Art.42 converts those investments into legally recognised conformity shortcuts. The presumptions are rebuttable — a market surveillance authority can challenge them with contrary evidence — but they shift the evidential burden from provider to authority, which is a significant practical advantage.

Understanding Art.42 also matters for procurement and due-diligence workflows: when evaluating whether an acquired or licensed AI component is conformant, an Art.42 presumption backed by a documented EUCS certificate or a well-documented training-data geography brief is a faster compliance path than a full independent Chapter II audit.

What Art.42 Does: Two Paragraphs

Art.42(1) — Training Data Geography Presumption

"High-risk AI systems that have been trained and tested on data concerning the specific geographical, behavioural or functional setting within which they are intended to be used shall be presumed to be in compliance with the requirements set out in Article 10(4) where such data meets the specifications and conditions for data governance set out in Article 10."

Art.10(4) requires that training, validation and testing datasets be relevant, representative, free of errors, and complete to the extent possible. This is the most technically demanding data-governance requirement in Chapter II — it requires that datasets reflect the intended deployment setting with sufficient coverage to prevent systematic bias or performance gaps.

Art.42(1) offers a shortcut: if you can demonstrate that you trained and tested on data that actually reflects the specific geographical, behavioural or functional context of deployment, and that data satisfies the Art.10 data-governance framework, the conformity authority will presume Art.10(4) compliance. You do not need an independent auditor to certify representativeness — the training-data record itself carries the presumption.

Key requirements for Art.42(1) to apply:

Requirement	What to document
Geographic specificity	Data collection region(s) match intended deployment region(s). If deploying in Germany, training data must cover German demographic, linguistic, cultural distributions.
Behavioural specificity	Data reflects actual user behaviour patterns in the deployment context — not proxy datasets from analogous markets.
Functional specificity	Data covers the specific task domain (e.g., medical imaging from the relevant anatomical population, not generic radiological datasets).
Art.10 data-governance compliance	Provenance documentation, bias analysis, quality controls, and access-control records as per Art.10(2)–(3) are in place.
Training and testing	Both training and test splits must meet these criteria. A representative training set with a non-representative test set does not qualify.

What Art.42(1) does NOT cover:

Art.10(1)–(3): Data governance practices (design choices, pre-processing, documentation) — these remain direct obligations, not presumed.
Art.10(5): Special categories of personal data — these have additional controls not covered by the presumption.
Any other Chapter II requirement: Art.9 (risk management), Art.11 (technical documentation), Art.13 (transparency), Art.14 (human oversight), Art.15 (cybersecurity) — none are covered by Art.42(1).

Art.42(2) — EUCS Cybersecurity Presumption

"High-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 and the references of which have been published in the Official Journal of the European Union shall be presumed to be in compliance with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements."

Art.15 requires high-risk AI systems to achieve appropriate levels of accuracy, robustness and cybersecurity — including resilience against adversarial manipulation, data poisoning, model inversion, and confidentiality breaches. These are demanding technical requirements with no single standard mandating precise implementation approaches.

Art.42(2) offers a shortcut: if your system holds a valid certificate (or statement of conformity) under a cybersecurity scheme adopted pursuant to Regulation (EU) 2019/881 (the EU Cybersecurity Act, EUCS), and the scheme's OJ reference has been published, then to the extent the certificate covers cybersecurity requirements corresponding to Art.15, you are presumed to be in compliance with those Art.15 requirements.

Key requirements for Art.42(2) to apply:

Requirement	What to document
Valid EUCS scheme	Certificate issued under a scheme pursuant to Reg. 2019/881 (not just any ISO 27001 or SOC2).
OJ reference published	The specific cybersecurity scheme must have its OJ reference published — check ENISA's Schemes Registry and EUR-Lex.
Coverage scope	The certificate must cover the specific cybersecurity aspects corresponding to Art.15 requirements (not just perimeter security or availability).
Certificate validity	Certificate must be current — expired certificates break the presumption.
Scope alignment	The certified system scope must match the deployed system scope — a certificate for System A cannot be applied to System B.

EUCS schemes relevant for AI systems in 2026:

In 2026, the EU Cybersecurity Act has produced several certification schemes. The European Union Common Criteria (EUCC) scheme (Commission Implementing Regulation 2024/482) covers ICT products and components, including AI software components. For cloud services hosting AI systems, the European Cybersecurity Certification Scheme for Cloud Services (EUCS) scheme is under finalisation.

EUCC (EUCS Implementing Reg. 2024/482): Covers ICT products. Applicable to AI software components deployed on-premises or as packaged products. Assurance levels: Substantial, High.
EUCS (Cloud Services): Under finalisation in 2026. Will cover cloud-delivered AI services. SaaS AI providers should monitor ENISA for OJ publication.
National schemes recognised under EUCS: Some national schemes (Germany BSZ, France ANSSI) may be recognised pending formal EUCS adoption. Check Art.57 of Reg. 2019/881 for recognition status.

What Art.42(2) does NOT cover:

Art.15 requirements not covered by the certificate scope.
Any other Chapter II requirement — accuracy, robustness, resilience requirements beyond the certificate scope remain direct obligations.
Post-market surveillance obligations under Art.30.

The Art.42 × Chapter II Intersection Matrix

Chapter II Article	Art.42(1) Presumption	Art.42(2) Presumption
Art.9 — Risk management	✗ Not covered	✗ Not covered
Art.10(1)–(3) — Data governance practices	✗ Direct obligation	✗ Not covered
Art.10(4) — Representativeness	✓ If geo/behav/func data matches	✗ Not covered
Art.10(5) — Special categories data	✗ Additional controls	✗ Not covered
Art.11 — Technical documentation	✗ Direct obligation	✗ Not covered
Art.12 — Record-keeping	✗ Direct obligation	✗ Not covered
Art.13 — Transparency/instructions	✗ Direct obligation	✗ Not covered
Art.14 — Human oversight	✗ Direct obligation	✗ Not covered
Art.15 — Accuracy/robustness/cybersecurity	✗ Not covered	✓ If EUCS cert covers scope

Practical implication: Art.42 never removes the need to comply with Art.9, Art.11, Art.13, or Art.14. It is a targeted shortcut for two specific requirements. The conformity assessment route (Art.43) still applies — Art.42 presumptions are inputs into the conformity assessment record, not replacements for it.

Art.42 vs. Art.40 vs. Art.41: Presumption Hierarchy

Art.40 Harmonised Standards → Broad: covers multiple Chapter II arts simultaneously.
                              Requires: OJ-published EN standard applicable to your system.
                              Status 2026: No OJ-referenced AI Act harmonised standards yet.

Art.41 Common Specifications → Broad: covers multiple Chapter II arts if CS adopted.
                              Requires: Commission implementing act with CS content.
                              Status 2026: No CS adopted yet.

Art.42(1) Training Data     → Narrow: covers Art.10(4) only.
                              Requires: Documented geo/behav/func data alignment.
                              Status 2026: AVAILABLE NOW if documentation in place.

Art.42(2) EUCS Certificate  → Narrow: covers Art.15 to extent of certificate scope.
                              Requires: EUCS-scheme cert with OJ-published references.
                              Status 2026: EUCC scheme operational; EUCS cloud finalising.

In 2026, because harmonised standards OJ references and common specifications are not yet available, Art.42 presumptions are the only regulatory shortcuts currently usable for high-risk AI conformity. This makes Art.42 disproportionately important in the 2024–2026 conformity window, even though it is the narrowest of the three presumption articles.

Qualifying for Art.42(1): Training Data Documentation

The Art.42(1) presumption stands or falls on your training data documentation. Market surveillance authorities reviewing compliance will look for evidence that:

Data collection geography is documented. Where was data collected? From what sources? Does the geographic distribution of training samples match the intended deployment region?
Behavioural representativeness is analysed. What user behaviour patterns does the data reflect? If deploying a recruitment AI in Germany, does training data reflect German hiring practice distributions — not US or generic EU proxies?
Functional coverage is mapped to deployment use cases. If deploying a medical-imaging AI for chest X-ray interpretation in EU hospitals, does training data include EU-acquired images from the relevant anatomical population, patient demographics, and imaging equipment configurations?
Test set geographic/behavioural/functional alignment mirrors training. A common error is maintaining a geographically representative training set but using a generic benchmark test set. Art.42(1) requires both to be representative.
Art.10 data governance controls are applied throughout. The presumption is conditional on the data meeting Art.10 specifications — which means data lineage, quality checks, bias measurement, and access controls must all be documented.

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

class PresumptionStatus(Enum):
    QUALIFIED = "qualified"
    PARTIAL = "partial"
    NOT_QUALIFIED = "not_qualified"
    UNDER_REVIEW = "under_review"

@dataclass
class TrainingDataGeographyRecord:
    """
    Art.42(1) — Documentation for training-data geography presumption.
    """
    system_id: str
    deployment_region: str                    # e.g. "DE", "EU27", "France-Ile-de-France"
    training_data_regions: list[str]          # regions from which training data was collected
    test_data_regions: list[str]              # must match deployment_region
    behavioural_representativeness: str       # description of behaviour patterns captured
    functional_specificity: str              # description of task-domain coverage
    art10_governance_compliant: bool          # full Art.10(2)-(3) governance in place
    bias_analysis_completed: bool
    provenance_documented: bool
    special_categories_data: bool            # if True, Art.10(5) controls also required
    documentation_date: date
    review_date: Optional[date] = None

    def assess_art42_1_presumption(self) -> PresumptionStatus:
        """Assess whether Art.42(1) presumption applies."""
        # Geographic alignment check
        geo_aligned = any(
            r == self.deployment_region or self.deployment_region.startswith(r[:2])
            for r in self.training_data_regions
        ) and any(
            r == self.deployment_region or self.deployment_region.startswith(r[:2])
            for r in self.test_data_regions
        )

        if not geo_aligned:
            return PresumptionStatus.NOT_QUALIFIED

        # Art.10 governance prerequisite
        if not self.art10_governance_compliant:
            return PresumptionStatus.NOT_QUALIFIED

        if not self.bias_analysis_completed or not self.provenance_documented:
            return PresumptionStatus.PARTIAL

        return PresumptionStatus.QUALIFIED

    def conformity_evidence_summary(self) -> dict:
        return {
            "article": "42(1)",
            "presumption_target": "Art.10(4) representativeness",
            "system_id": self.system_id,
            "deployment_region": self.deployment_region,
            "training_regions": self.training_data_regions,
            "test_regions": self.test_data_regions,
            "status": self.assess_art42_1_presumption().value,
            "art10_governance": self.art10_governance_compliant,
            "bias_analysis": self.bias_analysis_completed,
            "documentation_date": str(self.documentation_date),
        }


@dataclass
class EUCSCertificateRecord:
    """
    Art.42(2) — EUCS certificate record for cybersecurity presumption.
    """
    system_id: str
    scheme_name: str                         # e.g. "EUCC", "EUCS-Cloud"
    scheme_oj_reference: str                 # OJ:L:2024:xxx:... or similar
    certificate_id: str
    issuing_body: str                        # accredited CAB
    assurance_level: str                     # "Substantial" or "High"
    valid_from: date
    valid_until: date
    scope_description: str                   # which components/functions are certified
    art15_coverage_aspects: list[str]        # which Art.15 cybersecurity aspects are covered
    deployed_system_in_scope: bool           # does deployed system match certificate scope?

    def is_certificate_valid(self, check_date: date = None) -> bool:
        check_date = check_date or date.today()
        return self.valid_from <= check_date <= self.valid_until

    def assess_art42_2_presumption(self, check_date: date = None) -> PresumptionStatus:
        """Assess whether Art.42(2) presumption applies."""
        if not self.scheme_oj_reference:
            return PresumptionStatus.NOT_QUALIFIED  # Scheme must have OJ reference

        if not self.is_certificate_valid(check_date):
            return PresumptionStatus.NOT_QUALIFIED  # Expired certificate

        if not self.deployed_system_in_scope:
            return PresumptionStatus.NOT_QUALIFIED  # Scope mismatch

        if not self.art15_coverage_aspects:
            return PresumptionStatus.PARTIAL  # Certificate doesn't cover Art.15 aspects

        return PresumptionStatus.QUALIFIED

    def conformity_evidence_summary(self) -> dict:
        return {
            "article": "42(2)",
            "presumption_target": "Art.15 cybersecurity requirements",
            "system_id": self.system_id,
            "scheme": self.scheme_name,
            "oj_reference": self.scheme_oj_reference,
            "certificate_id": self.certificate_id,
            "valid_until": str(self.valid_until),
            "art15_covered": self.art15_coverage_aspects,
            "status": self.assess_art42_2_presumption().value,
        }


class Art42ConformityPresumptionManager:
    """
    Manage Art.42 presumptions across training data and EUCS certificates.
    Integrates with the Art.43 conformity assessment record.
    """

    def __init__(self, system_id: str):
        self.system_id = system_id
        self.training_data_records: list[TrainingDataGeographyRecord] = []
        self.eucs_certificates: list[EUCSCertificateRecord] = []

    def add_training_data_record(self, record: TrainingDataGeographyRecord):
        self.training_data_records.append(record)

    def add_eucs_certificate(self, cert: EUCSCertificateRecord):
        self.eucs_certificates.append(cert)

    def art10_4_presumption_status(self) -> dict:
        """Check if Art.42(1) presumption covers Art.10(4)."""
        qualified = [
            r for r in self.training_data_records
            if r.assess_art42_1_presumption() == PresumptionStatus.QUALIFIED
        ]
        return {
            "requirement": "Art.10(4) representativeness",
            "presumption_article": "Art.42(1)",
            "qualified_records": len(qualified),
            "total_records": len(self.training_data_records),
            "status": PresumptionStatus.QUALIFIED.value if qualified else PresumptionStatus.NOT_QUALIFIED.value,
        }

    def art15_presumption_status(self, check_date: date = None) -> dict:
        """Check if Art.42(2) presumption covers Art.15."""
        check_date = check_date or date.today()
        valid_certs = [
            c for c in self.eucs_certificates
            if c.assess_art42_2_presumption(check_date) == PresumptionStatus.QUALIFIED
        ]
        all_aspects = []
        for c in valid_certs:
            all_aspects.extend(c.art15_coverage_aspects)
        return {
            "requirement": "Art.15 cybersecurity",
            "presumption_article": "Art.42(2)",
            "valid_certificates": len(valid_certs),
            "total_certificates": len(self.eucs_certificates),
            "art15_aspects_covered": list(set(all_aspects)),
            "status": PresumptionStatus.QUALIFIED.value if valid_certs else PresumptionStatus.NOT_QUALIFIED.value,
        }

    def remaining_direct_obligations(self) -> list[str]:
        """
        List Chapter II requirements NOT covered by Art.42 presumptions.
        These must still be demonstrated through direct evidence.
        """
        direct = [
            "Art.9 — Risk management system",
            "Art.10(1)-(3) — Data governance practices",
            "Art.10(5) — Special categories data controls (if applicable)",
            "Art.11 — Technical documentation (Annex IV)",
            "Art.12 — Record-keeping and logging",
            "Art.13 — Transparency and instructions for use",
            "Art.14 — Human oversight design",
        ]
        # If Art.42(1) doesn't qualify, Art.10(4) also remains direct
        if self.art10_4_presumption_status()["status"] != PresumptionStatus.QUALIFIED.value:
            direct.insert(1, "Art.10(4) — Data representativeness (no Art.42(1) presumption)")
        # Art.15 aspects not covered by certificate
        art15_status = self.art15_presumption_status()
        if art15_status["status"] != PresumptionStatus.QUALIFIED.value:
            direct.append("Art.15 — Accuracy, robustness, cybersecurity (no Art.42(2) presumption)")
        return direct

    def generate_conformity_report(self) -> dict:
        return {
            "system_id": self.system_id,
            "art42_presumptions": {
                "art10_4": self.art10_4_presumption_status(),
                "art15": self.art15_presumption_status(),
            },
            "direct_obligations_remaining": self.remaining_direct_obligations(),
        }

CLOUD Act Jurisdiction Risk for Art.42 Evidence

Art.42 presumptions are only as strong as the evidence backing them. Both types of evidence — training data documentation and EUCS certificates — carry jurisdiction risk if stored on US-controlled infrastructure.

Training data documentation (Art.42(1)):

Training data records, bias analyses, provenance logs, and Art.10 data-governance documentation are all sensitive compliance records. If stored on AWS, Azure or GCP, a US government subpoena under the CLOUD Act can compel production of these records even without EU judicial approval. This creates a scenario where a market surveillance authority investigating your Art.42(1) presumption finds your evidence has already been disclosed to US law enforcement — a reputational and regulatory problem.

EUCS certificate records (Art.42(2)):

EUCS certificates themselves are public records (registered with ENISA). But the underlying assessment documentation — vulnerability reports, penetration test results, cryptographic implementation records — is confidential and sensitive. If held by a US-headquartered notified body or on US infrastructure, CLOUD Act compellability applies.

Mitigation:

Store training data governance documentation, bias analyses, and provenance records on EU-sovereign infrastructure (EU-based providers without US ownership or control).
Prefer EU-headquartered conformity assessment bodies for EUCS certification to avoid assessment documentation crossing CLOUD Act jurisdiction.
Include an explicit Art.42 evidence-jurisdiction clause in your Art.43 conformity assessment record noting that all Art.42 evidence is stored EU-sovereign.

Common Mistakes

Mistake 1: Claiming Art.42(1) without Art.10 governance in place.

Art.42(1) explicitly requires that training data meets "the specifications and conditions for data governance set out in Article 10." Developers who have representative data but have not implemented Art.10's data governance framework (provenance documentation, bias analysis, pre-processing records) cannot claim the presumption. The presumption is conditional, not just geographic.

Mistake 2: Using a non-EUCS cybersecurity certificate for Art.42(2).

ISO 27001, SOC2, CSA STAR, and other industry certifications do not qualify for Art.42(2). Only schemes adopted pursuant to Regulation (EU) 2019/881 (the EU Cybersecurity Act) with published OJ references create the presumption. Presenting ISO 27001 as Art.42(2) evidence in a market surveillance investigation is a significant compliance error.

Mistake 3: Treating Art.42 presumptions as removing the Art.43 conformity assessment.

Art.42 presumptions are inputs to the Art.43 conformity assessment. The Art.43 procedure (internal control via Annex VI or notified body via Annex VII) must still be completed. Art.42 makes the Art.10(4) and Art.15 sections of that assessment easier to satisfy — it does not replace the procedure.

Mistake 4: Failing to document test-set geography for Art.42(1).

Many teams have well-documented training data geography but use generic benchmark test sets (e.g., MNIST derivatives, ImageNet subsets, public NLP benchmarks). Art.42(1) requires training and testing data to reflect the specific geographical, behavioural or functional setting. A non-representative test set breaks the presumption even if training data is fully representative.

Mistake 5: Ignoring certificate expiry for Art.42(2).

EUCS certificates have defined validity periods (typically 3–5 years). An expired certificate breaks the Art.42(2) presumption immediately. Build certificate expiry monitoring into your compliance management system — a missed renewal leaves you with an Art.15 direct-obligation gap.

Mistake 6: Applying Art.42 to systems outside Chapter II scope.

Art.42 only applies to high-risk AI systems (Annex III or Annex I product-safety components) subject to Chapter II obligations. General-purpose AI models (Chapter V) have separate requirements. Applying Art.42 presumptions to a GPAI model's Art.52–56 obligations is incorrect.

Art.42 Checklist — 30 Items

Training Data Geography Presumption (Art.42(1))

☐ Training data geography (collection regions) is documented per intended deployment region
☐ Behavioural patterns in training data are mapped to deployment-context user behaviour
☐ Functional specificity of training data is documented (task domain, use-case alignment)
☐ Test/validation split geography is documented separately and matches deployment region
☐ Test set is NOT a generic public benchmark — it is deployment-context representative
☐ Art.10(2) data-governance framework is in place (provenance, lineage, access controls)
☐ Art.10(3) data quality controls (error rates, missing data, labelling quality) are documented
☐ Bias analysis across protected characteristics in deployment region completed
☐ Art.10(5) special categories data controls applied if applicable
☐ Data collection dates and sources are recorded for temporal representativeness

Art.42(1) Presumption Activation 11. ☐ Art.42(1) claim is explicitly recorded in the Art.43 conformity assessment record 12. ☐ Supporting training data documentation is referenced in the Art.48 DoC 13. ☐ Training data documentation stored on EU-sovereign infrastructure 14. ☐ Jurisdiction notation (CLOUD Act risk) included in evidence file 15. ☐ Review schedule established for training data representativeness (at minimum annually)

EUCS Certificate Presumption (Art.42(2)) 16. ☐ Certificate issued under a scheme pursuant to Reg. 2019/881 (not just ISO 27001) 17. ☐ Scheme OJ reference is published in the Official Journal of the EU 18. ☐ Certificate is current (check expiry date — build monitoring alert) 19. ☐ Certificate scope covers the deployed system (not just a sub-component or test environment) 20. ☐ Certificate explicitly maps to Art.15 cybersecurity aspects (accuracy, robustness, adversarial resilience) 21. ☐ Certificate assurance level is appropriate for system risk profile (Substantial vs. High) 22. ☐ Issuing conformity assessment body is EU-headquartered (reduces CLOUD Act risk) 23. ☐ Assessment documentation (pentest results, vulnerability reports) stored on EU infrastructure

Art.42(2) Presumption Activation 24. ☐ Art.42(2) claim is explicitly recorded in Art.43 conformity assessment record 25. ☐ Certificate ID, OJ reference, and expiry date cited in Art.48 DoC 26. ☐ Art.15 aspects NOT covered by certificate are documented as direct obligations 27. ☐ Certificate expiry monitoring in place (automated alert ≥ 90 days before expiry) 28. ☐ Re-certification process initiated before expiry — no conformity gap

Combined Art.42 Governance 29. ☐ Direct obligations remaining under Art.9, Art.11, Art.13, Art.14, Art.10(1)–(3) are separately evidenced 30. ☐ Art.42 evidence package reviewed at each substantial modification trigger (Art.3(23))

How Art.42 Fits the Full Conformity Chain

Art.10(4) Representativeness obligation
    → Art.42(1) presumption (if geo/behav/func data documented + Art.10 governance)
    → Input to Art.43 conformity assessment record (Annex VI internal control)
    → Referenced in Art.48 Declaration of Conformity (§ mandatory content)
    → CE marking affixed under Art.49

Art.15 Cybersecurity obligation
    → Art.42(2) presumption (if EUCS cert with OJ reference, in scope, current)
    → Input to Art.43 conformity assessment record (cybersecurity section)
    → Referenced in Art.48 Declaration of Conformity (list of applied standards/certs)
    → CE marking affixed under Art.49

Remaining Chapter II obligations (Art.9, Art.11, Art.13, Art.14, Art.10(1)-(3))
    → Direct evidence required (no Art.42 shortcut)
    → May be supported by Art.40 harmonised standards (when OJ references published)
    → May be supported by Art.41 common specifications (when adopted)
    → Art.43 conformity assessment record must address all remaining obligations

2026 Status: What Art.42 Gives You Now

In the 2024–2026 conformity window, Art.42 is uniquely valuable precisely because Art.40 and Art.41 are not yet operational (no OJ-referenced harmonised standards, no adopted common specifications). This means:

Art.42(1) is the only regulatory shortcut for Art.10(4) that does not require an external standard. If you have good training-data documentation, you can activate this presumption now.
Art.42(2) is operational for ICT products under EUCC (Implementing Regulation 2024/482, OJ reference published). AI software components assessed under EUCC at Substantial or High assurance can use the Art.42(2) presumption for Art.15 cybersecurity requirements.
EUCS Cloud Services scheme is under finalisation. SaaS AI providers should monitor ENISA for OJ publication — when published, cloud-delivered AI systems with EUCS certificates can immediately activate Art.42(2) for Art.15.

The bottom line for developers in 2026: Invest in training-data documentation (geography, behaviour, function, Art.10 governance) and obtain an EUCC certificate for your AI software component if feasible. These are the only two conformity shortcuts currently usable while the harmonised standards programme matures.