NIST AI RMF
NIST AI RMF vs. EU AI Act: Mapping the Two Frameworks
How the NIST AI RMF's four functions map to the EU AI Act's legal obligations, where the two frameworks align closely, and where they genuinely diverge.
April 28, 2026 · 7 min read
NIST AI RMF
One is voluntary US guidance with no legal penalty for skipping it. The other is binding EU law with fines up to €35M. Despite that gap in legal status, the two frameworks share enough underlying structure that most of the work satisfies both — here's exactly where they align and where they don't.
TL;DR
- The NIST AI RMF is voluntary in the US; the EU AI Act is binding law with real penalties — their legal status is not comparable.
- Conceptually, Govern maps loosely to quality-management obligations, Map and Manage to Article 9 risk management, and Measure to Article 15 accuracy/robustness requirements.
- The EU AI Act adds legally specific requirements the RMF doesn't have — Annex III risk classification, conformity assessment, and CE marking.
- The RMF's four functions provide a genuinely useful internal structure even for organizations whose primary legal obligation is the EU AI Act.
- One risk assessment, done well, can produce most of the evidence both frameworks separately ask for.
Different Legal Status, Comparable Underlying Work
The RMF carries no legal penalty for non-adoption. The EU AI Act carries fines up to €35M or 7% of global turnover for the most serious violations. Despite that gap, both frameworks ask organizations to do fundamentally similar work: understand context, assess risk, measure performance, and manage treatment decisions.
A Rough Conceptual Mapping
What's Specific to the EU AI Act
- Legal risk classification into Annex III high-risk categories, with real regulatory consequences
- Conformity assessment and CE marking before market placement
- EU database registration for high-risk systems
- A specific provider/deployer legal obligation split
What's Specific to the NIST AI RMF
- Explicit categorization into 19 categories and 72 subcategories across four functions
- The concept of a current vs. target risk profile
- A companion Generative AI Profile (NIST AI 600-1) with 12 GenAI-specific risk categories
Where the Same Evidence Satisfies Both
| Evidence type | Satisfies |
|---|---|
| Risk assessment methodology and results | NIST Map/Measure, EU AI Act Article 9 |
| Technical documentation of system design | NIST Govern, EU AI Act Article 11 |
| Testing and performance monitoring records | NIST Measure, EU AI Act Article 15 |
A Practical Recommendation
If the EU AI Act is your binding legal obligation, use it to set your minimum compliance bar, and use the RMF's four-function structure as your internal organizing framework for how the work gets done day to day — you get legal coverage and organizational clarity from one combined effort instead of running two separate programs.
Primary Sources
- NIST — AI Risk Management Framework
- EUR-Lex — Regulation (EU) 2024/1689
A Practical Mapping Example
Consider a hiring-screening AI system. Under the RMF, you'd Map its context (purpose, affected candidates), Measure bias-testing results, and Manage treatment decisions. Under the EU AI Act, the same system — if it affects EU candidates — falls under Annex III employment obligations, requiring an Article 9 risk management system, Article 10 data governance, and Article 14 human oversight. The underlying bias testing and risk documentation largely overlaps; the EU AI Act simply adds specific legal form and conformity requirements on top.
Who Tends to Use Which in Practice
| Organization profile | Typical approach |
|---|---|
| US-only company, no EU exposure | NIST AI RMF as the primary structure |
| EU-based or EU-facing company | EU AI Act as the binding requirement, RMF as internal structure |
| Global enterprise | Both, with one shared risk assessment process underneath |
Where Unorma Fits
Both frameworks, one evidence base
Frequently asked questions
Is the NIST AI RMF a substitute for EU AI Act compliance?
No — the RMF is voluntary guidance with no legal force, while the EU AI Act is binding law with specific requirements like conformity assessment and CE marking that the RMF doesn't address.
Can one risk assessment satisfy both frameworks?
Largely, yes — a well-built risk assessment covering context, scoring and treatment produces most of the evidence both frameworks separately expect, though EU AI Act-specific steps like conformity assessment still need to happen separately.
Should a US company with no EU exposure bother with the EU AI Act?
Only if the AI system's output could affect people in the EU — the Act applies extraterritorially based on effect, not headquarters location, so many US companies with EU customers are still in scope.
Which framework should shape our internal process design?
The NIST AI RMF's four-function structure is a genuinely useful internal organizing framework even if the EU AI Act is your binding legal requirement — you can use one for structure and the other for the compliance bar.
Can you give a concrete example of how the two frameworks overlap?
A hiring-screening system's RMF-driven bias testing and risk documentation (Map, Measure, Manage) largely satisfies the underlying evidence the EU AI Act's Articles 9, 10 and 14 also require — the Act just adds specific legal form and conformity steps on top.
Do global enterprises typically run both frameworks separately?
No — most run a single shared risk assessment process underneath, then layer framework-specific documentation (RMF profiles, EU AI Act conformity assessment) on top of that shared foundation.
Which framework should a company adopt first if starting from scratch?
Whichever is legally binding for your business first — the EU AI Act if you have EU exposure — then layer the NIST AI RMF's structure on top as an internal organizing model, or vice versa if there's no EU exposure at all.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.