EU AI Act vs. NIST AI RMF, ISO 42001 and the UK approach — how they fit together
A practical comparison of the major AI governance frameworks — and how a system built to ISO/IEC 42001 helps you meet the EU AI Act, NIST AI RMF and UK expectations at once.
If you operate AI across the US, the UK and the EU you are likely staring at three or four frameworks at once: the EU AI Act, the NIST AI RMF, ISO/IEC 42001 and the UK government’s principles. They are not contradictory — but they are different in nature, and that matters when you decide what to invest in first.
The four frameworks at a glance
- EU AI Act (Regulation (EU) 2024/1689): a binding law with risk-based obligations, conformity assessment and fines up to 7% of worldwide turnover. Extra-territorial.
- NIST AI RMF 1.0 (January 2023): a voluntary US framework with four functions — Govern, Map, Measure, Manage. Strong practice guidance; not a certification.
- ISO/IEC 42001:2023: the global voluntary standard for an AI management system. Certifiable by accredited bodies.
- UK approach: the white paper "A pro-innovation approach to AI regulation" (Feb 2024) sets out five non-statutory principles delivered through existing sectoral regulators (ICO, MHRA, CMA, Ofcom). A dedicated UK AI bill is debated but not in force as of May 2026.
How they differ in nature
- Legal force — AI Act = law with fines. NIST, ISO 42001, UK principles = voluntary (with the UK partly enforced via existing sectoral regulators).
- Coverage — AI Act classifies systems by risk; NIST organises by lifecycle functions; ISO 42001 sets management-system requirements; UK works by sectoral application of high-level principles.
- Audience — the AI Act addresses regulators and operators; ISO 42001 addresses customers and certification bodies; NIST AI RMF addresses practitioners; UK principles address sectoral compliance officers.
How they fit together
For a non-EU company operating in the EU, the EU AI Act is the mandatory layer. A NIST-aligned practice or a UK-aligned governance posture does not by itself satisfy the AI Act — but it gives you a real head start, because most controls map across.
ISO/IEC 42001 is the most direct bridge: it asks for exactly the structures the AI Act expects — AI inventory, risk and impact assessment, human oversight, data governance and life-cycle control — and it is certifiable. A system built to ISO 42001 makes meeting the AI Act easier to demonstrate to authorities, customers and partners, and it aligns naturally with NIST AI RMF functions.
What this means in practice
- One AIMS, three or four narratives: build the management system once (ISO 42001), then map your evidence to AI Act articles, NIST functions and UK principles.
- Run a single AI impact assessment process — it satisfies AI Act human-oversight expectations and feeds the NIST Measure function.
- Use ISO/IEC 27001 as your information-security foundation; it underpins all four frameworks and is the natural prerequisite for trustworthy AI evidence.
- Document once, report many: keep a Statement of Applicability that cross-references the four frameworks, so the same artefact serves regulator, customer and auditor.
The frameworks are not a buffet. Treat them as one structure with different audiences: regulators want the AI Act, customers want ISO certificates, security teams want NIST functions, the UK wants sectoral evidence.
Note on scope: this article focuses on AI governance and certification. National rules outside AI Act scope — sectoral law, privacy enforcement, taxation — need their respective specialists.
Frequently asked questions
Does following NIST AI RMF satisfy the EU AI Act?
No. NIST AI RMF is a voluntary US framework — it is not recognised as conformity proof under the AI Act. But many of its controls map directly to AI Act articles, so a NIST-based practice gives you a substantial head start.
Can ISO 42001 substitute for the AI Act conformity assessment?
No, the assessment under Article 43 is its own procedure. But an ISO 42001 management system delivers most of the evidence the AI Act expects (risk management, data governance, oversight, life cycle), which is the work-heavy part.
Will the UK adopt the EU AI Act?
No formal alignment so far. The UK takes a pro-innovation, non-statutory, sectoral approach. A UK AI bill is debated; sectoral regulators (ICO, MHRA, CMA, Ofcom) issue their own AI guidance in the meantime.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor (PECB)
Last updated: 28 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.