If you ship AI into the EU, you face the EU AI Act. If you're a financial entity, add DORA. If you're critical infrastructure, NIS2. If you sell connected products, the CRA. Then your buyers ask about ISO/IEC 42001 and your US counsel about NIST AI RMF.
Treating each framework as a separate project is how compliance becomes a seven-figure line item. The frameworks overlap enormously — they just use different words for the same controls:
| Control | EU AI Act | ISO/IEC 42001 | NIST AI RMF |
|---|---|---|---|
| Risk management | Art 9 | 6.1 / 8.2 | MANAGE 1–4 |
| Transparency | Art 13, Art 50 | 7.4, A.8 | GOVERN 4, MAP 4 |
| Human oversight | Art 14 | A.9.2 | GOVERN 3 |
| Data governance | Art 10 | A.7 | MAP 2, MEASURE 2 |
| Technical documentation | Art 11 + Annex IV | 7.5 | GOVERN 1 |
CSOAI maintains the crosswalk corpus across 20+ frameworks — from the EU AI Act and ISO 42001 to the UNESCO Recommendation, the Council of Europe AI Convention, the Korea AI Basic Act, and the OpenAI Model Spec / Anthropic Constitutional AI on the lab side. One assessment maps your evidence to every framework simultaneously, and the result ships as a signed Watchdog Certificate.
The crosswalk is the standard. The certificate is the proof. The dates that matter right now: 2 Aug 2026 (Art 50, new generative) · 2 Dec 2026 (legacy generative) · 2 Dec 2027 (Annex III high-risk) · 11 Dec 2027 (CRA full effect).
→ The full table: csoai.org/standards