Unorma

NIST AI RMF

NIST AI RMF vs. EU AI Act: Mapping the Two Frameworks

How the NIST AI RMF's four functions map to the EU AI Act's legal obligations, where the two frameworks align closely, and where they genuinely diverge.

Zofia Kubiak
Zofia Kubiak

April 28, 2026 · 7 min read

NIST AI RMF

One is voluntary US guidance with no legal penalty for skipping it. The other is binding EU law with fines up to €35M. Despite that gap in legal status, the two frameworks share enough underlying structure that most of the work satisfies both — here's exactly where they align and where they don't.

TL;DR

  • The NIST AI RMF is voluntary in the US; the EU AI Act is binding law with real penalties — their legal status is not comparable.
  • Conceptually, Govern maps loosely to quality-management obligations, Map and Manage to Article 9 risk management, and Measure to Article 15 accuracy/robustness requirements.
  • The EU AI Act adds legally specific requirements the RMF doesn't have — Annex III risk classification, conformity assessment, and CE marking.
  • The RMF's four functions provide a genuinely useful internal structure even for organizations whose primary legal obligation is the EU AI Act.
  • One risk assessment, done well, can produce most of the evidence both frameworks separately ask for.

The RMF carries no legal penalty for non-adoption. The EU AI Act carries fines up to €35M or 7% of global turnover for the most serious violations. Despite that gap, both frameworks ask organizations to do fundamentally similar work: understand context, assess risk, measure performance, and manage treatment decisions.

A Rough Conceptual Mapping

GovernArt. 17 (Quality mgmt system)MapArt. 9 (Risk mgmt — context)MeasureArt. 15 (Accuracy, robustness)ManageArt. 9 (Risk mgmt — treatment)
Rough conceptual mapping — the two frameworks aren't clause-for-clause identical, but the underlying work overlaps substantially.

What's Specific to the EU AI Act

  • Legal risk classification into Annex III high-risk categories, with real regulatory consequences
  • Conformity assessment and CE marking before market placement
  • EU database registration for high-risk systems
  • A specific provider/deployer legal obligation split

What's Specific to the NIST AI RMF

  • Explicit categorization into 19 categories and 72 subcategories across four functions
  • The concept of a current vs. target risk profile
  • A companion Generative AI Profile (NIST AI 600-1) with 12 GenAI-specific risk categories

Where the Same Evidence Satisfies Both

Evidence typeSatisfies
Risk assessment methodology and resultsNIST Map/Measure, EU AI Act Article 9
Technical documentation of system designNIST Govern, EU AI Act Article 11
Testing and performance monitoring recordsNIST Measure, EU AI Act Article 15

A Practical Recommendation

If the EU AI Act is your binding legal obligation, use it to set your minimum compliance bar, and use the RMF's four-function structure as your internal organizing framework for how the work gets done day to day — you get legal coverage and organizational clarity from one combined effort instead of running two separate programs.

Primary Sources

A Practical Mapping Example

Consider a hiring-screening AI system. Under the RMF, you'd Map its context (purpose, affected candidates), Measure bias-testing results, and Manage treatment decisions. Under the EU AI Act, the same system — if it affects EU candidates — falls under Annex III employment obligations, requiring an Article 9 risk management system, Article 10 data governance, and Article 14 human oversight. The underlying bias testing and risk documentation largely overlaps; the EU AI Act simply adds specific legal form and conformity requirements on top.

Who Tends to Use Which in Practice

Organization profileTypical approach
US-only company, no EU exposureNIST AI RMF as the primary structure
EU-based or EU-facing companyEU AI Act as the binding requirement, RMF as internal structure
Global enterpriseBoth, with one shared risk assessment process underneath

Where Unorma Fits

Both frameworks, one evidence base

Unorma’s EU AI Act and NIST AI RMF frameworks share the same underlying evidence vault, so one risk assessment maps to both automatically. Read the NIST AI RMF Playbook explained for the framework's underlying structure.

Frequently asked questions

Is the NIST AI RMF a substitute for EU AI Act compliance?

No — the RMF is voluntary guidance with no legal force, while the EU AI Act is binding law with specific requirements like conformity assessment and CE marking that the RMF doesn't address.

Can one risk assessment satisfy both frameworks?

Largely, yes — a well-built risk assessment covering context, scoring and treatment produces most of the evidence both frameworks separately expect, though EU AI Act-specific steps like conformity assessment still need to happen separately.

Should a US company with no EU exposure bother with the EU AI Act?

Only if the AI system's output could affect people in the EU — the Act applies extraterritorially based on effect, not headquarters location, so many US companies with EU customers are still in scope.

Which framework should shape our internal process design?

The NIST AI RMF's four-function structure is a genuinely useful internal organizing framework even if the EU AI Act is your binding legal requirement — you can use one for structure and the other for the compliance bar.

Can you give a concrete example of how the two frameworks overlap?

A hiring-screening system's RMF-driven bias testing and risk documentation (Map, Measure, Manage) largely satisfies the underlying evidence the EU AI Act's Articles 9, 10 and 14 also require — the Act just adds specific legal form and conformity steps on top.

Do global enterprises typically run both frameworks separately?

No — most run a single shared risk assessment process underneath, then layer framework-specific documentation (RMF profiles, EU AI Act conformity assessment) on top of that shared foundation.

Which framework should a company adopt first if starting from scratch?

Whichever is legally binding for your business first — the EU AI Act if you have EU exposure — then layer the NIST AI RMF's structure on top as an internal organizing model, or vice versa if there's no EU exposure at all.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile