Winners Consulting Services Co., Ltd. advises executives of Taiwanese companies: In the summer of 2024, Europe finalized two AI regulatory frameworks almost simultaneously: the EU AI Act and the Council of Europe's Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law. The two documents differ in design, between a "principle-oriented" approach and risk-based regulation, and this difference will create a direct compliance divergence for Taiwanese companies exporting to Europe and seeking ISO 42001 certification. Understanding the similarities and differences between these two frameworks is a necessary prerequisite for AI governance planning over the next 3 to 5 years.
Paper Source: Regulating AI from Europe: a joint analysis of the AI Act and the Framework Convention on AI (Miguel Ángel Presno Linera, A. Meuwese, arXiv, 2025)
Original Link: https://doi.org/10.1080/20508840.2025.2492524
About the Authors and This Research
Author Miguel Ángel Presno Linera is a Professor of Constitutional Law at the University of Oviedo in Spain, with a research focus on fundamental rights, digital law, and the EU legal framework. Co-author A. Meuwese has a background in Dutch academia, specializing in comparative regulatory theory and the quality of EU legislation. This paper, published in 2025, has already been cited 8 times as of this writing, making it an early, highly-cited work in the field of comparative AI regulation.
Notably, neither author comes from a purely technical background; they approach AI governance from the perspectives of constitutional law and regulatory theory. This allows their analysis to transcend technical details and address the fundamental institutional tensions between Europe's two AI regulatory instruments—a blind spot often overlooked by Taiwanese companies when planning cross-market AI compliance.
Three Key Comparative Axes of Europe's Dual-Track AI Regulatory Framework
The core contribution of this paper is its systematic comparison of two European AI regulatory documents finalized almost concurrently in the summer of 2024: the EU AI Act (applicable to EU member states) and the Council of Europe Framework Convention (with a broader scope covering non-EU signatory countries). The research compares them along three main axes, revealing the institutional gaps that companies must master for practical compliance.
Key Finding 1: Divergent "AI Definitions" Create Ambiguous Application Boundaries
The two documents use different technical and legal standards to define an "artificial intelligence system." The EU AI Act adopts the OECD's definition of AI as its basis, emphasizing machine learning and autonomous reasoning capabilities. The Framework Convention, however, takes a broader, functional definition, focusing on the impact of AI systems on human decision-making. This definitional divergence means that the same AI application might not be classified as a "high-risk AI system" under the EU AI Act but could require stricter fundamental rights scrutiny under the scope of the Framework Convention. For Taiwanese companies exporting to both EU member states and Council of Europe signatories (like the UK, Iceland, Norway), it is essential to assess applicability separately for each framework, as a single compliance document will not suffice.
Key Finding 2: Structural Differences in the Operational Logic of "Risk-Based Regulation"
Although both documents claim to adopt a risk-based regulation approach, their mechanisms for risk classification are fundamentally different. The EU AI Act uses an annex-based list to enumerate high-risk AI application scenarios and sets specific obligations for different risk levels (e.g., transparency requirements, technical documentation, Fundamental Rights Impact Assessment). The Framework Convention, on the other hand, favors principle-based provisions, leaving the discretion for risk assessment to the national legislative bodies of signatory countries. This design difference directly impacts corporate compliance strategies: the EU AI Act's list-based approach provides a relatively clear compliance boundary but risks becoming outdated as technology outpaces legislation. The Framework Convention's principle-based approach requires companies to have stronger autonomous risk assessment capabilities, which aligns well with the dynamic risk management framework required by ISO 42001.
Key Finding 3: The Overall Regulatory Structure Impacts the Global Competitive Landscape
The paper specifically points out that the coexistence of these two European AI regulatory instruments is a strategic move in Europe's competition for global leadership in AI regulation. The EU AI Act represents the EU's "Brussels Effect"—exporting regulatory standards through its single market size. The Framework Convention expands the geographical reach of the European regulatory model through transnational signatures. The synergy or friction between these two mechanisms will directly affect the compliance cost structure for non-European companies entering the European market over the next 3 to 5 years.
Strategic Implications for AI Governance Practices in Taiwan
Taiwanese companies cannot focus solely on the EU AI Act; they must also track the ratification progress of the Council of Europe's Framework Convention and the domestic legislative developments in various countries. This shift in awareness has three specific implications for AI governance planning in Taiwan.
First Layer: Expansion of Compliance Scope. Currently, Taiwanese companies' preparations for EU AI Act compliance are mostly focused on the 27 EU member states. However, if a company's AI products or services are exported to countries that are members of the Council of Europe but not the EU (such as the UK, Norway, Iceland, Turkey), the implementation of the Framework Convention will bring additional Fundamental Rights Impact Assessment obligations. The ISO 42001 management framework provides a common foundation across these frameworks—its risk identification process, required by Clause 6.1.2, can systematically cover the dual assessment needs of the EU AI Act's list-based risks and the Framework Convention's principle-based risks.
Second Layer: Alignment Direction for Taiwan's AI Basic Act. Taiwan's draft AI Basic Act is currently under review in the legislature, and its risk classification structure clearly references the design of the EU AI Act. However, based on this paper's comparative analysis, if Taiwan aims to align with the broader European regulatory system (and not just the EU AI Act), it will need to reserve flexibility for principle-based provisions in its domestic legislation to accommodate the human rights review requirements of the Framework Convention. Taiwanese companies can leverage the dynamic management mechanism of ISO 42001 to build internal governance capabilities that comply with this dual-track framework even before Taiwan's AI Basic Act is finalized.
Third Layer: Product Compliance Impact of AI Definitions. The definitional divergence highlighted in the paper has a direct impact on Taiwanese hardware and software exporters. A product classified as a "general-purpose AI system" under the EU AI Act's definition might be categorized as a high-impact system requiring additional human rights review under the Framework Convention's functional definition. It is recommended that Taiwanese companies incorporate AI risk classification assessments during the product design phase, rather than waiting for market entry to perform compliance remediation.
Winners Consulting Services Helps Taiwanese Companies Build Dual-Track Compliance Capabilities
Winners Consulting Services Co., Ltd. helps Taiwanese companies establish AI management systems that comply with ISO 42001 and the EU AI Act, conduct AI risk classification assessments, ensure that artificial intelligence applications comply with Taiwan's AI Basic Act, and proactively address the human rights impact assessment requirements of the Council of Europe's Framework Convention.
- Dual-Framework AI Definition Mapping and Diagnosis: Based on the definitional differences between the EU AI Act and the Framework Convention revealed in the paper, we conduct a dual-framework applicability assessment of a company's existing AI products and services, clearly identifying high-risk items in the "definitional gray area" to prevent compliance gaps due to misinterpretation.
- Establishment of an ISO 42001 Dynamic Risk Management System: Centered on Clause 6.1.2 of ISO 42001, we design a unified management process that addresses both list-based (EU AI Act) and principle-based (Framework Convention) risk assessments, establishing a quarterly review mechanism to ensure timely updates in line with European regulatory dynamics.
- Internalization of Fundamental Rights Impact Assessment Capabilities: We assist companies in establishing standard operating procedures for Fundamental Rights Impact Assessment in the spirit of the Framework Convention and integrate them into the PDCA management cycle of ISO 42001, preparing them for future compliance audits in the European market.
Winners Consulting Services Co., Ltd. offers a Free AI Governance Mechanism Diagnosis to help Taiwanese companies establish an ISO 42001-compliant management system within 7 to 12 months, while simultaneously addressing the dual-track compliance requirements of the EU AI Act and the European Framework Convention.
Frequently Asked Questions
- With both the EU AI Act and the Council of Europe's Framework Convention in place, do Taiwanese companies need to prepare two separate sets of compliance documents?
- Not necessarily two completely separate sets of documents, but a management system capable of addressing the differences between the two frameworks is essential. The EU AI Act uses a list-based approach for risk classification, requiring technical documentation, transparency disclosures, and a Fundamental Rights Impact Assessment for high-risk AI systems. In contrast, the Framework Convention relies on principle-based provisions, leaving implementation details to national legislation. The ISO 42001 management framework can serve as a common foundation, as its dynamic risk assessment process systematically covers the core requirements of both. We recommend using ISO 42001 as the central system and adding specific supplementary documents for different markets, rather than building two separate systems from scratch. This approach controls costs while maintaining flexibility for future regulatory changes.
- What are the most common EU AI Act compliance challenges for Taiwanese companies when implementing ISO 42001?
- The three most common challenges are misclassifying AI system risk, structural deficiencies in technical documentation, and mapping compliance between local and EU laws. First, companies often assess risk based on product function rather than the actual application context, underestimating high-risk categories listed in Annex III of the EU AI Act, such as employment screening or credit scoring. Second, while ISO 42001's documentation overlaps with the EU AI Act's requirements, the latter demands more specific details on model descriptions and data governance, which need to be supplemented. Third, companies must create a clear mapping mechanism between Taiwan's AI Basic Act and the EU AI Act to avoid compliance conflicts. Winners Consulting Services recommends addressing these three checkpoints early in the ISO 42001 implementation process.
- What are the core requirements for ISO 42001 certification, and how long does it typically take for Taiwanese companies to implement it?
- ISO 42001, the only global standard for AI management systems, requires establishing an AI policy, defining organizational roles and responsibilities, identifying and assessing AI risks (aligning with the EU AI Act's logic), managing the AI system lifecycle, and ensuring continuous monitoring and improvement. For Taiwanese companies with an existing ISO 27001 or ISO 9001 foundation, implementation and certification can typically be completed in 6 to 9 months. Companies building a management system from scratch should plan for a 9 to 12-month period. The consulting process at Winners Consulting Services involves four stages: gap analysis (1 month), system design (2-3 months), implementation (3-4 months), and certification audit (1-2 months), with full support including document templates and expert consultation.
- How can the costs and expected benefits of implementing ISO 42001 while aligning with the EU AI Act be assessed?
- Implementation costs vary by company size and management maturity. For a mid-sized Taiwanese tech firm (200-500 employees), the total cost for ISO 42001—including consulting, internal resources, and certification fees—typically ranges from NT$800,000 to NT$2,000,000. Incorporating an EU AI Act compliance review adds approximately 15-30% to this cost. In terms of benefits, ISO 42001 certification provides a significant advantage in European market tenders, as some EU procurement rules now require it. A systematic AI risk management framework also reduces incident response costs and legal expenses from compliance disputes, with an expected return on investment of 200% to 350% over 3 to 5 years.
- Why choose Winners Consulting Services for assistance with AI governance issues?
- Winners Consulting Services Co., Ltd. is one of the few consulting firms in Taiwan with expertise in ISO 42001 implementation, EU AI Act analysis, and tracking Taiwan's AI Basic Act. Our team integrates expertise from information security management, legal compliance, and AI technology, employing a "Regulation-Standard-Practice" three-tiered approach. This ensures a company's AI governance framework not only meets international standards like ISO 42001 but is also effectively implemented in practice. We offer a complimentary initial mechanism diagnosis to help companies clarify their compliance priorities and reduce implementation risks before committing significant resources, guiding them to establish a compliant AI management system within 7 to 12 months.