EU AI Harmonised Standards: 6-Month Gap & ISO 42001 Action Guide for Taiwan

Winners Consulting Services Co., Ltd. alerts Taiwanese business leaders: a recent empirical study of 23 top European AI companies found that the implementation period for harmonised standards under the EU AI Act is less than 6 months, far shorter than the 12 months businesses actually need. This structural gap will directly impact Taiwanese AI providers planning to enter the EU market, making the early adoption of an ISO 42001 governance framework an urgent strategic decision.

About the Authors and This Study

This paper was co-authored by R. Kilian, Linda Jäck, and D. Ebel and published on the arXiv preprint platform (2025). Although Kilian and Jäck have h-indices of 1, the study has already garnered over 10 citations, indicating significant attention within the EU AI regulation compliance community. More importantly, the research employed in-depth qualitative interviews with 23 major European AI developers from diverse industries, including Mistral (a leading French generative AI company) and Helsing (a European defense AI startup), spanning six major sectors: transportation, finance, manufacturing, healthcare, defense, and legal tech. This first-hand approach of "directly asking the industry" makes its conclusions far more practical than purely legal text analysis.

This study is one of the most systematic empirical analyses to date on the technical standardisation challenges of the EU AI Act. Its policy recommendations have been noted by EU standardisation bodies, making it highly relevant for Taiwanese companies planning their AI governance and compliance roadmaps.

Six Months Is Not Enough: The Four Structural Contradictions of EU AI Harmonised Standards

The central question of this study is: when the EU AI Act requires companies to comply with nearly 30 technical standards, how much time and capacity do they actually have to achieve compliance? The findings reveal four interconnected structural problems, each with specific implications for the export strategies of Taiwanese AI companies.

Key Finding 1: Severely Insufficient Implementation Period—Around 30 Standards, Less Than 6 Months to Prepare

The study found that under the current AI Act timeline, the effective implementation period for companies—from the publication of draft standards to the compliance deadline—is likely to be less than 6 months. However, the interviewed companies widely reported that fully understanding and implementing approximately 30 (some still undrafted) technical standards would require at least 12 months. This gap between "institutional time" and "practical time" is particularly detrimental to resource-constrained startups and Small and Medium-sized Enterprises (SMEs). While large corporations can deploy multiple legal and technical teams simultaneously, SMEs often must proceed sequentially, multiplying the time pressure. As SMEs constitute the vast majority of Taiwan's export-oriented AI companies, this finding directly highlights an institutional inequity.

Key Finding 2: Imbalanced Participation in Standard-Setting Committees, with SMEs and Non-EU Companies Almost Absent

The research points out that the committees of standard-setting organisations (such as CEN and CENELEC) are currently dominated by large European corporations and a few multinational groups. Startups struggle to participate effectively in draft standard discussions due to a lack of time, personnel, and language capabilities; Taiwanese companies are almost entirely absent. This could result in finalised harmonised standards that are more aligned with the technical architectures of large enterprises, creating hidden barriers for smaller AI suppliers using different tech stacks. For Taiwanese AI firms, this is not just a matter of compliance costs but a strategic intelligence issue concerning their ability to grasp rule-making trends in the global AI competitive landscape.

Key Finding 3: Overlapping Dual Regulations—Regulated Industries Like Healthcare and Finance Face Double Compliance Burdens

In sectors with well-established regulatory frameworks, such as healthcare and finance, the requirements of the EU AI Act significantly overlap with existing industry regulations (e.g., the Medical Device Regulation (MDR), Markets in Financial Instruments Directive II (MiFID II)). Companies must maintain two sets of technical documentation systems, leading to substantial redundant compliance costs. The study's interviewees explicitly stated that this "dual regulation" problem still lacks clear official coordination guidance, forcing companies to interpret the scope of application themselves. Taiwanese companies planning to enter the EU market with medical AI or financial AI tools must specifically assess the challenge of integrating technical documentation for this dual compliance.

Key Finding 4: Substantial Annual Compliance Costs for Harmonised Standards Create Market Entry Barriers

The study reveals that the annual expenditure for purchasing and maintaining harmonised standard documents, combined with costs for technical implementation, internal training, and third-party audits, creates a significant market entry barrier for smaller enterprises. The research particularly emphasizes that this cost structure will have a "reshaping" effect on the global AI competitive landscape. Companies that can afford the compliance costs of harmonised standards will gain a systemic advantage in accessing the EU market, while those with insufficient resources may be passively excluded.

Strategic Implications for AI Governance in Taiwan: The Window of Opportunity is Closing

The most direct takeaway from this research for Taiwanese companies is that compliance preparations must begin now, not after the EU standards are officially finalised.

First, regarding the strategic value of ISO 42001, during the transitional period before the harmonised standards are fully finalised, the ISO 42001 AI management system standard provides a foundational governance framework that companies can start building immediately. Clauses 6 (Planning) and 8 (Operation) of ISO 42001 require companies to establish a systematic AI risk assessment mechanism, which is highly compatible with the EU AI Act's risk classification requirements. If Taiwanese companies can achieve ISO 42001 certification in advance, they can not only demonstrate their governance capabilities to EU clients but also rapidly align with new requirements using their existing management framework when the harmonised standards are released, significantly shortening the compliance implementation time.

Second, concerning the practical application of EU AI Act risk classification, the "dual regulation" issue revealed by this study is particularly critical for Taiwan's medical AI, fintech AI, and industrial AI providers. It is recommended that companies complete an inventory of their AI systems now, cross-referencing the high-risk categories in Annex III of the EU AI Act to assess the risk levels of their existing products and plan a dual-track compliance path for technical documentation in advance.

Third, in terms of alignment with Taiwan's AI Basic Act, the Act establishes risk-based AI governance principles, consistent with the core framework of the EU AI Act. If Taiwanese companies can build upon the governance mechanisms required by the AI Basic Act, systematically align them with ISO 42001 requirements, and then extend them to EU AI Act export compliance, they can create an efficient "one framework, three-layer coverage" compliance model, rather than building three separate, disconnected documentation systems.

It is worth noting the methodological limitation of this study: although the 23 interviewed institutions are representative, they are almost all European companies. The compliance challenges faced by Asian companies (including those from Taiwan) were not systematically included in the analysis. Taiwanese firms may face higher practical hurdles than their European counterparts in areas such as language barriers, channels for purchasing standards, and accessibility of third-party certification bodies. This contextual difference should be considered when directly applying the study's conclusions.

How Winners Consulting Services Can Help Taiwanese Companies Seize the Initiative

Winners Consulting Services Co., Ltd. helps Taiwanese companies establish AI management systems that comply with ISO 42001 and the EU AI Act, conduct AI risk classification assessments, and ensure that artificial intelligence applications adhere to the regulations of Taiwan's AI Basic Act. In response to the "insufficient 6-month implementation period" dilemma revealed by this study, we recommend that Taiwanese companies take the following three steps:

1. Immediately initiate an AI system inventory and preliminary risk classification: Conduct a preliminary high-risk assessment of existing AI applications based on Annex III of the EU AI Act, while simultaneously establishing a risk register compliant with Clause 6.1 of ISO 42001. This creates an institutional interface for future alignment with harmonised standards. This crucial preparatory step is recommended to be completed within 3 months.
2. Establish a dual-track technical documentation framework to proactively address dual regulation issues: For AI systems in healthcare, finance, or industrial applications, design an integrated framework that can simultaneously meet the technical documentation requirements of the EU AI Act and existing industry regulations. This avoids resource wastage from redundant work in the future. Winners Consulting Services can assist companies in building an explainability documentation system compliant with Clause 8.4 of ISO 42001.
3. Use ISO 42001 certification as a governance credential for exporting to the EU: Before the harmonised standards are officially released, ISO 42001 certification is the most credible international standard for demonstrating AI governance capabilities to EU buyers. We recommend that companies plan for a 7 to 12-month certification implementation timeline to ensure they can quickly complete the final compliance alignment after the harmonised standards are finalised.

Frequently Asked Questions

Why is the implementation period for the EU AI Act's harmonised standards an urgent issue for Taiwanese companies?

The implementation period is urgent because empirical research by Kilian et al. (2025) shows it may be less than six months for about 30 harmonised standards, while companies need at least twelve. This institutional gap means businesses starting preparations only after the draft standards are published will almost certainly fail to meet the deadline. For Taiwanese companies targeting the EU market, establishing an ISO 42001 governance framework before the standards are finalised is crucial. This allows for rapid integration of the new requirements rather than starting from scratch. Proactively building this foundational governance structure is the only effective strategy to overcome this critical six-month time deficit.

What are the most common specific obstacles for Taiwanese SMEs in implementing EU AI Act compliance?

Based on this study and our practical observations, Taiwanese SMEs face three primary obstacles. First is a lack of capacity for creating technical documentation; the EU AI Act requires high-risk AI systems to have documentation compliant with Annex IV, but many SMEs lack personnel with both legal and technical expertise. Second, there is high uncertainty in risk classification, as the Annex III high-risk list covers eight major areas with ongoing debates over borderline cases. Third, bilingual compliance capabilities are weak, as EU official documents and draft standards are primarily in European languages, creating a barrier to staying updated. Implementing ISO 42001 can systematically strengthen the first two capabilities, making it the most effective priority for Taiwanese companies.

What is the relationship between ISO 42001 and the EU AI Act's harmonised standards? Can implementing ISO 42001 replace compliance with the standards?

ISO 42001 and the EU AI Act's harmonised standards are complementary, not substitutes. ISO 42001 is a universal international standard for AI management systems, providing an organizational-level governance framework. The EU AI Act's harmonised standards, developed by bodies like CEN/CENELEC, provide specific technical requirements that grant a "presumption of conformity." For Taiwanese companies, ISO 42001 certification builds institutional governance capabilities, enabling faster technical alignment once harmonised standards are released and shortening the compliance timeline. Since Taiwan's AI Basic Act aligns with ISO 42001, using the standard as a foundational layer and the harmonised standards as an application layer creates a comprehensive, phased compliance system.

How much time and what resources are actually needed to establish an AI governance mechanism that complies with the EU AI Act?

Based on our consulting experience, establishing an AI governance framework from scratch that meets ISO 42001 and EU AI Act requirements typically takes 7 to 12 months for a Taiwanese company. This process is divided into three phases: Phase one (1-3 months) involves a gap analysis, AI system inventory, and preliminary risk classification. Phase two (3-8 months) focuses on designing and implementing the governance mechanism, including risk assessment procedures, a technical documentation framework, and personnel training. Phase three (8-12 months) covers internal audits, management reviews, and certification preparation. Resource needs vary with company size and AI system complexity, but engaging professional consultants can significantly shorten the timeline and reduce costly rework.

Why choose Winners Consulting Services for assistance with AI governance issues?

Winners Consulting Services Co., Ltd. is one of the few consulting firms in Taiwan with expertise in ISO 42001 implementation, EU AI Act compliance analysis, and Taiwan's AI Basic Act. Our team actively tracks developments from CEN/CENELEC, ENISA, and the EDPB to ensure our advice aligns with the latest regulatory trends. Unlike purely legal or technical consultants, we use an integrated "Legal × Technical × Management" approach to help companies build a verifiable AI governance system under the ISO 42001 framework, not just a pile of documents. We begin with a free mechanism diagnosis, allowing businesses to clearly understand their compliance gaps and priorities before committing to implementation.