Blog

Resources

Europe
AI
Machine Learning
SaMD
Quality
Regulatory
Medical device

EN 18286 Passes the Formal Vote: What the First EU AI Act QMS Standard Means for AI/ML Device Makers

EN 18286, the first EU AI Act harmonized standard, heads to publication

July 14, 2026
cosm logo
Cosm
Image announcing EN 18286, the EU AI Act QMS standard, passed the Formal Vote with publication expected July 22, 2026, alongside a timeline of four more AI Act standards currently in public enquiry
Share this

On July 10, 2026, CEN and CENELEC announced that EN 18286, Artificial intelligence - Quality management system for EU AI Act regulatory purposes, passed the Formal Vote by the national standardization bodies. Publication is expected on July 22, 2026. This makes EN 18286 the first harmonized standard developed specifically for the EU AI Act to complete the standardization process, and it arrives just as the Digital Omnibus resets the compliance timeline for high-risk AI systems. Below is what the standard covers, where it sits in the AI Act's conformity assessment architecture, and what it means if you are building an AI/ML-enabled medical device for the EU market.

What EN 18286 Is

EN 18286 specifies the requirements for a quality management system for organizations that provide AI systems, aimed squarely at providers placing high-risk AI systems on the EU market or putting them into service. It is the technical implementation of Article 17 of the AI Act, which requires every high-risk AI provider to operate a documented QMS covering regulatory compliance strategy, design and development controls, data management, post-market monitoring, incident reporting, and accountability.

The standard was developed by CEN-CENELEC JTC 21 under the European Commission's standardization requests (M/593 and M/613). It entered public enquiry on October 30, 2025 as prEN 18286, the first AI Act harmonized standard to reach that stage. The enquiry closed at the end of December 2025, comments were resolved through early 2026, and the standard cleared the harmonized standard (HAS) review before proceeding to Formal Vote.

Why This Standard, and Not ISO/IEC 42001

A question we hear often: why did Europe write a new QMS standard when ISO/IEC 42001 already exists? The answer is alignment. The AI Office concluded in 2024 that ISO/IEC 42001 was not fully aligned with the final AI Act text, so it was never brought into the EU harmonisation process. EN 18286 was written from the AI Act outward: its Annex ZA maps each requirement directly to Articles 11, 17, and 72, which is what makes the presumption of conformity mechanism work. The draft did include mapping annexes for organizations that have already implemented ISO/IEC 42001 or ISO 9001, so prior investment in those frameworks is not wasted, but neither is it sufficient.

In the standard, "quality" means compliance with the AI Act's provider obligations. If you come from the medical device world, this framing is familiar: it is the same relationship ISO 13485 has to the MDR's QMS requirements.

What the Standard Requires

The enquiry draft contained ten normative clauses and five informative annexes, structured around the full AI lifecycle: design, development, verification, deployment, monitoring, and retirement. The controls that matter most in practice:

Document control and traceability. The standard expects a formal document control procedure, version control, retention rules, and a traceability matrix linking regulatory requirements to verifiable AI system requirements and test acceptance criteria. Weak documentation discipline was called out during the enquiry period as the most common audit-readiness gap.

Supplier controls. Externally supplied models, datasets, and testing services fall under risk-based supplier evaluation and contractual controls. If your foundation model, annotation vendor, or validation lab sits outside your organization, the QMS still owns the evidence.

Change management. The standard expects a clear boundary between substantial and non-substantial modifications, including pre-determined change documentation for continuously learning systems. Readers who work with FDA's Predetermined Change Control Plan framework will recognize the concept immediately.

Conformity assessment readiness. The QMS established under EN 18286 feeds both conformity assessment routes: internal control under Annex VI for most high-risk systems, and third-party assessment by a notified body under Annex VII where required. Either way, the QMS documentation is what gets examined.

The Timeline: What the Digital Omnibus Changed

EN 18286 publishes into a compliance landscape that shifted this spring. The Digital Omnibus on AI, politically agreed on May 7, 2026 and formally endorsed by the Parliament on June 16 and the Council on June 29, moved the high-risk applicability dates: obligations for standalone Annex III high-risk systems now apply from December 2, 2027, and obligations for high-risk AI embedded in products regulated under Annex I, which includes medical devices under the MDR and IVDR, apply from August 2, 2028.

The Omnibus also narrowed the "safety component" definition (AI that merely assists users or optimizes performance is not automatically high-risk unless failure could endanger health or safety), and it empowered the Commission to disapply overlapping AI Act requirements where sectoral law such as the MDR already covers the same ground. Both changes matter for device manufacturers deciding how much of the AI Act applies to them at all.

Publication of EN 18286 itself is only the first step toward the presumption of conformity: the standard must also be cited in the Official Journal of the European Union before compliance with its normative clauses formally satisfies Article 17. Watch for that citation in the months after July 22.

Four More Standards Are in Public Enquiry Right Now

EN 18286 is the front of a pipeline. Four additional AI Act harmonized standards are in public enquiry with near-term comment deadlines:

  • prEN 18288, Taxonomy of AI tasks in computer vision: enquiry closes July 16, 2026.
  • prEN 18228, AI risk management: enquiry closes July 30, 2026.
  • prEN 18282, Cybersecurity specifications for AI systems: enquiry closes July 30, 2026.
  • prEN 18229-1, AI trustworthiness framework, Part 1: Logging: enquiry closes August 20, 2026.

Comments go through your national standards body. US-based manufacturers typically work through a European subsidiary, industry association, or liaison organization. If the cybersecurity or risk management drafts touch your product architecture, the enquiry window is the moment to influence the text.

What This Means for AI/ML Medical Device Developers

Extend your ISO 13485 QMS, do not build a second one. Article 17(3) explicitly permits providers with an existing QMS under sectoral Union law to integrate the AI Act requirements into that system, and EN 18286 was designed for compatibility with ISO 13485. The practical work is a gap assessment: map your existing design controls, data management, PMS, and change control procedures against the standard's clauses and close what is missing.

Use the extra time deliberately. August 2028 sounds distant, but conformity assessment queues, technical documentation, and human oversight design are slow work, and notified body capacity for combined MDR plus AI Act assessments is an open question. A grandfathering rule also rewards getting compliant systems on the market before the deadline: systems placed on the market earlier avoid the high-risk obligations until substantially modified.

Align your EU and US change control now. The convergence between EN 18286's substantial modification boundary and FDA's PCCP framework means a single, well-designed change control architecture can serve both jurisdictions. Designing them separately is wasted effort.

Track the OJEU citation. The presumption of conformity only attaches once the standard is cited in the Official Journal. Until then, EN 18286 is best practice and a strong signal of what notified bodies and market surveillance authorities will expect, but not yet a legal safe harbor.

The Bigger Picture

The EU is assembling the same architecture for AI that it built for medical devices: a horizontal regulation, harmonized standards that carry a presumption of conformity, and notified body oversight for the highest-risk category. EN 18286 is the keystone because everything else in a high-risk provider's obligations flows through the QMS. For AI/ML device manufacturers, this is now a two-regulation world where the QMS is the integration point. For more on how change control works on the FDA side, see our post on what an FDA Predetermined Change Control Plan (PCCP) is and how to create one for your AI/ML product.

How Cosm Can Help

Cosm supports AI/ML medical device companies with FDA regulatory strategy, EU MDR compliance, and quality system design, including gap assessments that integrate EU AI Act requirements into an existing ISO 13485 QMS and change control architectures that serve both FDA PCCP and EU substantial modification frameworks. If your CE-marked or CE-bound device includes AI, reach out at info@cosmhq.com or visit https://www.cosmhq.com.

Disclaimer - https://www.cosmhq.com/disclaimer