What is hard law, soft law and an AI standard?

Global AI regulation

Hard law is binding law, such as statutes, regulations, enforceable decisions and treaty duties. Soft law is non-binding guidance, principles, codes and official expectations that influence behaviour without creating the same direct legal duty. An AI standard is a structured technical or management document, usually issued by a standards body, that sets terminology, requirements, controls or test methods for AI. In practice, AI governance uses all three together: law sets duties, soft law interprets them, and standards help turn them into repeatable controls and evidence.

What this means

If a rule says you must do something and a regulator or court can enforce it, that is hard law. If a public body, international organisation or regulator publishes principles, guidance or a code that is meant to steer conduct but does not work like a statute, that is soft law.

An AI standard is different again. It is usually a consensus document that turns broad ideas such as transparency, documentation, risk management or oversight into repeatable controls, definitions or assessment criteria. Some AI standards are about management systems, some about terminology, some about life cycle processes, some about impact assessment and some about audit-related requirements.

The reason people confuse these categories is that they often work together. A law may point to a standard as one accepted way to show compliance. A regulator may use soft law to explain how it reads a statute. A customer may ask for certification against a standard in procurement, which can make a voluntary document commercially hard to ignore.

Why it matters

For organisations that build, buy, deploy or govern AI, the distinction is practical, not academic. Hard law tells you what is mandatory and what can trigger enforcement, liability, reporting or market access problems. Soft law tells you what supervisors, policymakers and international bodies expect responsible organisations to be able to explain and document. Standards tell you how to organise the work so that the evidence exists when a board, buyer, auditor or regulator asks for it.

Getting the categories wrong creates different kinds of risk. If you treat soft law as irrelevant, you can miss the direction of travel in enforcement, procurement and investor scrutiny. If you treat every standard as legally mandatory, you can waste time on controls that are not necessary for your actual risk profile or jurisdiction. Good AI governance depends on knowing which instruments are binding, which are persuasive, and which are useful evidence.

How it works

Hard law creates enforceable duties

Hard law is the part of the rulebook that binds people and organisations as a matter of law. In AI, that can include statutes, regulations, binding decisions and, where relevant, treaties. These instruments are made through formal legal processes and can be enforced by courts, supervisory authorities or other public bodies.

In practice, hard law usually states obligations at a relatively high level, then attaches enforcement machinery. A binding AI rule may require risk management, human oversight, transparency, documentation, record-keeping, incident handling or market surveillance, and it may also define who is responsible, which authority supervises compliance and what sanctions or restrictions apply.

Current example: the EU AI Act is hard law. For certain high-risk AI systems it requires technical documentation, documentation keeping, record-keeping, quality management and an EU declaration of conformity. Those are not optional governance measures. They are part of the legal architecture for placing relevant systems on the market or putting them into service.

Soft law steers interpretation, expectations and supervision

Soft law covers non-binding instruments that shape behaviour without operating like a statute. In AI this includes intergovernmental principles, regulator guidance, official frameworks, interpretive notices and codes of practice. They do not usually create the same direct legal duty as an Act or regulation, but they can still matter a great deal.

Soft law is useful because AI changes faster than legislation. Public bodies can update guidance, sector expectations or documentation practices more quickly than they can rewrite statutes. That makes soft law an important bridge between durable legal duties and fast-moving technical practice.

The OECD AI Principles are a good example of soft law at international level. They set a shared policy baseline for trustworthy AI and have been used as a reference point for national AI policy. NIST's AI Risk Management Framework is another example. It is intended for voluntary use, but it gives organisations a recognised structure for governance, mapping, measuring and managing AI risks.

An AI standard turns broad expectations into repeatable controls

An AI standard is a formal document issued by a standards body that specifies terminology, requirements, processes, methods or assessment criteria relevant to AI systems. It is not the same thing as a law, and it is not the same thing as a regulator's guidance note.

This matters because "AI standard" is not one document or one topic. The standards landscape includes vocabulary and terminology standards, management system standards, risk management guidance, life cycle process standards, impact assessment standards and audit-related standards. ISO's AI standards pages show that AI standardisation now spans concepts, governance, risk, impact and assurance rather than one single rulebook.

ISO/IEC 42001 is a useful anchor point because it is a management system standard. It helps an organisation establish, implement, maintain and continually improve an AI management system. That is different from a terminology standard, which defines concepts, or a life cycle standard, which describes process steps, or an impact assessment standard, which structures how impacts are identified and documented.

Law, guidance and standards interact rather than compete

In mature AI governance regimes, the three layers usually work together. Law sets the mandatory requirement. Soft law explains regulatory expectations, supervisory practice or a preferred route to implementation. Standards provide one structured way to operationalise the requirement and produce evidence that the work has been done.

The EU AI Act shows this interaction clearly. It allows harmonised standards to support compliance. Where relevant harmonised standards are published in the Official Journal of the European Union, applying them can give a provider a presumption of conformity for the covered requirements. If standards do not exist, are incomplete or are not used, the legal duty does not disappear. The provider still has to show compliance, and the conformity assessment route may become more demanding. The Act also allows common specifications as a fallback where standards are missing or insufficient.

Soft law can sit in the same chain. Under the AI Act, codes of practice are designed to help providers of general-purpose AI models demonstrate compliance before standards are available, or alongside them. That does not turn the code into a statute, but it does make it operationally important.

These instruments create different kinds of evidence

A useful way to distinguish the three categories is to ask what sort of evidence each one demands or produces. Hard law tends to require legally meaningful evidence: technical documentation, logs, declarations, notices, assessments, registrations and records that can be inspected by an authority. Soft law typically produces governance evidence: policies, risk criteria, role definitions, issue escalation paths, monitoring practices and explanations of how the organisation interprets responsible use. Standards often create process evidence: control design, testing methods, system inventories, management review records, internal audit trails and assurance artefacts.

This is why standards and soft law matter even when they are voluntary. They help organisations build an evidence base that can support legal compliance, procurement, board oversight and external assurance. ISO also notes that certification is written assurance from an independent body and that, in some sectors, certification can itself become a legal or contractual requirement.

Not every respected framework is a standard

One final distinction is easy to miss. A framework can be highly influential without being a formal standard. NIST's AI RMF is one of the clearest examples. It is a voluntary framework issued by a public body, not an ISO or IEC standard and not a statute. That does not make it less useful. It simply means it sits in the soft law and guidance layer, unless a contract, procurement process or regulator effectively builds it into a binding obligation for a given organisation.

Examples

Current example: a provider building a high-risk AI system for the EU market maps the legal duties in the AI Act first. If harmonised standards covering the relevant requirements are available and referenced in the Official Journal, the provider can use them to support conformity assessment and gain a presumption of conformity for the covered points. If those standards are missing, only partly used or restricted, the provider still has legal duties and may need a different assessment path, including notified body involvement in some cases.

A second workflow sits in the soft law layer. An organisation deploying AI internally can use NIST's AI RMF to assign responsibility through governance functions, map intended use and affected parties, measure risks, and document how risks will be managed over time. This does not replace legal compliance, but it creates a disciplined operating model that teams can use across product, risk, legal and assurance functions.

A third workflow shows how standards become commercially binding. A buyer may require a supplier to hold certification against ISO/IEC 42001, or to provide equivalent evidence of an AI management system, before purchase or renewal. ISO explains that certification is written assurance from an independent body and that, in some industries, certification can be a legal or contractual requirement. The standard remains voluntary in general, but not necessarily in that commercial relationship.

Common misunderstandings

"Soft law is optional, so it does not matter." Not true. Soft law may not bind like a statute, but it often shapes supervisory expectations, procurement, assurance and future rulemaking.

"A standard is basically the same as a law." No. A standard is usually voluntary unless a law, contract, procurement rule or certification route gives it binding force in a specific context.

"If we certify to ISO/IEC 42001, we are legally compliant everywhere." No. Certification can strengthen governance and provide assurance evidence, but it does not automatically satisfy every AI, privacy, consumer, product safety, employment or sector-specific duty.

"NIST AI RMF is an AI law." No. It is official and influential, but it is a voluntary framework.

"Hard law always gives precise technical instructions." Usually it does not. Legislators often set duties in broad terms, then rely on standards, common specifications, guidance and enforcement practice to make application more concrete.

Risks and boundaries

These categories are useful, but they are not perfect boxes. Instruments can move between them. A voluntary standard can become practically mandatory through procurement. A code of practice can become central to demonstrating compliance even if it is not itself legislation. A regulator's guidance can be formally non-binding but still highly relevant to enforcement risk.

There are also limits to what standards can do. Standards help structure controls, terminology and assessment, but they do not settle political choices about rights, acceptable uses, liability or democratic accountability. Those are legal and institutional questions. Standards can support those choices, not replace them.

The legal status of a given instrument also depends on jurisdiction and timing. Under the EU AI Act, harmonised standards matter most once they are formally cited in the Official Journal. Where they are absent or incomplete, the Commission may use common specifications, and providers may need to justify other technical means. International instruments can also vary in force. Some, such as OECD recommendations, are designed to guide policy without binding force. A treaty or statute, by contrast, binds only within its own legal scope.

The safest operational approach is to avoid both extremes: do not dismiss soft law because it is non-binding, and do not assume a respected standard automatically answers every legal question.

What to do next

Start by classifying every relevant AI instrument your organisation relies on into three buckets: binding law, non-binding guidance and standards. Then decide who owns each bucket. Legal and public policy teams should track hard law and official guidance; governance, security, product and assurance teams should decide which standards or frameworks to adopt and why.

Next, build one evidence map rather than three separate programmes. For each important AI use case, identify the legal duties, the guidance that explains regulator or market expectations, the standards or frameworks you will use to run the controls, and the documents you must be able to produce on request. Finally, review contracts and procurement terms. Many organisations discover that their real AI obligations come not only from regulators, but also from enterprise customers who expect standard-based assurance and documented governance.

FAQs

Is hard law always national legislation?

No. It can also include directly applicable regulations, binding decisions and treaty obligations, depending on the legal system.

Are the OECD AI Principles legally binding?

No. They are an intergovernmental recommendation and operate as soft law, but they are influential in national policy design and international alignment.

Is the NIST AI RMF a standard?

Not in the formal ISO or IEC sense. It is a voluntary framework issued by NIST and is best understood as official guidance or soft-law-style governance material.

Can a voluntary AI standard become mandatory?

Yes, in context. A law can reference it, a regulator can recognise it, or a contract or procurement process can require it.

Does using a recognised standard guarantee regulatory approval?

No. It can improve your evidence and governance, and in some regimes it can support a presumption of conformity for certain requirements, but the underlying legal duty still matters.

What is the difference between an AI standard and certification?

The standard is the rulebook. Certification is an independent body's written assurance that a product, service or management system meets specified requirements.

What should a board ask first?

Ask which AI obligations are legally binding for the organisation, which guidance the organisation has chosen to follow, which standards it relies on, and what evidence exists for each material AI use case.
