Regulatory Convergence • 2026-06-12 • 8 min

One evidence package, two regimes: ML assurance for EASA and the EU AI Act

EASA issued its first binding rulemaking proposal for AI in aviation in late 2025, and it ties aviation AI trustworthiness directly to the high-risk requirements of the EU AI Act. In May 2026, EU negotiators agreed to defer those high-risk obligations, pushing AI embedded in regulated products such as aircraft to August 2028. The deferral is runway, not relief. A program that uses the extra time to build one evidence architecture mapped to both control surfaces will be ready; a program that waits will face two compliance tracks at once.

EASA's first binding AI rule, and what it points at

On 10 November 2025, EASA published NPA 2025-07, its first binding rulemaking proposal on AI trustworthiness for aviation. This is a different instrument from the agency's Concept Papers, which are guidance. NPA 2025-07 opens Rulemaking Task RMT.0742, and it frames its technical guidance explicitly around the requirements for high-risk AI systems contained in the EU AI Act (Regulation (EU) 2024/1689). A second NPA is anticipated in 2026 to apply the framework to specific aviation domains.

The signal for any program is that aviation AI assurance and EU AI Act high-risk compliance are converging onto the same evidence. EASA is not building a parallel, aviation-only definition of trustworthiness; it is anchoring its guidance to the horizontal regulation that already governs high-risk AI across the single market.

The clock just moved, the work did not

On 7 May 2026, the Council, Parliament, and Commission reached a provisional agreement on the EU Digital Omnibus on AI, which defers the application dates for high-risk AI obligations. Stand-alone high-risk systems under Annex III move to 2 December 2027. AI embedded in regulated products under Annex I, the category that covers civil aviation, moves to 2 August 2028. The changes take effect once the Omnibus is formally adopted and published, expected before 2 August 2026.

It is worth reading why the dates moved. The deferral is, in plain terms, an acknowledgment that the harmonized standards and conformity infrastructure needed to make high-risk AI obligations operable did not arrive on the original schedule. The same gap shows up on the aviation side, where the ED-324 / ARP6983 process standard is still in draft.

Why a date slip is runway, not relief

A later deadline only helps a program that treats the interval as build time. The obligations did not get easier; they got later. For a machine-learning capability that will be retrained, compressed, or swapped across the years between now and 2028, the useful question is not how to be compliant on a single date. It is how to build an evidence architecture that stays valid as the model changes, under two regimes at once.

One control architecture, two reporting layers

The way to avoid maintaining two parallel compliance programs is to build shared control primitives and add thin, jurisdiction-specific reporting layers on top. Concretely, that means a traceability structure in which each machine-learning lifecycle artifact answers to both authorities at once. The operational design domain specification, the data-management and provenance record, the learning-process verification evidence, and the in-operation monitoring record each map to an EASA anchoring point and to a corresponding EU AI Act obligation for high-risk systems.

Built this way, a single artifact set produces an EASA submission and an EU AI Act conformity record without duplicated work, and the same structure extends to a U.S. framework where one is in play, since NIST AI RMF functions and FAA safety-assurance expectations describe the same underlying evidence in different vocabulary. The goal is convergence: one set of controls, reused across program boundaries, with reporting that speaks each authority's language.

Action checklist

  • Map every machine-learning lifecycle artifact to both an EASA anchoring point and an EU AI Act high-risk obligation, so one evidence set satisfies both rather than two parallel tracks.
  • Use the deferral window to 2028 as build time for an evidence architecture that survives model change, not as a reason to delay starting.
  • Keep the control primitives jurisdiction-neutral and push naming and reporting differences into a thin top layer, so the same controls extend to NIST AI RMF and FAA expectations.