Mapping NIST AI RMF to EU Regulations

1. Regulatory Ecosystem Overview

Area	NIST AI RMF	EU AI Act	GDPR	NIS2	DORA
Risk Management	GOVERN 1.3, MAP, MEASURE	Art. 9	Art. 35 (DPIA)	Art. 21	Art. 6
Documentation	GOVERN 1.5, MAP 1.1	Art. 11, Annex IV	Art. 30	Art. 21(2)	Art. 11
Human Oversight	GOVERN 3.2, MAP 3.4	Art. 14	Art. 22	-	-
Data Governance	MAP 1.1, MEASURE 2.11	Art. 10	Art. 5, 25	Art. 21(2)(i)	Art. 9
Incident Reporting	GOVERN 4.3, MANAGE 4.3	Art. 73	Art. 33-34	Art. 23	Art. 19
Security	MEASURE 2.7, MANAGE 3.1	Art. 15	Art. 32	Art. 21	Art. 9
Third-party Risk	GOVERN 6, MANAGE 3.1	Art. 25-27	Art. 28	Art. 21(2)(d)	Ch. V
Transparency	GOVERN 1.2, MEASURE 2.8	Art. 13, 50	Art. 12-14	Art. 23(3)	Art. 17
Testing/Validation	MEASURE 2.3-2.6	Art. 9(7), 43	-	Art. 21(2)(e)	Art. 24-27
Accountability	GOVERN 2.1	Art. 17, 26	Art. 5(2), 24	Art. 20	Art. 5(4)

Term	NIST	EU AI Act	GDPR	NIS2	DORA
Personal Data	PII/Sensitive Data	Personal Data	Personal Data (Art. 4)	-	-
Risk	Composite measure	4-tier classification	High risk processing	Cyber risk	ICT risk
Incident	AI Incident	Serious Incident	Data Breach	Significant Incident	Major ICT Incident
System	AI System	AI System (Art. 3)	-	Network & Info System	ICT System
Provider/Controller	AI Actor	Provider	Controller	Operator	Financial Entity
Audit	TEVV	Conformity Assessment	-	Audit	Testing