When the Law Points at Your Standard

This is the tenth post in the standards-governance series. Every earlier post has treated a standard as a private arrangement among the people who build on it - who owns it, who funds it, who can leave it. There is a threshold past which it stops being private. When a regulator names a standard as the way to satisfy the law, the body that holds the standard starts, in effect, to write part of the law. Its neutrality is no longer a matter of taste among implementers. It is a public concern, because the standard now decides who is allowed to operate.

Reference is power

A law that says "do the right thing" leaves the right thing to the courts. A law that says "follow this standard and you are presumed to comply" hands the definition of the right thing to whoever drafts the standard. That presumption of conformity is the most valuable thing a regulator can grant, because it converts a legal duty into a checklist, and the author of the checklist gains a quiet authority that no vote conferred. Alignment between a standard and the law is good for everyone when the standard is neutral. The same reference, pointed at a captured standard, writes private interest straight into public obligation.

The Act that waited on its own standard

Note: This page describes regulatory frameworks in general terms only. Nothing here is legal advice. Requirements vary by jurisdiction, organisation type, and use case. Consult qualified legal specialists for guidance specific to your situation.

The European Union's AI Act is the case study unfolding in real time. Providers of high-risk systems that build in line with the harmonised standards earn a presumption of conformity; those standards, drafted by the European standards bodies, therefore become the operative definition of what the Act demands. The striking part is what happened to the timetable. The standards ran late - pushed from 2025 into late 2026 - and the gap became serious enough that the Commission's Digital Omnibus proposal tied the application of the high-risk rules to the availability of the standards themselves, deferring obligations toward firm dates in late 2027 and 2028. A statute passed by the Parliament now waits on a technical committee, because the committee holds the part that makes the statute usable. The Cyber Resilience Act adds another turn, with compliance under one regime feeding a presumption under another. Standards leaning on standards, and law leaning on all of them.

That is the power in plain view, and the hazard with it. A drafting committee weighted toward the largest incumbents writes a safe harbour shaped to what those incumbents already do - the same committee-capture this series met earlier in the story of a document standard waved through by a stuffed working group. When the law points at a standard, the make-up of the committee that drafts it becomes a question of public law, not housekeeping.

What this asks of MX

This is the regulatory edge MX has been built toward, and it cuts in both directions. On one side, MX and REGINALD produce structured, attestable evidence of provenance and accountability - the kind of record these regimes increasingly ask for. The European Accessibility Act, in force since mid-2025, with injunctions already brought against large retailers, is the nearer example: obligations that turn on demonstrable evidence rather than good intentions. There is even a thread that meets a stated MX value directly, as European bodies begin to ask for documentation of an AI system's energy and resource use across its life - provenance and resource accounting in the same record.

On the other side, the lesson of this post falls on MX itself. If the law ever comes to point here - if "show your provenance" starts to mean "show an MX record" - then The Gathering's neutrality stops being a design preference and becomes the thing standing between a public duty and a private toll. That is the reason the standard is held by an open, community-led body and the commercial engine is kept apart from it. It is what stops "comply with MX" from quietly becoming "buy from one vendor." A standard that wants to be safe to reference must be neutral before anyone references it, not after.

Not a harmonised standard

A boundary worth stating plainly, because the temptation to overclaim is real. MX is not a harmonised standard and does not grant a presumption of conformity to anyone. It is an evidence and provenance layer that can support compliance - making claims checkable and accountable - not a substitute for the law's own requirements or for the bodies that set them. Being useful to a regulated organisation is not the same as being the regulation. Keeping that line clear is itself part of staying neutral: a standard that pretends to be the law invites exactly the capture it should be guarding against.

The test

The final question for the buyer's test looks past the buyer to the public. If the law came to point at this standard, who would you have handed lawmaking power to, and could they be leaned on? A standard worth building on is one you would still trust if a regulator named it tomorrow - held by a body no single interest controls, with the definition in the open and the sale kept separate. Being pointed at by the law is a responsibility a standard has to earn before it arrives, because afterwards is too late to fix who holds the pen.


Tom Cranstoun is the founder of the Machine Experience (MX) community and author of the MX book series. He consults on MX strategy through Digital Domain Technologies Ltd.