I Built a Free Open-Source EU AI Act / NIST AI RMF / ISO 42001 Crosswalk Tool - Here Is What I Found

Suhana Sayyad — Fri, 05 Jun 2026 21:25:34 +0000

Every week I see the same question in AI governance communities:

"We already have NIST AI RMF implemented. Does that cover our EU AI Act obligations?"

The honest answer is: sometimes yes, sometimes partially, and sometimes not at all. The problem is that nobody had built a clean, free, interactive tool that showed exactly which controls map to which, how strong those mappings actually are, and where the genuine gaps are.

So I built one.

Live tool:

suhanasayyad.github.io

GitHub:

SuhanaSayyad / eu-ai-act-crosswalk-tool

Interactive crosswalk mapping EU AI Act obligations to NIST AI RMF and ISO 42001 controls, with mapping strength indicators, gap analysis, and source links. 30 controls mapped. Free and open source.

EU AI Act × NIST AI RMF × ISO 42001 - Interactive Compliance Crosswalk Tool

An open-source tool that maps EU AI Act obligations to their equivalents in NIST AI RMF and ISO 42001, with mapping strength indicators, gap analysis, and source document links. Built for compliance teams, AI governance practitioners, and anyone trying to understand how these three frameworks relate to each other.

Live demo: https://suhanasayyad.github.io/eu-ai-act-crosswalk-tool

Built by: Suhana Sayyad | MSc Cybersecurity, TUS Athlone

Why I built this

Every organisation dealing with the EU AI Act is being asked the same questions:

"We already have NIST AI RMF controls in place. Does that cover our EU AI Act obligations?" "We're pursuing ISO 42001 certification. Does that satisfy the regulation?"

The honest answer is: sometimes yes, sometimes partially, and sometimes not at all. The problem is that nobody had built a clean, free, interactive tool that showed exactly which…

View on GitHub

What the tool does

The EU AI Act / NIST AI RMF / ISO 42001 Interactive Crosswalk Tool maps 30 EU AI Act obligations to their nearest equivalents in NIST AI RMF and ISO 42001. For each mapping it shows a strength rating - Strong, Partial, Indirect, or No Equivalent - so compliance teams know which mappings they can rely on and which need additional work.

Features:

Interactive control lookup - select any framework and control, see the equivalent in the other two side by side
Mapping strength indicators on every card and table row
Direct links to source documents - every reference links to the official text
Gap analysis section - five EU AI Act obligations with no equivalent in either voluntary framework
Filter by EU AI Act chapter, NIST function (Govern / Map / Measure / Manage), or show gaps only
Export to CSV or PDF
Row highlighting - selecting a control highlights its row in the full matrix table

The architecture

Deliberately simple. Three files. No backend, no database, no server, no build pipeline.

index.html
style.css
script.js

All 30 controls live in a JavaScript array. The entire tool runs in the browser. This means it deploys to GitHub Pages for free, loads instantly, and anyone can fork and modify it.

Each control follows this data structure:

{
    topic: "Risk Management System",
    category: {
        euChapter: "high-risk",
        nistFunction: "govern",
        isoClause: "planning"
    },
    euaiact: {
        ref: "Article 9",
        desc: "Providers of high-risk AI systems must establish, implement, 
               document and maintain a risk management system throughout 
               the entire lifecycle.",
        url: "https://artificialintelligenceact.eu/article/9/"
    },
    nist: {
        ref: "GOVERN 1.1",
        desc: "Policies, processes, procedures and practices related to 
               mapping, measuring and managing AI risks are in place.",
        url: "https://airc.nist.gov/airmf-resources/playbook/govern/",
        strength: "strong"
    },
    iso42001: {
        ref: "Clause 6.1",
        desc: "The organisation must determine risks and opportunities 
               that need to be addressed.",
        url: "https://www.iso.org/standard/81230.html",
        strength: "strong"
    }
}

The strength field drives the colour coding throughout the interface. Green for Strong, amber for Partial, red for Indirect, purple for No Equivalent.

What I actually found

Mapping 30 controls across three frameworks for six weeks taught me things I did not expect.

Most high-risk AI obligations map reasonably well. Risk management (Article 9), data governance (Article 10), human oversight (Article 14), cybersecurity (Article 15), post-market monitoring (Article 72), incident reporting (Article 73) - all of these have meaningful equivalents in both NIST AI RMF and ISO 42001. A company that has properly implemented either framework is genuinely partway there.

Transparency obligations are weaker than you think. Article 13 on transparency to deployers and Article 50 on user-facing AI disclosures both map as Partial at best. NIST and ISO address transparency at a high level but neither mandates the specific instructions-for-use requirements or machine-readable content marking that the EU AI Act requires.

GPAI obligations are essentially uncovered. Articles 53 and 55 on general-purpose AI models and systemic risk have no meaningful equivalent in either framework. NIST AI RMF was not designed for foundation model governance at a societal scale. ISO 42001 does not address systemic risk from large language models at all.

Five obligations are genuine gaps - no coverage anywhere. These are the ones that require EU-specific compliance work regardless of what frameworks you have implemented:

CE marking (Article 48) - mandatory market access requirement with no voluntary framework equivalent
EU AI database registration (Article 49) - register before market placement, no NIST or ISO equivalent
Notified body assessment (Article 44) - mandatory third party conformity assessment for certain high-risk systems
GPAI systemic risk (Article 55) - adversarial testing, model evaluation, reporting to EU AI Office
Market surveillance and enforcement (Article 74) - legally binding, penalties up to 7% of global turnover

If your compliance strategy is "we have NIST AI RMF and ISO 42001 so we are covered" - you are not covered on any of these five.

How the filter logic works

The three filter controls work together with the search bar. All filters are applied simultaneously on every keystroke or selection change.

function applyFilters() {
    var search = document.getElementById('search-input').value.toLowerCase().trim();
    var chapter = document.getElementById('filter-chapter').value;
    var nistFn = document.getElementById('filter-nist').value;
    var gapOnly = document.getElementById('filter-gaps').checked;

    var filtered = crosswalkData.filter(function(item) {
        if (search && /* search logic */ ) return false;
        if (chapter && item.category.euChapter !== chapter) return false;
        if (nistFn && item.category.nistFunction !== nistFn) return false;
        if (gapOnly && item.nist.strength !== 'none' 
            && item.iso42001.strength !== 'none'
            && item.nist.strength !== 'indirect' 
            && item.iso42001.strength !== 'indirect') return false;
        return true;
    });

    populateTable(filtered);
}

All tools are free, open-source, and deploy on GitHub Pages. No backend, no data collection, no paywalls.

Try it

Live:

suhanasayyad.github.io

GitHub:

SuhanaSayyad
/
eu-ai-act-crosswalk-tool

Interactive crosswalk mapping EU AI Act obligations to NIST AI RMF and ISO 42001 controls, with mapping strength indicators, gap analysis, and source links. 30 controls mapped. Free and open source.

EU AI Act × NIST AI RMF × ISO 42001 - Interactive Compliance Crosswalk Tool

An open-source tool that maps EU AI Act obligations to their equivalents in NIST AI RMF and ISO 42001, with mapping strength indicators, gap analysis, and source document links. Built for compliance teams, AI governance practitioners, and anyone trying to understand how these three frameworks relate to each other.

Live demo: https://suhanasayyad.github.io/eu-ai-act-crosswalk-tool

Built by: Suhana Sayyad | MSc Cybersecurity, TUS Athlone

Why I built this

Every organisation dealing with the EU AI Act is being asked the same questions:

"We already have NIST AI RMF controls in place. Does that cover our EU AI Act obligations?" "We're pursuing ISO 42001 certification. Does that satisfy the regulation?"

The honest answer is: sometimes yes, sometimes partially, and sometimes not at all. The problem is that nobody had built a clean, free, interactive tool that showed exactly which…

View on GitHub

If you find it useful, a star on GitHub goes a long way. If you find an error in the mappings, open an issue - I want the data to be as accurate as possible.

I am Suhana Sayyad, an MSc Cybersecurity student at TUS Athlone, Ireland, building open-source AI governance tooling and looking for roles in AI governance and data protection from September 2026.

LinkedIn:

linkedin.com/in/suhana35

DEV Community: Suhana Sayyad

I Built a Free Open-Source EU AI Act / NIST AI RMF / ISO 42001 Crosswalk Tool - Here Is What I Found

SuhanaSayyad / eu-ai-act-crosswalk-tool

Interactive crosswalk mapping EU AI Act obligations to NIST AI RMF and ISO 42001 controls, with mapping strength indicators, gap analysis, and source links. 30 controls mapped. Free and open source.

EU AI Act × NIST AI RMF × ISO 42001 - Interactive Compliance Crosswalk Tool

Why I built this

What the tool does

The architecture

What I actually found

How the filter logic works

Try it

SuhanaSayyad / eu-ai-act-crosswalk-tool

Interactive crosswalk mapping EU AI Act obligations to NIST AI RMF and ISO 42001 controls, with mapping strength indicators, gap analysis, and source links. 30 controls mapped. Free and open source.

EU AI Act × NIST AI RMF × ISO 42001 - Interactive Compliance Crosswalk Tool

Why I built this

SuhanaSayyad
/
eu-ai-act-crosswalk-tool