ISO/IEC 42001:2023 is a voluntary international management system standard. It specifies how an organisation establishes, operates, and improves an AI Management System (AIMS), and certification to it is granted by accredited certification bodies.

The EU AI Act is binding EU regulation — Regulation (EU) 2024/1689 — that imposes specific obligations on providers, deployers, importers, and distributors of AI systems placed on the EU market.

The Standard governs the management system around AI; the Act governs AI systems themselves and the actors who place them on the market.

“This Regulation lays down: (a) harmonised rules for the placing on the market, the putting into service, and the use of artificial intelligence systems (AI systems) in the Union.” — Regulation (EU) 2024/1689, Article 1(2)(a)

“This document specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving an AI management system within the context of an organization.” — ISO/IEC 42001:2023, Clause 1 (Scope)

The two sentences describe different objects. That difference governs everything that follows.

Key definitions

| Term | ISO 42001 meaning | EU AI Act meaning |
|---|---|---|
| AI system | An engineered system that generates outputs for human-defined objectives. The boundary of what the AIMS governs. | A machine-based system designed to operate with varying levels of autonomy that may exhibit adaptiveness and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs (Article 3(1)). Triggers regulatory obligations. |
| Provider | An organisation that develops an AI system and places it on the market or puts it into service. Determines control selection under the AIMS. | A natural or legal person, public authority, agency, or other body that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name (Article 3(3)). Carries the heaviest obligations. |
| Deployer | An organisation that uses an AI system under its own authority. | A natural or legal person using an AI system under its authority, except where the system is used in the course of a personal non-professional activity (Article 3(4)). Carries specific use-phase obligations. |
| Risk | Effect of uncertainty on objectives, applied to AI in the AIMS. Treated through Annex A controls. | Treated as a tiered classification (unacceptable, high, limited, minimal/no risk) that determines which obligations apply. |
| Conformity assessment | Not a term in ISO 42001. Certification is the analogous concept. | The process of demonstrating that the requirements of the Act relating to a high-risk AI system have been fulfilled (Article 3(20)). Required before placing high-risk systems on the market. |
| Post-market monitoring | Implied in Clause 9 monitoring and Annex A controls on operation and monitoring. | An explicit, distinct obligation under Article 72. Providers of high-risk systems must establish and document a post-market monitoring system. |

The vocabulary overlaps but does not align. Reading either document with the other’s terminology produces persistent mistranslation.

Where ISO 42001 and the EU AI Act align

ISO 42001 and the EU AI Act share substantive ground in five areas. In each, the Standard’s controls produce evidence that supports — though does not by itself satisfy — the Act’s obligations.

| Area | ISO 42001 source | EU AI Act source |
|---|---|---|
| Risk management | Clauses 6.1.2, 6.1.3, 8.2, 8.3 | Article 9 (risk management system for high-risk systems) |
| Data governance | Annex A.7 (data for AI systems) | Article 10 (data and data governance for high-risk systems) |
| Technical documentation | Annex A.6.2.7 (AI system technical documentation) | Article 11 and Annex IV (technical documentation for high-risk systems) |
| Human oversight | Annex A.6.2.6 (operation and monitoring); A.9 (use of AI systems) | Article 14 (human oversight for high-risk systems) |
| Post-market monitoring | Clauses 8.2, 9.1; Annex A.6.2.6 | Article 72 (post-market monitoring for high-risk systems) |
| Transparency to users | Annex A.8 (information for interested parties) | Article 13 (transparency and information to deployers); Article 50 (transparency obligations) |
| Record keeping and logging | Annex A.6.2.8 (event logs); Clause 7.5 | Article 12 (record-keeping); Article 19 (automatically generated logs) |
| Quality management | Clauses 4–10 collectively (the AIMS itself) | Article 17 (quality management system for high-risk providers) |

The most consequential overlap is Article 17. The Act explicitly requires providers of high-risk AI systems to operate a quality management system, and Article 17(1)(a) through (m) lists the elements that quality management system must contain. Most of those elements correspond directly to ISO 42001 clauses — risk management procedures, data management, technical documentation, post-market monitoring, communication with competent authorities, record-keeping, resource management, accountability framework. An organisation operating a conformant AIMS under ISO 42001 has the structural basis for Article 17 compliance, even before the certificate is issued.

Where ISO 42001 and the EU AI Act diverge

The alignment ends at five points. Each is a structural difference, not a gap in either document.

Scope of object

ISO 42001 governs the management system around AI. The EU AI Act governs AI systems themselves, their classification, and the actors placing them on the market. An organisation can have a fully conformant AIMS and still place a non-conformant AI system on the EU market. Conversely, an organisation can place a conformant high-risk AI system on the EU market without operating an ISO 42001 AIMS.

Risk model

ISO 42001 treats risk as an organisation-specific concept defined through the risk assessment methodology under Clause 6.1.2. The organisation determines its risk criteria and risk treatment options. The EU AI Act imposes a fixed risk classification — unacceptable, high, limited, and minimal/no risk — that determines which obligations apply.

| Tier | EU AI Act treatment |
|---|---|
| Unacceptable risk | Prohibited under Article 5 |
| High risk | Permitted subject to extensive obligations under Articles 8–27, conformity assessment, and CE marking |
| Limited risk | Permitted subject to transparency obligations under Article 50 |
| Minimal or no risk | Permitted without specific obligations under the Act |

ISO 42001 does not produce this classification, and conformance to ISO 42001 does not establish which tier an AI system falls into. The classification is a regulatory determination the organisation must make, supported by the impact and risk assessments the AIMS produces.

Conformity assessment and CE marking

The Act requires high-risk AI systems to undergo conformity assessment before being placed on the market, with CE marking demonstrating conformity. The assessment is performed either through internal control (Annex VI) or by a notified body (Annex VII), depending on the system and the harmonised standards available.

ISO 42001 certification is not conformity assessment under the Act. Certification demonstrates that the organisation operates a conformant management system; it does not by itself demonstrate that any specific AI system meets the Act’s requirements for high-risk systems. The CE mark cannot be applied on the basis of ISO 42001 certification alone.

The relationship may change as harmonised standards emerge. The Act provides for presumption of conformity where harmonised standards published in the Official Journal are applied. Standards developed under the European Commission’s standardisation request to CEN-CENELEC may eventually serve this function. ISO 42001 itself is unlikely to be designated as a harmonised standard, but European adaptations or derived standards may be.

Legal status and enforcement

ISO 42001 is voluntary. Failure to conform produces no legal sanction — the consequences are contractual (where customers require certification), reputational, and operational. The EU AI Act is binding regulation. Failure to comply produces administrative fines up to €35 million or 7% of worldwide annual turnover for the most serious violations (Article 99), and up to €15 million or 3% for other infringements.

| Consequence | ISO 42001 | EU AI Act |
|---|---|---|
| Failure to conform | Loss of certification, contractual exposure | Administrative fines, market access removal, withdrawal from market |
| Regulator | Certification body (private) | National competent authorities; EU AI Office for general-purpose AI |
| Enforcement | Surveillance audit, recertification | Investigation, sanctions, withdrawal orders |

General-purpose AI

The Act contains a dedicated regime for general-purpose AI models (Chapter V), with additional obligations for models with systemic risk. These obligations include technical documentation, copyright compliance, training data summaries, and — for systemic-risk models — model evaluation, adversarial testing, incident reporting, and cybersecurity protection. ISO 42001 does not contain a parallel regime. Annex A controls apply to general-purpose AI within the AIMS, but the specific GPAI obligations under the Act sit outside the Standard’s scope.

How AIMS controls evidence AI Act obligations

In practice, ISO 42001 implementation produces artefacts that support EU AI Act conformity work. The mapping below covers the obligations most often discussed in compliance planning. It is illustrative, not exhaustive, and not a substitute for legal analysis of each specific obligation.

| EU AI Act obligation | Article | AIMS evidence |
|---|---|---|
| Risk management system for high-risk systems | 9 | Risk assessment methodology (6.1.2), risk treatment plan (6.1.3), recurring risk assessment (8.2), Annex A.5 (impact) and A.6 (lifecycle) controls |
| Data and data governance | 10 | Annex A.7 controls (data acquisition, quality, provenance, preparation), data resource documentation (A.4.3) |
| Technical documentation | 11, Annex IV | Annex A.6.2.7 (technical documentation), A.6.2.3 (design and development documentation), Clause 7.5 documented information |
| Record-keeping and logging | 12, 19 | Annex A.6.2.8 (event logs), Clause 7.5 documented information control |
| Transparency and information to deployers | 13 | Annex A.8 (information for interested parties), specifically A.8.2 (system documentation and information for users) |
| Human oversight | 14 | Annex A.6.2.6 (operation and monitoring), A.9.4 (intended use), A.9.2 (responsible use processes) |
| Accuracy, robustness, cybersecurity | 15 | Annex A.6.2.4 (verification and validation), A.6.2.6 (operation and monitoring), risk treatment under 6.1.3 |
| Quality management system | 17 | The AIMS as a whole — Clauses 4–10 collectively |
| Post-market monitoring | 72 | Clauses 8.2 and 9.1 monitoring, Annex A.6.2.6 (operation and monitoring) |
| Serious incident reporting | 73 | Annex A.8.4 (communication of incidents), Clause 10.2 (nonconformity and corrective action) |
| Transparency obligations to natural persons | 50 | Annex A.8 (information for interested parties) |

The mapping is asymmetric. AIMS controls produce evidence supporting Act obligations, but the Act imposes specifics the Standard does not — content of technical documentation under Annex IV, conformity assessment procedures, registration in the EU database for high-risk systems, CE marking, declaration of conformity, communication with national competent authorities. An organisation cannot work backward from a complete SoA to a complete set of Act obligations.

What ISO 42001 certification does and does not provide

The question most organisations preparing for both instruments ask is whether ISO 42001 certification reduces the EU AI Act burden. The answer has three parts.

What certification provides

| What | How |
|---|---|
| Evidence of governance maturity | A certified AIMS demonstrates that the organisation operates a structured management system for AI, which is favourable evidence in interactions with regulators, customers, and notified bodies |
| Article 17 foundation | Most elements required by Article 17 (quality management system for high-risk providers) are produced by an ISO 42001 AIMS |
| Reusable evidence | Risk assessments, technical documentation, monitoring records, audit reports, and management review minutes produced under the AIMS are reusable as evidence for the corresponding Act obligations |
| Internal audit and review capability | The AIMS internal audit and management review processes are directly applicable to ongoing Act compliance verification |

What certification does not provide

| What | Why |
|---|---|
| Conformity assessment under the Act | ISO 42001 certification is not the conformity assessment that Article 43 and Annexes VI and VII require for high-risk systems |
| CE marking | The CE mark requires the conformity assessment route the Act specifies, not management system certification |
| Presumption of conformity | The Act provides presumption of conformity only where harmonised standards listed in the Official Journal are applied; ISO 42001 in its current form is not such a standard |
| Risk classification | The Act’s risk tier classification is a regulatory determination the organisation must make; the AIMS supports it but does not produce it |
| GPAI compliance | The Act’s general-purpose AI obligations sit outside ISO 42001 |
| Compliance with prohibition (Article 5) | Prohibited AI practices are prohibited regardless of any management system the organisation operates |

The practical position

Organisations developing or deploying AI for the EU market typically pursue both instruments in parallel, not in sequence. The AIMS provides the governance structure within which Act compliance is operationalised. The Act imposes the specific requirements that govern individual AI systems and market access. Treating ISO 42001 as a route to Act compliance — or the Act as a substitute for management system certification — produces gaps in both.

ISO 42001 and the EU AI Act timeline considerations

The EU AI Act entered into force on 1 August 2024 and applies in phases:

| Date | What applies |
|---|---|
| 2 February 2025 | Prohibitions under Article 5; AI literacy obligations under Article 4 |
| 2 August 2025 | Obligations for general-purpose AI models; governance provisions; penalties |
| 2 August 2026 | Most obligations for high-risk AI systems under Annex III; most other operative provisions |
| 2 August 2027 | Obligations for high-risk AI systems regulated under existing product safety legislation (Annex I) |

ISO 42001 has no comparable phased entry. The Standard was published in December 2023 and is available for certification now. Organisations preparing for EU AI Act milestones often use the period before each phase to build AIMS capability — the AIMS produces the records and processes Act compliance subsequently requires, and the implementation timeline for an AIMS (six to twelve months) fits well inside the gaps between Act milestones.

FAQ

Does ISO 42001 certification satisfy the EU AI Act?

No. The two instruments operate at different levels. Certification demonstrates that the organisation operates a conformant management system; the Act imposes specific obligations on AI systems and market actors that ISO 42001 does not enumerate. Certification supports Act compliance work substantially — particularly for Article 17 quality management — but does not substitute for it.

Will ISO 42001 become a harmonised standard under the EU AI Act?

Unlikely in its current form. The European Commission has issued a standardisation request to CEN-CENELEC for harmonised standards supporting the Act. Standards developed in response to that request — sometimes adapted from or aligned with ISO 42001 — may be designated as harmonised standards in the Official Journal and confer presumption of conformity. ISO 42001 itself is an ISO/IEC document and is not the natural vehicle for that designation.

Do I need to do ISO 42001 first, EU AI Act first, or both at once?

Neither precedes the other structurally. Most organisations work on both in parallel, with the AIMS providing the management system within which Act compliance is operationalised. Organisations with limited resources sometimes prioritise Act compliance for systems already in or near the EU market, then formalise the underlying AIMS for certification. Organisations with multiple AI systems and a longer planning horizon often start with the AIMS to produce the governance structure that supports Act compliance across the portfolio.

Can I use my Statement of Applicability as evidence for EU AI Act conformity assessment?

Partially. The SoA documents the controls applied within the AIMS and their justification. It is useful evidence in interactions with notified bodies, customers, and regulators, but it does not constitute the conformity assessment the Act requires. Conformity assessment under the Act is a distinct procedure with specific evidentiary requirements set out in Annexes VI and VII.

Does the EU AI Act apply if I am not based in the EU?

The EU AI Act applies on a placing-on-the-market and use basis, not on the basis of establishment. Providers placing AI systems on the EU market, deployers established in the EU, and providers and deployers outside the EU whose AI system output is used in the EU are within scope (Article 2). ISO 42001, being a voluntary international standard, has no comparable territorial concept; an organisation anywhere can certify.

Are the risk classifications in the EU AI Act compatible with the AIMS risk assessment?

They operate at different levels and need to be reconciled in implementation. The Act’s classification is a regulatory determination about whether a system falls into the unacceptable, high, limited, or minimal/no risk category. The AIMS risk assessment is an organisational analysis of risks across the AI portfolio. The AIMS risk assessment informs the Act classification — particularly for systems where high-risk status is determined by intended purpose and impact — but does not replace it.

How does the Act’s post-market monitoring obligation relate to ISO 42001 monitoring?

The Act requires providers of high-risk systems to establish and document a post-market monitoring system that actively and systematically collects, documents, and analyses relevant data on the performance of the system throughout its lifetime (Article 72). ISO 42001 requires monitoring of AIMS performance and AI system operation under Clause 9.1 and Annex A.6.2.6. The AIMS monitoring provides the structure within which Act-specific post-market monitoring runs; the Act adds specific content requirements — incident analysis, performance against intended purpose, interaction with other systems — that the AIMS structure must accommodate.

Are general-purpose AI obligations covered by ISO 42001?

Partly. The AIMS applies to general-purpose AI systems within the organisation’s scope, and Annex A controls — particularly A.6 (lifecycle), A.7 (data), and A.10 (third-party) — bear directly on GPAI development and procurement. The Act’s specific GPAI obligations under Chapter V (technical documentation for GPAI providers, copyright compliance, training data summaries, systemic-risk obligations) are not enumerated in ISO 42001. Organisations developing GPAI models for the EU market should treat the two regimes as complementary rather than substitutable.

What happens if my AIMS conflicts with the Act?

The EU AI Act prevails. ISO 42001 is voluntary; the Act is binding regulation. Where AIMS processes produce outcomes inconsistent with Act requirements — for example, an SoA that excludes controls the Act would mandate for a high-risk system — the AIMS must be revised to align. The Standard accommodates this: Clause 6.1.3 requires controls to be selected on the basis of the risk treatment plan, and regulatory requirements are part of the risk landscape the plan must address.

Does the EU AI Act require ISO 42001?

No. The Act does not require certification to ISO 42001 or to any other standard. It requires conformity with its own provisions, supported by harmonised standards where they exist. Certification is voluntary throughout. In practice, customers, partners, and procurement frameworks increasingly request ISO 42001 certification as evidence of AI governance maturity, particularly in regulated sectors, and this contractual pressure operates independently of the Act.
