Responsible AI Platform

ISO 42001 and the EU AI Act: what certification covers and what it does not

··7 min read

Since ISO/IEC 42001 appeared at the end of 2023, the same assumption keeps surfacing in proposals, tenders and boardrooms: get certified and you are ready for the EU AI Act. That assumption is understandable and wrong. This article sets out precisely what ISO 42001 does and does not certify, where the overlap with the AI Act sits, and how to use the standard wisely without falling into the certification trap.

What ISO/IEC 42001 is

ISO/IEC 42001 is the international standard for an AI management system (AIMS), comparable to what ISO 27001 is for information security. It describes how an organization structurally governs the use and development of AI: policy, roles and responsibilities, risk management, impact assessments, lifecycle management, supplier management and continuous improvement.

Crucial to understand: the standard certifies the organization's management system, not its individual AI systems. A certificate says your organization has a structured, auditable process for dealing with AI. It does not say that any specific AI system meets the requirements of the AI Act.

What the EU AI Act requires instead

The AI Act is not a management standard but legislation, with obligations that differ per risk category and per role (provider, deployer, importer, distributor). The key milestones: the prohibited practices and the AI literacy provision of Article 4 have applied since 2 February 2025, the transparency obligations of Article 50 apply from 2 August 2026, and the obligations for standalone high-risk systems under Annex III were moved to 2 December 2027 via the Digital Omnibus.

For high-risk AI systems the law requires, among other things, a risk management system per system (Article 9), data quality and governance (Article 10), technical documentation (Article 11), logging (Article 12), transparency towards deployers (Article 13), human oversight (Article 14) and accuracy and robustness (Article 15). Those are requirements on the system and its lifecycle, not just on the organization around it.

Where the overlap sits

The good news: whoever seriously implements ISO 42001 builds a foundation that carries a large part of AI Act compliance. The overlap is real:

  • Risk management. The AIMS cycle of risk identification, assessment and treatment aligns in approach with Article 9 of the AI Act.
  • AI inventory. No management system without an overview of AI systems; that same overview is the basis for risk classification under the AI Act. See also our article on the AI inventory register.
  • Roles and responsibilities. The standard enforces ownership; the law assumes it.
  • Impact assessments. ISO 42001 includes the AI impact assessment; the AI Act has the FRIA for specific deployers and the GDPR has the DPIA. The processes can feed each other.
  • Supplier management. The third-party controls help with the information and contract requirements across the AI Act value chain.
  • Documentation and audit readiness. A working AIMS produces exactly the kind of demonstrability regulators ask for.

Where the certificate stops

Four boundaries that belong in every conversation about ISO 42001 and the AI Act:

1. No legal presumption of conformity. The AI Act works with harmonised European standards: standards developed at the request of the European Commission by CEN-CENELEC (JTC 21) that, once published in the Official Journal, grant a presumption of conformity. ISO/IEC 42001 is not such a harmonised standard. A certificate therefore provides no legal presumption that you comply with the AI Act.

2. System requirements remain system requirements. Articles 9 through 15 impose requirements per high-risk system: data quality, logging, human oversight, accuracy. An organization-wide management system governs the process around them, but does not replace the technical documentation and conformity assessment per system.

3. Prohibitions remain prohibitions. A certified management system that neatly documents a prohibited practice is still in breach. Certification tests the process; the law tests the practice.

4. The law moves faster than the standard. The AI Act will see implementing acts, guidelines and harmonised standards appear over the coming years. An AIMS must be built to absorb those changes; the certificate itself is a snapshot.

How to use ISO 42001 wisely

For most organizations this is the sober sequence:

  1. Start with the law, not the standard. Inventory your AI systems, classify them and determine which AI Act obligations apply to your role. That is weeks of work, not months.
  2. Use ISO 42001 as the design framework. Build the governance process (policy, roles, risk cycle, supplier management) along the structure of the standard, even if you do not certify yet. Every step then works twice.
  3. Certify when it pays commercially. For AI providers selling to enterprise clients or governments, the certificate can shorten procurement questions and accelerate trust. For a deployer with a handful of purchased systems, full certification is rarely the first priority.
  4. Keep the per-system dossier in order. Whatever gets certified: the risk classification, the gap analysis and the evidence per system form the dossier a regulator or buyer will ask for.

If you first want to know where your organization stands before discussing certification, you can search the AI Act article by article on this platform, or have a guided gap analysis performed, for example through the fixed-price readiness sprint by Embed AI.

Frequently asked questions about ISO 42001 and the AI Act