
ISO/IEC 42001 vs EU AI Act: What Each Does — and What Each Doesn't

Comparison · 23 May 2026 · 13 min read · 2,651 words

ISO/IEC 42001 is a voluntary AIMS standard. The EU AI Act is binding law. Where they align, where they diverge, and what Article 43 still demands.

ISO/IEC 42001:2023 is a voluntary, certifiable AI management system standard. Regulation (EU) 2024/1689 — the EU AI Act — is binding law. These two frameworks share a subject (AI governance) and some overlapping language, but they operate through entirely different mechanisms, carry different legal weight, and leave different gaps when used alone.

The distinction that matters most in practice: an ISO/IEC 42001 certificate does not make a high-risk AI system EU AI Act-compliant. The two serve each other well, but they are not interchangeable. This article explains where they align, where they diverge, and what you still have to do under the Act even after achieving certification under the standard.


What ISO/IEC 42001:2023 Is

ISO/IEC 42001:2023 is an AI management system (AIMS) standard published by the International Organization for Standardization in December 2023. It follows the ISO Harmonised Structure shared with ISO 9001 (quality), ISO 27001 (information security), and ISO 14001 (environment) — which means it slots into an existing integrated management system rather than requiring a standalone programme.

The standard has two layers. The main body (Clauses 4–10) establishes the Plan-Do-Check-Act cycle: understand your context, define scope, set objectives, implement controls, audit, and improve. The normative Annex A provides 38 controls across nine control domains (A.2–A.10), covering areas such as AI policy, data governance, impact assessment, transparency, and incident management.

Certification is available through accredited certification bodies operating under ISO/IEC 17021. Achieving certification means an independent auditor has reviewed your AIMS against the standard's requirements — it says something real about your governance maturity. What it does not say is that any specific AI system meets the EU AI Act's technical or legal requirements.


What the EU AI Act Is

The EU AI Act (Regulation (EU) 2024/1689) is directly applicable law across all EU member states. It entered into force on 1 August 2024 and applies in phases. For high-risk AI systems — those in the Annex III list (recruitment tools, credit scoring, biometrics, etc.) — the key deadline under the Digital Omnibus agreed in May 2026 is 2 December 2027 for stand-alone systems and 2 August 2028 for AI embedded in regulated products covered by EU product law (Annex I).

The Act structures its obligations around risk tier and role:

  • Unacceptable risk (Article 5): prohibited practices, banned since 2 February 2025. Real-time remote biometric identification in public spaces (with narrow exceptions), subliminal manipulation, social scoring by public authorities, exploitation of vulnerabilities — these cannot be deployed regardless of any governance framework.
  • High risk (Article 6 + Annex III): the full compliance stack. Risk management system (Article 9), data governance (Article 10), technical documentation (Article 11, Annex IV), record-keeping (Article 12), transparency to deployers (Article 13), human oversight (Article 14), accuracy and robustness (Article 15). Providers must run a conformity assessment under Article 43 before placing the system on the market, issue an EU Declaration of Conformity under Article 47, affix CE marking under Article 48, and register in the EU database under Article 49.
  • Limited/transparency risk (Article 50): disclosure duties for chatbots, deepfakes, emotion recognition, and AI-generated content. These apply from 2 August 2026.
  • Minimal risk: no mandatory obligations.

Providers bear the heaviest duties (Article 16). Deployers must follow instructions, ensure human oversight, retain logs for at least six months, and — where they are public bodies or operate credit-scoring or life/health-insurance systems (Annex III 5(b)/(c)) — run a Fundamental Rights Impact Assessment under Article 27.


Where ISO/IEC 42001 Supports EU AI Act Compliance

The overlap is genuine and substantial. If you implement ISO/IEC 42001 well, you will already have built the foundations for several high-risk obligations.

Article 17 Quality Management System

Article 17 requires high-risk AI providers to maintain a quality management system covering data quality, design choices, risk management, testing, incident reporting, and staff competence. ISO/IEC 42001's Plan-Do-Check-Act cycle — Clauses 5 through 10 — maps closely to this. Your AI governance policy, management review records, and internal audit trail are exactly what Article 17 asks for. In practice, an organisation that has implemented ISO/IEC 42001 seriously will already have most of the Article 17 infrastructure in place; the remaining work is documenting it to Annex IV specifics.

Article 9 Risk Management System

Article 9 requires providers of high-risk systems to establish, implement, document, and maintain a risk management system throughout the system's lifecycle — identifying risks, estimating and evaluating them, and adopting risk-management measures. ISO/IEC 42001 Clause 6.1 (Planning for risks and opportunities) and Annex A controls A.6.1 and A.6.2 (AI risk assessment and treatment) do this at the process level. The standard won't give you the Act's exact risk categories automatically, but its risk assessment methodology is a strong foundation. Layer the Article 9 requirements (continuous, lifecycle-spanning, documented) on top of what you already have.

Article 10 Data and Data Governance

Article 10 requires training, validation, and test data to be relevant, representative, free of errors where possible, and subject to appropriate data governance practices — including bias examination. ISO/IEC 42001 Annex A controls A.8.1 through A.8.4 cover data quality management, use of data, and data provenance. If you have built these controls, your Article 10 work is substantially documented; fill in any gaps in bias examination records and dataset characteristic documentation.

Article 72 Post-Market Monitoring

Article 72 requires providers to actively collect and review data on high-risk system performance after deployment, proportionate to the nature of the risk. ISO/IEC 42001 Clause 9.1 (Monitoring, measurement, analysis, and evaluation) and Clause 10 (Improvement) establish exactly this kind of ongoing review loop. Performance records, non-conformity logs, and corrective-action records from your AIMS double as Article 72 evidence.


Where ISO/IEC 42001 Leaves Gaps the Act Fills

These are the areas where the standard does not — and cannot — substitute for the Act's specific requirements.

Classification under Article 6 and Annex III

ISO/IEC 42001 asks you to assess and document the risks of your AI systems. It does not tell you whether a specific system is legally classified as high-risk under the EU AI Act. That determination comes from Article 6 read together with Annex III (and Annex I for product-embedded AI). A biometric categorisation tool, a recruitment-screening system, or a creditworthiness model falls in Annex III regardless of how mature your AIMS is. Classification is a legal question, not a governance-maturity question. You must work through it separately — and providers who believe their Annex III system is exempt under the Article 6(3) filter must document that assessment and register it regardless.

The Conformity Assessment under Article 43

This is the most important gap. Article 43 requires providers of high-risk AI systems to complete a conformity assessment — either an internal conformity assessment based on Annex VI (for most Annex III categories, points 2–8) or a notified-body assessment based on Annex VII (required for biometrics under point 1, where harmonised standards have not been applied). Conformity assessment involves testing the system against the technical requirements of Articles 9–15, assembling the Annex IV technical file, and generating the Article 47 Declaration of Conformity.

An ISO/IEC 42001 certificate says your management system is sound. It does not stand in for the Article 43 process. No certification body auditing against ISO/IEC 42001 is evaluating your specific system against Annex IV. If you have an AI system in the Annex III list and you want to place it on the EU market after 2 December 2027, you need to complete Article 43 — the certificate alone will not get you there.

That said, a well-run AIMS helps. Your ISO/IEC 42001 documentation — governance records, risk treatment plans, data quality evidence, internal audit results — feeds directly into the Annex IV technical file. The conformity assessment becomes less burdensome, not unnecessary.

The Technical Documentation File (Article 11, Annex IV)

Article 11 requires providers to draw up technical documentation before placing a high-risk system on the market, maintained in accordance with Annex IV. Annex IV specifies nine categories of content: a general description of the system and its intended purpose; a description of design elements and development process; information about training, validation, and testing data; a description of monitoring, functioning, and control procedures; risk management measures; changes over the system's lifecycle; performance metrics and testing results; basic cybersecurity measures; and a post-market monitoring plan.

ISO/IEC 42001 generates internal documentation — policies, procedures, records, audit reports. That is useful input. But the Annex IV technical file is a product-facing document about a specific AI system, not an organisation-level management system record. You build the file per system, per the Act's nine categories, and it must be retained for ten years under Article 18.

CE Marking, Registration, and Declaration of Conformity (Articles 47, 48, 49)

Once a provider completes the Article 43 conformity assessment, three further steps are required: drawing up the EU Declaration of Conformity (Article 47, using the format in Annex V), affixing the CE marking (Article 48), and registering the system in the EU database before placing it on the market (Article 49). ISO/IEC 42001 has no equivalent steps. These are regulatory formalities unique to the EU product-law framework the Act borrows from. They must be completed regardless of what management system standard you hold.

Article 49 Registration

All providers of high-risk systems must register them in the EU database for AI systems established under Article 71 — before market placement. This is a regulatory filing obligation. ISO/IEC 42001 includes no such requirement.

Article 50 Transparency Disclosures

Article 50 requires certain AI systems to disclose their AI nature to users: chatbots must notify users they are interacting with an AI system; systems generating synthetic content (audio, video, images, text) must label it as AI-generated; emotion-recognition and biometric-categorisation systems must inform the people they process. These obligations apply from 2 August 2026. ISO/IEC 42001 Annex A control A.9.3 (Transparency for third parties) touches transparency as a governance principle, but it does not produce the user-facing disclosures Article 50 requires.


The One-Line Summary of What ISO 42001 Does and Does Not Do

ISO/IEC 42001 builds the governance infrastructure — the quality management system (Article 17), the risk management process (Article 9), the data governance framework (Article 10), the monitoring loop (Article 72) — and produces audit-ready evidence across all of these. It does not classify your systems under the Act, complete the Article 43 conformity assessment, generate the Annex IV technical file, issue the Declaration of Conformity, affix CE marking, or register your system in the EU database. For high-risk providers, ISO/IEC 42001 is a strong foundation that compresses the compliance work; it is not the compliance itself.


How Confir Helps

Confir cross-maps its deterministic control framework to ISO/IEC 42001 Annex A controls alongside the EU AI Act, so organisations working toward both frameworks build their evidence once. Three specific points of intersection:

The AIGM module (Governance & Post-Market Monitoring) maps Article 9 risk management and Article 72 monitoring requirements to ISO/IEC 42001 Clause 6.1 and Clause 9.1 — meaning the same structured assessment builds the ISO evidence base and the Act's risk management system documentation simultaneously.

The AITR module (Data & Technical Robustness) covers Article 10 data governance and Article 11 / Annex IV technical documentation. The output is an Annex IV-compliant technical file ready for the Article 43 conformity assessment — the step that ISO/IEC 42001 does not perform but that your AIMS documentation feeds.

The AIRC module (Risk Classification & Compliance) handles the step ISO/IEC 42001 cannot: classifying your system under Article 6 and Annex III through plain-English checklists, deriving your role (provider under Article 16, deployer under Article 26), and identifying whether Article 43 internal self-assessment (Annex VI) or a notified body (Annex VII) applies. This is where the two frameworks' jurisdictions diverge most sharply — and where Confir's rule-based engine fills the gap.


Frequently Asked Questions

Does ISO/IEC 42001 certification make our AI system EU AI Act-compliant?

No. ISO/IEC 42001 is a voluntary management system standard. The EU AI Act is binding law. A certificate demonstrates that your AI governance processes are systematic and auditable — which is genuinely useful — but it does not substitute for the Article 43 conformity assessment, the Annex IV technical documentation file, CE marking (Article 48), or registration (Article 49). A well-run AIMS compresses the work; it does not complete it.

What does ISO/IEC 42001 actually cover for EU AI Act purposes?

ISO/IEC 42001 supports the Article 17 quality management system, the Article 9 risk management process, Article 10 data governance practices, and the Article 72 post-market monitoring loop. Its 38 Annex A controls produce governance documentation that feeds directly into the Annex IV technical file. Where the standard helps most is in creating audit-ready evidence that a competent authority or notified body can interrogate — reducing, not eliminating, the conformity-assessment burden.

What does the EU AI Act require that ISO/IEC 42001 doesn't address?

Classification of your systems under Article 6 and Annex III; the Article 43 conformity assessment; the Annex IV technical documentation file (nine mandatory categories, retained ten years under Article 18); the Article 47 EU Declaration of Conformity; CE marking under Article 48; registration in the EU database under Article 49; and user-facing transparency disclosures under Article 50. These are statutory requirements with legal consequences — fines up to €15 million or 3% of worldwide turnover (Article 99) for providers who fail to meet them.

Can ISO/IEC 42001 replace a notified body assessment under Article 43?

No. For most Annex III categories (points 2–8), providers complete an internal conformity assessment based on Annex VI. For biometric systems under Annex III point 1 — where no harmonised standard has been applied — Article 43 requires a notified body. An ISO/IEC 42001 certificate is not a notified-body opinion and cannot substitute for one. It may, however, reduce the scope of the notified body's assessment by demonstrating pre-existing governance rigour.

Which ISO/IEC 42001 controls map most directly to the EU AI Act's high-risk obligations?

The closest mappings: A.6.1–A.6.2 (risk assessment and treatment) to Article 9; A.8.1–A.8.4 (data governance and quality) to Article 10; A.9.3 (transparency) to Article 13; A.9.5 (human oversight) to Article 14; Clause 9.1 (monitoring) to Article 72; Clauses 5–10 overall to the Article 17 quality management system. Gaps exist in each: the standard requires the process; the Act specifies what the process must produce and what must be filed externally.

What is the deadline for high-risk EU AI Act compliance?

Under the Digital Omnibus agreed in May 2026, stand-alone high-risk AI systems listed in Annex III must comply by 2 December 2027. High-risk AI systems embedded as safety components of Annex I regulated products must comply by 2 August 2028. ISO/IEC 42001 has no regulatory deadline — certification is voluntary and can be pursued at any time, but starting the AIMS implementation now means the evidence base is in place well before the Act's deadlines arrive.

Should we pursue ISO/IEC 42001 certification before or after completing EU AI Act compliance?

The two workstreams can and should run in parallel. ISO/IEC 42001 implementation builds the governance infrastructure that feeds the Annex IV technical file and the Article 43 conformity assessment. Starting early means the documentation exists when you need it. The risk in sequencing ISO first and Act second is that you build a management system without the Act's specific technical requirements in view and then have to retrofit — inefficient and sometimes disruptive. Build both together.

