What ISO/IEC 42001 Does Not Cover for EU AI Act Compliance
An ISO 42001 certificate is not EU AI Act compliance. See the gaps 42001 leaves — Article 43 conformity, Annex IV, CE marking — and the EUR 35M penalty floor.
A short answer first: an ISO/IEC 42001 certificate is not EU AI Act compliance. ISO/IEC 42001:2023 is a voluntary AI management system standard; Regulation (EU) 2024/1689 — the EU AI Act — is binding law. A certificate proves your AI governance is systematic and auditable. It does not perform the conformity assessment that Article 43 demands, produce the technical file that Annex IV specifies, or discharge a single statutory obligation on a specific high-risk system.
This matters because the two frameworks are easy to conflate. Both speak the language of risk, data governance, and oversight. But ISO/IEC 42001 is a management-system standard — it certifies process — while the Act imposes system-level legal duties that do not map one-to-one onto a management-system clause. No certification body audits your specific AI system against Annex IV or runs the Article 43 assessment.
The productive way to read this page: treat ISO/IEC 42001 as scaffolding that compresses the work, then close the named statutory gaps separately. For the wider picture, see the ISO 42001 overview and the full ISO 42001 vs the EU AI Act comparison. Below, the gaps are named one by one.
The Short Answer: A 42001 Certificate Is Not AI Act Compliance
ISO/IEC 42001:2023 is a certifiable AI management system (AIMS) standard built on the Plan-Do-Check-Act cycle and continual improvement. It tells you how to govern AI as an organisation. The EU AI Act tells you what a specific system must legally do before it reaches the market.
Management-system standard vs binding regulation
A management-system standard certifies that you have policies, a risk process, internal audits, and a review loop. That is real and valuable. But the Act's obligations are attached to the system itself — its classification, its technical documentation, its conformity assessment — not to the maturity of the programme that surrounds it. Certification is complementary: it can supply evidence toward some obligations, but it is not a legal conformity route.
Why a certificate cannot discharge a legal obligation
No ISO/IEC 42001 certification body evaluates your specific system against Annex IV, and no certificate is a notified-body opinion. An enforcement authority assesses the system against the Act's text, not against your AIMS scope statement. So the certificate cannot, by construction, discharge an Article 43, Article 47, or Article 49 duty. It compresses the work; it does not complete it.
Coverage at a Glance: What 42001 Covers vs the Gap
The table below is the anchor asset of this page: it converts the broad comparison into an actionable gap register. Read each row as a verdict on a single EU AI Act obligation.
How to read 'Partial' vs 'Not covered'
Partial means ISO/IEC 42001 builds reusable evidence toward the obligation — process architecture you can point a notified body or authority to. Not covered means the standard has no equivalent mechanism at all; you start from zero. Neither verdict means "done": even a Partial obligation needs the Act's system-level outcome layered on top.
The eight high-risk requirements (Articles 9-15) in one view
| EU AI Act requirement | Covered by ISO/IEC 42001 | Gap that remains |
|---|---|---|
| Risk classification (Art 6 / Annex III) | Not covered | A legal determination 42001 never makes |
| Risk management system (Art 9) | Partial | Clause 6.1 / Annex A controls give process, not the Act's lifecycle outcome |
| Data governance (Art 10) | Partial | Bias-examination records and dataset characteristics are system-specific |
| Technical documentation (Art 11 / Annex IV) | Partial | AIMS produces internal docs, not the per-system Annex IV file |
| Record-keeping & logs (Art 12) | Partial | Automatic logging over the lifetime is a system-design duty |
| Transparency to deployers (Art 13) | Partial | The Act specifies measurable instructions-for-use content |
| Human oversight (Art 14) | Partial | Design-level oversight measures, not a governance principle |
| Accuracy & robustness (Art 15) | Not covered | A technical-performance requirement the standard does not test |
| Conformity assessment & CE marking (Art 43, Art 48) | Not covered | No 42001 body runs Annex VI/VII or affixes CE marking |
| EU Declaration of Conformity (Art 47) | Not covered | No equivalent regulatory instrument |
| EU database registration (Art 49) | Not covered | No equivalent filing |
| FRIA (Art 27) | Partial | AIMS impact assessment overlaps but is not legally substitutable |
| Art 50 transparency (chatbots, synthetic-content marking) | Not covered | No user-facing disclosure mechanism |
| AI literacy (Art 4) | Partial | Clause 7 competence provides structure, not the legal duty |
| Penalties (Art 99) | N/A | A certificate is no defence to a fine |
The pattern is consistent: where the requirement is a process, 42001 helps. Where it is a legal determination, a system-level outcome, or a regulatory formality, the standard stops short.
Gap 1: Legal Risk Classification (Article 6 and Annex III)
ISO/IEC 42001 asks you to assess and document AI risk. It does not tell you whether a system is legally high-risk. That is decided by Article 6 read together with Annex III — and by Annex I for AI embedded in products covered by EU harmonisation law.
Why Annex III status is independent of your AIMS
A recruitment-screening tool, a creditworthiness model under Annex III point 5(b), or a biometric categorisation system is high-risk regardless of how mature your AIMS is. Classification is a legal question, not a governance-maturity question. A spotless certificate does not move a listed system out of Annex III.
The Article 6(3) non-high-risk filter is still your burden
A provider who believes a listed system is not high-risk may rely on the Article 6(3) filter — but must document that assessment and register it regardless. ISO/IEC 42001 contains no equivalent of this legal filter and produces none of the required documentation. Run a readiness assessment to perform the classification the standard omits.
Gap 2: The High-Risk Technical Requirements (Articles 9-15)
ISO/IEC 42001 gives process architecture for some of these requirements but never the per-system regulatory outcome the Act demands.
Process (42001) vs outcome (the Act)
For Article 9 risk management, ISO/IEC 42001 Clause 6.1 and the Annex A risk controls give you a method. The Act requires a continuous, lifecycle-spanning, documented risk management system that identifies known and reasonably foreseeable risks to health, safety, and fundamental rights for the specific system. The method is reusable; the documented system-level result is not produced by the standard. See the Article 9 risk management system for what that result must contain.
For Article 10 data governance, training, validation, and test data must be relevant, representative, and examined for bias. ISO/IEC 42001 data controls support the documentation, but the bias-examination evidence is system-specific and must be generated per model.
Article 11 / Annex IV: the file 42001 does not produce
Article 11 requires technical documentation drawn up in accordance with Annex IV — a product-facing file with prescribed content, retained for ten years under Article 18. The AIMS produces organisation-level records: policies, procedures, audit reports. It does not produce the per-system Annex IV file. You build the Annex IV technical file per system, against the Act's content list, drawing on AIMS evidence as input.
Articles 12-15: system-level duties with no AIMS equivalent
Article 12 requires high-risk systems to technically allow automatic recording of events (logs) over their lifetime — a system-design obligation, not a policy. Article 13 (transparency to deployers), Article 14 (human oversight), and Article 15 (accuracy, robustness, cybersecurity) are touched by Annex A governance controls, but the Act specifies measurable, system-level requirements that an auditor of the standard does not test against the regulation. The more closely you read Articles 12-15, the clearer it becomes that 42001 sets the principle while the Act sets the deliverable.
Gap 3: Market-Entry Formalities (Articles 43, 47, 48, 49)
This is the sharpest gap. ISO/IEC 42001 has no equivalent of any of the formalities that gate market entry for a high-risk system.
Article 43: internal (Annex VI) vs notified body (Annex VII)
Article 43 requires a conformity assessment before a high-risk system is placed on the market. The route depends on the category:
- Internal assessment under Annex VI — for most Annex III categories, the provider self-assesses against Articles 9-15 and assembles the Annex IV file.
- Notified body under Annex VII — required for biometrics under Annex III point 1 where harmonised standards have not been applied.
No ISO/IEC 42001 certification body assesses a specific system against Annex IV. A 42001 certificate is not a notified-body opinion and cannot substitute for one.
Declaration of Conformity, CE marking and EU database registration
After conformity assessment, three further regulatory steps follow, none of which the standard touches:
- Draw up the EU Declaration of Conformity (Article 47, format in Annex V).
- Affix the CE marking (Article 48) to indicate conformity.
- Register the system in the EU database (Article 49) before placing it on the market.
The caveat worth trusting: a well-run AIMS feeds the Annex IV file and so reduces the conformity-assessment burden — it does not remove the obligation. Certification lowers the cost of clearing the gate; it does not open the gate.
Gap 4: Rights, Transparency and Literacy Duties (Articles 27, 50, 4)
These duties sit partly outside the high-risk technical stack — and some apply far more broadly than high-risk systems.
The FRIA (Article 27) overlap and where it stops
Under Article 27, certain deployers must run a Fundamental Rights Impact Assessment (FRIA) — public bodies, and operators of credit-scoring and life/health-insurance systems under Annex III point 5(b) and 5(c). The ISO/IEC 42001 AI impact assessment is substantively similar, so much of the analytical work overlaps. But the FRIA has prescribed legal content and is not legally substitutable: the 42001 assessment alone does not discharge the Article 27 duty.
Article 50 disclosures and the new 2 December 2026 content-marking date
Article 50 requires user-facing disclosures the standard does not produce: chatbots must disclose AI interaction; emotion-recognition and biometric-categorisation systems must inform affected people; and providers must mark synthetic audio, image, video, and text as artificially generated. A fixed 2 December 2026 deadline applies to the content-marking obligations, alongside a new prohibition on CSAM-generating and image-based 'nudifier' systems. ISO/IEC 42001 Annex A transparency controls do not generate any of these disclosures.
Article 4 AI literacy as a standing obligation
Article 4 requires providers and deployers to ensure staff dealing with AI systems have a sufficient level of AI literacy — in force since 2 February 2025. ISO/IEC 42001 Clause 7 (competence and awareness) gives the management-system structure to deliver literacy, but the clause is not itself the legal obligation. Note that Articles 50 and 4 reach beyond high-risk systems, so even a company with no Annex III system can carry these duties.
Gap 5: Penalties - A Certificate Is No Defence (Article 99)
Article 99 sets statutory penalty tiers that apply regardless of any voluntary certification. A 42001 certificate may evidence diligence, but it does not cap a fine or discharge liability.
The three penalty tiers and what triggers each
| Trigger | Maximum penalty | Basis |
|---|---|---|
| Breaching the Article 5 prohibitions | EUR 35,000,000 or 7% of total worldwide annual turnover | Article 99(3) |
| Breaching most other obligations (incl. high-risk provider/deployer duties) | EUR 15,000,000 or 3% of total worldwide annual turnover | Article 99(4) |
| Supplying incorrect, incomplete or misleading information to authorities | EUR 7,500,000 or 1% of total worldwide annual turnover | Article 99(5) |
The third tier is 1% — not 1.5%. For most undertakings, whichever is higher, the percentage or the fixed figure, applies.
SME / start-up proportionality (Article 99(6))
For SMEs and start-ups, each fine is capped at the lower of the percentage or the fixed amount under Article 99(6) — a proportionality rule, not an exemption. The bottom line is unchanged: an enforcement authority assesses the specific system against the Act's obligations, and the certificate does not stand between you and the fine.
Timeline Caveat: What Is Law Today vs What Is Agreed
Dates are a trust asset on a page like this, so be precise. As of June 2026, the Digital Omnibus reached provisional political agreement on 6-7 May 2026, with COREPER text confirmed around 13 May 2026. It is agreed, not yet law — it still needs a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal.
Digital Omnibus: agreed but not yet in force
The Omnibus agreed to defer stand-alone high-risk Annex III obligations (Article 6(2)) from 2 August 2026 to 2 December 2027, and Annex I product-embedded high-risk (Article 6(1)) from 2 August 2027 to 2 August 2028. Until publication, the statute still reads 2 August 2026 for stand-alone Annex III high-risk. These are fixed calendar dates: the standards-contingent 'stop the clock' proposal was rejected, so the deferral is not tied to harmonised-standards availability.
Deadlines that did not change
Not everything moved. The Article 5 prohibitions have applied since 2 February 2025. GPAI obligations (Articles 51-55) have applied since 2 August 2025. Most Article 50 transparency is unchanged, with content-marking and the new CSAM/'nudifier' provisions at a fixed 2 December 2026 date. The practical takeaway: the deferral is not headroom. Building an AIMS, completing certification, and assembling the Annex IV pack typically takes close to a year, so the 42001-to-Act gap work should start now.
How Confir Helps
Confir cross-maps ISO/IEC 42001 Annex A controls to EU AI Act obligations so the evidence you build once serves both frameworks. The mapping is deterministic and rule-based — the same logic every time, no model inference, no hallucination, the same inputs producing the same findings.
Deterministic control-to-obligation mapping
Where the standard stops, Confir's rule-based engine fills the gap: legal classification under Article 6 and Annex III, role determination (provider vs deployer), the Annex IV technical file, the Article 27 FRIA, and identifying whether Article 43 routes you to an internal assessment (Annex VI) or a notified body (Annex VII). Each output is reproducible and traceable to the article it satisfies.
From coverage table to a system-level gap register
The recommended next step is to run a readiness assessment that converts the coverage table above into a system-by-system gap register, then build the Annex IV file from the AIMS evidence you already hold. If you are still scoping the certificate itself, the ISO 42001 certification guide covers the route. The message is the same throughout: certification compresses the work; it does not complete it.
Frequently Asked Questions
Does ISO 42001 certification make you EU AI Act compliant? No. ISO/IEC 42001 is a voluntary AI management system standard; the EU AI Act is binding law. A certificate shows your governance is systematic and auditable, but it does not perform the Article 43 conformity assessment, produce the Annex IV technical file, or register your system. It compresses the work — it does not complete it.
Is ISO 42001 enough for the EU AI Act? No. ISO 42001 builds the governance backbone — risk processes, data governance, monitoring — but it leaves named legal gaps: classification under Article 6 and Annex III, the Article 43 conformity assessment, CE marking (Article 48), EU database registration (Article 49), the FRIA (Article 27), and Article 50 disclosures. Each must be met separately for the specific system.
What does ISO 42001 not cover for high-risk AI systems? It does not classify a system as high-risk, complete the Article 43 conformity assessment, generate the Annex IV technical file, issue the Article 47 Declaration of Conformity, affix CE marking, or register the system under Article 49. It also does not produce the Article 50 user-facing transparency disclosures. The standard gives process; the Act demands per-system regulatory outcomes.
Can an ISO 42001 certificate replace the Article 43 conformity assessment? No. For most Annex III categories, Article 43 requires an internal assessment under Annex VI; for biometrics under Annex III point 1 without harmonised standards, a notified body under Annex VII is required. No 42001 certification body evaluates your specific system against Annex IV, and a certificate is not a notified-body opinion.
Does ISO 42001 cover the Article 27 FRIA? Partly. The ISO 42001 AI impact assessment is substantively similar to the Fundamental Rights Impact Assessment that qualifying deployers must run under Article 27, so much of the analytical work overlaps. But the FRIA has prescribed legal content and is not legally substitutable, so the 42001 assessment alone does not discharge the Article 27 obligation.
What are the EU AI Act penalties if you rely only on ISO 42001? A certificate is no defence to a fine. Penalties reach up to EUR 35 million or 7% of worldwide turnover for prohibited practices (Article 99(3)), EUR 15 million or 3% for most other obligations (Article 99(4)), and EUR 7.5 million or 1% for supplying incorrect or misleading information (Article 99(5)). SMEs and start-ups get the lower cap under Article 99(6).
When do high-risk EU AI Act obligations apply? As of June 2026 the statute still reads 2 August 2026 for stand-alone Annex III high-risk systems. The Digital Omnibus agreed in May 2026 to defer this to 2 December 2027 (and Annex I product-embedded AI to 2 August 2028), but it is not yet law — it still needs the Parliament vote, Council adoption, and Official Journal publication.
Related guides
- ISO 42001 overview
- ISO 42001 vs the EU AI Act
- ISO 42001 certification
- The Annex IV technical file
- The Article 9 risk management system
- A readiness assessment