
After reading this, you’ll understand exactly what ISO 42001 gives you, what it doesn’t, how much of the EU AI Act it covers, and whether the certification is worth the investment for your organisation.
I get asked this question at least twice a week: “If we get ISO 42001 certified, are we compliant with the EU AI Act?”
The short answer is no.
The longer answer is: no, but ISO 42001 gets you maybe 60-70% of the way there, and that remaining 30-40% is exactly the part that trips organisations up. It’s also the part that most consultants selling you ISO 42001 certification conveniently forget to mention.
Let me explain by starting with what each one actually is, because the confusion usually starts at the most basic level.
What Each One Actually Is
ISO 42001
What it is: An international standard for AI management systems (AIMS), published by ISO/IEC in December 2023.
Legal status: Voluntary. Nobody forces you to adopt it. You can choose to get certified by an accredited body, or simply implement it internally.
Scope: Any organisation that develops, provides, or uses AI systems, anywhere in the world.
Approach: Management system standard (like ISO 27001 or ISO 9001). Establishes policies, processes, roles, and continuous improvement cycles for AI governance.
Bottom line: It tells you how to govern AI responsibly. It’s a framework for building good AI management practices.
EU AI Act
What it is: A binding EU regulation (2024/1689) that classifies AI systems by risk and imposes specific legal obligations.
Legal status: Mandatory for anyone placing AI on the EU market or deploying AI in the EU. Violations carry penalties up to €35M or 7% of global turnover.
Scope: All AI systems in the EU market, with specific obligations based on risk classification (prohibited, high-risk, limited-risk, minimal-risk).
Approach: Prescriptive legal requirements. Specific articles telling you exactly what you must do for each risk category.
Bottom line: It tells you what the law requires. It’s a set of legal obligations with enforcement mechanisms.
See the fundamental difference? ISO 42001 is a “how” framework. The EU AI Act is a “what” regulation. ISO 42001 helps you build good AI governance practices. The EU AI Act tells you what the law demands. They operate at different levels - one is about process and management maturity, the other is about specific legal compliance.
Where ISO 42001 Helps With AI Act Compliance
The 60-70% you get “for free”
Let me be fair to ISO 42001. If you implement it well, you build a solid foundation that makes AI Act compliance significantly easier. Here’s where the overlap is strongest:
Risk management framework
ISO 42001 requires a systematic approach to identifying, assessing, and treating AI-related risks (Clause 6.1). The AI Act requires a risk management system for high-risk AI (Article 9). The ISO standard gives you the process and structure; the AI Act tells you the specific risks you must address. An organisation with a mature ISO 42001 risk management process can adapt it to meet Article 9 requirements with targeted additions.
Governance and accountability
ISO 42001 Clause 5 requires leadership commitment, policy definition, and clear roles and responsibilities for AI governance. The AI Act requires that providers have a quality management system (Article 17) with accountability structures. Again, the ISO standard builds the governance skeleton; the AI Act adds specific obligations to it.
Documentation practices
ISO 42001 Clause 7.5 requires documented information for the AI management system. The AI Act requires technical documentation per Annex IV. An organisation that’s disciplined about documentation under ISO 42001 will find the Annex IV requirements demanding but not culturally alien.
Continuous improvement
ISO 42001’s Plan-Do-Check-Act cycle (Clause 10) aligns with the AI Act’s requirement for post-market monitoring (Article 72) and ongoing risk management. Both expect that AI governance isn’t a one-time project but a continuous process.
Impact assessment approach
ISO 42001 Annex B includes AI impact assessments considering societal impacts, fairness, and ethical considerations. The AI Act’s fundamental rights impact assessment (Article 27) is more prescriptive, but if you’re already doing impact assessments under ISO 42001, you have the methodology. You just need to add the specific EU legal requirements.
Where ISO 42001 Falls Short
The 30-40% that will trip you up
Here’s where the “ISO 42001 means AI Act compliance” argument breaks down. The AI Act has specific legal requirements that ISO 42001 simply doesn’t address, because it was designed as a management system standard, not as a legal compliance tool.
Gap 1: Risk classification
The AI Act’s four-tier risk classification (prohibited, high-risk, limited-risk, minimal-risk) is a legal construct. ISO 42001 doesn’t classify AI systems this way. You can be ISO 42001 certified and still have no idea whether your AI systems are “high-risk” under Annex III. The classification determines which obligations apply, so getting it wrong means you’re either over-complying (expensive) or under-complying (dangerous).
Gap 2: Conformity assessment
The AI Act requires a formal conformity assessment for high-risk AI systems (Article 43), following either Annex VI (internal) or Annex VII (third-party). ISO 42001 certification is a management system audit - it assesses your processes, not your individual AI systems. They are procedurally and legally distinct. ISO 42001 certification does not constitute a conformity assessment under the AI Act.
Gap 3: Technical documentation specificity
ISO 42001 requires documented information, but it doesn’t prescribe the specific contents the way Annex IV does. The AI Act wants architecture descriptions, training data details, performance metrics, validation results, and monitoring procedures at a level of specificity that goes beyond what ISO 42001 demands. Having “documentation practices” is different from having “Annex IV-compliant technical documentation.”
Gap 4: EU database registration
High-risk AI systems must be registered in the EU public database (Article 49). This is a pure regulatory obligation with no ISO 42001 equivalent. You must create a database entry with specific information about each high-risk system before it’s placed on the market.
Gap 5: Transparency obligations
The AI Act requires that users know when they’re interacting with an AI system (Article 50), that deployers of high-risk AI inform affected individuals, and that certain AI-generated content is marked as such. ISO 42001 addresses transparency as a principle, but doesn’t prescribe these specific disclosure requirements.
Gap 6: Prohibited practices
The AI Act outright bans certain AI applications (social scoring, certain biometric uses, manipulation techniques). ISO 42001 doesn’t prohibit anything - it provides a management framework. An ISO 42001-certified organisation could theoretically be governing a prohibited AI practice with excellent documentation and oversight. That wouldn’t make it legal.
Gap 7: Enforcement and penalties
ISO 42001 non-conformity means you don’t get (or keep) your certificate. AI Act non-compliance means fines up to €35M or 7% of global turnover, potential market withdrawal orders, and public enforcement actions. The stakes are categorically different.
So Do You Need Both?
It depends on who you are and what you’re trying to achieve. Let me give you three scenarios:
Scenario 1: EU financial institution with high-risk AI
Do you need the AI Act? Yes. It’s law. Not optional.
Do you need ISO 42001? Not legally. But it gives you the management system foundation that makes AI Act compliance sustainable. Without it (or something equivalent), you’ll comply on paper and fail in practice within a year as your AI systems evolve and your documentation drifts.
My recommendation: Implement ISO 42001 principles (you don’t necessarily need formal certification), then add the AI Act-specific requirements on top.
Scenario 2: AI vendor selling to EU financial institutions
Do you need the AI Act? Yes, if your AI system is high-risk.
Do you need ISO 42001? Strategically, yes. ISO 42001 certification is becoming a procurement requirement. EU financial institutions subject to the AI Act need to demonstrate that their AI providers have robust governance. ISO 42001 is the shorthand proof.
My recommendation: Get certified. It’s a competitive differentiator and demonstrates maturity to potential customers.
Scenario 3: Organisation outside the EU
Do you need the AI Act? Only if you place AI systems on the EU market or if your AI’s output is used in the EU.
Do you need ISO 42001? It depends on your risk appetite and market ambitions. If you plan to expand into EU markets, ISO 42001 gives you a head start. If you’re purely domestic with no EU exposure, the AI Act doesn’t apply, but ISO 42001 is still good practice.
My recommendation: ISO 42001 for governance maturity; add AI Act compliance when EU market entry is planned.
The Harmonised Standards Question
There’s one more dimension that makes this relationship interesting. The EU AI Act (Article 40) allows the European Commission to request harmonised standards from European standardisation organisations (CEN, CENELEC). When a standard is harmonised, compliance with that standard creates a “presumption of conformity” with the corresponding AI Act requirements.
As of March 2026, ISO 42001 is not a harmonised standard under the AI Act. The European Commission has requested harmonised standards from CEN/CENELEC, and those standards are under development, but they’re not ISO 42001. They’re new European standards that will be specifically mapped to AI Act requirements.
What does this mean practically?
- ISO 42001 certification does not create a presumption of AI Act conformity.
- Future CEN/CENELEC harmonised standards likely will create such a presumption, but they’re not ready yet.
- Those future harmonised standards will likely reference or incorporate elements of ISO 42001, since international standards inform European standardisation work.
- So ISO 42001 gives you a head start on whatever the harmonised standards will eventually look like, without giving you legal shortcut status today.
It’s a reasonable bet. Just not a legal guarantee.
A Practical Mapping: ISO 42001 Clause to AI Act Article
For teams that want to see exactly where the overlap and gaps are, here’s a condensed mapping:
| ISO 42001 Area | AI Act Equivalent | Coverage | What’s Missing |
|---|---|---|---|
| Risk management (6.1) | Art. 9 | Good | Art. 9 specifies testing against “preliminarily defined metrics”; ISO 42001 is less prescriptive |
| Leadership & governance (5) | Art. 17 QMS | Good | Art. 17 lists 12 specific QMS elements; ISO 42001 is broader but less specific |
| Documentation (7.5) | Annex IV | Partial | Annex IV is far more prescriptive; ISO 42001 documentation practices alone won’t satisfy it |
| Impact assessment (Annex B) | Art. 27 FRIA | Partial | Art. 27 requires specific fundamental rights analysis; ISO 42001 covers broader ethical impacts |
| Data management (Annex B.3) | Art. 10 | Partial | Art. 10 requires detailed bias testing, representativeness analysis, proxy discrimination checks |
| Monitoring (9.1, 10) | Art. 72 | Good | Art. 72 adds specific post-market monitoring plan requirements |
| N/A | Art. 43 Conformity | Gap | No ISO 42001 equivalent. Requires separate Annex VI/VII assessment process |
| N/A | Art. 49 Registration | Gap | Pure regulatory obligation; no standard equivalent |
| N/A | Art. 50 Transparency | Gap | Specific user-facing disclosure obligations not in ISO 42001 |
| N/A | Art. 5 Prohibitions | Gap | ISO 42001 governs AI practices; it doesn’t prohibit any |
The Smart Approach: Use ISO 42001 as Your Foundation
If I were advising a financial institution today, here’s what I’d say:
Don’t choose between them. They’re not alternatives. ISO 42001 is the management system that makes AI Act compliance sustainable. The AI Act is the legal obligation you must meet. Together, they give you both the governance infrastructure (ISO 42001) and the specific compliance targets (AI Act).
Implement ISO 42001 first (or concurrently). Build the management system, the risk management process, the documentation practices, and the governance structure. Then layer on the AI Act’s specific requirements: risk classification, conformity assessment, Annex IV documentation, registration, transparency obligations.
Don’t assume certification covers compliance. ISO 42001 certification proves you have good AI governance processes. It doesn’t prove you meet the AI Act’s specific legal requirements. Your market surveillance authority will want to see conformity assessment documentation, not your ISO certificate.
Track both in one system. This is where compliance platforms add genuine value. Managing ISO 42001 controls and AI Act requirements in separate spreadsheets is a recipe for gaps and contradictions. A platform like Venvera, which supports 13 regulatory frameworks including the EU AI Act and ISO standards, lets you map the relationship between your management system controls and your legal obligations in one place - so when you update a risk assessment, the impact on both ISO 42001 and the AI Act is visible.
The Bottom Line
ISO 42001 and the EU AI Act are not the same thing. They’re not interchangeable. ISO 42001 is a voluntary management system standard that helps you govern AI well. The EU AI Act is a binding regulation that tells you what the law requires.
ISO 42001 gives you roughly 60-70% of the foundation you need for AI Act compliance. The remaining 30-40% - risk classification, conformity assessment, specific documentation formats, EU database registration, transparency disclosures, prohibited practices awareness - must be addressed separately.
Do you need both? If you have high-risk AI systems in the EU, you must comply with the AI Act. You should implement ISO 42001 (or at least its principles) because it gives you the governance backbone that makes sustained compliance possible rather than performative.
The organisations that get this right are the ones that see ISO 42001 and the AI Act not as competing demands, but as complementary pieces of the same AI governance puzzle. One gives you the process. The other gives you the requirements. You need both pieces to see the full picture.
Manage ISO 42001 and the AI Act in One Place
Venvera supports 13 regulatory frameworks with cross-framework mapping - see where your ISO controls satisfy AI Act requirements and where gaps remain. Starting at €399/month, hosted in Amsterdam.
Last updated: March 2026. ISO 42001 was published in December 2023 by ISO/IEC. The EU AI Act (Regulation 2024/1689) was published in the Official Journal in July 2024. Harmonised standards under the AI Act are under development by CEN/CENELEC.

