Skip to main contentChat with us
Chat with us

ISO/IEC 42001 · EU AI Act Mapping

ISO 42001 & the EU AI Act:
How the Controls Map

The EU AI Act is binding law; ISO 42001 is the management system that helps you meet it in a structured, auditable way. This guide maps the Act's high-risk obligations to ISO 42001 controls — and is honest about what certification does and does not prove.

2 Aug 2026Art. 50 transparency + GPAI enforcement
2 Dec 2027Annex III high-risk (post-omnibus)
13Obligations mapped to controls

ISO/IEC 42001:2023 · AI Management System · Last reviewed July 2026

Law vs. Management System

One is the law. The other is how you run to it

The EU AI Act (Regulation (EU) 2024/1689) sets legal obligations for AI placed on or used in the EU market. ISO/IEC 42001 is a voluntary standard for an AI Management System. They are not the same thing — but they fit together unusually well, because the Act's high-risk requirements read like a control list, and ISO 42001 is that control list operationalized.

The honest position: certifying to ISO 42001 will not, on its own, make you legally compliant with the Act. What it does is give you a documented, audited governance program that satisfies most of the Act's expectations and produces the evidence regulators and enterprise buyers ask for — well ahead of the EU's own harmonized standards.

Unacceptable
Prohibited

Practices banned outright — e.g. social scoring by public authorities, untargeted facial-image scraping, and certain manipulative or exploitative systems.

High-risk
Strict obligations

AI in regulated products (Annex I) or sensitive use cases (Annex III: employment, credit, education, critical infrastructure, biometrics, law enforcement). The bulk of the Act applies here.

Limited risk
Transparency

Systems that interact with people or generate content must disclose AI use and label synthetic media (deepfakes, AI text in the public interest).

Minimal risk
No obligations

The vast majority of AI — spam filters, recommendation engines, game AI. Voluntary codes of conduct only.

Enforcement Timeline

When the obligations switch on

The Act phases in over four years — and the schedule changed in May 2026, when the digital-omnibus agreement (provisional, with formal adoption expected before August 2026) deferred the high-risk deadlines. Every summary written before May 2026 shows the old dates; this is the current picture.

1 Aug 2024

Regulation (EU) 2024/1689 enters into force.

2 Feb 2025

Prohibitions on unacceptable-risk AI and AI-literacy duties apply.

2 Aug 2025

Obligations for general-purpose AI (GPAI) models (Articles 51–56) and the governance framework apply.

2 Aug 2026

Article 50 transparency obligations apply (disclose AI interaction, label synthetic media), and the Commission’s GPAI enforcement powers begin. High-risk obligations do NOT switch on this day — the digital omnibus deferred them (below).

2 Dec 2026

End of the watermarking grace period: Article 50(2) marking of AI-generated content applies to systems placed on the market before 2 August 2026.

2 Dec 2027

High-risk obligations for Annex III use cases apply (deferred from 2 Aug 2026 by the May 2026 digital-omnibus agreement).

2 Aug 2028

High-risk obligations for AI embedded in regulated products (Annex I) apply (deferred from 2 Aug 2027).

The Mapping

High-risk obligations, control by control

Each row pairs an EU AI Act obligation (by article) with the ISO 42001 clause or Annex A control that operationalizes it. Build the AIMS well and you have most of the evidence a high-risk conformity assessment will ask for.

AI ActObligationISO 42001 clause / control
Art. 9Risk management systemClause 6 (planning) + A.5 (impact assessment) + A.6 (lifecycle) — a continuous, documented AI risk process.
Art. 10Data and data governanceA.7 — data quality, acquisition, provenance, and preparation for training and operational data.
Art. 11Technical documentationA.6.2.7 — technical documentation maintained across the AI lifecycle.
Art. 12Record-keeping / loggingA.6.2.8 — automatic recording of event logs for traceability.
Art. 13Transparency & information to deployersA.8 — system documentation and information for users and interested parties.
Art. 14Human oversightA.9 — responsible, intended-purpose use with effective human oversight.
Art. 15Accuracy, robustness, cybersecurityA.6.2.4 / A.6.2.6 — verification, validation, and operational monitoring.
Art. 17Quality management systemThe AIMS itself — clauses 4–10 of ISO 42001 provide the QMS backbone.
Art. 26Obligations of deployersA.9 — processes and objectives for the responsible use of AI systems.
Art. 50Transparency for AI-generated content (applies 2 Aug 2026)A.8 — disclosure to users that they are interacting with AI, plus system reporting/communication duties; marking of synthetic content per Art. 50(2).
Art. 53GPAI model documentation (in force since Aug 2025)A.6.2.7 (technical documentation) + A.7.5 (data provenance) — model documentation, training-data summary, and downstream information.
Art. 72Post-market monitoringA.6.2.6 — operation and monitoring, including drift detection.
Art. 73Reporting of serious incidentsA.8.4 — communication of incidents to interested parties.

Article references are to Regulation (EU) 2024/1689 (the EU AI Act). Mapping is indicative and provided for planning; it is not legal advice and does not assert conformity. Consult qualified counsel for an Act conformity assessment.

Read This Before You Cite It

What certification does and does not prove

ISO 42001 gives you

  • A documented, independently audited AI governance program.
  • Evidence aligned to most high-risk obligations (Art. 9–15, 17).
  • A head start before EU harmonized standards are finalized.
  • Credibility in enterprise procurement and with regulators.

It does not give you

  • A legal presumption of conformity (ISO 42001 is not a harmonized standard as of 2026).
  • A substitute for the Act's required conformity assessment for high-risk systems.
  • Coverage of obligations the Act places outside an AIMS (e.g. registration, CE marking).
  • Legal advice — confirm scope and obligations with qualified counsel.

Want the management system that carries this evidence? Start with the AI governance guide, scope your obligations with the risk & impact assessment, and see the Annex A controls behind each mapped row.

Frequently Asked Questions

What teams ask when EU AI Act exposure first lands on the roadmap.

Does ISO 42001 certification make me compliant with the EU AI Act?

Not automatically. The EU AI Act is law and ISO 42001 is a voluntary management-system standard. Certification demonstrates that you run a systematic, audited AI governance program and satisfies much of what the Act expects — risk management, data governance, technical documentation, logging, transparency, human oversight, and a quality management system. But conformity with the Act is assessed against the Act itself (and, in time, against harmonized standards), so certification is strong supporting evidence rather than a legal guarantee of compliance.

Is ISO 42001 a harmonized standard under the EU AI Act?

As of 2026, no. Harmonized standards that grant a presumption of conformity are being developed by the European standards bodies CEN and CENELEC (technical committee JTC 21) at the request of the European Commission. ISO/IEC 42001 is an influential international standard and overlaps heavily with the Act, but it is separate from the EU harmonized standards. Confirm the current status before relying on any standard for a presumption of conformity, as this area is evolving.

When do EU AI Act obligations take effect?

The Act entered into force on 1 August 2024 and phases in: prohibitions and AI-literacy duties from 2 February 2025; GPAI model obligations (Articles 51–56) from 2 August 2025; Article 50 transparency obligations and the Commission’s GPAI enforcement powers from 2 August 2026. The high-risk deadlines were deferred by the May 2026 digital-omnibus agreement: Annex III use cases now apply from 2 December 2027, and AI embedded in regulated products (Annex I) from 2 August 2028. Watermarking of AI-generated content under Article 50(2) applies to pre-August-2026 systems from 2 December 2026.

Did the EU delay the AI Act — and what still applies on 2 August 2026?

Partially. On 6 May 2026 the Council and Parliament reached a provisional political agreement (the "digital omnibus") deferring the high-risk application dates — Annex III to 2 December 2027 and Annex I embedded AI to 2 August 2028 — with formal adoption expected before August 2026. What was NOT delayed: 2 August 2026 still brings Article 50 transparency obligations (telling people they are interacting with AI, labelling synthetic media) and the start of the Commission’s enforcement powers over general-purpose AI models, whose substantive obligations have applied since August 2025. Treat the extra time on high-risk as build time for governance, not a reprieve.

Does the EU AI Act apply to companies outside the EU?

Yes, it can. The Act has extraterritorial reach: it applies to providers placing AI systems on the EU market regardless of where they are established, and to providers and deployers outside the EU where the output of the AI system is used in the EU. A company established outside the EU that serves EU customers can therefore fall in scope — which is why early AI governance, evidenced through ISO 42001, is a practical hedge.

What counts as a high-risk AI system?

Two routes. First, AI used as a safety component of, or itself a, product covered by EU product-safety legislation listed in Annex I. Second, AI used in the sensitive areas listed in Annex III — including employment and worker management, access to education, creditworthiness and essential services, biometric identification, critical infrastructure, and law enforcement. High-risk systems carry the full obligations of Articles 9–15 and a conformity assessment before going to market.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations