ISO/IEC 42001 · EU AI Act Mapping
ISO 42001 & the EU AI Act:
How the Controls Map
The EU AI Act is binding law; ISO 42001 is the management system that helps you meet it in a structured, auditable way. This guide maps the Act's high-risk obligations to ISO 42001 controls — and is honest about what certification does and does not prove.
ISO/IEC 42001:2023 · AI Management System · Last reviewed July 2026
Law vs. Management System
One is the law. The other is how you run to it
The EU AI Act (Regulation (EU) 2024/1689) sets legal obligations for AI placed on or used in the EU market. ISO/IEC 42001 is a voluntary standard for an AI Management System. They are not the same thing — but they fit together unusually well, because the Act's high-risk requirements read like a control list, and ISO 42001 is that control list operationalized.
The honest position: certifying to ISO 42001 will not, on its own, make you legally compliant with the Act. What it does is give you a documented, audited governance program that satisfies most of the Act's expectations and produces the evidence regulators and enterprise buyers ask for — well ahead of the EU's own harmonized standards.
Practices banned outright — e.g. social scoring by public authorities, untargeted facial-image scraping, and certain manipulative or exploitative systems.
AI in regulated products (Annex I) or sensitive use cases (Annex III: employment, credit, education, critical infrastructure, biometrics, law enforcement). The bulk of the Act applies here.
Systems that interact with people or generate content must disclose AI use and label synthetic media (deepfakes, AI text in the public interest).
The vast majority of AI — spam filters, recommendation engines, game AI. Voluntary codes of conduct only.
Enforcement Timeline
When the obligations switch on
The Act phases in over four years — and the schedule changed in May 2026, when the digital-omnibus agreement (provisional, with formal adoption expected before August 2026) deferred the high-risk deadlines. Every summary written before May 2026 shows the old dates; this is the current picture.
Regulation (EU) 2024/1689 enters into force.
Prohibitions on unacceptable-risk AI and AI-literacy duties apply.
Obligations for general-purpose AI (GPAI) models (Articles 51–56) and the governance framework apply.
Article 50 transparency obligations apply (disclose AI interaction, label synthetic media), and the Commission’s GPAI enforcement powers begin. High-risk obligations do NOT switch on this day — the digital omnibus deferred them (below).
End of the watermarking grace period: Article 50(2) marking of AI-generated content applies to systems placed on the market before 2 August 2026.
High-risk obligations for Annex III use cases apply (deferred from 2 Aug 2026 by the May 2026 digital-omnibus agreement).
High-risk obligations for AI embedded in regulated products (Annex I) apply (deferred from 2 Aug 2027).
The Mapping
High-risk obligations, control by control
Each row pairs an EU AI Act obligation (by article) with the ISO 42001 clause or Annex A control that operationalizes it. Build the AIMS well and you have most of the evidence a high-risk conformity assessment will ask for.
| AI Act | Obligation | ISO 42001 clause / control |
|---|---|---|
| Art. 9 | Risk management system | Clause 6 (planning) + A.5 (impact assessment) + A.6 (lifecycle) — a continuous, documented AI risk process. |
| Art. 10 | Data and data governance | A.7 — data quality, acquisition, provenance, and preparation for training and operational data. |
| Art. 11 | Technical documentation | A.6.2.7 — technical documentation maintained across the AI lifecycle. |
| Art. 12 | Record-keeping / logging | A.6.2.8 — automatic recording of event logs for traceability. |
| Art. 13 | Transparency & information to deployers | A.8 — system documentation and information for users and interested parties. |
| Art. 14 | Human oversight | A.9 — responsible, intended-purpose use with effective human oversight. |
| Art. 15 | Accuracy, robustness, cybersecurity | A.6.2.4 / A.6.2.6 — verification, validation, and operational monitoring. |
| Art. 17 | Quality management system | The AIMS itself — clauses 4–10 of ISO 42001 provide the QMS backbone. |
| Art. 26 | Obligations of deployers | A.9 — processes and objectives for the responsible use of AI systems. |
| Art. 50 | Transparency for AI-generated content (applies 2 Aug 2026) | A.8 — disclosure to users that they are interacting with AI, plus system reporting/communication duties; marking of synthetic content per Art. 50(2). |
| Art. 53 | GPAI model documentation (in force since Aug 2025) | A.6.2.7 (technical documentation) + A.7.5 (data provenance) — model documentation, training-data summary, and downstream information. |
| Art. 72 | Post-market monitoring | A.6.2.6 — operation and monitoring, including drift detection. |
| Art. 73 | Reporting of serious incidents | A.8.4 — communication of incidents to interested parties. |
Article references are to Regulation (EU) 2024/1689 (the EU AI Act). Mapping is indicative and provided for planning; it is not legal advice and does not assert conformity. Consult qualified counsel for an Act conformity assessment.
Read This Before You Cite It
What certification does and does not prove
ISO 42001 gives you
- — A documented, independently audited AI governance program.
- — Evidence aligned to most high-risk obligations (Art. 9–15, 17).
- — A head start before EU harmonized standards are finalized.
- — Credibility in enterprise procurement and with regulators.
It does not give you
- — A legal presumption of conformity (ISO 42001 is not a harmonized standard as of 2026).
- — A substitute for the Act's required conformity assessment for high-risk systems.
- — Coverage of obligations the Act places outside an AIMS (e.g. registration, CE marking).
- — Legal advice — confirm scope and obligations with qualified counsel.
Want the management system that carries this evidence? Start with the AI governance guide, scope your obligations with the risk & impact assessment, and see the Annex A controls behind each mapped row.
Keep Exploring
More in the ISO 42001 Hub
AI Governance & AIMS
How an AI Management System is structured under ISO 42001 — policy, accountability, and principles.
AI Risk & Impact Assessment
Annex A.5 methodology for AI risk and system impact assessments, with a register structure.
Annex A Controls Catalog
All 38 Annex A controls across the nine objectives (A.2–A.10), with what each one governs.
Certification Process
Stage 1, Stage 2, and surveillance — the two-stage audit path and how to prepare for it.
Templates & Downloads
The AIMS template pack — AI use-case register, AI policy, risk and impact assessment, and SoA.
Frequently Asked Questions
What teams ask when EU AI Act exposure first lands on the roadmap.
Does ISO 42001 certification make me compliant with the EU AI Act?
Not automatically. The EU AI Act is law and ISO 42001 is a voluntary management-system standard. Certification demonstrates that you run a systematic, audited AI governance program and satisfies much of what the Act expects — risk management, data governance, technical documentation, logging, transparency, human oversight, and a quality management system. But conformity with the Act is assessed against the Act itself (and, in time, against harmonized standards), so certification is strong supporting evidence rather than a legal guarantee of compliance.
Is ISO 42001 a harmonized standard under the EU AI Act?
As of 2026, no. Harmonized standards that grant a presumption of conformity are being developed by the European standards bodies CEN and CENELEC (technical committee JTC 21) at the request of the European Commission. ISO/IEC 42001 is an influential international standard and overlaps heavily with the Act, but it is separate from the EU harmonized standards. Confirm the current status before relying on any standard for a presumption of conformity, as this area is evolving.
When do EU AI Act obligations take effect?
The Act entered into force on 1 August 2024 and phases in: prohibitions and AI-literacy duties from 2 February 2025; GPAI model obligations (Articles 51–56) from 2 August 2025; Article 50 transparency obligations and the Commission’s GPAI enforcement powers from 2 August 2026. The high-risk deadlines were deferred by the May 2026 digital-omnibus agreement: Annex III use cases now apply from 2 December 2027, and AI embedded in regulated products (Annex I) from 2 August 2028. Watermarking of AI-generated content under Article 50(2) applies to pre-August-2026 systems from 2 December 2026.
Did the EU delay the AI Act — and what still applies on 2 August 2026?
Partially. On 6 May 2026 the Council and Parliament reached a provisional political agreement (the "digital omnibus") deferring the high-risk application dates — Annex III to 2 December 2027 and Annex I embedded AI to 2 August 2028 — with formal adoption expected before August 2026. What was NOT delayed: 2 August 2026 still brings Article 50 transparency obligations (telling people they are interacting with AI, labelling synthetic media) and the start of the Commission’s enforcement powers over general-purpose AI models, whose substantive obligations have applied since August 2025. Treat the extra time on high-risk as build time for governance, not a reprieve.
Does the EU AI Act apply to companies outside the EU?
Yes, it can. The Act has extraterritorial reach: it applies to providers placing AI systems on the EU market regardless of where they are established, and to providers and deployers outside the EU where the output of the AI system is used in the EU. A company established outside the EU that serves EU customers can therefore fall in scope — which is why early AI governance, evidenced through ISO 42001, is a practical hedge.
What counts as a high-risk AI system?
Two routes. First, AI used as a safety component of, or itself a, product covered by EU product-safety legislation listed in Annex I. Second, AI used in the sensitive areas listed in Annex III — including employment and worker management, access to education, creditworthiness and essential services, biometric identification, critical infrastructure, and law enforcement. High-risk systems carry the full obligations of Articles 9–15 and a conformity assessment before going to market.
Written By Expert Auditors
Keep Exploring
Related Reading
ISO 42001 Knowledge Hub
AIMS controls, EU AI Act mapping, risk assessment and guides.
Read moreISO 42001 Annex A Controls
The 39 AI-specific controls grouped by domain, mapped to clauses.
Read moreAI Governance & AIMS
How an AI Management System is structured — policy, accountability, principles.
Read moreAI Risk Assessment
Risk identification, impact analysis and treatment for AI systems.
Read moreGDPR Compliance
The EU's data protection regulation for any company with EU users.
Read moreCompliance Deadline Countdown
Live timers for DPDP, the EU AI Act and other looming dates.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours