EU AI Act and ISO 42001: How the Standard Maps to the Regulation

ISO 42001 and the EU AI Act are not the same thing. The EU AI Act is binding law that regulates AI by risk level; ISO 42001 is a voluntary management-system standard. Certifying to ISO 42001 does not on its own make you AI Act compliant, but it gives you the governance backbone the regulation expects.

What the EU AI Act is

The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive law regulating artificial intelligence. It entered into force on 1 August 2024 and applies in stages: the bans on unacceptable-risk practices applied from February 2025, obligations for general-purpose AI models from August 2025, and the main obligations for high-risk systems from August 2026, with a further set following in 2027.

It classifies AI by risk: unacceptable (prohibited), high (strict obligations), limited (transparency duties) and minimal (largely unregulated). It also applies outside the EU: if your AI system is used or placed on the EU market, the Act reaches you. Penalties are significant, up to 35 million euros or 7% of global annual turnover for prohibited practices, and up to 15 million euros or 3% for most other breaches.

What ISO 42001 is

ISO/IEC 42001, published in December 2023, is the first international standard for an artificial intelligence management system (AIMS). It gives an organisation a structured, auditable way to govern the AI it builds or uses: risk management, accountability, data governance, transparency and human oversight, run as a continual cycle. You can read the full explainer in what is ISO 42001.

Where ISO 42001 maps to the EU AI Act

The two were designed to work together. The Act sets out what you must achieve; ISO 42001 gives you a repeatable way to achieve and evidence it. The overlap is substantial:

  • Risk management: the Act expects high-risk systems to have a risk management system; ISO 42001 builds exactly that, including the AI system impact assessment.
  • Governance and accountability: both require clear ownership, roles and oversight of AI.
  • Data governance: both address the quality and management of the data AI systems rely on.
  • Transparency and human oversight: both require that AI decisions can be explained and that humans can intervene.
  • Monitoring: both expect ongoing monitoring of AI systems once they are in use.

An organisation running a mature ISO 42001 management system has already built most of the governance the Act asks for, which makes demonstrating compliance far easier.

Where the gaps are

ISO 42001 is not a substitute for reading the regulation. The Act imposes specific legal obligations the standard does not cover: determining your role (provider or deployer) and your system’s risk tier, the conformity assessment and CE marking required for high-risk systems, registration in the EU database, specific transparency disclosures to users, and in some cases a fundamental-rights impact assessment. The standard helps you run the programme; it does not tell you which legal obligations apply to your particular system.

Is ISO 42001 a harmonised standard under the Act yet?

Not yet. The harmonised standards that will grant a formal presumption of conformity with the Act are still being developed by the European standards bodies. ISO 42001 is the closest international governance standard available today, and it is the sensible foundation to build on, but holding it does not automatically confer legal presumption of conformity. Treat it as the management system underneath your compliance, not as the compliance itself.

A practical sequence for a software company

For a SaaS company deploying or building AI, the order that works is: first establish whether you are a provider or a deployer and which risk tier your systems fall into; then stand up the governance, using ISO 42001 as the framework; then map the Act’s specific obligations onto your systems and close the gaps. Our ISO 42001 implementation guide covers building the management system, and our ISO 42001 internal audit tests it before it matters.

How Atoro helps

Atoro is Europe’s first ISO 42001 certified consultancy, with more than 200 certifications delivered. We run the same AI management system we help clients build, so we can take you from understanding your obligations under the Act to a governance programme that stands up to scrutiny.

EU AI Act and ISO 42001 FAQs

Does ISO 42001 make us EU AI Act compliant?

No, not on its own. The EU AI Act is binding law with specific obligations; ISO 42001 is a voluntary management-system standard. Certifying to ISO 42001 gives you the governance backbone the Act expects and makes compliance much easier to demonstrate, but you still have to meet the Act’s specific legal requirements for your systems.

When does the EU AI Act apply?

It entered into force on 1 August 2024 and applies in stages. The bans on unacceptable-risk practices applied from February 2025, general-purpose AI model obligations from August 2025, and the main high-risk obligations from August 2026, with a further set in 2027.

Does the EU AI Act apply to companies outside the EU?

Yes. If your AI system is placed on the EU market or its output is used in the EU, the Act can apply regardless of where your company is based, in the same way the GDPR reaches beyond the EU.

What are the penalties under the EU AI Act?

Up to 35 million euros or 7% of global annual turnover, whichever is higher, for prohibited practices, and up to 15 million euros or 3% for most other breaches. Providing incorrect information to authorities can attract up to 7.5 million euros or 1%.

What is the difference between the EU AI Act and ISO 42001?

The Act is binding regulation that says what must be achieved; ISO 42001 is a voluntary standard that gives you a structured way to achieve it. The Act classifies AI by risk and imposes legal duties; ISO 42001 builds the management system that helps you meet them.

Should we get ISO 42001 certified to prepare for the EU AI Act?

For most organisations building or deploying AI, yes. ISO 42001 is the most developed AI governance standard available and covers most of the governance the Act expects, so it is a strong, practical foundation, provided you also map and meet the Act’s specific obligations for your systems.

Is ISO 42001 a harmonised standard under the EU AI Act?

Not yet. The harmonised standards that will grant a formal presumption of conformity are still being developed by the European standards bodies. ISO 42001 remains the best available governance foundation in the meantime.