
ISO 42001 vs EU AI Act

Understanding the Difference

As organizations rush to implement AI systems, two frameworks dominate the compliance conversation: ISO/IEC 42001:2023—the world's first AI management system standard—and the EU AI Act—the world's first comprehensive AI regulation. Understanding how they differ and complement each other is essential for any organization serious about responsible AI.

Key Insight: ISO 42001 is the "how"—a voluntary management system for AI governance. The EU AI Act is the "what"—mandatory legal requirements with significant penalties.

The Fundamental Difference

Before diving into specifics, it's crucial to understand the fundamental nature of each framework:

Aspect      | ISO 42001                            | EU AI Act
------------|--------------------------------------|---------------------------------------------------------
Nature      | Voluntary international standard     | Mandatory EU regulation
Legal Force | No legal obligation                  | Binding law with penalties up to EUR 35M or 7% turnover
Focus       | Management system (how to govern AI) | Product safety (what must be achieved)
Scope       | Global applicability                 | EU market (with extraterritorial reach)
Approach    | Process-oriented (PDCA cycle)        | Risk-based classification

ISO/IEC 42001:2023 — The AI Management System Standard

Published in December 2023 by ISO/IEC JTC 1/SC 42, ISO 42001 is the first internationally recognized certifiable standard for AI Management Systems (AIMS). It provides a structured framework for organizations to govern their AI activities responsibly.

Structure: 10 Clauses + Annexes

ISO 42001 follows the Annex SL high-level structure, making it easy to integrate with existing management systems like ISO 27001 or ISO 9001:

  • Clauses 4-10: Core management system requirements covering context, leadership, planning, support, operation, performance evaluation, and improvement
  • Annex A: 38 reference controls across 9 domains (AI policy, internal organization, resources, impact assessment, lifecycle, data, transparency, use, third-party)
  • Annex B: Implementation guidance
  • Annex C: AI objectives and risk sources reference
  • Annex D: Integration guidance with other ISO standards

Certification

ANAB launched the accreditation program in January 2024. Notable early certifications include:

  • Microsoft Azure (early adopter)
  • IBM Granite (first major open-source AI model developer)
  • Cognizant (first global IT services company, December 2024)

EU AI Act — The Regulation

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It entered into force on August 1, 2024, with phased implementation through 2027.

Key Timeline

  • February 2, 2025: Prohibited practices + AI literacy obligations apply
  • August 2, 2025: GPAI obligations + governance + penalties apply
  • August 2, 2026: High-risk AI obligations fully apply
  • August 2, 2027: Extended deadline for high-risk AI in regulated products

Risk-Based Classification

The AI Act categorizes AI systems by risk level:

Unacceptable Risk (Prohibited)

Social scoring, subliminal manipulation, exploitation of vulnerabilities, untargeted facial scraping, real-time biometric ID in public spaces

High-Risk (Regulated)

Biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice

Limited Risk (Transparency)

Chatbots, deepfakes, emotion recognition—users must know they're interacting with AI

Minimal Risk (Unregulated)

Most current AI applications: video games, spam filters, recommendation systems

Penalties

The AI Act has teeth:

  • Prohibited practices: Up to EUR 35 million or 7% of global annual turnover
  • Other violations: Up to EUR 15 million or 3% of turnover
  • Incorrect information: Up to EUR 7.5 million or 1% of turnover

Where They Overlap (~40-50%)

Despite their different natures, ISO 42001 and the AI Act share significant common ground:

Area            | ISO 42001                               | EU AI Act
----------------|-----------------------------------------|-----------------------------------------------
Risk Management | Comprehensive risk assessment framework | Risk classification + mitigation requirements
Data Governance | A.7 controls on data quality/provenance | Article 10 data governance requirements
Human Oversight | Governance structures, accountability   | Article 14 human oversight requirements
Documentation   | Management system documentation         | Technical documentation (Annex IV)
Transparency    | Information for interested parties      | Transparency obligations throughout

Critical Gaps: What ISO 42001 Doesn't Cover

While ISO 42001 provides an excellent foundation, it doesn't automatically achieve AI Act compliance:

Key Gaps

  • Logging/Record-keeping: The AI Act requires mandatory automatic logging for high-risk systems; ISO 42001 treats logging as an optional risk control
  • Conformity Assessment: ISO 42001 certification is NOT a conformity assessment under the AI Act
  • Harmonised Standard Status: ISO 42001 is NOT an EU harmonised standard—no presumption of conformity
  • Prohibited Practices: ISO 42001 doesn't address AI Act's specific prohibitions
  • GPAI Requirements: No specific provisions for general-purpose AI models
  • CE Marking: ISO certification doesn't result in CE marking

How They Complement Each Other

The most effective approach treats ISO 42001 as the "operating system" that makes AI Act compliance repeatable and auditable:

"The EU AI Act is the rulebook and ISO/IEC 42001 is the operating system that makes compliance repeatable and auditable."

ISO 42001 as Foundation

  • Provides PDCA structure to operationalize legal requirements
  • Integrates with existing ISO 27001/9001 audit cadences
  • Creates evidence repositories useful for AI Act compliance
  • Risk assessment methodology transfers to AI Act risk classification
  • Training/competence framework supports AI literacy requirements

Practical Recommendations

Which Organizations Need Which?

Organization Type                 | ISO 42001   | EU AI Act
----------------------------------|-------------|----------------------
EU-based AI developer (high-risk) | Recommended | Mandatory
Non-EU company selling AI in EU   | Recommended | Mandatory
GPAI model provider               | Recommended | Mandatory (Aug 2025)
Global enterprise (any AI)        | Recommended | If EU market
SME using AI tools only           | Optional    | Deployer obligations

Implementation Timeline

For organizations needing both:

  1. Now – Q1 2026: Implement ISO 42001 as governance foundation
  2. Q1-Q2 2026: Layer AI Act-specific requirements on top
  3. August 2026: High-risk AI Act obligations deadline
  4. Ongoing: Annual surveillance audits + regulatory updates

Cost Considerations

ISO 42001 certification costs vary significantly by organization size:

Component           | SME         | Mid-Market   | Enterprise
--------------------|-------------|--------------|---------------
Implementation      | EUR 4K-20K  | EUR 20K-75K  | EUR 75K-200K+
Certification Audit | EUR 5K-15K  | EUR 15K-35K  | EUR 35K-100K+
Annual Surveillance | EUR 3K-8K   | EUR 8K-20K   | EUR 20K-50K

Key Takeaways

  1. They're complementary, not competing. ISO 42001 provides the management system; the AI Act defines legal requirements.
  2. Start with ISO 42001 now. Organizations certified in 2025-2026 establish themselves as AI governance leaders before certification becomes baseline.
  3. 40-50% overlap helps but doesn't guarantee compliance. Use ISO 42001 as foundation, then layer AI Act-specific requirements.
  4. Watch harmonised standards development. CEN-CENELEC JTC 21 standards expected late 2025 will clarify presumption of conformity.
  5. Timeline pressure is real. August 2026 deadline for high-risk AI is ~18 months away—many organizations underestimate implementation time.

Next Steps

If your organization develops, deploys, or uses AI systems, consider these immediate actions:

  1. Inventory your AI systems and classify them under AI Act risk categories
  2. Assess your current governance against ISO 42001 requirements
  3. Develop a timeline that accounts for both ISO certification and AI Act deadlines
  4. Engage stakeholders—AI governance touches legal, IT, HR, and operations

Need Help Getting Started?

Our ISO 42001 template kit provides the documentation foundation you need—AI policies, risk assessment templates, model cards, and EU AI Act alignment tools.
