For AI companies navigating the EU AI Act, ISO/IEC 42001:2023 is becoming the go-to governance foundation. An AIMS certification doesn't give you an automatic EU AI Act compliance certificate — but it covers a substantial share of what the Act requires for high-risk AI providers, and dramatically reduces the gap for everyone else.
This guide maps ISO 42001 clauses and Annex A controls against EU AI Act obligations, identifying where they align, where they diverge, and what you need beyond the AIMS to be EU AI Act compliant.
Why the EU AI Act points to management systems
The EU AI Act (Regulation (EU) 2024/1689), applicable from August 2026 for high-risk AI providers, requires structured governance of AI throughout the lifecycle. Article 17 explicitly requires a quality management system covering:
- A strategy for regulatory compliance including conformity assessment
- Techniques, procedures, and systematic actions for design and design control
- Examination, testing, and validation before, during, and after development
- Technical standards and solutions adopted
- Data management systems and procedures
- A risk management system per Art. 9
- Post-market monitoring per Art. 72
- Incident reporting per Art. 73
This is, in substance, a Quality Management System for AI — and ISO 42001 is designed to be exactly that.
ISO 42001 to EU AI Act clause mapping
| EU AI Act Article | Obligation | ISO 42001 Coverage | Coverage Level |
|---|---|---|---|
| Art. 9 | Risk management system | Cl. 6.1 (AI risk assessment), Cl. 8.2 (ongoing risk assessment), Annex A.5 (AIIA) | ✅ Strong alignment |
| Art. 10 | Data and data governance | Annex A.7 (data governance, quality, provenance, bias assessment) | ✅ Strong alignment |
| Art. 11 | Technical documentation (Annex IV) | Cl. 7.5 (documented information) — covers structure, not Annex IV specific content | ⚡ Partial — AIMS provides structure, Annex IV content must be added |
| Art. 12 | Record-keeping and logging | Cl. 8.4 (operational controls), Cl. 9.1 (monitoring) | ⚡ Partial — AIMS covers monitoring; Art. 12 requires specific automatic logging capability |
| Art. 13 | Transparency and information | Annex A.8 (transparency obligations, instructions for use) | ✅ Strong alignment |
| Art. 14 | Human oversight | Cl. 5.3 (roles/accountability), Annex A.3 (human accountability), Annex A.6 (lifecycle controls) | ✅ Strong alignment |
| Art. 15 | Accuracy, robustness, cybersecurity | Annex A.6 (lifecycle testing), Annex A.7 (data quality) — cybersecurity covered by ISO 27001 | ⚡ Partial — accuracy and robustness yes; cybersecurity requires ISO 27001 |
| Art. 17 | Quality management system | ISO 42001 AIMS is the quality management system for AI | ✅ Direct match |
| Art. 43 | Conformity assessment | ISO 42001 certification can support self-assessment pathway; not sufficient for third-party conformity assessment path | ⚡ Partial — supports Art. 43(1) self-assessment; not a substitute for notified body assessment |
| Art. 50 | Transparency (chatbots, deepfakes) | Annex A.8 (transparency information) — supports but doesn't fully prescribe Art. 50 disclosure requirements | ✅ Good alignment |
| Art. 53 | GPAI model obligations (Annex XI/XII) | Annex A.7 (data governance, copyright policy) partially covers GPAI training data obligations | ⚡ Partial — GPAI-specific Annex XI/XII technical docs required additionally |
| Art. 72 | Post-market monitoring | Cl. 9.1 (monitoring and measurement), Cl. 8.4 (deployment monitoring controls) | ✅ Strong alignment |
| Art. 73 | Serious incident reporting | Cl. 10.1 (nonconformity and corrective action) — supports incident management; specific reporting to market surveillance authorities must be added | ⚡ Partial |
What ISO 42001 doesn't cover (the EU AI Act gaps)
Even with ISO 42001 certification, high-risk AI providers must additionally address:
- Annex IV technical documentation: The EU AI Act requires specific technical documentation (system description, performance metrics, testing results, instructions for use) for high-risk AI. ISO 42001 provides the documentation management framework but doesn't prescribe Annex IV content.
- EU AI database registration (Art. 49): High-risk AI providers must register their systems in the EU AI database maintained by the European Commission. ISO 42001 doesn't require this.
- EU Declaration of Conformity (Art. 47-48): Providers must prepare and sign a Declaration of Conformity before placing high-risk AI on the EU market.
- CE marking (Art. 49): High-risk AI systems must bear the CE marking.
- Notified body assessment (some cases): Biometric categorisation systems and emotion recognition systems in Annex III §1 require third-party conformity assessment by a notified body — ISO 42001 certification by an ISO certification body doesn't substitute for this.
- GPAI model obligations (Art. 53): The GPAI technical documentation required by Annex XI and Annex XII is highly specific and goes beyond ISO 42001's documentation requirements.
The practical combination: ISO 42001 + EU AI Act compliance program
The most efficient path for AI companies that need both ISO 42001 and EU AI Act compliance is:
- Build the AIMS first: ISO 42001 provides the governance infrastructure that the EU AI Act requires — AI Policy, risk assessment, AIIA, lifecycle controls, transparency, monitoring
- Run the AIMS through an EU AI Act lens: For each high-risk AI system, extend the AIMS documentation to meet Annex IV requirements and conduct the EU AI Act-specific conformity assessment
- Add EU-specific requirements on top: EU database registration, Declaration of Conformity, CE marking, and notified body assessment where required
- Integrate ISO 27001 for cybersecurity: Art. 15 cybersecurity requirements are best met through an integrated ISO 27001 + ISO 42001 certification