EU AI Act Overview

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI legislation. It establishes harmonized rules for AI systems placed on the EU market or affecting people in the EU. The Act uses a risk-based approach, with stricter requirements for higher-risk AI systems.

Key Dates

August 2024: AI Act entered into force
February 2025: Prohibited AI practices banned
August 2025: GPAI model obligations apply
August 2026: High-risk AI requirements fully applicable
August 2027: Certain Annex I high-risk systems deadline

Who Does It Apply To?

  • Providers: Organizations developing AI systems or placing them on the EU market
  • Deployers: Organizations using AI systems (previously called "users")
  • Importers: Entities bringing non-EU AI systems into the EU market
  • Distributors: Entities making AI systems available on the market

The Act applies regardless of where the provider is established if the AI system is placed on the EU market or its output is used in the EU.

Compliance Timeline

Date What Applies Action Required
Feb 2025 Prohibited AI practices Stop prohibited AI uses (social scoring, emotion recognition in workplace/education, etc.)
Aug 2025 General-purpose AI models GPAI providers must comply with transparency and documentation requirements
Aug 2025 AI literacy (Article 4) Ensure staff have sufficient AI competence
Aug 2026 High-risk AI systems Full compliance with Chapter 2 requirements
Aug 2027 Annex I high-risk systems Existing high-risk systems in Annex I areas must comply

AI Act Risk Categories

Prohibited AI Practices (Unacceptable Risk)

The following AI practices are banned outright:

  • Social scoring by governments
  • Exploitation of vulnerable groups
  • Subliminal manipulation causing harm
  • Real-time remote biometric identification in public (with exceptions)
  • Emotion recognition in workplace and educational settings
  • Biometric categorization based on sensitive attributes
  • Facial recognition databases from untargeted scraping

High-Risk AI Systems

AI systems in specific areas face strict requirements:

  • Annex I: AI systems that are safety components of products covered by EU harmonization legislation (medical devices, machinery, vehicles, etc.)
  • Annex III: Standalone high-risk AI in areas including:
    • Biometric identification and categorization
    • Critical infrastructure management
    • Education and vocational training
    • Employment, worker management, self-employment access
    • Access to essential services (credit, insurance, public assistance)
    • Law enforcement
    • Migration, asylum, border control
    • Administration of justice and democratic processes

Limited Risk

AI systems with transparency obligations:

  • Chatbots and conversational AI (must disclose AI interaction)
  • Emotion recognition systems (must inform subjects)
  • Deep fakes and generated content (must label as AI-generated)

Minimal Risk

All other AI systems—no mandatory requirements but voluntary codes of conduct encouraged.

High-Risk AI System Requirements

High-risk AI systems must meet requirements in Chapter 2 of the AI Act:

Article 9: Risk Management System

  • Establish and maintain a risk management system throughout the lifecycle
  • Identify and analyze known and foreseeable risks
  • Estimate and evaluate risks
  • Adopt risk management measures
  • Test to identify most appropriate measures

Article 10: Data and Data Governance

  • Training, validation, and testing data subject to governance practices
  • Data quality criteria (relevance, representativeness, error-free, completeness)
  • Examination of possible biases
  • Appropriate data preparation procedures

Article 11: Technical Documentation

  • Comprehensive technical documentation before market placement
  • Documentation kept up-to-date
  • Content per Annex IV requirements

Article 12: Record-Keeping

  • Automatic logging capabilities
  • Logs enabling tracing of AI system operation
  • Logs retained for appropriate period

Article 13: Transparency and Information

  • Designed for transparency enabling deployer interpretation
  • Instructions for use provided
  • Information on capabilities, limitations, and risks

Article 14: Human Oversight

  • Designed to enable effective human oversight
  • Human ability to understand system capabilities and limitations
  • Ability to interpret outputs and make decisions
  • Override or intervention capability

Article 15: Accuracy, Robustness, Cybersecurity

  • Appropriate levels of accuracy, robustness, cybersecurity
  • Resilient against attempts to exploit vulnerabilities
  • Technical redundancy solutions where appropriate

ISO 42001 to EU AI Act Mapping

ISO 42001 provides substantial coverage of EU AI Act requirements. Here is a practical mapping for high-risk AI systems:

EU AI Act Article ISO 42001 Coverage Alignment Level
Art. 9 Risk Management Clause 6.1.2 AI Risk Assessment, Clause 8.2 Strong
Art. 10 Data Governance Annex A.6 Data for AI Systems (quality, provenance, preparation) Strong
Art. 11 Technical Documentation Annex A.5.8 AI System Documentation, A.7 Strong
Art. 12 Record-Keeping Clause 7.5 Documented Information, A.5.7 Monitoring Moderate
Art. 13 Transparency Annex A.7 AI System Information, A.7.3 Strong
Art. 14 Human Oversight Annex A.8 Use of AI Systems, A.8.3 Moderate
Art. 15 Accuracy/Robustness A.5.5 Verification & Validation, A.5.7 Monitoring Moderate
Art. 4 AI Literacy Clause 7.2 Competence, 7.3 Awareness Strong

Where ISO 42001 Helps - And Where It Doesn't

Strong Alignment Areas

  • Risk Management: ISO 42001's AI risk assessment aligns well with Article 9
  • Data Quality: Annex A.6 addresses data governance requirements
  • Documentation: ISO 42001 requires comprehensive documentation throughout
  • Competence: Clause 7.2 addresses AI literacy requirements
  • Third-Party Management: Annex A.9 covers supply chain requirements

Gaps Requiring Additional Work

  • Conformity Assessment: AI Act requires specific conformity assessment procedures not covered by ISO 42001
  • CE Marking: High-risk AI systems need CE marking - a regulatory process beyond ISO certification
  • EU Database Registration: High-risk systems must be registered in EU database
  • Post-Market Monitoring: AI Act has specific post-market surveillance requirements
  • Serious Incident Reporting: Mandatory reporting to authorities within specific timeframes
  • Instructions for Use: AI Act specifies detailed content requirements
Important Note

ISO 42001 certification does not automatically mean EU AI Act compliance. However, it provides a strong foundation that covers many requirements and demonstrates organizational commitment to responsible AI. Additional work is needed for full regulatory compliance.

Action Plan for EU AI Act Preparation

Step 1: AI System Classification (Now)

  • Inventory all AI systems
  • Classify each system per AI Act risk categories
  • Identify prohibited practices (address immediately)
  • Flag high-risk systems for priority attention

Step 2: Implement ISO 42001 AIMS

  • Establish AI governance framework
  • Implement risk assessment and treatment processes
  • Deploy Annex A controls relevant to your AI systems
  • Build documentation and record-keeping capabilities

Step 3: Address AI Act Gaps

  • Map ISO 42001 coverage to specific AI Act articles
  • Identify gaps requiring additional controls
  • Develop conformity assessment approach
  • Prepare for EU database registration
  • Establish incident reporting procedures

Step 4: Prepare for Deadlines

  • Prohibited practices: Ensure stopped by February 2025
  • AI literacy: Ensure staff competence by August 2025
  • High-risk compliance: Full compliance by August 2026

Think of ISO 42001 as building the governance foundation and operational muscle for AI management. The EU AI Act adds specific regulatory requirements on top. Starting with ISO 42001 makes AI Act compliance significantly more achievable.

ISO 42001 EU AI Act Compliance Regulation