In This Guide
- The EU AI Act (Regulation 2024/1689) establishes risk-based requirements for AI systems in the EU market
- ISO 42001 provides a structured management system framework that maps to many EU AI Act obligations
- High-risk AI systems under the EU AI Act require conformity assessment, risk management, data governance, and human oversight — all addressed by ISO 42001
- ISO 42001 certification does not automatically ensure EU AI Act compliance, but demonstrates a systematic approach to AI governance
- Organizations operating in the EU should implement ISO 42001 as a foundation and layer EU AI Act-specific requirements on top
EU AI Act Overview
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI legislation. It establishes harmonized rules for AI systems placed on the EU market or affecting people in the EU. The Act uses a risk-based approach, with stricter requirements for higher-risk AI systems.
August 2024: AI Act entered into force
February 2025: Prohibited AI practices banned
August 2025: GPAI model obligations apply
August 2026: High-risk AI requirements fully applicable
August 2027: Certain Annex I high-risk systems deadline
Who Does It Apply To?
- Providers: Organizations developing AI systems or placing them on the EU market
- Deployers: Organizations using AI systems (previously called "users")
- Importers: Entities bringing non-EU AI systems into the EU market
- Distributors: Entities making AI systems available on the market
The Act applies regardless of where the provider is established if the AI system is placed on the EU market or its output is used in the EU.
Compliance Timeline
| Date | What Applies | Action Required |
|---|---|---|
| Feb 2025 | Prohibited AI practices | Stop prohibited AI uses (social scoring, emotion recognition in workplace/education, etc.) |
| Aug 2025 | General-purpose AI models | GPAI providers must comply with transparency and documentation requirements |
| Aug 2025 | AI literacy (Article 4) | Ensure staff have sufficient AI competence |
| Aug 2026 | High-risk AI systems | Full compliance with Chapter 2 requirements |
| Aug 2027 | Annex I high-risk systems | Existing high-risk systems in Annex I areas must comply |
AI Act Risk Categories
Prohibited AI Practices (Unacceptable Risk)
The following AI practices are banned outright:
- Social scoring by governments
- Exploitation of vulnerable groups
- Subliminal manipulation causing harm
- Real-time remote biometric identification in public (with exceptions)
- Emotion recognition in workplace and educational settings
- Biometric categorization based on sensitive attributes
- Facial recognition databases from untargeted scraping
High-Risk AI Systems
AI systems in specific areas face strict requirements:
- Annex I: AI systems that are safety components of products covered by EU harmonization legislation (medical devices, machinery, vehicles, etc.)
- Annex III: Standalone high-risk AI in areas including:
- Biometric identification and categorization
- Critical infrastructure management
- Education and vocational training
- Employment, worker management, self-employment access
- Access to essential services (credit, insurance, public assistance)
- Law enforcement
- Migration, asylum, border control
- Administration of justice and democratic processes
Limited Risk
AI systems with transparency obligations:
- Chatbots and conversational AI (must disclose AI interaction)
- Emotion recognition systems (must inform subjects)
- Deep fakes and generated content (must label as AI-generated)
Minimal Risk
All other AI systems—no mandatory requirements but voluntary codes of conduct encouraged.
High-Risk AI System Requirements
High-risk AI systems must meet requirements in Chapter 2 of the AI Act:
Article 9: Risk Management System
- Establish and maintain a risk management system throughout the lifecycle
- Identify and analyze known and foreseeable risks
- Estimate and evaluate risks
- Adopt risk management measures
- Test to identify most appropriate measures
Article 10: Data and Data Governance
- Training, validation, and testing data subject to governance practices
- Data quality criteria (relevance, representativeness, error-free, completeness)
- Examination of possible biases
- Appropriate data preparation procedures
Article 11: Technical Documentation
- Comprehensive technical documentation before market placement
- Documentation kept up-to-date
- Content per Annex IV requirements
Article 12: Record-Keeping
- Automatic logging capabilities
- Logs enabling tracing of AI system operation
- Logs retained for appropriate period
Article 13: Transparency and Information
- Designed for transparency enabling deployer interpretation
- Instructions for use provided
- Information on capabilities, limitations, and risks
Article 14: Human Oversight
- Designed to enable effective human oversight
- Human ability to understand system capabilities and limitations
- Ability to interpret outputs and make decisions
- Override or intervention capability
Article 15: Accuracy, Robustness, Cybersecurity
- Appropriate levels of accuracy, robustness, cybersecurity
- Resilient against attempts to exploit vulnerabilities
- Technical redundancy solutions where appropriate
ISO 42001 to EU AI Act Mapping
ISO 42001 provides substantial coverage of EU AI Act requirements. Here is a practical mapping for high-risk AI systems:
| EU AI Act Article | ISO 42001 Coverage | Alignment Level |
|---|---|---|
| Art. 9 Risk Management | Clause 6.1.2 AI Risk Assessment, Clause 8.2 | Strong |
| Art. 10 Data Governance | Annex A.6 Data for AI Systems (quality, provenance, preparation) | Strong |
| Art. 11 Technical Documentation | Annex A.5.8 AI System Documentation, A.7 | Strong |
| Art. 12 Record-Keeping | Clause 7.5 Documented Information, A.5.7 Monitoring | Moderate |
| Art. 13 Transparency | Annex A.7 AI System Information, A.7.3 | Strong |
| Art. 14 Human Oversight | Annex A.8 Use of AI Systems, A.8.3 | Moderate |
| Art. 15 Accuracy/Robustness | A.5.5 Verification & Validation, A.5.7 Monitoring | Moderate |
| Art. 4 AI Literacy | Clause 7.2 Competence, 7.3 Awareness | Strong |
Where ISO 42001 Helps - And Where It Doesn't
Strong Alignment Areas
- Risk Management: ISO 42001's AI risk assessment aligns well with Article 9
- Data Quality: Annex A.6 addresses data governance requirements
- Documentation: ISO 42001 requires comprehensive documentation throughout
- Competence: Clause 7.2 addresses AI literacy requirements
- Third-Party Management: Annex A.9 covers supply chain requirements
Gaps Requiring Additional Work
- Conformity Assessment: AI Act requires specific conformity assessment procedures not covered by ISO 42001
- CE Marking: High-risk AI systems need CE marking - a regulatory process beyond ISO certification
- EU Database Registration: High-risk systems must be registered in EU database
- Post-Market Monitoring: AI Act has specific post-market surveillance requirements
- Serious Incident Reporting: Mandatory reporting to authorities within specific timeframes
- Instructions for Use: AI Act specifies detailed content requirements
ISO 42001 certification does not automatically mean EU AI Act compliance. However, it provides a strong foundation that covers many requirements and demonstrates organizational commitment to responsible AI. Additional work is needed for full regulatory compliance.
Action Plan for EU AI Act Preparation
Step 1: AI System Classification (Now)
- Inventory all AI systems
- Classify each system per AI Act risk categories
- Identify prohibited practices (address immediately)
- Flag high-risk systems for priority attention
Step 2: Implement ISO 42001 AIMS
- Establish AI governance framework
- Implement risk assessment and treatment processes
- Deploy Annex A controls relevant to your AI systems
- Build documentation and record-keeping capabilities
Step 3: Address AI Act Gaps
- Map ISO 42001 coverage to specific AI Act articles
- Identify gaps requiring additional controls
- Develop conformity assessment approach
- Prepare for EU database registration
- Establish incident reporting procedures
Step 4: Prepare for Deadlines
- Prohibited practices: Ensure stopped by February 2025
- AI literacy: Ensure staff competence by August 2025
- High-risk compliance: Full compliance by August 2026
Think of ISO 42001 as building the governance foundation and operational muscle for AI management. The EU AI Act adds specific regulatory requirements on top. Starting with ISO 42001 makes AI Act compliance significantly more achievable.
Frequently Asked Questions
Does ISO 42001 certification satisfy the EU AI Act?
Not automatically, but it demonstrates systematic AI governance that substantially supports compliance with EU AI Act requirements. Additional work is needed for conformity assessment, CE marking, EU database registration, and specific prohibited practice compliance.
Which EU AI Act requirements does ISO 42001 cover?
Risk management system (Article 9), data governance (Article 10), technical documentation (Article 11), human oversight (Article 14), accuracy/robustness requirements (Article 15), and AI literacy (Article 4). ISO 42001 provides strong alignment in these areas.
What EU AI Act requirements go beyond ISO 42001?
Conformity marking (CE), registration in EU database, specific prohibited practices, transparency obligations for general-purpose AI, post-market surveillance requirements, and serious incident reporting to national authorities within specific timeframes.
When does the EU AI Act apply?
Phased implementation: prohibited practices from February 2025; GPAI model obligations and AI literacy from August 2025; high-risk system requirements from August 2026; full applicability for Annex I high-risk systems by August 2027.
Should I get ISO 42001 first or start with EU AI Act compliance?
ISO 42001 provides a reusable management system foundation. It is more efficient to implement ISO 42001 first and then address EU AI Act-specific gaps, as the standard covers many regulatory requirements and provides the governance infrastructure needed for ongoing compliance.