On 1 August 2024, the EU AI Act entered into force. The world’s first comprehensive legal framework for artificial intelligence is no longer a proposal or a future obligation — it is law. Organisations operating in or selling into the EU that deploy AI systems now have compliance obligations on a defined timeline, with enforcement to follow.
For organisations already pursuing ISO 42001 certification, a reasonable question has emerged: does ISO 42001 compliance cover what the EU AI Act requires? The short answer is: substantially but not entirely. Understanding exactly where the coverage lands — and where the gaps are — is the practical question your AI governance programme needs to answer right now.
What the EU AI Act Actually Requires
The EU AI Act takes a risk-tiered approach. The vast majority of AI systems fall into the minimal or limited risk categories and face light-touch obligations — primarily transparency requirements (such as disclosure that users are interacting with an AI system) and conformity with the general principles of the Act.
The significant compliance weight falls on high-risk AI systems — defined by Annex III of the Act as AI systems used in specific contexts: recruitment and employment, credit scoring, educational assessment, critical infrastructure, law enforcement, and administration of justice, among others. These systems face mandatory requirements including:
- A conformity assessment before market placement
- Registration in the EU AI Act’s publicly accessible database
- Risk management documentation maintained throughout the system’s lifecycle
- Data governance requirements for training, validation, and test datasets
- Technical documentation of the AI system’s design, capabilities, and limitations
- Automatic logging and audit trail requirements
- Transparency and information obligations for users and affected persons
- Human oversight measures — ensuring humans can monitor, understand, and where necessary override AI outputs
- Accuracy, robustness, and cybersecurity requirements
At the top of the risk tier sit prohibited AI applications — systems that are banned outright regardless of safeguards: social scoring by public authorities, most forms of real-time biometric surveillance in public spaces, AI that exploits psychological vulnerabilities, and AI that manipulates behaviour without the subject’s awareness.
Where ISO 42001 and the EU AI Act Align
ISO 42001 was developed with awareness of the EU AI Act’s direction, and the conceptual territory is substantially shared. An organisation implementing ISO 42001 properly will have addressed many of the EU AI Act’s high-risk system requirements through their AIMS infrastructure:
Risk management documentation. ISO 42001 requires a structured AI risk assessment methodology with documented outputs. The AI Act requires risk management documentation maintained throughout the lifecycle. The ISO 42001 risk assessment process, applied to a high-risk AI system, produces documentation that directly serves the AI Act’s requirements.
Data governance. ISO 42001’s Annex A controls include data governance for AI — covering training data quality, representativeness, and appropriateness. These controls address the AI Act’s data governance requirements for high-risk systems, particularly the requirements around bias mitigation and dataset documentation.
Technical documentation. ISO 42001 requires AI system documentation — purpose, capabilities, limitations, and operational context. The AI Act requires technical documentation covering much of the same ground. The ISO 42001 documentation requirements, if applied rigorously, produce a significant portion of the technical file required for EU AI Act conformity.
Human oversight. Both frameworks treat human oversight as a core control requirement. ISO 42001’s human oversight mechanisms — documented processes for monitoring, reviewing, and overriding AI outputs — map directly to the AI Act’s human oversight obligations for high-risk systems.
Transparency. ISO 42001’s transparency controls and its requirements for documentation accessible to affected stakeholders align with the AI Act’s transparency and information obligations.
Where the Gaps Are
ISO 42001 is a management system standard, not a product conformity framework. The EU AI Act, particularly for high-risk systems, requires conformity assessment — a specific process demonstrating that a given AI system meets defined technical requirements before it is placed on the market. ISO 42001 certification demonstrates that your organisation has a functioning AI governance programme; it does not substitute for the product-level conformity assessment the AI Act requires.
Specific gaps to be aware of:
Conformity assessment and CE marking. High-risk AI systems must complete a conformity assessment and, in many cases, bear CE marking before deployment. ISO 42001 certification is not a conformity assessment under the AI Act, and does not produce CE marking. These are distinct processes.
Database registration. High-risk AI systems and certain general-purpose AI models must be registered in the EU’s publicly accessible AI database. ISO 42001 has no equivalent requirement — registration is a direct legal obligation under the Act that exists independently of any management system certification.
GPAI model obligations. The AI Act introduces specific obligations for providers of general-purpose AI models — a category that includes large language models and foundation models. These obligations (technical documentation, copyright compliance summaries, and for systemic-risk models, adversarial testing and incident reporting to the AI Office) go beyond what ISO 42001 requires.
Enforcement timeline specifics. The AI Act’s compliance deadlines (prohibited applications: February 2025; high-risk systems in Annex III: August 2026 for many categories) create hard legal obligations. ISO 42001 is a voluntary standard — its certification does not satisfy these legal deadlines directly, though it provides strong evidence of governance maturity.
The Practical Approach for Organisations with ISO 42001
If you are implementing or have implemented ISO 42001, you are not starting from zero on EU AI Act compliance. Your AI inventory, risk classification methodology, risk assessment documentation, human oversight controls, and technical documentation are all directly reusable. The incremental work is:
First, applying the EU AI Act’s specific risk tier classification to your AI inventory — identifying which systems fall into the high-risk categories defined in Annex III. Second, for high-risk systems, assessing the gap between your existing ISO 42001 documentation and the technical file requirements of the Act. Third, preparing for conformity assessment — either through self-assessment (available for some categories) or third-party conformity assessment body engagement where required.
ISO 42001 does not complete your EU AI Act compliance journey. But it builds the foundation that makes that journey significantly shorter.
At Bitsecura, we are helping clients map their ISO 42001 AIMS against EU AI Act obligations — identifying which systems fall under the Act’s risk tiers, documenting the coverage ISO 42001 already provides, and building the incremental compliance work into their existing programme. One governance infrastructure, serving both frameworks.
If you want to understand where your AI footprint stands under the EU AI Act and how your ISO 42001 programme can be structured to serve both obligations, have a conversation with us here.
Bitsecura provides ISO 42001 AIMS implementation, internal audit, and maintenance services. Learn more about our ISO 42001 services.