Hael
Sign inRequest a demo
ISO/IEC 42001 · Buyer intent

ISO/IEC 42001 vs the EU AI Act

Updated 12 July 2026 · 6 min read
Key takeaway
ISO/IEC 42001 certification does not confer EU AI Act conformity. The two answer different questions. ISO 42001 certifies that the organisation operates a compliant AI management system. The EU AI Act requires that a specific high-risk AI system passes a product-level conformity assessment before it is placed on the market. A vendor can hold ISO 42001 and still place a non-conformant high-risk system on the EU market; a vendor can pass conformity for a specific system without holding ISO 42001. Any material that conflates the two is wrong and buyers' lawyers know it.
  • ISO 42001 certifies the management system. The EU AI Act regulates individual AI systems and models.
  • A certificate does not substitute for a conformity assessment on a high-risk system.
  • The two are complementary — most EU-facing AI providers will operate both.
  • A functioning AIMS is the operational spine that makes Act compliance sustainable, but it is not the compliance itself.
  • Correcting the conflation is a credibility asset — it is the error the market makes most often.
  • General information, not legal advice. Current as of July 2026.

The stated position

ISO/IEC 42001 certification does not, on its own, make any AI system compliant with the EU AI Act. This is not a minor technicality. It is the single most-common misrepresentation in the AI governance market, and stating the opposite in writing to a buyer creates legal and commercial risk.

What each one actually is

  • ISO/IEC 42001 is an international, voluntary management-system standard. Certification proves that an organisation runs an AIMS conformant to the standard, issued by an accredited certification body.
  • The EU AI Act (Regulation (EU) 2024/1689) is binding EU law that classifies AI systems by risk and imposes obligations on providers, deployers, importers and distributors. High-risk systems require a conformity assessment before market placement; general-purpose AI models have their own regime; certain uses are prohibited.

Why they are not substitutes

The units of governance differ. ISO 42001 governs the organisation. The EU AI Act governs the system or model. Holding a certificate on the organisation does not answer the question 'is this specific high-risk system compliant?' — that is a product-level assessment against Annex III and the technical requirements of Chapter III.

The consequences differ. An ISO 42001 non-conformity is a governance finding managed with the certification body. An EU AI Act breach on a high-risk system is a regulatory matter, with fines up to 3% of global turnover for most obligations and up to 7% for prohibited practices.

How they work together

In practice, most EU-facing AI providers will operate both. ISO 42001 supplies the management-system spine — the AI policy, the system register, the risk and impact processes, the training and supplier records, the internal audit and management review cycle. That spine is exactly what makes Act obligations executable at scale: the register is what Article 6 classification relies on; the impact assessment is what evidences Article 9 risk management; the training records support Article 14 human oversight; the internal audit programme evidences Article 17 quality management. But the Act's obligations attach to systems, not to the AIMS, and the conformity assessment happens system by system.

Language to use with buyers

Correct: 'We are ISO/IEC 42001 certified. That certifies our AI management system. Each high-risk AI system we place on the EU market is separately conformity-assessed against the EU AI Act's requirements.' Wrong (and unfortunately common): 'We are ISO/IEC 42001 certified, so we are EU AI Act compliant.' The second statement is not defensible under scrutiny.

Key terms

Conformity assessment
The EU AI Act procedure by which a high-risk AI system's compliance with the regulation is verified before market placement.
Provider
Under the EU AI Act, the party that develops an AI system (or general-purpose AI model) and places it on the market under its name or trademark.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE