AI governance standards
ISO/IEC 42001 and the EU AI Act
ISO/IEC 42001 is the international certifiable standard for an AI Management System. It is widely adopted as a governance baseline and maps closely to EU AI Act controls. But there is a critical legal nuance: on its own, ISO 42001 does not give a presumption of conformity with the AI Act. Understanding the difference could save you from overconfidence - or unnecessary work.
The standard explained
What ISO/IEC 42001 actually is
ISO/IEC 42001:2023 is an international standard for an AI Management System (AIMS). It follows the Plan-Do-Check-Act (PDCA) governance cycle familiar from ISO 27001 (information security) and ISO 9001 (quality). It is designed for any organisation that develops, provides, or uses AI systems, regardless of size, sector, or whether those systems are high-risk under the AI Act.
What it governs
Policies, roles, processes, risk management, data governance, transparency, human oversight, post-deployment monitoring, and continual improvement for AI systems across their lifecycle.
Who can use it
Any organisation - AI provider, deployer, importer or distributor - regardless of size or sector. Particularly useful for deployers that use multiple third-party AI tools and need a unified governance framework.
Certification
Organisations can be independently certified by an accredited auditor, giving them a recognised third-party attestation of their AI governance maturity - useful for customer assurance, procurement, and regulatory conversations.
Relationship to ISO 27001
ISO 42001 was designed to be integrated with ISO 27001 and ISO 9001. Organisations already certified under 27001 will find many controls familiar; the addition covers AI-specific risks, impact assessments, and use-case governance.
The critical distinction
International standard vs harmonised standard
In EU law, a harmonised standard is a European standard (EN) developed by a recognised European body (CEN, CENELEC, or ETSI) under a European Commission standardisation request, whose reference is then published in the Official Journal of the EU (OJEU). Following a harmonised standard gives the manufacturer a legal presumption that the corresponding regulatory requirements are met - a major practical advantage in conformity assessments.
ISO/IEC 42001 is published by ISO and IEC - international bodies. It is not a European standard and has no Annex ZA (the annex that maps a European standard's clauses to specific regulatory requirements). Therefore, holding an ISO 42001 certificate does not trigger Article 40's presumption of conformity. [4][2]
The harmonised standards path
CEN-CENELEC JTC 21 and prEN 18286
The European Commission issued a standardisation request in May 2023 to CEN-CENELEC to develop the harmonised AI Act standards. Joint Technical Committee 21 (JTC 21) is working on approximately 10 standards covering the main AI Act obligation clusters: risk management, data governance, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity, quality management, and conformity assessment. [3]
The draft standard most relevant to ISO 42001 users is prEN 18286 (AI management system). It maps closely to ISO/IEC 42001 controls - meaning that organisations already certified to ISO 42001 will be able to largely reuse their existing controls once prEN 18286 is finalised and its reference published in the OJEU. [5]
Mapping the overlap
ISO 42001 controls vs AI Act obligations
The table below shows how ISO 42001's main clause areas align with AI Act obligation clusters, and where gaps remain:
| ISO 42001 clause area | Relevant AI Act obligation | Coverage |
|---|---|---|
| Risk management (Clause 6, Annex A) | Art. 9 - Risk management system | Strong overlap |
| Data governance (Annex A.7) | Art. 10 - Data and data governance | Good baseline |
| Documentation / records (Clauses 7-8) | Art. 11-12 - Technical documentation, logging | Partial - AI Act is more prescriptive |
| Transparency (Annex A.6) | Art. 13 - Transparency to deployers | Partial |
| Human oversight (Annex A.6) | Art. 14 - Human oversight design | Partial |
| Quality management (Clause 10) | Art. 17 - Quality management system | Strong overlap |
| Impact assessment (Annex A.5) | Art. 27 - Fundamental Rights Impact Assessment (FRIA) | Good starting point |
| n/a | Art. 43 - Conformity assessment; CE marking (Art. 48) | Not covered - separate process |
| n/a | Art. 53-55 - GPAI model documentation, copyright policy | Not covered - model-specific |
Coverage ratings are indicative. The actual gap analysis for your organisation depends on your AI system types, risk tier, and role (provider vs deployer).
Questions about ISO 42001 and the AI Act
Does ISO/IEC 42001 certification mean I comply with the EU AI Act?
No. ISO/IEC 42001 is an international standard, not a harmonised European standard. It carries no Annex ZA mapping and therefore confers no automatic "presumption of conformity" under Article 40 of the AI Act. That presumption comes only from following harmonised standards whose references are published in the EU Official Journal (OJEU). That said, ISO 42001 certification shows strong governance maturity, and its controls map closely to the harmonised standards being drafted by CEN-CENELEC, so certified organisations are well-positioned to make the step to full conformity once harmonised standards land.
What is the "presumption of conformity" under Article 40?
Article 40 of the AI Act says that an AI system that fully or partly complies with harmonised standards whose references have been published in the Official Journal of the EU is presumed to comply with the corresponding AI Act requirements. This is a legal shortcut: follow the standard, and regulators presume you meet the relevant obligations without further proof. No harmonised AI Act standards have yet been published in the OJEU (as of June 2026), so no presumption of conformity is currently available from any standard.
What is CEN-CENELEC JTC 21 working on?
CEN-CENELEC Joint Technical Committee 21 is developing a family of harmonised AI standards under a European Commission standardisation request issued in May 2023. The work covers approximately 10 areas including risk management, data governance, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity, quality management, and conformity assessment. The draft prEN 18286 (AI management system) is the most directly relevant to ISO 42001, as it maps closely to 42001 controls - meaning organisations with an existing ISO 42001 implementation can largely reuse those controls once prEN 18286 is finalised and published in the OJEU.
Does ISO/IEC 42001 apply to GPAI models?
ISO/IEC 42001 covers AI systems and related governance processes broadly. It addresses the lifecycle of AI from development through deployment and monitoring. For general-purpose AI (GPAI) model providers, the AI Act's Chapter V obligations (technical documentation, copyright policy, training data summary, and - for systemic risk - adversarial testing and incident reporting) go beyond what a management system standard covers. GPAI providers should address those specific obligations directly, with or without ISO 42001 certification.
Should I pursue ISO/IEC 42001 certification now or wait for harmonised standards?
The two are not mutually exclusive. ISO 42001 certification now gives you a structured governance framework, documented risk management processes, trained staff, and an auditable record that shows regulators you take AI governance seriously. When harmonised standards arrive, your certified controls will give you a significant head start. The risk of waiting is that AI Act obligations are already in force for some categories (AI literacy and prohibited practices from 2 February 2025; GPAI and penalties from 2 August 2025) and a governance framework is useful regardless of which standard it is anchored to.
Next steps
- Want a full AI Act governance framework? Read the AI Governance guide.
- Need to know which obligations apply to you? Use the Provider vs Deployer obligations tool.
- New to the AI Act? Start with the AI Act overview.
This is guidance to help you understand ISO/IEC 42001 and the EU AI Act, not legal or certification advice. For decisions specific to your organisation, consult the official sources we link or a qualified adviser. Last updated: 9 June 2026.
Sources
- [1] Regulation (EU) 2024/1689 (AI Act), EUR-Lex. Retrieved 9 Jun 2026.
- [2] AI Act, Article 40 - Harmonised standards and presumption of conformity. Retrieved 9 Jun 2026.
- [3] European Commission, standardisation request to CEN-CENELEC (May 2023). Retrieved 9 Jun 2026.
- [4] Analysis: ISO 42001 and harmonised standards under the EU AI Act. Retrieved 9 Jun 2026.
- [5] DLA Piper: The role of harmonised standards as tools for AI Act compliance. Retrieved 9 Jun 2026.
- [6] A-LIGN: Preparing for EU AI Act compliance. Retrieved 9 Jun 2026.