Since August 2025, the first obligations under the EU AI Act have been in force. Organisations that develop or deploy AI systems are required to carry out risk classifications, provide transparency and establish governance. At the same time, the adoption of ISO 42001, the international standard for AI management systems, is growing. The two are not competitors. They complement each other. But it is important to understand where the overlap lies and where the gaps fall.
The EU AI Act is legislation. It sets binding requirements for providers and users of AI systems within the EU. The law classifies AI systems into risk categories: unacceptable risk (prohibited), high risk (strict requirements), limited risk (transparency obligations) and minimal risk (no specific requirements). For high-risk systems, extensive requirements apply around data quality, documentation, human oversight, robustness and transparency.
ISO 42001 is a voluntary standard. It provides a framework for setting up an AI management system (AIMS) that helps organisations develop and deploy AI in a responsible way. The standard follows the familiar ISO structure with clauses 4 to 10 and an Annex A with controls.
Where they overlap
The overlap is substantial. Both require an AI inventory: you must know which AI systems you have. Both require risk assessment: the AI Act through risk categories, ISO 42001 through an AI risk assessment. Both set requirements for documentation, transparency and human oversight. And both expect organisations to establish governance with clear roles and responsibilities.
In practice, this means that an organisation that implements ISO 42001 already covers a large part of the EU AI Act requirements. The management system provides the structure, the processes and the evidence that regulators expect. That makes ISO 42001 a logical starting point for AI Act compliance.
Where the gaps lie
But ISO 42001 does not cover everything. The EU AI Act sets specific technical requirements for high-risk systems that go beyond what ISO 42001 prescribes. Examples include mandatory conformity assessments, CE marking, registration in the EU database, and specific requirements for the datasets used to train models. ISO 42001 provides the management system, but not the detailed technical requirements that the law sets.
In addition, the AI Act has specific obligations for providers of general-purpose AI models (GPAI). These requirements around model transparency, copyright compliance and energy reporting fall outside the scope of ISO 42001.
The practical approach
What we advise organisations is to use ISO 42001 as a foundation and to address, on top of that, the specific AI Act requirements that are not covered by the standard. Start with the AI inventory and risk classification. Determine which of your AI systems qualify as high risk under the AI Act. Implement the management system in accordance with ISO 42001 and supplement it with the technical and legal requirements from the AI Act.
The risk of not acting
Organisations that wait and see are taking a risk. The AI Act carries significant fines: up to 35 million euros or 7% of global annual turnover for the most serious violations. But it is not only about fines. Customers and partners increasingly ask for demonstrable AI governance. An ISO 42001 certificate is the most concrete evidence of that.
The combination of legal obligation and market demand means that AI governance is no longer a nice-to-have. It has become a business-critical capability. Organisations that start now with ISO 42001 implementation will be in a stronger position once enforcement of the AI Act is fully under way.
We help organisations set up AI governance that covers both ISO 42001 and the EU AI Act. From inventory and risk classification to implementation and internal audit. The certification audit itself is carried out by an accredited certification body such as DigiTrust (www.digitrust.nl). Get in touch for a pragmatic introductory conversation.
About the author
Partner | IT Auditor