Regulome
The Ledger · Wednesday, 18 February 2026 · Issue № 28

AI Compliance Hub · newsroom

Regulation Analysis · 6 min read

How ISO 42001 Aligns with the EU AI Act

ISO/IEC 42001 is a candidate harmonized standard for the EU AI Act. Here’s how the two frameworks map to each other and what ISO 42001 certification means for EU AI Act conformity.


The EU AI Act requires high-risk AI systems to undergo conformity assessment before they are placed on the market or put into service. One way to demonstrate conformity is to apply harmonized standards (Article 40): European standards developed by CEN, CENELEC or ETSI at the Commission's request, whose references have been published in the Official Journal of the EU and which therefore carry a presumption of conformity for the requirements they cover. ISO/IEC 42001, the international AI management system standard, is positioned as a candidate for adoption as such a standard.


What “Harmonized Standard” Means

Under EU law (Regulation (EU) No 1025/2012, applied by Article 40 of the AI Act), a harmonized standard is a European standard adopted at the Commission's request whose reference has been published in the Official Journal. A system that complies with it is presumed to conform with the essential requirements the standard covers, and only those. If CEN-CENELEC adopts ISO/IEC 42001 as a European standard and the Commission publishes its reference under the AI Act, organizations that apply it will have that formal presumption for the requirements it addresses. Note that the presumption attaches to compliance with the standard, not to the certificate: certification is evidence that the standard is applied, and it is the documented application that a notified body or market surveillance authority will look at.

As of early 2026, ISO/IEC 42001 is not yet a harmonized standard under the AI Act. The Commission's standardization request is being handled by CEN-CENELEC JTC 21 (Artificial Intelligence), with the AI Office involved, and adoption of ISO/IEC 42001 as a European standard is one of the options under consideration. Until a reference is published in the Official Journal, ISO 42001 certification is strong evidence of a sound AI governance process but does not create a presumption of conformity.


How ISO 42001 Maps to the EU AI Act

The EU AI Act’s requirements for high-risk AI systems cover several areas. Here’s how ISO 42001 addresses them:

Risk Management (Article 9)

AI Act requirement: Providers must establish, implement, document and maintain a risk management system that runs as a continuous, iterative process over the system's whole lifecycle: identifying and analyzing known and reasonably foreseeable risks, evaluating risks arising from intended use and foreseeable misuse, adopting risk management measures, and testing the system against them.

ISO 42001 mapping: Clause 6.1 (Actions to address risks and opportunities) requires the organization to define an AI risk assessment process (6.1.2), an AI risk treatment process (6.1.3) and an AI system impact assessment process (6.1.4). Clause 8 (Operation) requires these assessments and treatments to actually be carried out and documented (8.2 AI risk assessment, 8.3 AI risk treatment, 8.4 AI system impact assessment). Together these give you the process that Article 9 demands; the per-system risk analysis, the chosen measures and the test results still have to be produced and filed for each high-risk system.

Data Governance (Article 10)

AI Act requirement: Training, validation and testing data sets must be subject to data governance and management practices appropriate to the system's intended purpose (design choices, data collection and origin, preparation such as labelling and cleaning, examination for possible biases, and identification of data gaps), and must be relevant, sufficiently representative and, as far as possible, free of errors and complete.

ISO 42001 mapping: Annex A control group A.7 (Data for AI systems) covers data for development and enhancement of AI systems (A.7.2), acquisition of data (A.7.3), quality of data for AI systems (A.7.4), data provenance (A.7.5) and data preparation (A.7.6), supported by the data resource documentation required by A.4.3. Applied through the operational risk and impact assessments of Clause 8, this addresses the governance side of Article 10. Article 10's specific expectations on bias examination and representativeness of each data set are system-level evidence you must add.

Technical Documentation (Article 11)

AI Act requirement: Technical documentation containing the elements listed in Annex IV must be drawn up before the system is placed on the market or put into service, kept up to date, and made available to national competent authorities and notified bodies.

ISO 42001 mapping: ISO 42001 requires documented information across the management system (Clause 7.5) and, in Annex A, documentation of AI system design and development (A.6.2.3) and AI system technical documentation (A.6.2.7). This gives you the documentation discipline, but not the content: Annex IV prescribes specific items (general description and intended purpose, development process and design choices, training data and its provenance, validation and testing metrics, monitoring and control mechanisms, the risk management system), so a gap analysis of your AIMS documentation against each Annex IV item is still needed.

Transparency (Article 13)

AI Act requirement: High-risk AI systems must be designed and developed so that their operation is sufficiently transparent for deployers to interpret the system's output and use it appropriately, and must be accompanied by instructions for use that state, among other things, the provider's identity, the intended purpose, the level of accuracy, robustness and cybersecurity, known limitations and foreseeable misuse, and the human oversight measures.

ISO 42001 mapping: Annex A control group A.8 (Information for interested parties of AI systems) applies, in particular A.8.2 (System documentation and information for users), together with the technical documentation control A.6.2.7; transparency and explainability is also one of the objectives listed in Annex C. These address the organizational dimension of Article 13. The design-level transparency of the system and the content of its instructions for use must be demonstrated per system.

Human Oversight (Article 14)

AI Act requirement: High-risk AI systems must be designed and developed, including with appropriate human-machine interface tools, so that natural persons can effectively oversee them during use: understand the system's capabilities and limitations, monitor its operation for anomalies, remain aware of automation bias, correctly interpret the output, decide not to use it or to override or reverse it, and intervene or stop the system.

ISO 42001 mapping: ISO 42001 has no control dedicated to human oversight. The closest coverage comes from A.6.2.2 (AI system requirements and specification, where oversight requirements should be captured), A.6.2.6 (AI system operation and monitoring), A.9.2 and A.9.3 (processes and objectives for responsible use of AI systems) and A.4.6 (human resources and competence). Article 14's requirements on interface design and on the ability to interpret, override and stop the system are design requirements that must be evidenced for each high-risk system, not at management-system level.


What ISO 42001 Certification Doesn’t Cover

ISO 42001 certifies your AI management system (AIMS), not specific AI systems. For a provider of high-risk AI, the AI Act requires both:

  1. A quality management system meeting Article 17 (ISO 42001 can supply much of the structure, but Article 17 also lists items such as a regulatory compliance strategy, post-market monitoring and serious incident reporting that must be mapped explicitly)
  2. A conformity assessment for each high-risk AI system (Article 43), covering the requirements in Articles 9 to 15

Think of it this way: ISO 42001 shows you have the organizational governance to manage AI responsibly. The conformity assessment for each system shows that the specific system meets the technical requirements.

Which assessment procedure applies depends on the category. For the stand-alone high-risk systems listed in Annex III other than biometrics (employment, education, access to credit and essential services, law enforcement, migration, justice), the provider carries out conformity assessment under internal control (Annex VI), with no notified body involved. For biometric systems under Annex III point 1, a notified body assessment of the quality management system and technical documentation (Annex VII) is required unless the provider fully applies harmonized standards (or common specifications), in which case internal control is permitted. For AI that is a safety component of a product covered by the Union harmonization legislation in Annex I (medical devices, machinery, vehicles, and similar), the third-party procedure of that sectoral legislation applies, which is why healthcare AI embedded in a medical device usually does involve a notified body.


Practical Path for EU AI Act Compliance

If you need EU AI Act conformity and want to leverage ISO 42001:

  1. Implement ISO 42001. Build your AI management system and get it certified, and map its clauses and Annex A controls to the Article 17 quality management system items so the gaps (post-market monitoring, serious incident reporting, regulatory compliance strategy) are visible.
  2. Use your AIMS documentation as the basis for AI Act technical documentation. The documentation produced under A.6.2.3 and A.6.2.7 is the starting point; check it item by item against Annex IV and add what is missing.
  3. Conduct a conformity assessment for each high-risk system. Use the AIMS as the governance infrastructure, document each system's conformity with Articles 9 to 15 under the applicable procedure (Annex VI internal control, or Annex VII with a notified body where required), then draw up the EU declaration of conformity (Article 47) and affix the CE marking (Article 48).
  4. Register the system in the EU database (Article 49). Required for Annex III high-risk systems before they are placed on the market or put into service.
  5. Monitor the harmonization process. When ISO 42001 is formally harmonized, update your documentation to reference the harmonized standard and the presumption of conformity it creates for the requirements it covers.

This path is more work than just getting an ISO 42001 certificate, but it’s the most defensible route to EU AI Act conformity for organizations with significant AI exposure.

Tagged regulations: ISO 42001 · EU AI Act · Harmonized Standard · Conformity
AI Compliance Hub editors
The editorial desk covers AI and cyber regulation across the US, EU, and UK. Tips? editors@aicompliancehub.com
Not legal advice

This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.
