
EU AI Act vs ISO 42001: A Practical Crosswalk

A practitioner crosswalk mapping ISO/IEC 42001 controls to EU AI Act obligations — what overlaps, what doesn't, and how to build one system.

Updated: 31 May 2026

The two documents that dominate AI governance conversations in European boardrooms right now pull in different directions. The EU AI Act is law: prescriptive, product-focused, with deadlines and fines. ISO/IEC 42001 is a voluntary, certifiable management-system standard: process-focused, organisation-wide, and deliberately technology-agnostic. Governance teams keep asking the same question — do we need both, and if so, how do we avoid building two parallel bureaucracies?

The answer is a crosswalk. At CC Conceptualise we have built exactly this mapping for regulated clients, and the practical insight is that roughly two-thirds of the work overlaps. Run one AI management system, evidence each control once, and bolt the Act-only obligations on top. This post shows where the two align, where they diverge, and how to operationalise the mapping before the 2 August 2026 high-risk deadline.

TL;DR / Key takeaways

  • ISO 42001 is the engine, the EU AI Act is the regulation it must satisfy. Certification is strong evidence of maturity but is not a legal safe harbour.
  • About two-thirds of the controls overlap — risk management, data governance, logging, human oversight, and lifecycle documentation map cleanly between the two.
  • The Act-only obligations are the ones that bite: conformity assessment, EU database registration, Annex IV technical documentation, and post-market monitoring.
  • Deadlines are fixed: high-risk (Annex III) obligations apply from 2 August 2026; GPAI obligations have applied since 2 August 2025.
  • Build the management system first. It makes conformity assessment cheaper and repeatable instead of a one-off scramble.

Two instruments, two jobs

It helps to be precise about what each instrument actually is, because conflating them is the most common and most expensive mistake we see.

The EU AI Act regulates AI systems by risk. It assigns legal duties to providers (who place a system on the market) and deployers (who use one under their authority). For high-risk systems under Annex III, those duties are concrete and external: you must perform a conformity assessment, register the system in the EU database, maintain Annex IV technical documentation, ensure human oversight, and operate post-market monitoring. Non-compliance is expensive — up to EUR 15M or 3% of global turnover for high-risk breaches, and up to EUR 35M or 7% for prohibited practices.

ISO/IEC 42001 is the AI management-system (AIMS) standard. If you have lived through an ISO 27001 implementation, the shape is familiar: clauses 4–10 cover context, leadership, planning, support, operation, performance evaluation, and improvement, with an Annex A control set tailored to AI. It tells you how to govern AI across its lifecycle, not which AI is legal.

That distinction is the whole game. The standard gives you repeatable processes; the law tells you which outcomes are mandatory. A mature AIMS makes legal compliance dramatically easier to demonstrate, but it does not confer it.

Where they overlap — and where they don't

The table below is a condensed version of the crosswalk we use in delivery. It maps the dominant AI Act obligation areas to their nearest ISO 42001 equivalent and flags the gap.

| AI Act obligation | Nearest ISO 42001 element | Overlap | What's still missing |
| Risk management system (Art. 9) | Clause 6 planning + AI risk assessment controls | High | Act-specific risk criteria tied to fundamental rights |
| Data and data governance (Art. 10) | Annex A data-management controls | High | Documented bias/representativeness checks per Act wording |
| Technical documentation (Art. 11, Annex IV) | Documented-information requirements | Medium | The specific Annex IV structure and content |
| Record-keeping / logging (Art. 12) | Operational logging controls | High | Retention and traceability calibrated to high-risk use |
| Human oversight (Art. 14) | Lifecycle and operation controls | Medium | Concrete oversight measures and operator competence |
| Accuracy, robustness, cybersecurity (Art. 15) | Performance evaluation + security controls | High | Quantified thresholds and adversarial testing evidence |
| Conformity assessment (Art. 43) | None | None | No ISO equivalent — a legal procedure |
| EU database registration (Art. 49) | None | None | No ISO equivalent — a legal filing |
| Post-market monitoring (Art. 72) | Improvement + monitoring controls | Medium | Structured plan and serious-incident reporting |
| QMS for providers (Art. 17) | The entire AIMS | High | Maps almost directly onto the management system |

The pattern is clear. Governance, risk, data, and lifecycle controls overlap heavily. The items with no ISO equivalent are the externally facing legal procedures: conformity assessment and registration. Those you build once, on top of the management system — you cannot certify your way into them.

The Article 17 shortcut

If you are a provider of high-risk AI, Article 17 requires a quality management system. ISO 42001 maps onto this almost one-to-one. For provider clients this is the single highest-leverage finding in the crosswalk: the AIMS you build for certification is, with modest tailoring, the QMS the Act demands. You are not building two things.

How to run it as one system

Here is the sequence we recommend, and the one we use in engagements.

  1. Inventory and classify. You cannot govern what you have not catalogued. Build an AI system inventory and classify each entry against the Act's risk tiers and your role (provider vs deployer). Annex III classification is where most teams stumble — see our Annex III high-risk classification guide for the decision logic.
  2. Stand up the AIMS. Define scope, AI policy, roles, and objectives under ISO 42001. Critically, assign board-level accountability — the Act and the standard both expect demonstrable senior ownership, not a delegated checkbox.
  3. Build the crosswalk matrix. For each ISO 42001 Annex A control, record the AI Act article(s) it supports. Tag every control with its dual purpose so a single piece of evidence serves both the certification audit and the conformity file.
  4. Close the Act-only gaps. Add conformity assessment, EU database registration, Annex IV documentation, and post-market monitoring as explicit workstreams. Our conformity assessment guide walks through the high-risk procedure in detail.
  5. Operate, evidence, and review. Collect evidence once. Run internal audit and management review on the same cadence. When the auditor and the regulator ask for overlapping artefacts, you hand over the same controlled documents.

This is the difference between a governance function that scales and one that drowns in duplicate paperwork. Map once; evidence once; satisfy both.

A realistic timeline

Teams routinely underestimate the lead time. ISO 42001 implementation plus a certification audit cycle is a multi-quarter effort, and conformity assessment for a genuinely high-risk system is not a sprint either.

| Phase | Typical duration | Primary output |
| Inventory + classification | 4–6 weeks | Risk-tiered AI register |
| AIMS design + crosswalk | 8–12 weeks | Operating management system |
| Evidence build + internal audit | 8–12 weeks | Audit-ready control set |
| Conformity assessment (high-risk) | Varies by system | Declaration + registration |

With high-risk obligations live from 2 August 2026, an organisation starting late in 2025 has a workable runway only if it treats the AIMS and the Act work as one programme. Starting them as separate initiatives is how budgets double. For the deadline-by-deadline view, our August 2026 readiness checklist lays out the milestones.

What the standard will not do for you

Be honest with stakeholders about the limits. ISO 42001 will not:

  • Perform your conformity assessment. That is a legal procedure with no ISO analogue.
  • Register your system in the EU database.
  • Decide your risk tier. Classification is a legal judgement against the Act's text.
  • Cover GPAI provider duties in full — transparency, copyright, and systemic-risk obligations sit outside the standard. Deployers building on third-party models should use the AIMS to capture supplier evidence and allocate responsibilities by contract along the supply chain.

What it will do is give you the disciplined, auditable backbone that makes every one of those legal obligations cheaper, faster, and defensible. That is why we recommend ISO/IEC 42001 for any organisation with high-risk or GPAI exposure, and why we pair the Act work with it as the governance counterpart in nearly every engagement.

Closing thought

The crosswalk reframes the question. It is not "AI Act or ISO 42001" — it is "one AI management system that discharges both." Build the engine once, point it at the regulation, and add the legal-only procedures on top. Teams that internalise this avoid the parallel-bureaucracy trap and arrive at August 2026 with evidence already in hand.

If you want help building the crosswalk for your portfolio, our AI governance and platform engineering team does this work hands-on — we bring the matrix, you bring the systems.

FAQ

Does ISO 42001 certification make me compliant with the EU AI Act?

No. ISO/IEC 42001 is a voluntary management-system standard; the EU AI Act is binding law with product-level obligations. An ISO 42001 AI management system gives you the governance backbone — risk processes, roles, documentation discipline — but it does not satisfy the Act's specific high-risk requirements like conformity assessment, EU database registration, or the Annex IV technical documentation. Treat certification as strong evidence of organisational maturity, not as a legal safe harbour.

What is the difference between the EU AI Act and ISO 42001?

The EU AI Act regulates AI systems by risk tier and imposes legal obligations on providers and deployers, with fines up to EUR 35M or 7% of global turnover. ISO/IEC 42001 is an organisation-level management-system standard, structured like ISO 27001, that defines how you govern AI across its lifecycle. One is law about products; the other is a certifiable framework about your organisation.

When do EU AI Act high-risk obligations apply?

High-risk (Annex III) obligations apply from 2 August 2026, including conformity assessment, registration in the EU database, technical documentation, post-market monitoring, and human oversight. GPAI obligations have applied since 2 August 2025, and GPAI models already on the market before that date must comply by 2 August 2027.

Can I use one set of controls for both ISO 42001 and the AI Act?

Largely yes, and that is the whole point of a crosswalk. Risk management, data governance, logging, human oversight, and lifecycle documentation map cleanly between the two. You run one AI management system and tag each control with the obligation it discharges, then add the Act-only items, such as conformity assessment and registration, on top.

Is ISO 42001 worth pursuing before the August 2026 deadline?

If you operate or plan high-risk AI, yes. Building the management system first gives you the repeatable risk and documentation processes that the Act's conformity work depends on. Even where formal certification is not feasible by August 2026, adopting the ISO 42001 structure materially reduces the cost and chaos of conformity assessment.

Does ISO 42001 cover general-purpose AI (GPAI) obligations?

Partially. ISO 42001 helps you govern how you procure, fine-tune, and deploy GPAI models, and to maintain the documentation trail. But the Act places specific transparency, copyright, and systemic-risk duties on GPAI providers that go beyond the standard. Deployers building on third-party models should use the management system to capture supplier evidence and allocate responsibilities contractually.
