What ISO/IEC 42001 is
ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS). It describes how organisations can develop, provide or use AI responsibly, transparently and with evidence.
For institutions with an existing ISO 27001 or ISO 9001 management system this is helpful because ISO/IEC 42001 follows the same Harmonized Structure: context, leadership, planning, support, operation, performance evaluation and improvement. Existing processes for document control, internal audit and management review can be reused rather than built twice.
What ISO/IEC 42001 contributes to the EU AI Act
The standard covers governance, risk and quality management, competence, documentation, supplier control and continuous improvement, which makes it a strong framework for anchoring EU AI Act compliance organisationally. In particular it supports:
- Risk management and documented assessment processes
- Data governance and quality requirements
- Human oversight and responsibilities
- Competence, awareness and training
- Supplier and lifecycle management
Where ISO/IEC 42001 reaches its limits
| Area | EU AI Act requires | Additionally required beyond ISO/IEC 42001 |
|---|---|---|
| Role allocation | Distinction between provider, deployer, importer and distributor | Legal and process assessment for each system and use case |
| CE / EU database | Provider duties for high-risk AI | Conformity assessment, technical documentation and registration where a provider role exists |
| FRIA | Fundamental Rights Impact Assessment (Art. 27) for certain high-risk uses | Specific impact assessment for creditworthiness and life/health insurance systems, and possibly for other deployer roles and use cases |
| Incident response | Reporting obligations under the EU AI Act, GDPR and DORA | Coordinated three-regime process with clear deadlines and escalation paths |
| Labour law | Information and possibly co-determination for HR AI | Involvement of employee representatives and review of the requirements of the Austrian Labour Constitution Act (ArbVG) |
What ISO/IEC 42001 does not fully cover
ISO/IEC 42001 is a strong management-system framework, but certification against it does not discharge the formal provider and deployer duties of the EU AI Act. The following five gaps should be documented explicitly.
| Gap | EU AI Act | Additional clarification |
|---|---|---|
| Conformity assessment | Art. 43 | Formal procedure for each provider role and high-risk system. |
| CE marking | Art. 48 | Relevant where provider duties apply; process and evidence must be handled separately. |
| EU database registration | Art. 49 | Registration duties for certain high-risk systems must be assessed separately. |
| Post-market monitoring | Art. 72 | An AI-Act-specific post-market monitoring plan, including the feedback loop from deployers back to the provider, must be defined. |
| Incident response | Art. 73, GDPR, DORA, NISG 2026 | Serious-incident reporting under Art. 73 runs in parallel with GDPR breach notification, DORA ICT-incident reporting and NISG 2026; each has its own authority route and timeline, so the reporting cascade must be mapped. |
European harmonised standards
CEN/CENELEC are drafting harmonised standards for the EU AI Act. Once a harmonised standard is cited in the Official Journal of the EU, compliance with it gives a presumption of conformity for the requirements it covers (Art. 40). ISO/IEC 42001 is not such a harmonised standard: it is a strong foundation, but certification against it creates no presumption of conformity and does not replace the conformity assessment.
CSRD / ESRS: ISO 42001 as an evidence framework
If AI bias or discriminatory AI decisions are classified as material sustainability impacts or governance risks, CSRD / ESRS reporting needs robust evidence. ISO/IEC 42001 can provide the organisational framework: policies, roles, risk assessments, controls, monitoring, internal audits and management reviews. It does not replace the ESRS reporting obligation, but it makes evidence much easier to structure.
Implementation is not a pure IT project. It affects the board, compliance, legal, IT, HR, procurement and business units. Core elements are scope, AI inventory, risk and control model, roles, evidence and regular management reviews.