EU AI Act vs ISO 42001: What Is Actually Mandatory?
The EU AI Act is binding law with its own obligations for AI systems on the EU market. ISO 42001 is a voluntary certification of your AI governance, and it does not replace the Act.
The EU AI Act and ISO 42001 answer different questions and are not interchangeable. The EU AI Act is binding law: it sets risk-tiered obligations for AI systems placed on or used in the EU market, up to and including a ban on unacceptable-risk uses and conformity-assessment duties for high-risk ones. ISO 42001 is a voluntary international certification of a company's internal AI management system, issued by an accredited body after an audit. Holding ISO 42001 does not automatically satisfy EU AI Act obligations, but the governance work it requires overlaps enough with what the Act expects that doing ISO 42001 well is a genuine shortcut toward AI Act readiness, not a separate project.
The confusion is understandable, since both showed up in the same wave of AI-governance attention and both use the vocabulary of risk assessment, human oversight, and documentation. But one is a statute a regulator enforces, and the other is a certification an auditor issues. Our ISO 42001 framework page covers what the standard requires in full; this post goes deeper on the specific question of how it relates to the Act.
What is the difference between the EU AI Act and ISO 42001?
The EU AI Act is a regulation. It classifies AI systems by risk and attaches obligations to each tier: systems judged an unacceptable risk are banned outright, high-risk systems face conformity assessment and detailed technical documentation duties before they can be placed on the market, limited-risk systems face transparency duties (telling users they are interacting with AI, for example), and minimal-risk systems are largely left unregulated. It applies to providers and deployers of in-scope AI systems in the EU market, regardless of whether the company has ever heard of ISO 42001.
ISO 42001 is a management-system standard, in the same family as ISO 27001. It certifies how a company governs the AI it builds or uses, not how any specific AI system performs or what risk tier it sits in. A company earns it by defining the scope of its AI management system, running AI-specific risk assessments, documenting the lifecycle of its AI systems, and passing an audit by an accredited certification body. No regulator requires it. No law references it as a compliance path.
EU AI Act vs ISO 42001 at a glance
| EU AI Act | ISO 42001 | |
|---|---|---|
| Legal status | Binding EU regulation | Voluntary international standard |
| What it covers | AI systems placed on or used in the EU market, classified by risk tier | A company's internal AI management system: governance, risk assessment, oversight, lifecycle documentation |
| Who enforces it | EU and national market-surveillance authorities | Nobody. Certification is issued and periodically re-audited by an accredited certification body, not a regulator |
| Penalties | Real fines for in-scope systems found noncompliant, with severity tied to the risk tier and nature of the violation | None. Not holding it carries no statutory penalty, only diligence and procurement risk |
| Certification vs compliance | Compliance is assessed against the system you place on the market; there is no "AI Act certificate" to hold | Certification is a point-in-time audit outcome for your management system, reassessed on a surveillance cycle |
Which one is actually mandatory?
The EU AI Act, and only for the systems and companies it actually covers. If you place an AI system on the EU market or put one into service there, and that system falls into one of the Act's regulated tiers, you carry obligations whether or not you have ever pursued a certification of any kind. There is no opt-out by way of holding ISO 42001 or any other standard. The Act's requirements attach to the system itself: how it was built, how it is documented, what oversight exists, and in the case of high-risk systems, whether it has gone through the required conformity-assessment process before reaching the market.
ISO 42001 is mandatory for nobody. No jurisdiction requires it, and no regulator checks for it. A company can be fully compliant with the EU AI Act and never hold ISO 42001, and a company can hold ISO 42001 and still be out of compliance with the Act if it has an in-scope high-risk system without the specific documentation and conformity-assessment work the Act separately requires.
Does ISO 42001 satisfy EU AI Act obligations?
Not by itself. This is the most common misunderstanding, and it runs in both directions: companies with ISO 42001 sometimes assume it covers AI Act obligations automatically, and companies chasing AI Act readiness sometimes think ISO 42001 certification is a required step. Neither is right. The Act has its own conformity-assessment procedures, its own technical documentation requirements, and its own registration and reporting duties for high-risk systems, none of which ISO 42001's audit scope was built to produce as a byproduct.
What ISO 42001 does produce, when implemented for real rather than treated as a paperwork exercise, is the underlying discipline the Act keeps asking for in different words: a documented risk assessment specific to each AI system, a record of human oversight and the ability to intervene, lifecycle documentation from data sourcing through deployment and monitoring, and a management review cadence that catches drift before a regulator does. That overlap is real and it is substantial. It just is not a substitute, because the Act's specific procedural requirements, particularly the conformity-assessment path for high-risk systems, sit on top of that governance foundation rather than being satisfied by it.
Why doing ISO 42001 well still gets you closer to AI Act readiness
A company with a real, audited ISO 42001-certified AI management system is materially closer to AI Act readiness than a company with no AI governance in place at all, even though the certificate itself does not check any AI Act box. The reason is practical rather than legal: most of the work of AI Act readiness is not the paperwork filed with a regulator, it is the underlying habit of knowing what your AI systems do, who reviews their outputs, what data they were built on, and whether a human can override a decision. ISO 42001 forces a company to build exactly that habit, audited by an outside party, on a recurring cycle.
The gap that remains is specific and procedural: the Act's own risk classification for each system, its conformity-assessment steps for high-risk systems, and its own technical documentation format. A company that has done ISO 42001 well is not starting that work from zero, it is mapping existing governance evidence onto the Act's specific requirements rather than inventing governance from scratch under deadline pressure. That is the practical version of the shortcut, and it is the same relationship ISO 27001 has to frameworks like SOC 2: different standard, overlapping discipline, real time saved. If you are weighing ISO 42001 against a security-focused standard like ISO 27001 rather than against the AI Act specifically, see ISO 27001 vs ISO 42001 for how those two relate.
Which should I prioritize?
If you place an in-scope AI system on the EU market, EU AI Act compliance is not optional and has to come first, because it is the one with legal force and the one that decides whether the system can be placed or kept on the market at all. Whether ISO 42001 is worth pursuing alongside it depends on your buyers: if enterprise customers or investors are starting to ask how you govern the AI you ship, a real ISO 42001 program answers that question with an outside audit behind it, and it builds most of the evidence base the AI Act separately expects you to hold. Treat the Act as the legal floor and ISO 42001 as the governance system that makes clearing that floor, and staying above it as your product changes, far less painful.
Frequently asked questions
Is ISO 42001 required by the EU AI Act? No. The EU AI Act does not name ISO 42001 as a mandatory requirement. ISO 42001 is a voluntary international certification. The EU AI Act has its own conformity-assessment and documentation requirements for in-scope systems, and a company can meet those without ever pursuing ISO 42001.
Does ISO 42001 certification satisfy EU AI Act obligations? Not automatically. Holding ISO 42001 shows you run a working AI management system, but the EU AI Act requires its own risk classification, its own conformity-assessment path for high-risk systems, and its own technical documentation. ISO 42001 does not substitute for any of that on its own.
Which is legally binding, the EU AI Act or ISO 42001? The EU AI Act. It is binding regulation with real obligations, and for some categories of AI systems, real penalties for noncompliance. ISO 42001 is a voluntary standard issued by an accredited certification body after an audit, with no statutory force of its own.
Does every company shipping AI features need to comply with the EU AI Act? Only if the company places an in-scope AI system on the EU market or puts one into service there. The Act is risk-tiered, so obligations differ sharply depending on what the system does, and some lower-risk uses face light or no specific obligations under the Act.
If we already have ISO 42001, are we close to EU AI Act readiness? Closer than a company with no AI governance in place, but not automatically compliant. ISO 42001 requires risk assessment, human oversight, and lifecycle documentation that overlap substantially with what the AI Act expects a company to demonstrate. The Act still layers its own specific requirements on top, particularly for high-risk systems.
Should we pursue ISO 42001 or EU AI Act compliance first? If you place an in-scope AI system on the EU market, AI Act obligations are not optional and come first by necessity. ISO 42001 is worth pursuing alongside or after, because building it well produces most of the governance evidence the Act asks for, rather than duplicating the work.
Last reviewed: July 12, 2026.
Where Scadable fits
Scadable builds the AI management system with EU AI Act obligations in view from the start, so the governance work done for ISO 42001, the risk assessments, the human oversight records, the lifecycle documentation, moves the needle on AI Act readiness instead of sitting in a separate binder nobody maps back to the Act. Visit the ISO 42001 framework page for what the certification itself requires, or book a call to talk through where your AI systems actually sit against both.
