Is ISO 42001 Required by Law in Europe?

No. ISO 42001 is a voluntary international certification, not a legal requirement anywhere, including the EU. The EU AI Act is the separate law that actually carries binding obligations.


No. ISO 42001 is a voluntary international certification, not a legal requirement anywhere, including the EU. Nobody can be fined for not holding it, because no law makes holding it mandatory. The confusion comes from its proximity to the EU AI Act, which is binding law with its own risk-tiered obligations for AI systems placed on the EU market, and which is frequently mentioned in the same breath as ISO 42001 even though the two are answering different questions.

That confusion is understandable. Both are about AI governance, both arrived around the same time, and vendors selling one often reference the other. But "voluntary" and "legally required" are not the same claim, and mixing them up leads to two different mistakes: assuming ISO 42001 is a compliance deadline you're missing, or assuming that because it's voluntary it's safe to ignore entirely. Neither is quite right. Our ISO 42001 framework page covers what the standard actually requires; this post is about the narrower legal question.

What is actually mandatory: the EU AI Act

The EU AI Act is the binding law here. It sets risk tiers for AI systems placed on the EU market, unacceptable risk, high risk, limited risk, and minimal risk, and attaches real, separate obligations to each tier: conformity assessment, technical documentation, transparency requirements, and human oversight for systems that fall into the higher tiers. Those obligations exist regardless of whether a company holds any certification at all. If your AI system is in scope of the AI Act, that is where the actual legal exposure sits.

ISO 42001 does not appear anywhere in the AI Act as a mandatory certification. A company can be fully AI Act compliant without ever pursuing ISO 42001, and a company can hold ISO 42001 without that alone satisfying its AI Act obligations. They are related in substance, since a working AI management system tends to produce the same risk assessments and documentation habits the AI Act asks for, but they are not the same requirement wearing two names. We cover exactly where the two overlap and where they diverge in ISO 42001 vs the EU AI Act.

What is voluntary: ISO 42001

ISO 42001 is the first international standard for an AI Management System, an AIMS: the governance, risk-management, and lifecycle controls a company runs around any AI it develops, deploys, or uses. It sits in the same standards family as ISO 27001, and like ISO 27001, holding it is a choice, not a legal obligation, in the EU or anywhere else. No regulator requires a company to be certified against it before shipping an AI feature.

What certification actually verifies is process, not outcome: that a company has defined the scope of its AI governance, run AI-specific risk assessments covering things like bias, transparency, and human oversight, documented the lifecycle of the AI systems it uses or builds, and put an independent auditor through that evidence. It is a statement about how seriously a company governs its AI, not a legal gate it has to pass through.

If it is voluntary, why does it matter?

Because "voluntary" is a legal category, not a market prediction. ISO 42001 is following roughly the same arc SOC 2 did in its early years: nobody was ever legally required to hold SOC 2, and yet within a few years of its adoption, not having one became a real friction point in enterprise sales and vendor diligence. ISO 42001 is newer and the market around it is still forming through 2026, but the direction is the same. Buyers, investors, and procurement teams are starting to ask how a company governs the AI it ships, and increasingly treat a working AI management system as evidence the company has actually thought about it, not just deployed a model and hoped.

That is the practical stakes, and it is worth naming plainly because there is no statutory penalty to point to instead: the cost of skipping ISO 42001 is not a fine, it is a weaker answer in a diligence conversation that is starting to happen more often. Whether that matters for a specific company depends on who its buyers and investors are and how AI-heavy its product is, which is a business timing question, not a legal one.

Frequently asked questions

Is ISO 42001 required by law in Europe? No. It is a voluntary international certification, not a legal requirement anywhere. The EU AI Act, a separate binding regulation, is what actually carries legal obligations for in-scope AI systems.

Can a company be fined for not holding ISO 42001? No. There is no statutory penalty anywhere for not holding ISO 42001, because no law requires it. Fines tied to AI exist under the EU AI Act, which applies based on what an AI system does and where it is placed on the market, not on whether the company holding it has a certification.

If ISO 42001 is voluntary, why do companies get it? The same reason companies pursued SOC 2 before it was ever a legal requirement anywhere: buyers, investors, and increasingly regulators-by-reference are starting to ask how a company governs the AI it ships. Holding ISO 42001 is a way to answer that question with evidence instead of a promise.

Does the EU AI Act require ISO 42001? No. The EU AI Act does not name ISO 42001 as a mandatory certification. It sets its own risk-tiered obligations directly. A working AI management system built to ISO 42001 makes demonstrating those obligations easier, since the underlying risk assessment and documentation habits overlap, but it is not a substitute for AI Act compliance and the AI Act does not require it.

What is actually mandatory for AI systems in the EU? The EU AI Act. It is binding law with its own risk tiers and obligations for AI systems placed on the EU market, independent of any voluntary certification a company chooses to pursue.

Is it safe to ignore ISO 42001 entirely? Legally, yes, nothing compels a company to hold it. Commercially, that is a separate question. If enterprise buyers or investors in your specific market are starting to ask for it, treating it as optional to address rather than optional to hold is the more accurate framing.

Last reviewed: July 12, 2026.

Where Scadable fits

Scadable's role here is not to sell every framework to every company. It's answering the timing question honestly: whether ISO 42001 is the right move for a company right now, or genuinely premature given its buyers, its product, and what it's actually shipping with AI today. That is the same question Scadable applies to every voluntary framework, not just this one. When the answer is yes, Scadable builds the AI management system concierge, real governance work behind the curtain, not a dashboard claiming automation this framework doesn't have yet. Book a call to work through where your company actually stands.