The most common question EU-based AI companies ask right now is whether certifying under ISO 42001 will make them compliant with the EU AI Act. The short answer is no. The longer answer is more interesting and explains why most organizations still benefit from pursuing both.
## The common belief
Two opposite misreadings dominate the conversation. The first treats ISO 42001 and the AI Act as interchangeable: get certified, tick the regulatory box, move on. The second treats them as unrelated tracks that compete for the same budget.
Both readings miss how the two instruments actually relate. One is a voluntary management system standard. The other is a binding product regulation. They operate on different planes, and the interface between them is what matters.
## What each instrument does
The EU AI Act is a regulation that classifies AI systems by risk and imposes binding obligations accordingly. Prohibited practices are banned. High-risk systems face conformity assessment, technical documentation, post-market monitoring, and registration in an EU database. General-purpose AI models carry their own obligations. Limited-risk systems face transparency duties. Minimal-risk systems are largely unregulated.
ISO/IEC 42001 is a voluntary management system standard. It does not classify individual AI systems as high-risk or low-risk. It does not prescribe how to perform a technical conformity assessment. What it does is require the organization to have a documented, operating, and continuously improving management system that governs how it develops and deploys AI.
> The EU AI Act tells you what your AI systems must do. ISO 42001 tells you how your organization must be built to keep those systems compliant over time.
>
## Where they actually connect
Several articles of the AI Act impose organizational obligations that map cleanly to an AIMS. Quality management (Article 17), post-market monitoring (Article 72), risk management (Article 9), human oversight design (Article 14), data governance (Article 10), and logging (Article 12) are all obligations that require organizational capability, not just a one-time technical report.
An organization with a mature ISO 42001 management system already has most of those capabilities in place. The management system is not a substitute for the AI Act obligations, but it is the infrastructure on which most of those obligations are operationalized.
## The current regulatory timeline
The enforcement schedule of the AI Act has been recalibrated. The prohibited practices ban took effect in August 2025. General-purpose AI obligations took effect in August 2025 for new models and in August 2027 for existing ones. High-risk system obligations were initially scheduled for August 2026 but have been delayed through the Digital Omnibus package, with enforcement now expected across 2027 and 2028. Harmonized standards to support conformity assessment are themselves being finalized through late 2026.
This matters because it gives organizations a rare gift: time. The window to build a defensible management system before the high-risk obligations bite is still open, but narrowing.
## Presumption of conformity — what it is and what it isn’t
The AI Act foresees that compliance with certain harmonized standards will create a “presumption of conformity” for relevant requirements. This is the mechanism that connects voluntary standards to binding law. However, ISO 42001 is not, as of today, a harmonized standard under the AI Act. The harmonized standards are being developed by CEN-CENELEC JTC 21, and the relationship between them and ISO 42001 is expected to be close but is not yet formalized.
In practice, this means that ISO 42001 certification today does not automatically grant presumption of conformity with any AI Act article. What it does is give regulators, auditors, and notified bodies strong evidence that the organization has the governance infrastructure the Act expects.
## Reframing the question
The question to ask is not “Does ISO 42001 cover the AI Act?” The question is “What is the most efficient path to build the organizational capability that the AI Act will require, across all the systems we operate or will operate in the next three years?”
Framed that way, ISO 42001 becomes the scaffolding. It gives you the governance, risk management, monitoring, and continuous improvement structures that the Act will expect anyway. You then layer system-level requirements on top for the specific high-risk systems in your portfolio.
## The structural shift
Product regulation traditionally assumed static products. Conformity assessment happened once, pre-market, and the product was placed on the market on the basis of that assessment. AI systems break that model because they change. The AI Act has responded by embedding post-market monitoring, change management, and quality management into the text of the regulation itself.
Those post-market obligations cannot be satisfied with a point-in-time document. They require a management system that runs continuously. ISO 42001 is, at the moment, the most operationally coherent answer to that requirement.
## What this means for your organization
If you operate in the EU, treat the two in sequence, not in parallel. Build the management system first. Once the AIMS is operating, layer AI Act system-level compliance on top. Doing it the other way around, system by system, creates duplicated effort and inconsistent controls across the portfolio.
Do not wait for the harmonized standards to be published. The standards will codify expectations that are largely known today. Organizations that wait will compress a two-year implementation into six months.
Document the mapping. When you implement the AIMS, explicitly map each clause and Annex A control to the AI Act articles it supports. That mapping will become the backbone of your AI Act compliance file when enforcement begins.
—
Ready to move from documentation to certification?
📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)
–
