Skip to content
All articles
EU AI Act 7 min read· by Lars Zimmermann

EU AI Act and ISO 42001: mapping the obligations

Which EU AI Act obligation maps to which ISO/IEC 42001 requirement: a crosswalk showing how an AI management system demonstrably serves the AI Act.

In short

ISO/IEC 42001 is not automatic proof of EU AI Act conformity, but it is the strongest organisational framework for meeting and evidencing the obligations. The AI Act defines the objective (for example risk management under Art. 9, human oversight under Art. 14, transparency under Art. 50); ISO 42001 supplies the structure through Clauses 4 to 10 and Annex A. This mapping shows the correspondence obligation by obligation.

Auf Deutsch lesen: deutsche Fassung

One of the most common questions in mid-sized companies: „If I do ISO 42001, am I then AI Act compliant?“ The honest answer: not automatically, but ISO/IEC 42001 is by far the strongest organisational framework for meeting the obligations of the EU AI Act and for evidencing that you meet them. The AI Act tells you WHAT you have to achieve; ISO 42001 delivers HOW you do it in an orderly and auditable way.

The following crosswalk maps the central obligations for high-risk AI to the corresponding ISO 42001 requirements (Clauses 4 to 10 and Annex A). Each entry lists the EU AI Act obligation, the matching ISO/IEC 42001 clause or Annex A control, and what you do in practice:

  • Art. 9, risk management ↔ Clause 6 + A.5 (impact assessment): continuous AI risk and impact assessment across the lifecycle.
  • Art. 10, data governance ↔ A.7 (data): manage data quality, provenance and bias in a documented way.
  • Art. 11 + Annex IV, technical documentation ↔ A.6/A.8 + documented information (7.5): create and keep the system’s technical documentation up to date.
  • Art. 12, logging ↔ A.6 (operation & monitoring): automatic recording of events (logging).
  • Art. 14, human oversight ↔ A.6: an effective human-oversight concept with the ability to intervene and shut down.
  • Art. 15, accuracy, robustness, cybersecurity ↔ A.6 + ISO/IEC 27001: testing, robustness against attacks, information security.
  • Art. 17, quality management system ↔ the AIMS itself (Clauses 4-10): the organisational framework is precisely this management system.
  • Art. 26, deployer obligations ↔ A.9 (acceptable use) + A.6 (oversight): intended use, oversight and, where required, a fundamental-rights impact assessment.
  • Art. 50, transparency & marking ↔ A.8: disclose chatbots, mark AI-generated content and deepfakes.
  • Art. 72, post-market monitoring ↔ Clause 9 + A.6: post-market monitoring, continuously verifying effectiveness.

Indicative mapping, as of June 2026 (Regulation (EU) 2024/1689). A single piece of evidence can serve several obligations at once, and that is the efficiency gain of an integrated management system.

Why this is more than a table

The real leverage lies in the word „demonstrable“. The AI Act does not only require you to do something, it requires you to be able to prove it, if in doubt to a supervisory authority. A well-maintained AIMS produces this evidence in day-to-day operations: risk register, impact assessments, logs, oversight records, internal audits. If you live ISO 42001, you get the AI Act documentation almost as a by-product.

What ISO 42001 does NOT do

Let us stay honest: ISO 42001 replaces neither a legal assessment nor a conformity assessment under the AI Act. The formal classification of your systems (prohibited, high-risk, subject to transparency obligations, minimal) and, for high-risk, the conformity procedure remain separate steps in their own right. ISO 42001 is the bridge that carries these steps and makes them economical, because a single piece of evidence satisfies several obligations at once.

Where your systems stand is something we clarify in the classification exercise, and the AI Act risk-class check also gives a first orientation. The management system builds the rest.

Share: LinkedIn E-Mail

Frequently asked questions

Does ISO 42001 make me automatically AI Act compliant?+

No, not automatically. But ISO/IEC 42001 is the strongest organisational framework for meeting the obligations of the EU AI Act (risk management, data governance, transparency, human oversight and more) and making them demonstrable. The formal conformity assessment for high-risk systems remains a separate step.

Which AI Act obligation covers which ISO 42001 requirement?+

Examples: Art. 9 (risk management) ↔ Clause 6 + A.5; Art. 14 (human oversight) ↔ A.6; Art. 50 (transparency) ↔ A.8; Art. 10 (data governance) ↔ A.7. The full mapping is set out in the crosswalk above.

Is ISO 42001 worthwhile if my AI is not high-risk?+

Often yes. Even below the high-risk threshold, an AI management system creates order, builds trust with customers and the supply chain, and meets transparency obligations (Art. 50) in a structured way. It is the difference between „we use AI“ and „we have AI under control and can show it“.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)

Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.

Sources & further reading

Questions about your own case?

In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.

Continue reading