The AI Act and ISO 42001 represent two complementary responses to the same challenge: how to develop and deploy artificial intelligence systems responsibly, traceably and sustainably. One is a mandatory regulation for the European market; the other is an international management standard that provides the internal system to comply with it.

Understanding how they work together prevents two common mistakes: treating the AI Act as a purely legal problem that only concerns the legal team, and treating ISO 42001 as a technical certification disconnected from regulatory obligations. In practice, both frameworks share territory and reinforce each other.

Urgent Context: Deadlines That Can No Longer Wait

Regulation (EU) 2024/1689, the AI Act, entered into force on 1 August 2024 with a phased application that has been activating obligations in tranches:

Date            | What enters into force
----------------|---------------------------------------------------------------------------------
1 August 2024   | Regulation enters into force
2 February 2025 | Prohibitions on unacceptable practices (social scoring, subliminal manipulation, etc.)
2 August 2025   | Obligations for general-purpose AI (GPAI) models and AI literacy
2 August 2026   | Full obligations for high-risk systems (Annex III)
2 August 2027   | High-risk systems embedded in regulated products (Annex I)

At the time of publication of this blog, there are weeks left before the most relevant date for most organisations: 2 August 2026, when full obligations for high-risk AI systems under Annex III enter into force, covering critical infrastructure, employment, essential services, education, law enforcement and others.

In Spain, the supervisory authority is already operational: the Agencia Española de Supervisión de la Inteligencia Artificial (AESIA), based in A Coruña, began supervising prohibited practices in February 2025 and has had full sanctioning powers since August 2025. It has already published guidelines and checklists that any organisation using AI in Spain should be aware of.

What each framework covers: the starting difference

The AI Act (EU Regulation 2024/1689) is a regulation with direct effect across all Member States. It classifies AI systems by risk level (unacceptable, high, limited and minimal) and imposes specific obligations on providers (those who develop or place AI systems on the market) and deployers (those who use them in professional contexts). For high-risk AI systems, obligations include conformity assessments, technical documentation, human oversight, risk management and quality records.

ISO/IEC 42001:2023 is an international standard specifying requirements for an AI Management System (AIMS). It does not classify AI systems by risk or impose legal obligations: it provides the organisational framework (policies, roles, processes, impact assessment, risk management and continuous improvement) for an organisation to systematically manage the lifecycle of its AI systems, from design through to decommissioning.

The key distinction: the AI Act says what must be complied with; ISO 42001 provides a system for how to manage it internally in a sustainable way.

Scope: who needs to pay attention to what

The AI Act affects:

  • Providers that develop AI systems intended for the EU market (including those established outside the EU if their systems affect people in the EU).
  • Deployers that use high-risk AI systems in professional contexts within the EU.
  • Importers and distributors of high-risk AI systems.

ISO 42001 is relevant for:

  • Organisations of any size and sector that develop, provide or use AI systems and want to manage that activity with a structured framework.

It has no direct territorial applicability: it is a voluntary standard applicable globally.

The overlap is considerable: a company developing high-risk AI systems for the European market falls under the AI Act AND has strong incentives to certify to ISO 42001, because the standard provides exactly the kind of management system the AI Act presupposes in obligated providers.

The Penalty Framework: Figures That Matter to Management

Fines for non-compliance with the AI Act scale according to the severity of the infringement:

  • Prohibited practices (unacceptable risk systems): up to €35 million or 7% of global annual turnover.
  • Non-compliance with obligations for high-risk systems or other Regulation obligations: up to €15 million or 3% of global annual turnover.
  • Incorrect information provided to supervisory bodies: up to €7.5 million or 1.5% of global annual turnover.

SMEs and startups have a somewhat more favourable regime in the determination of penalties. In Spain, AESIA is the authority that can inspect, sanction and order the withdrawal of systems. Non-compliance with the AI Act that also affects personal data can generate simultaneous proceedings at AESIA and the AEPD.

Where they overlap: five bridges between both frameworks

1. AI risk management

The AI Act requires providers of high-risk systems to have a risk management system specific to the AI system: risk identification and analysis, mitigation measures, testing and a review cycle. ISO 42001 includes in clause 6 a process of risk and opportunity assessment for the AIMS that covers exactly that territory. The difference is that ISO 42001 applies at organisational level (all of the organisation’s AI systems), while the AI Act requires it at the level of each individual high-risk system.

2. Technical documentation and traceability

The AI Act requires specific technical documentation for high-risk systems (Annex IV): system description, training data, performance metrics, human oversight measures, change management. ISO 42001 includes in its informative Annexes B and C references to traceability controls, data management and AI system lifecycle documentation that align directly with those requirements.

3. Human oversight

One of the AI Act’s most explicit requirements for high-risk systems is that they must be designed to enable effective human oversight. ISO 42001 includes in its framework the principle of human accountability and controls aimed at ensuring that automated decisions can be reviewed and corrected. The standard provides the internal system to implement what the regulation requires as an outcome.

4. Transparency and user information

The AI Act imposes transparency obligations: instructions for use for high-risk systems, information to deployers, declaration of conformity. ISO 42001 covers in its interested parties and communication dimension the mechanisms for maintaining that transparency systematically, not as a reactive response to a regulatory requirement, but as part of the management cycle.

5. Continuous improvement and management review

The AI Act anticipates that AI systems evolve and that management systems must reflect that evolution, especially when substantial changes may require a new conformity assessment. ISO 42001 explicitly includes management review and continuous improvement mechanisms for the AIMS, creating the organisational cycle that the AI Act presupposes but does not detail internally.

How to use ISO 42001 as a lever for AI Act compliance

ISO 42001 is not a substitute for AI Act compliance, but it is a highly efficient lever for achieving it. These are the practical connections:

ISO 42001 certification does not automatically grant presumption of conformity with the AI Act, unlike what happens with harmonised standards under other European regulations. However, the AI Act provides that the European Commission may recognise harmonised standards which, when applied, generate presumption of conformity with specific requirements. ISO 42001 is the natural candidate for that recognition in the management system domain.

While that formal recognition arrives, ISO 42001 certification provides:

  • Evidence that a structured AI management system exists, precisely what the AI Act presupposes in responsible providers.
  • An internal framework for organising the technical documentation required by the AI Act without designing it from scratch.
  • Credibility with customers, partners and regulators who ask how the organisation manages its AI risks.
  • A basis for conformity assessments when the system applies to high-risk categories.

If your organisation already works with ISO/IEC 27001 for information security, the move to ISO 42001 is natural: they share the High Level Structure (HLS), plan-do-check-act logic and many organisational controls. Risk documentation, roles and management review from the ISMS can serve as a foundation for the AIMS.

AI Act risk classification vs ISO 42001 risk management

A common point of confusion: risk in the AI Act and risk in ISO 42001 are not exactly the same thing.

AI Act: system risk category classification:

  • Unacceptable: prohibited (subliminal manipulation, social scoring by governments, etc.).
  • High risk: full conformity requirements (critical infrastructure, education, employment, welfare, public safety, etc.).
  • Limited risk: transparency obligations.
  • Minimal risk: no specific requirements.

This classification determines which legal obligations apply to a specific system. It is a regulatory categorisation, not a management process.

ISO 42001: AIMS risk assessment:

  • Identifies risks to organisational objectives arising from AI activities.
  • Includes risks to the rights and interests of people affected by AI systems.
  • Produces a treatment plan with controls and owners.

This assessment is an internal management process that must be updated periodically. It applies at organisational level, not only to individual AI systems.

The correct integration: use the AI Act classification as a starting point to prioritise which systems need most attention in the ISO 42001 risk assessment, and use the AIMS as the internal system to manage and document the controls the AI Act requires for each category.

The role of impact assessment

Both the AI Act and ISO 42001 contemplate impact assessments, but with different approaches:

The AI Act requires deployers of high-risk AI systems to carry out a fundamental rights impact assessment when those systems may affect a significant number of people. This assessment must be recorded and notified in the cases prescribed by the regulation.

ISO 42001 includes in its Annex B informative controls on AI system impact assessment, a broader process covering potential impacts on individuals, groups and society, including bias, discrimination and unintended effects. When implemented, this control provides the methodology and records the AI Act requires for its specific assessments.

AI compliance and governance requires articulating these two types of assessment: the one the regulator requires for specific systems and the one the standard recommends as continuous management practice.

Who needs both frameworks

Companies developing high-risk AI systems for the European market. They are obligated by the AI Act and have the strongest incentives to certify to ISO 42001: they need the management system the regulator presupposes, and the certification demonstrates it.

Companies using high-risk AI systems from third parties in professional contexts. They are deployers under the AI Act. ISO 42001 gives them the framework for managing AI supplier assessment, human oversight and use documentation, areas the AI Act regulates but does not detail how to implement internally.

Companies developing limited or minimal risk AI. They have no heavy obligations under the AI Act, but can use ISO 42001 to differentiate themselves, respond to customer questions about AI governance and prepare for potential future expansion of regulatory scope.

Organisations already working with other European frameworks. If the organisation has ISO 27001, complies with NIS2 or is under DORA, ISO 42001 integrates naturally into the existing compliance ecosystem without significant duplicated effort.

Practical steps to align both frameworks

Step 1. Inventory AI systems. Which systems are developed, used or integrated into products or services. Without an inventory, it is not possible to classify by AI Act risk category or define the AIMS scope.

Step 2. Classify by AI Act risk. For each system in the inventory, determine whether it falls into prohibited, high-risk, limited or minimal risk. This classification defines applicable legal obligations.

Step 3. Design the ISO 42001 AIMS. Define scope, AI policy, roles, risk and impact assessment process, controls and review mechanisms. If an ISO 27001 ISMS exists, leverage the established structure.

Step 4. Map ISO 42001 controls to AI Act requirements. For high-risk systems, identify which AIMS controls cover each AI Act requirement (technical documentation, human oversight, quality management, etc.). This map avoids duplicated work and enables coherence to be demonstrated to the regulator.

Step 5. Implement and evidence. Execute the controls, generate the records and document the assessments. AIMS evidence is what sustains AI Act compliance before an inspection or conformity assessment.

Step 6. Periodic and change-triggered review. The AI Act requires a new assessment when substantial changes are made to the system. The ISO 42001 AIMS provides the change management and management review process that ensures that assessment takes place when needed.

For AI systems that also process personal data, articulation with GDPR and data protection impact assessment (DPIA) adds another layer that must be integrated into the same management cycle.

What Privalex offers for AI Act and ISO 42001 projects

Privalex supports compliance, legal and product teams in designing and implementing AI management systems that articulate the requirements of the AI Act with the structure of ISO 42001. Our approach also integrates ISO 27001, GDPR and other regulatory frameworks when the organisation operates in a multi-compliance environment.

We do not just design documentation: we build systems that the team can operate and that hold up in conversation with auditors and regulators. To start with an assessment of your current situation against the AI Act and ISO 42001, access the free risk assessment. To align scope and priorities with your team, book a strategy session.

Conclusion

The AI Act defines the obligations; ISO 42001 provides the system to meet them sustainably. Using them together is not redundancy, it is the difference between reactive compliance managed fire by fire and an AI governance programme the organisation can defend before any stakeholder.

Frequently asked questions

Not automatically. ISO 42001 is not currently a harmonised standard under the AI Act that generates presumption of conformity. However, implementing and certifying ISO 42001 provides the management system and documentary evidence the AI Act presupposes in responsible providers, and it is the natural candidate for that formal recognition when the European Commission adopts the corresponding harmonised standards.

The AI Act affects providers placing AI systems on the EU market (including those established outside the EU if their systems affect people in the EU), deployers using high-risk AI systems in professional contexts, and importers and distributors. The most demanding obligations apply to high-risk systems defined in Annex III of the Regulation.

Yes, and it is the most efficient approach when the organisation already has ISO 27001. Both standards share the ISO High Level Structure (HLS), which allows integrating policies, roles, management review cycles and non-conformity management into a single management system. ISO 27001 covers information security of AI systems; ISO 42001 adds the specific controls for AI governance, impact and accountability.

Annex III of the AI Act lists high-risk AI system categories: systems used in critical infrastructure, education and vocational training, employment and worker management, access to essential services (credit, insurance), law enforcement, border management and migration, administration of justice. It also applies to safety components of already regulated products (machinery, vehicles, medical devices, etc.).

The AI Act entered into force in August 2024 with phased application. Prohibitions on unacceptable systems applied from February 2025. Obligations for general-purpose AI (GPAI) models from August 2025. Full obligations for high-risk systems apply from August 2026. Organisations developing or deploying high-risk AI must have their management systems and documentation in order before that date.

Fines for AI Act non-compliance can reach €35 million or 7% of global turnover for violations of the prohibitions; €15 million or 3% for non-compliance with other obligations; and €7.5 million or 1.5% for supplying incorrect information. SMEs and startups benefit from a somewhat more favourable regime in the determination of sanctions.
