ISO 42001 vs EU AI Act
ISO 42001 vs EU AI Act. The complete crosswalk.
A voluntary management system standard versus a binding EU regulation. They are not alternatives — they are complementary, and combining them is the fastest path to AI governance maturity.
Article-by-article mapping · Conformity assessment vs certification · What ISO 42001 does not cover
At a Glance
The eight differences that matter.
Article Mapping
Where they line up.
About 60 percent of high-risk AI Act obligations have a direct ISO 42001 counterpart. Treat this as the implementation roadmap — start with ISO 42001, layer on AI Act-specific procedures.
What ISO 42001 Does Not Cover
Seven AI Act obligations outside ISO 42001 scope.
These are AI-Act-only obligations. Certification does not satisfy them; you need separate procedures.
- Conformity assessment procedure (AI Act Art. 43) — internal control or notified body
- CE marking for high-risk systems (AI Act Art. 48)
- EU declaration of conformity (AI Act Art. 47)
- Registration in the EU AI database (AI Act Art. 49 + 71)
- Serious incident reporting within 15 days (AI Act Art. 73)
- GPAI Code of Practice obligations (AI Act Art. 56)
- Fundamental rights impact assessment for public-service deployers (Art. 27) beyond A.5 scope
How Matproof Helps
One platform, both frameworks.
Matproof's AI module operates as the AIMS for ISO 42001 and feeds the AI Act obligations from the same source of truth. The 38 Annex A controls map automatically to AI Act Articles 9, 10, 11, 12, 13, 14, 15, 25, and 72. Where the AI Act adds obligations outside ISO 42001's scope (Art. 43 conformity assessment, Art. 48 CE marking, Art. 73 incident reporting), Matproof provides separate dedicated workflows that pull evidence from the AIMS automatically.
FAQ
Frequently asked questions
Is ISO 42001 a harmonized standard under the EU AI Act?
Not yet. Article 40 of the EU AI Act creates a presumption of conformity for high-risk AI systems that conform to harmonized standards. The European Commission issued standardization request M/593 to CEN-CENELEC in May 2023; the JTC 21 committee is developing the AI Act-specific harmonized standards (expected 2026-2027). ISO 42001 informs that work and is the closest existing standard, but until it (or a derivative) is published in the Official Journal as harmonized, certification does not directly trigger presumption of conformity.
Can ISO 42001 certification replace the EU AI Act conformity assessment?
No. For high-risk AI systems the AI Act requires a formal conformity assessment procedure: internal control (Article 43 + Annex VI) for most categories, or third-party assessment by a notified body (Annex VII) for biometric identification systems. ISO 42001 is a voluntary management system certification — it demonstrates governance maturity but is legally distinct from the conformity assessment. The two are complementary: a strong AIMS makes the conformity assessment significantly faster and lower-risk.
If we're not in scope of the EU AI Act, do we still need ISO 42001?
Most AI vendors and deployers are in scope of the AI Act in some way — providers/deployers of high-risk systems face the heaviest obligations, but limited-risk systems (chatbots, deepfakes, emotion recognition) have transparency obligations under Art. 50, and all AI operators face the AI literacy obligation under Art. 4. ISO 42001 is valuable beyond AI Act scope: enterprise procurement (RFPs and DPAs increasingly request it), board governance, customer due diligence, and other jurisdictions (UK, US states, Canada, Singapore) that may converge on ISO 42001 as their reference standard.
What does the EU AI Act require that ISO 42001 does not address?
Several AI Act-specific obligations sit outside ISO 42001's scope: (1) the conformity assessment procedure itself (Art. 43), (2) CE marking for high-risk systems (Art. 48), (3) EU declaration of conformity (Art. 47), (4) registration in the EU AI database (Art. 49 + 71), (5) fundamental rights impact assessment for deployers of certain public-service AI (Art. 27 — though A.5 partially covers this), (6) serious incident reporting to national authorities within 15 days (Art. 73), (7) the specific GPAI Code of Practice obligations under Art. 56. ISO 42001 builds the management system; the AI Act adds these procedural and reporting overlays.
Which AI Act articles does ISO 42001 actually cover?
ISO 42001 directly supports Art. 9 (risk management — Clause 6), Art. 10 (data and data governance — A.7), Art. 11 + Annex IV (technical documentation — Clause 7.5 + A.6.2), Art. 12 (logging — A.6.2.6), Art. 13 (transparency and instructions — A.8), Art. 14 (human oversight — A.9.3), Art. 15 (accuracy, robustness, cybersecurity — A.6.2.8), Art. 17 (quality management system — entire AIMS), Art. 27 (FRIA — partially via A.5 impact assessment), Art. 72 (post-market monitoring — Clause 9), and Art. 25 (value chain responsibilities — A.10). That's about 60 percent of the high-risk obligations by article count.
Which is faster to achieve: ISO 42001 certification or AI Act compliance?
ISO 42001 certification is typically faster (4-9 months for organisations with a mature ISO 27001 program), but the two aren't really alternatives — they answer different questions. AI Act compliance is a status determined by your specific AI systems' classification (prohibited, high-risk, limited-risk, minimal-risk) and your role (provider, deployer, importer, distributor). ISO 42001 is a management system that supports the work needed for whatever AI Act classification applies. The pragmatic order: classify your AI systems under the AI Act first, then build the AIMS, then certify, then complete any AI Act-specific procedures (conformity assessment, CE marking, registration).
Start
Get certified and AI-Act-ready in one program.
30-minute demo. See how Matproof runs ISO 42001 and AI Act compliance from one platform with shared evidence.