ISO 42001 vs the EU AI Act: Do They Overlap Enough to Build a Single Compliance Programme?

Introduction 

Artificial intelligence has evolved rapidly from a technological innovation into a core business function. Organisations now routinely use AI in decision-making, customer engagement, risk management, and operations. Regulators and statutory bodies have created frameworks to address this rapid evolution; these frameworks are designed to tackle the problems emerging from the expansion of AI and to promote trustworthy and responsible AI. 

Two developments are particularly significant in this context. The first is ISO 42001 (December 2023), the world's first international standard for establishing, implementing, maintaining, and continuously improving an Artificial Intelligence Management System (AIMS). The second is the European Union Artificial Intelligence Act (EU AI Act), the world's first comprehensive and structured legislation governing AI systems through a risk-based regulatory framework. 

The overlap between ISO 42001 and the EU AI Act is highly significant for organisations that want to build a unified approach to AI governance and compliance. Properly aligning the two frameworks reduces duplication of effort, streamlines compliance processes, and enables organisations to build a single compliance strategy and framework that addresses both operational and regulatory requirements. 

Understanding the Two Frameworks 

ISO 42001 and the EU AI Act function in different ways but address similar concerns. ISO 42001 is a voluntary, certifiable management system standard that governs an organisation's processes for responsible AI governance. It emphasises management and leadership accountability, risk management, impact assessments, documentation, monitoring, evaluation, continuous improvement, and lifecycle governance of AI systems. 

The EU AI Act, on the other hand, is a regulation and therefore legally binding. It imposes mandatory obligations on the various stakeholders of the AI ecosystem, including AI providers, deployers, importers, distributors, and authorised representatives. It uses a structured risk-based model that classifies AI systems as prohibited, high-risk, limited-risk, or minimal-risk, with compliance obligations proportional to the level of risk of each system. 

In short, ISO 42001 guides organisations in building an AI governance system, while the EU AI Act specifies the legal obligations that must be satisfied. 

Overlap between ISO 42001 and the EU AI Act 

ISO 42001 integrates AI governance into an organisation's processes; its foundation is the establishment of an Artificial Intelligence Management System (AIMS). The EU AI Act imposes binding legal obligations on providers of high-risk AI systems, requiring structured risk management and quality management mechanisms (Articles 9 to 17) throughout the AI lifecycle. 

Several areas show strong alignment between the two frameworks. Substantial overlap exists in AI risk assessment and mitigation, governance and accountability structures, documentation and record-keeping, human oversight mechanisms, AI lifecycle management, continuous monitoring and improvement, and third-party and supplier management. 

In practice, organisations implementing ISO 42001 already follow many of the governance practices required under the EU AI Act, which reduces the effort needed to demonstrate the organisation's regulatory readiness. 

Where Does the Overlap End? 

There are many areas of alignment between ISO 42001 and the EU AI Act, but the two are not interchangeable. A major difference is that ISO 42001 is a governance framework, whereas the EU AI Act is a legally binding regulatory framework with specific legal requirements. 

The EU AI Act sets out detailed requirements covering the classification of high-risk AI systems, conformity assessments, CE marking obligations, registration of certain AI systems, technical documentation, post-market monitoring obligations, regulatory reporting duties, and market surveillance mechanisms. 

These obligations do not automatically arise from ISO 42001 certification. An organisation holding ISO 42001 certification may still fail to fulfil specific legal and procedural requirements under the EU AI Act. Academic analysis of the interaction between the EU AI Act and ISO 42001 also concludes that ISO 42001 provides a strong foundation but does not meet all of the EU AI Act's requirements. ISO 42001 therefore cannot be treated as a substitute for legal compliance under the EU AI Act. 

How Can Organisations Build a Single Compliance Programme?

Organisations can build a unified compliance programme by establishing ISO 42001 as the foundation of their compliance governance and then layering the legal requirements of the EU AI Act onto that framework. 

Key measures to establish a single compliance programme include the following steps: 

  • Establish a clear and common governance structure: Organisations must define clear roles, responsibilities, oversight mechanisms, and decision-making processes for AI governance across the organisation. 

  • Implement a unified risk management process: Organisations need a single methodology to identify, assess, mitigate, and monitor AI-related risks throughout the AI lifecycle, incorporating the risk-specific obligations of the EU AI Act. 

  • Maintain centralised documentation: Organisations must create a single repository for policies, risk assessments, technical documentation, audit records, and compliance evidence to support both internal governance and regulatory requirements. 

  • Assign accountability and oversight: Organisations should designate responsibilities for overseeing compliance, monitoring performance, and ensuring continuous improvement. 

  • Integrate regulatory reporting processes: Organisations should develop standardised workflows (Articles 12 and 18) for collecting, managing, and reporting the compliance information required under the EU AI Act. 

Because ISO 42001 follows a management-system approach similar to ISO 27001, organisations can integrate AI governance smoothly into existing governance, risk, and compliance (GRC) frameworks. However, additional controls will be required to fulfil those EU AI Act requirements that ISO 42001 does not fully address. 

Conclusion 

ISO 42001 and the EU AI Act overlap substantially in areas such as governance, risk management, accountability, documentation, monitoring, and human oversight. However, the two frameworks are not interchangeable. ISO 42001 is a voluntary management system standard for AI governance, while the EU AI Act is a legally enforceable statute whose obligations extend beyond governance into regulatory compliance. 

Organisations must not treat ISO 42001 certification as evidence of EU AI Act compliance. They should adopt ISO 42001 as the foundation of their AI compliance programme and add a layer of EU AI Act-specific requirements onto that framework. This approach lets organisations use a single governance framework, risk management process, and documentation system, while meeting statutory requirements through targeted controls. 

A compliance framework built around ISO 42001 and supplemented by the requirements of the EU AI Act helps organisations reduce duplication of controls, improve audit and regulatory readiness, and create a scalable governance model that can adapt to emerging AI regulations across jurisdictions. This integrated approach supports both responsible AI governance and long-term regulatory compliance. 

Want to Know More? 

Want to understand how your organisation can align ISO 42001 with the EU AI Act through a unified AI governance and single compliance programme? Reach out to the experts at gotrust today.