EU AI Act Compliance

AI Act vs ISO 42001: What's the Difference and Do You Need Both?

The EU AI Act and ISO 42001 cover similar ground, but one is law and one is a management framework. Here's what each requires, where they overlap, and what European SMEs actually need to do.

· 6 min read · By Khairos AI

The difference between the AI Act and ISO 42001 matters enormously to any SME buying or deploying AI tools in Europe right now. Conflating the two is one of the most common mistakes compliance officers make in 2025, and it can leave a company either over-engineered and overspending, or dangerously under-compliant.

Let's be direct: the EU AI Act is EU law. ISO 42001 is a voluntary international standard. One can result in fines of up to €15 million or 3% of global annual turnover if you breach it. The other is a certification you can choose to pursue or ignore. That asymmetry shapes everything.

What the EU AI Act Actually Requires of Deployers

If your company uses AI systems in the EU, you are a deployer under the AI Act, regardless of whether you built the tool. The law places a specific set of obligations on deployers, which are spelled out primarily in Article 26.

For high-risk AI systems (think: CV screening tools, performance monitoring, credit scoring, biometric systems), Article 26 requires you to:

  • Conduct a Fundamental Rights Impact Assessment (FRIA) before deployment, as required under Article 27
  • Assign human oversight to each system
  • Ensure staff who work with the AI have sufficient literacy and training under Article 4
  • Keep logs and technical documentation
  • Notify your national authority if something goes wrong

For general-purpose AI systems, you still carry obligations around transparency and, in some cases, must register the system in the EU database. Non-high-risk AI use still triggers Article 50 transparency duties if your AI interacts with humans directly.

The enforcement clock is real. AI literacy obligations under Article 4 applied from 2 August 2025. High-risk system obligations phase in through 2026. Penalties for non-compliance can reach up to €15 million or 3% of turnover, whichever is higher.

What ISO 42001 Is (and Isn't)

ISO/IEC 42001:2023 is an AI management system standard. Think of it like ISO 9001 for quality or ISO 27001 for information security: it gives you a structured framework for governing AI across your organisation. It covers things like:

  • AI policy and strategy documentation
  • Risk assessment processes for AI systems
  • Roles, responsibilities, and accountability structures
  • Supplier and procurement controls
  • Incident management and continuous improvement

It is internationally recognised and increasingly requested in enterprise procurement and public tenders. Getting certified signals maturity. But ISO 42001 certification does not make you EU AI Act compliant. It is not a legal safe harbour.

The standard was designed before the final text of the AI Act was locked down. Its risk categories do not map perfectly to the Act's high-risk classifications. It has no concept of a FRIA. It does not reference national supervisory authorities or the EU AI database. It is built for global applicability, which means it cannot be tuned to any single legal jurisdiction.

Where They Overlap: About 70% of the Work

That said, there is substantial common ground. If you implement ISO 42001 properly, you are doing meaningful EU AI Act prep work at the same time.

Both frameworks require:

  • An inventory of AI systems in use across the organisation
  • Documented risk assessments for each system
  • Clear accountability: who owns each AI deployment?
  • Supplier due diligence (your AI provider's obligations flow down to you)
  • Training and awareness for staff who interact with AI
  • A process for incidents and corrective action

For a 50-person company, building these controls once and mapping them to both frameworks is far more efficient than running two parallel programmes. The documentation you create for ISO 42001 can directly feed into your Article 26 compliance file, your Article 27 FRIA records, and your Article 4 training logs.

The overlap is highest at the governance and documentation layer. The gap opens up when you get into EU-specific legal requirements: the FRIA, the national authority notification process, the EU AI database registration, and the specific prohibited practices listed in Article 5.

Why ISO 42001 Alone Is Not Enough

Three practical gaps make relying solely on ISO 42001 risky for European deployers.

Gap 1: No FRIA template. The Act requires a structured fundamental rights impact assessment before deploying a high-risk system. ISO 42001's risk assessment process is generic. It does not cover the specific rights dimensions the FRIA demands, including effects on vulnerable groups, access to services, and the right to an explanation.

Gap 2: No prohibited-practices checklist. Article 5 bans specific AI uses outright: social scoring by public authorities, certain biometric categorisation, subliminal manipulation. ISO 42001 does not map to these prohibitions. A certified company could still inadvertently breach them.

Gap 3: Different timeline. ISO 42001 certification is time-intensive and audit-driven. The EU AI Act's compliance deadlines do not wait for your certification cycle. Article 4 literacy obligations are already in force. You cannot defer AI Act compliance until your next ISO audit window.

The Cost-Benefit Picture for SMEs

For a company with 20 to 200 employees, full ISO 42001 certification is a significant investment: typically €20,000 to €60,000 including gap analysis, implementation, and the audit itself, depending on company size and complexity. Annual surveillance audits add ongoing cost.

EU AI Act compliance, done proportionately for an SME deployer, costs considerably less. Most SMEs are not building AI; they are using third-party tools. The compliance work centres on:

  1. Classifying the AI systems you use (high-risk or not)
  2. Completing a FRIA if any system is high-risk
  3. Documenting your human oversight procedures
  4. Running a one-time AI literacy session for relevant staff
  5. Keeping a simple log

This can be completed in weeks, not months, and does not require a third-party audit to be legally valid.

If your company sells into enterprise accounts or public sector, ISO 42001 certification may have commercial value beyond legal compliance. In that case, the hybrid approach makes sense: pursue ISO 42001 as a strategic differentiator, while treating AI Act compliance as the legal baseline you complete first.

A Practical Hybrid Approach

For most SMEs, the right sequence is:

  1. Complete AI Act compliance first. Classify your systems, run your FRIA where needed, document human oversight, train your staff. This is your legal obligation and it is time-bound.

  2. Map your AI Act documentation to ISO 42001 controls. Your system inventory, risk records, supplier contracts, and training logs all have a home in the ISO framework. Do not rebuild them from scratch.

  3. Decide on certification based on commercial need. If customers are asking for it, or you want to differentiate in a regulated sector like financial services or healthcare, pursue the full certification. If not, you can operate to the ISO 42001 standard informally without the audit cost.

  4. Review annually. Both the Act and the standard will evolve. The Commission is already producing guidance on FRIA methodology via digital-strategy.ec.europa.eu. Keep your documentation live rather than treating it as a one-time exercise.

The companies that will struggle in 2026 are those treating the AI Act as an IT project and ISO 42001 as a box-ticking exercise run by two separate teams. Governance, documentation, and training are the same underlying work. Build it once. Map it to both.


Not sure whether your AI systems are high-risk under the Act, or whether you need a FRIA before your next deployment? The free 2-minute compliance check at comply.khairos.ai gives you a plain-language verdict on your current exposure and your next three steps.
