Regulation
ISO 42001 and the EU AI Act
The EU AI Act is the world's first comprehensive AI law. It sets legal obligations; ISO/IEC 42001 gives you the management system to meet them and prove it. This page explains the current timeline, what changes for high-risk AI, and how a certified AIMS becomes your operational evidence.
Timeline updated July 2026 to reflect the AI Act Digital Omnibus (Council final approval, 29 June 2026).
Why it matters
The law is no longer coming — it's phasing in
AI didn't arrive through a strategic project. It crept in through free trials, browser extensions and "let me just try something" — in hiring, credit, support, coding and analysis. The EU AI Act turns that uncontrolled footprint into a legal exposure with real penalties. ISO 42001 is how you make AI use controllable, explainable and demonstrable before a regulator, customer or auditor asks.
The dates that matter
EU AI Act application timeline
The Digital Omnibus (agreed May 2026, given final green light by the Council on 29 June 2026) postponed the high-risk deadlines while keeping — and in one case accelerating — transparency and prohibition rules.
Since Feb 2025
Prohibited practices
Bans on the most harmful AI uses (e.g. social scoring, certain biometric practices) are in force.
Since Aug 2025
General-purpose AI (GPAI)
Transparency and documentation obligations for general-purpose AI models apply.
2 Aug 2026
Article 50 transparency
Duty to disclose AI interaction and to label AI-generated content. Unchanged by the Omnibus.
2 Dec 2026
New prohibition
Ban on AI-generated non-consensual intimate imagery and CSAM takes effect (new under the Omnibus).
2 Dec 2027
High-risk (Annex III, stand-alone)
Obligations for stand-alone high-risk systems — hiring, credit, education, essential services — now apply here, moved back from 2 Aug 2026.
2 Aug 2028
High-risk (Annex I, in products)
High-risk AI embedded in regulated products (machinery, medical devices, etc.) applies here.
Dates reflect the adopted Digital Omnibus. The act's amendments enter force on the third day after publication in the EU Official Journal.
Don't misread the delay
More time to comply — not less to do
The high-risk deadline moved from August 2026 to December 2027 because the harmonized standards weren't ready in time, not because the obligations shrank. Risk management, documentation, human oversight and monitoring requirements are unchanged. The organisations that use the extra runway to build a real management system will sail through; those that read it as "next year's problem" will scramble against a fixed calendar date.
The bridge
How ISO 42001 maps onto the AI Act
A well-implemented AIMS is operational evidence of exactly the controls the AI Act expects. The toolkit ships with an EU AI Act mapping sheet so you can connect each piece of ISO 42001 work to the obligation it satisfies.
Risk management system
AI Act Art. 9 ↔ ISO 42001 risk & impact assessment methodology and register.
Data governance
AI Act Art. 10 ↔ Annex A.7 data provenance, quality and bias controls.
Technical documentation
AI Act Art. 11 & Annex IV ↔ lifecycle documentation, model cards, technical pack.
Record-keeping & logging
AI Act Art. 12 ↔ event-logging specification and monitoring records.
Transparency
AI Act Art. 13 & 50 ↔ user information and AI transparency notices.
Human oversight
AI Act Art. 14 ↔ human-oversight plan and intended-use records.
Accuracy, robustness, security
AI Act Art. 15 ↔ verification & validation, monitoring and incident response.
Post-market monitoring
AI Act Art. 72 ↔ AIMS monitoring plan, KPIs and management review.
Questions
AI Act & ISO 42001 — quick answers
Does ISO 42001 certification make me AI-Act compliant automatically?+
No single certificate makes you legally compliant, and ISO 42001 is not yet a formally harmonized standard under the act. But a certified AIMS covers most of the act's management-system expectations and is the most efficient, auditable way to demonstrate them. The mapping sheet shows where they align and where act-specific duties remain.
I only use AI tools — does the act apply to me?+
Often yes. Deployers of high-risk AI have obligations too (human oversight, monitoring, following provider instructions). ISO 42001 explicitly scales to developers, providers, deployers and procurers.
Should I wait until December 2027?+
No. Building a real management system takes months, the obligations are unchanged, and Article 50 transparency plus GPAI rules already apply. Starting now turns a deadline into a calm checklist.
Turn AI Act obligations into a system you can prove
The toolkit includes the EU AI Act mapping sheet plus every policy, register and assessment template you need for an auditable AIMS.