Regulation

ISO 42001 and the EU AI Act

The EU AI Act is the world's first comprehensive AI law. It sets legal obligations; ISO/IEC 42001 gives you the management system to meet them and prove it. This page explains the current timeline, what changes for high-risk AI, and how a certified AIMS becomes your operational evidence.

Timeline updated July 2026 to reflect the AI Act Digital Omnibus (Council final approval, 29 June 2026).

Why it matters

The law is no longer coming — it's phasing in

AI didn't arrive through a strategic project. It crept in through free trials, browser extensions and "let me just try something" — in hiring, credit, support, coding and analysis. The EU AI Act turns that uncontrolled footprint into a legal exposure with real penalties. ISO 42001 is how you make AI use controllable, explainable and demonstrable before a regulator, customer or auditor asks.

The dates that matter

EU AI Act application timeline

The Digital Omnibus (agreed May 2026, given final green light by the Council on 29 June 2026) postponed the high-risk deadlines while keeping — and in one case accelerating — transparency and prohibition rules.

  1. Since Feb 2025

    Prohibited practices

    Bans on the most harmful AI uses (e.g. social scoring, certain biometric practices) are in force.

  2. Since Aug 2025

    General-purpose AI (GPAI)

    Transparency and documentation obligations for general-purpose AI models apply.

  3. 2 Aug 2026

    Article 50 transparency

    Duty to disclose AI interaction and to label AI-generated content. Unchanged by the Omnibus.

  4. 2 Dec 2026

    New prohibition

    Ban on AI-generated non-consensual intimate imagery and CSAM takes effect (new under the Omnibus).

  5. 2 Dec 2027

    High-risk (Annex III, stand-alone)

    Obligations for stand-alone high-risk systems — hiring, credit, education, essential services — now apply here, moved back from 2 Aug 2026.

  6. 2 Aug 2028

    High-risk (Annex I, in products)

    High-risk AI embedded in regulated products (machinery, medical devices, etc.) applies here.

Dates reflect the adopted Digital Omnibus. The act's amendments enter force on the third day after publication in the EU Official Journal.

Don't misread the delay

More time to comply — not less to do

The high-risk deadline moved from August 2026 to December 2027 because the harmonized standards weren't ready in time, not because the obligations shrank. Risk management, documentation, human oversight and monitoring requirements are unchanged. The organisations that use the extra runway to build a real management system will sail through; those that read it as "next year's problem" will scramble against a fixed calendar date.

The bridge

How ISO 42001 maps onto the AI Act

A well-implemented AIMS is operational evidence of exactly the controls the AI Act expects. The toolkit ships with an EU AI Act mapping sheet so you can connect each piece of ISO 42001 work to the obligation it satisfies.

Risk management system

AI Act Art. 9 ↔ ISO 42001 risk & impact assessment methodology and register.

Data governance

AI Act Art. 10 ↔ Annex A.7 data provenance, quality and bias controls.

Technical documentation

AI Act Art. 11 & Annex IV ↔ lifecycle documentation, model cards, technical pack.

Record-keeping & logging

AI Act Art. 12 ↔ event-logging specification and monitoring records.

Transparency

AI Act Art. 13 & 50 ↔ user information and AI transparency notices.

Human oversight

AI Act Art. 14 ↔ human-oversight plan and intended-use records.

Accuracy, robustness, security

AI Act Art. 15 ↔ verification & validation, monitoring and incident response.

Post-market monitoring

AI Act Art. 72 ↔ AIMS monitoring plan, KPIs and management review.

Questions

AI Act & ISO 42001 — quick answers

Does ISO 42001 certification make me AI-Act compliant automatically?+

No single certificate makes you legally compliant, and ISO 42001 is not yet a formally harmonized standard under the act. But a certified AIMS covers most of the act's management-system expectations and is the most efficient, auditable way to demonstrate them. The mapping sheet shows where they align and where act-specific duties remain.

I only use AI tools — does the act apply to me?+

Often yes. Deployers of high-risk AI have obligations too (human oversight, monitoring, following provider instructions). ISO 42001 explicitly scales to developers, providers, deployers and procurers.

Should I wait until December 2027?+

No. Building a real management system takes months, the obligations are unchanged, and Article 50 transparency plus GPAI rules already apply. Starting now turns a deadline into a calm checklist.

Turn AI Act obligations into a system you can prove

The toolkit includes the EU AI Act mapping sheet plus every policy, register and assessment template you need for an auditable AIMS.