
EU AI Act vs ISO 42001:
How they compare

The EU AI Act and ISO 42001 are two central frameworks shaping AI governance. One is binding law, the other is a voluntary management-system standard. Understanding how they relate helps regulated institutions build evidence-linked review that can stand up to both legal and operational scrutiny.

01 Overview

Two frameworks, different purposes

EU AI Act

A European Union regulation (Regulation 2024/1689) establishing harmonized rules for AI systems. It creates legally binding obligations based on risk classification and applies to anyone placing AI systems on the EU market or deploying them within the EU.

ISO/IEC 42001:2023

An international standard specifying requirements for establishing, implementing, maintaining, and improving an AI Management System (AIMS). It follows the ISO management system structure (Annex SL) and is certifiable through accredited bodies.

02 Comparison

Side-by-side comparison

Nature
EU AI Act: Legally binding EU regulation with penalties up to 7% of global turnover
ISO 42001: Voluntary international standard providing a certifiable management system framework

Scope
EU AI Act: Applies to AI system providers and deployers in the EU market, classified by risk level
ISO 42001: Applies to regulated institutions and comparable high-accountability entities seeking to establish an AI management system, regardless of geography

Risk Approach
EU AI Act: Prescriptive risk tiers: unacceptable, high, limited, minimal. High-risk systems face detailed requirements
ISO 42001: Risk-based management system approach. Institutions define their own risk criteria and controls within the management system

Documentation
EU AI Act: Mandates specific technical documentation (Art. 11), conformity assessments, and EU declarations of conformity
ISO 42001: Requires documented information for the AIMS, including policies, objectives, risk assessments, and treatment plans

Data Governance
EU AI Act: Specific requirements for training, validation, and testing data quality (Art. 10)
ISO 42001: Addresses data quality within the broader management system context; less prescriptive on specific data requirements

Human Oversight
EU AI Act: Explicit requirement for human oversight of high-risk systems (Art. 14)
ISO 42001: Covered under defined governance roles and responsibilities; less prescriptive on specific oversight mechanisms

Monitoring
EU AI Act: Requires post-market monitoring and incident reporting for high-risk systems
ISO 42001: Requires performance evaluation, internal audit, and continual improvement

Enforcement
EU AI Act: National authorities enforce compliance. Fines for non-compliance
ISO 42001: Certification bodies audit and certify. No legal penalties for non-certification
03 Key Takeaway

They are complementary, not competing

ISO 42001 provides the management-system structure. The EU AI Act provides the legal obligations. Regulated institutions subject to the Act can use ISO 42001 as an operational backbone for parts of risk management, documentation, monitoring, and internal audit.

However, ISO 42001 alone does not guarantee EU AI Act compliance. The Act has specific requirements, including conformity assessments, EU declarations of conformity, and risk classification under Annex III, that go beyond what ISO 42001 covers. A durable AI governance program addresses both.

04 Dokeo

How Dokeo supports review across both frameworks

Dokeo gives regulated institutions a formal operating layer for evidence-linked review across the EU AI Act and ISO 42001. Teams can map systems, obligations, controls, evidence, findings, and remediation in one operational model while keeping legal review and audit history visible.
