ISO 42001 and the EU AI Act: A Strategic Approach to Compliance

As the EU’s Artificial Intelligence Act (AI Act) takes effect, organizations are facing a new landscape of compliance requirements, particularly for high-risk AI systems. With the AI Act now in force as of August 2024, companies must navigate a complex regulatory environment that demands rigorous adherence to a host of legal obligations. One tool that has garnered attention in this context is ISO 42001, the AI management system standard. This article explores whether ISO 42001 can serve as an effective means of achieving compliance with the AI Act, and what organizations need to consider as they implement AI systems in line with these new regulations.

The AI Act and ISO 42001: Understanding the Connection

The AI Act represents a significant shift in how AI systems are regulated within the European Union. With its risk-based approach, the AI Act categorizes AI systems into different risk levels, with high-risk AI systems facing the most stringent requirements. As companies seek to ensure compliance, ISO 42001 has emerged as a potential framework for managing AI systems within an organization. However, while ISO 42001 provides a foundation, it is not a one-size-fits-all solution for AI Act compliance.

Overlapping Requirements, Different Focus

ISO 42001 and the AI Act share some common ground, particularly in areas such as record-keeping, risk management, and human oversight. For example, both require that high-risk AI systems have mechanisms for logging events to ensure traceability and accountability. However, the AI Act imposes more specific and binding requirements, particularly concerning product safety and the protection of fundamental rights. While ISO 42001 can support compliance efforts, it is not sufficient on its own to meet all AI Act obligations.

For instance, under the AI Act, logs must be kept for a minimum of six months and must facilitate post-market monitoring and the identification of risks to health, safety, and fundamental rights. ISO 42001, while recommending logging practices, does not mandate these specifics, leaving organizations to determine the appropriate scope and duration of record-keeping based on their unique operational needs. This divergence highlights the importance of a tailored approach to AI Act compliance, one that integrates ISO 42001 with additional measures to meet the full spectrum of regulatory requirements.

What ISO 42001 Does Not Cover

While ISO 42001 provides valuable guidance on AI governance, it does not encompass all the obligations set out in the AI Act. Notably, ISO 42001 does not address European product safety laws, such as the requirement to produce and retain an EU Declaration of Conformity or to affix the CE marking to high-risk AI systems. Additionally, ISO 42001 does not include specific rules for reporting to and cooperating with European authorities, which is a critical aspect of AI Act compliance.

Moreover, the AI Act explicitly prohibits certain AI practices, such as social scoring and emotion recognition in the workplace, which ISO 42001 does not address. While ISO 42001 requires organizations to be aware of and comply with relevant prohibitions under other regulations, it does not impose these restrictions directly. As a result, organizations relying solely on ISO 42001 risk falling short of the AI Act’s comprehensive regulatory framework.

Additional Requirements Under ISO 42001

ISO 42001 includes several governance-related provisions that are not explicitly required by the AI Act but can still play a crucial role in an organization’s AI strategy. For example, ISO 42001 mandates that top management establish an AI policy aligned with the organization’s purpose and demonstrate leadership and commitment to the AI management system. This broader focus on AI governance can enhance an organization’s overall AI strategy, complementing the more prescriptive requirements of the AI Act.

Harmonized Standards on the Horizon

Looking beyond ISO 42001, the European Commission has commissioned the development of additional European standards to provide further guidance on AI Act compliance. These standards, expected to be published by April 2025, will address key areas such as risk management, record-keeping, and human oversight. Once adopted, high-risk AI systems that conform to these standards will be presumed to comply with the corresponding AI Act requirements, making them a critical component of the compliance landscape.

Strategic Takeaways for AI Act Compliance

For organizations seeking to align with the AI Act, ISO 42001 offers a useful starting point but must be integrated with additional compliance measures tailored to the specific requirements of the AI Act. Key considerations include:

• ISO 42001 as a Foundation: While ISO 42001 provides a solid foundation for AI governance, it is not a substitute for full compliance with the AI Act. Organizations should use ISO 42001 as a tool to support, not replace, their broader compliance efforts.
• Complementing ISO 42001: Organizations must implement additional measures to address areas not covered by ISO 42001, such as conformity assessment, CE marking, and prohibited AI practices. This may involve adopting supplementary standards or developing bespoke compliance processes.
• Monitoring Emerging Standards: The upcoming European standards will likely play a critical role in AI Act compliance. Organizations should monitor the development of these standards and be prepared to integrate them into their compliance strategies.
• Leadership and Commitment: ISO 42001’s focus on AI governance and leadership can strengthen an organization’s AI strategy, ensuring that top management is actively engaged in the oversight and management of AI systems.

Conclusion: Navigating AI Act Compliance with ISAKCO

As the AI Act reshapes the regulatory landscape for AI in the EU, organizations must adopt a comprehensive approach to compliance. ISO 42001 offers valuable guidance but is only part of the puzzle. By integrating ISO 42001 with other compliance measures and staying abreast of emerging standards, organizations can position themselves to meet the AI Act’s stringent requirements.

At ISAKCO, we specialize in helping organizations navigate the complexities of AI regulation. Our expertise in AI Advisory Services enables us to provide tailored support that ensures compliance while fostering innovation. Whether you are looking to implement ISO 42001 or develop a broader AI compliance strategy, our team is here to guide you every step of the way.