Companies using AI in real business operations should not treat ISO 42001 and the EU AI Act as separate topics. The AI Act creates legal duties and fixed dates, while ISO 42001 provides the management-system structure needed to organise roles, processes, records, internal controls, and improvement. Businesses that wait until 2026 will be working under pressure. Businesses that start now can reduce friction, audit stress, and expensive rework.
Since February 2, 2025, the first AI Act rules have already applied, including the rules on prohibited AI practices and AI literacy. Since August 2, 2025, further obligations have applied to providers of general-purpose AI models. From August 2, 2026, the broader legal framework becomes generally applicable. Source: European Commission
AI literacy is one of the most underestimated parts of this timeline. Many companies still assume they have until 2026 to act, but the employee training obligation already applies today to providers and deployers. That makes AI literacy one of the strongest practical starting points for consulting, because companies need more than a policy statement. They need evidence that the people working with AI systems understand what they are doing. Source: European Commission FAQ
Why August 2, 2026 is closer than most companies think
Many teams still treat the AI Act as a future legal project. In practice, it is already an operational project. As soon as AI is used in real workflows, questions appear around ownership, approvals, competence, data, suppliers, documentation, monitoring, and corrective action. Those operating details will later determine whether a company can credibly demonstrate that AI is being used under control.
The Commission’s timeline is clear: initial rules have applied since February 2025, GPAI-related obligations since August 2025, and the broader framework will apply from August 2026. That means businesses that postpone governance, documentation, and responsibilities until the last minute are likely to create rushed compliance rather than reliable compliance. Source: European Commission

What ISO 42001 actually provides
ISO/IEC 42001 is described by ISO as the world’s first AI management system standard. It is intended for organisations that provide, develop, or use AI systems. In practical terms, that matters because ISO 42001 is not just a set of AI ethics statements. It is a framework for responsibilities, objectives, risks, documented information, internal controls, performance evaluation, and continual improvement. Source: ISO
For SMEs and growing businesses, the biggest benefit is not the certificate alone. It is the operating discipline behind it. ISO 42001 forces companies to treat AI as a management issue, not just a technical or legal side topic. Businesses already familiar with management systems will recognise the value immediately: defined responsibilities, controlled processes, records, reviews, and a repeatable improvement cycle.
The EU AI Act and ISO 42001: how they fit together
The AI Act is a law. ISO 42001 is a management-system standard. That difference matters, but in practice the two still connect. The law defines legal duties, roles, and risk-based obligations. ISO 42001 provides the organisational discipline that helps companies implement those duties consistently. Businesses that focus only on legal text often miss the operating structure underneath. Businesses that focus only on certification risk gaps against actual legal requirements.
| Topic | EU AI Act | ISO 42001 | Practical effect |
|---|---|---|---|
| Responsibility | Defines obligations for different actors and use cases | Builds roles, ownership, and governance into the business | Fewer grey areas in day-to-day decisions |
| AI literacy | Creates a real competence obligation for providers and deployers | Supports training, competence management, and records | Training becomes auditable instead of ad hoc |
| Risk and control | Imposes risk-based obligations depending on the system and role | Provides risk identification, controls, review, and improvement logic | Controls are managed systematically rather than reactively |
| Documentation | Requires information and evidence in many cases | Creates documented processes and document control | Evidence is easier to retrieve in audits or customer reviews |
| Suppliers and external tools | Relevant where external models, platforms, or systems are involved | Helps structure supplier oversight and interface control | Less blind reliance on external AI vendors |
This is exactly where ISO 42001 becomes commercially relevant. Many companies do not need another abstract AI debate. They need a practical implementation structure. Businesses that already understand how management systems translate into processes for quality or audit readiness can apply the same discipline to AI governance.
Who needs to care because of the law, and who should care because of governance risk
The key distinction is between legal obligation and recommended management practice. The EU AI Act does not require an ISO 42001 certificate. Companies do not adopt ISO 42001 because the law explicitly orders them to. They look at ISO 42001 because the AI Act creates legal duties depending on role and use case, and ISO 42001 is a strong framework for implementing those duties in an organised way.
The European Commission’s guidance distinguishes most clearly between providers and deployers of AI systems. AI literacy already applies to both providers and deployers. Providers of general-purpose AI models have further obligations that started on August 2, 2025. From August 2, 2026, the broader AI Act framework becomes generally applicable, including the main obligations that matter for many high-risk situations. Sources: European Commission; European Commission FAQ
| Business / role | What matters legally | How ISO 42001 fits |
|---|---|---|
| Companies using AI in their own operations | These businesses are often deployers. AI literacy already applies to them, and high-risk use cases can trigger more obligations such as oversight and operational controls. | Not legally mandatory as a certificate, but highly useful when AI is used across departments or with sensitive data. |
| Companies developing or placing AI systems on the market | These businesses are typically providers. For high-risk systems, the Act requires a real quality management system under Article 17. Source: AI Act Article 17 | ISO 42001 can help structure roles, records, reviews, and governance, but the legal benchmark remains the AI Act itself. |
| Providers of general-purpose AI models | This group already faces additional obligations that started on August 2, 2025. Source: European Commission | ISO 42001 is helpful for governance and accountability, but it is not a substitute for specific GPAI duties. |
| Companies without productive AI use | These businesses may not yet face the same immediate implementation pressure as a provider or deployer. | Not a must, but still sensible if broad AI adoption is planned soon or if customers, investors, or auditors already expect structured governance. |
There is also an important limit to the standard. ISO 42001 is currently not an automatic legal safe harbor under the AI Act. The Commission states in its standardisation FAQ that the objectives and definitions of ISO/IEC 42001:2023 are not equivalent to the AI Act’s quality management system, and that a separate standard for the AI Act QMS is being developed. Source: European Commission FAQ on standardisation
That means ISO 42001 should be understood as a strong implementation framework, not as a shortcut around legal analysis. It is especially relevant for companies that are not legally forced to certify, but still need to implement AI Act obligations in a way that is controlled, auditable, and commercially credible.
Five numbers that make the urgency concrete
The AI governance conversation is not theoretical. More use means more need for control. These figures are especially relevant:
- 20.0% of EU enterprises with at least ten employees used AI technologies in 2025, up from 13.5% in 2024. Sources: Eurostat 2025; Eurostat 2024
- In Germany, 26% of businesses used AI in 2025. Among companies with 50 to 249 employees, the rate reached 36%. Source: Destatis
- Among German companies not yet using AI, 72% cited lack of knowledge, 62% unclear legal consequences, and 60% data protection concerns as key barriers. Source: Destatis
- The AI Index Report 2025 says 78% of surveyed organisations used AI in at least one business function in 2024, and 71% used generative AI in at least one function. This is useful market context, but it should be treated as survey evidence rather than legal proof.
- AI literacy is already in force now, not later. That alone means many companies already have a live compliance and training challenge in 2026. Source: European Commission FAQ
A practical 90-day starting plan
Companies do not need a perfect AI management system on day one. But they do need to move quickly from uncontrolled AI use to a minimum level of governance that can actually be managed.
Businesses that already understand management systems will recognise these patterns immediately. Methods used for process mapping, risk and opportunity analysis, or internal audits can often be reused instead of reinventing AI governance from scratch. That is why content such as process landscape mapping, risk and opportunity management, or internal audit programmes still matters here.

Common mistakes that slow projects down
The most common mistake is treating the AI Act as purely a legal reading exercise while postponing operational implementation. That usually means no inventory, no approval logic, no ownership, and no training evidence. Another mistake is treating ISO 42001 only as a certificate project. Without functioning processes, records, and review routines, governance remains weak.
Audit readiness is often underestimated as well. Businesses reach the point of internal review or customer scrutiny and realise that decisions were made, but not documented properly. That is why topics like audit preparation, audit checklists, and the role of consulting versus certification bodies remain relevant in AI governance work too.
How we help companies implement ISO 42001 end to end
We support businesses end to end with ISO 42001 implementation, from gap assessment and AI inventory through governance design, documented processes, training, internal audits, management review, and certification readiness. Our focus is practical execution, not just templates. We help companies reduce internal coordination effort, avoid unnecessary compliance headaches, and move faster with a high level of service and responsiveness. If you want structured support, we can help through our ISO 42001 consulting service, our broader audit and management support, and transparent planning via our ISO 42001 pricing page.
FAQ about ISO 42001 and the EU AI Act
Does ISO 42001 replace legal analysis under the EU AI Act?
No. ISO 42001 does not replace legal analysis of AI Act obligations. It provides a management-system structure that can help companies implement those obligations more reliably.
Is ISO 42001 legally mandatory under the AI Act?
No. The AI Act does not require an ISO 42001 certificate. However, some actors and some use cases do face binding legal obligations, including management-system requirements for certain providers, and ISO 42001 can be a practical way to meet them in an organised manner.
Do companies really need to act on AI literacy now?
Yes. AI literacy is one of the obligations that already applies. Companies that use or provide AI systems should not wait until 2026 to start training and documenting competence.
Which companies should start with an ISO 42001 gap assessment first?
Businesses with productive AI use, multiple departments using AI, sensitive data, regulated environments, or growing audit and customer pressure should usually start first.
About the Author
Jonathan Sternberg is a certified internal auditor and external quality management representative with experience in the automotive, semiconductor, laser optics, and medical device industries. Through Sternberg Consulting, he supports companies with practical implementation of ISO 9001, ISO 14001, ISO 45001, ISO 42001, and ISO 13485.
Related Articles
- ISO Consulting vs Certification Body – What’s the Difference?
- How to Prepare for an ISO Audit Without Internal Expertise
- ISO 9001 Process Landscape: How to Identify and Document Your Core Processes
- ISO 9001 Risks and Opportunities: A Practical Guide for SMEs
- Internal Audit According to ISO 9001: Definition, Goals & How to Do It Right
- ISO 42001 Artificial Intelligence Management System Consulting