ISO 42001 vs the EU AI Act: What Enterprise Buyers Actually Expect You to Hold
"We're EU AI Act compliant." "We hold ISO 42001." "We're aligned with the AI governance frameworks." Three different statements, increasingly used interchangeably by AI vendors in marketing materials. They are not interchangeable. They mean different things, satisfy different obligations, and convince different buyers. This guide explains the structural relationship between ISO 42001 and the EU AI Act, what enterprise buyers actually want to see, and how to position your AI governance posture credibly without overstating your compliance status.
ISO/IEC 42001:2023 is a voluntary international management system standard. Companies adopt it because it is recognised by buyers, supports good governance, and provides an auditable framework for AI risk management. There is no legal requirement to hold it. The EU AI Act (Regulation 2024/1689) is a binding piece of EU law. Compliance is mandatory for any company that places AI systems on the EU market, puts them into service in the EU, or whose AI output is used in the EU. There is no choice about whether to comply; only about how to evidence compliance. The two operate in different domains. ISO 42001 is a management system tool. The EU AI Act is a legal regime.
Holding ISO 42001 does not make you EU AI Act compliant. The Act has specific obligations, including technical documentation, conformity assessment for high-risk systems, CE marking, EU database registration, post-market monitoring, and incident reporting, that ISO 42001 does not directly address. Equally, claiming EU AI Act compliance does not mean you hold ISO 42001. The Act allows different evidence pathways, of which ISO 42001 is one. A company can hold ISO 42001 and not be EU AI Act compliant because it has not addressed the Act-specific obligations. A company can be EU AI Act compliant and not hold ISO 42001 because it has evidenced compliance through alternative pathways. A company can hold both, which is the cleanest position for an EU-facing AI vendor.
ISO 42001 provides the management system foundation that the EU AI Act expects. The structural mapping is roughly as follows: EU AI Act Article 17 on quality management systems maps to ISO 42001 Clauses 4 to 10; Article 9 on risk management maps to ISO 42001 Annex A.5 controls; Article 10 on data governance maps to ISO 42001 Annex A.7 controls on data quality and provenance; Article 11 on technical documentation is supported by, but not satisfied by, the ISO 42001 documentation requirements; and Articles 14 to 15 on human oversight, accuracy, robustness and cybersecurity are addressed by ISO 42001 controls but require Act-specific implementation. ISO 42001 covers roughly 70 percent of the EU AI Act's management system and risk management obligations. The remaining 30 percent is Act-specific work.
Based on questions appearing in enterprise vendor questionnaires over the last six months, the AI governance question typically takes one of three forms. Form 1: "Are you ISO 42001 certified?" The buyer is looking for a recognisable certification because their procurement team has been told that ISO 42001 is the relevant credential. Form 2: "How are you preparing for the EU AI Act?" Asked by buyers with EU operations testing whether you understand the Act's obligations. Form 3: "What is your AI governance framework?" The most sophisticated form, asked by buyers with mature AI risk programmes who want to see structural thinking, not just a certificate.
Three positioning pitfalls to avoid. First, do not claim EU AI Act compliance unless you have completed the Act-specific obligations. "Compliant" implies you have satisfied a legal regime that requires conformity assessment and, for high-risk systems, CE marking. "Aligned with the Act's principles" is more honest and equally credible. Second, do not present ISO 42001 as legal compliance with the Act. It provides evidence of governance maturity and partially supports Act compliance, but it does not satisfy the Act's specific obligations. Third, do not present the absence of EU operations as an exemption. The Act's extraterritorial reach catches any company whose AI output is used in the EU.
The strongest commercial positioning for a UK AI company facing enterprise buyers is: ISO 42001 certification, providing the management system credential procurement teams recognise; ISO 27001 certification, providing the broader information security credential; EU AI Act readiness work documented separately, including risk classification and impact assessments; and a named senior owner for AI governance, ideally with the IAPP AIGP credential or equivalent. This combination answers all three forms of the AI governance question credibly and positions the company ahead of competitors who have only one of these elements in place.
If you sell AI to enterprise buyers, ISO 42001 is the certification to pursue first. If you sell into the EU specifically, EU AI Act readiness work runs in parallel rather than sequentially. If your AI is high-risk under the Act's classification, formal conformity assessment is the third workstream and cannot be substituted by ISO 42001 alone. Most UK AI companies need all three, in that order.