In December 2023, ISO published the first international standard specifically for AI management: ISO/IEC 42001. Since then, the standard has quietly gained traction. Larger clients increasingly ask for it in tenders, insurers are starting to factor it into premiums, and the EU AI Act references 42001-aligned operations as a way to satisfy a large part of its obligations.
ISO/IEC 42001 is the first international standard for an AI management system (AIMS), helping organizations develop, procure, and use AI responsibly. The standard is technology-neutral, sector-agnostic, and certifiable by accredited bodies.
This article explains what ISO 42001 is, who needs it, how it relates to the EU AI Act and GDPR, what certification costs, and which steps you can take now.
What is ISO 42001 exactly?
ISO 42001 is a management system standard, similar in structure to ISO 27001 (information security) or ISO 9001 (quality management). The standard does not prescribe which AI you can build; it prescribes how you manage AI activities: from strategy and risk assessment to deployment, monitoring, and continuous improvement.
The core of an AI management system (AIMS) consists of six pillars:
- Context and governance. What role does AI play in your organization, and who is responsible for what?
- Risk management. What risks do your AI applications pose for customers, employees, and third parties?
- Policy frameworks. Which rules and limits apply to AI use within your business?
- Lifecycle management. How do you stay in control from design to retirement?
- Suppliers and supply chain. How do you assess AI tools and models you procure?
- Monitoring and improvement. How do you measure and continuously improve your AI practice?
ISO 42001 is technology-neutral: you can apply it to chatbots, computer vision, autonomous systems, or classic machine learning. The standard forces you to do the strategic thinking many businesses skip.
How does ISO 42001 relate to the EU AI Act, GDPR, and NIS2?
This is the question we get most often. Short answer: they overlap, but solve different problems. Think of them as layered, not interchangeable.
| Standard / law | Mandatory? | Focus | Burden of proof |
|---|---|---|---|
| EU AI Act | Yes, from August 2026 | Risk-based obligations for AI systems | Per AI system |
| GDPR | Yes, since 2018 | Personal data and privacy | Per processing activity |
| NIS2 | Yes, for medium and large businesses in vital sectors | Cybersecurity and resilience | Organization-wide |
| ISO 42001 | Voluntary, but increasingly commercially required | AI management at organization level | Organization-wide, certifiable |
In practice this means: if you comply with ISO 42001, you've already addressed most governance requirements from the EU AI Act. You have risk assessments, logging, and accountability documented. What remains is usually completing AI-system-specific documentation.
ISO 42001 does not replace GDPR. For personal data, GDPR and DPIAs remain authoritative. But 42001 work makes DPIAs simpler because much of the underlying groundwork is done.
Who needs ISO 42001?
Not every SMB. ISO 42001 becomes interesting if at least one of these applies:
- You bid on tenders. More Dutch and European tenders now require demonstrable AI governance, and 42001 is the most concrete demonstrable standard.
- You use AI in HR, financial decisions, healthcare delivery, or customer selection. These are the "high-risk" categories under the AI Act. A 42001 certification is a strong mitigation.
- You sell AI functionality to other businesses. Customers will ask how you manage AI risk. A certification gives a direct answer.
- Investors, auditors, or insurers ask about it. In 2026, 42001 is increasingly factored into due diligence and risk assessments.
- You already operate ISO 27001 or 9001. You can integrate 42001 into the same management structure with relatively limited extra effort.
For a five-person business that uses ChatGPT to draft emails faster, 42001 is probably overkill. For a thirty-person software vendor embedding AI in its product, it's almost certainly a good investment.
The 7 core components of an AI management system
ISO 42001 requires you to set up seven interconnected components. Each contains multiple controls you must satisfy.
1. Policy and objectives. A written AI policy stating what you do, what you don't do, and which principles guide you (responsible, fair, transparent, explainable).
2. Roles and responsibilities. Someone is ultimately responsible for AI governance. Someone monitors risk. Someone approves new AI applications. The AI governance framework is a good starting point.
3. Risk assessment and impact assessment. For every AI application, a documented evaluation of technical, ethical, and legal risk. This overlaps significantly with DPIA work.
4. Data quality and data lifecycle. Training and operational data must be assessed for quality, documented, and periodically reviewed. Read our guide on getting business data ready for AI.
5. Supplier management. For every AI tool or model you procure: contract, data agreements, and a clear division of accountability. A useful side effect of 42001 work: you finally know which AI tools are actually in use.
6. Monitoring and logging. Who made which decision with which AI? Which prompts were entered? Which output went to which customer? A solid AI audit trail is a core 42001 requirement.
7. Incident management and continuous improvement. When an AI system shows unwanted behavior (bias, wrong answer, data leak), a process exists to detect, mitigate, learn, and document.
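As an added illustration of component 6 (this is constructed example code, not text from the standard or from this article's author): a minimal append-only audit trail in Python that records, for each AI-assisted decision, who acted, with which AI system, on which prompt (stored by hash so personal data in prompts stays out of the log itself), and which output went to which customer. Records are hash-chained so later edits or deletions are detectable, and three query methods answer exactly the questions the component poses. The field names, actor names, system ids and customer ids are assumptions invented for the example.

```python
"""Constructed example of an AI decision audit trail (not ISO 42001 text).

Each record captures who decided, with which AI system, on which prompt
(SHA-256 of the prompt, so the audit log carries no raw prompt contents),
which output went to which customer, and the decision taken. Records are
hash-chained so that later modification, deletion or reordering is detectable.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def _record_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the digest is reproducible at verification time.
    body = {k: v for k, v in entry.items() if k != "record_hash"}
    return _sha256(json.dumps(body, sort_keys=True))


class AuditTrail:
    """Append-only, hash-chained log of AI-assisted decisions."""

    def __init__(self):
        self.records = []

    def record(self, *, timestamp, actor, ai_system, customer, prompt, output, decision):
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        entry = {
            "seq": len(self.records),
            "timestamp": timestamp,          # ISO 8601, UTC
            "actor": actor,                  # who made or approved the decision
            "ai_system": ai_system,          # which AI: system id and model version
            "customer": customer,            # who received the output
            "prompt_sha256": _sha256(prompt),  # which prompt, by hash only
            "output": output,                # what the AI produced
            "decision": decision,            # what was done with it
            "prev_hash": prev_hash,          # link to the previous record
        }
        entry["record_hash"] = _record_digest(entry)
        self.records.append(entry)
        return entry

    def verify(self) -> bool:
        """Return False if any record was altered, removed or reordered."""
        prev_hash = GENESIS_HASH
        for seq, entry in enumerate(self.records):
            if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
                return False
            if _record_digest(entry) != entry["record_hash"]:
                return False
            prev_hash = entry["record_hash"]
        return True

    # The three questions the monitoring component asks:
    def decisions_by(self, actor):
        """Who made which decision with which AI?"""
        return [e for e in self.records if e["actor"] == actor]

    def uses_of_prompt(self, prompt):
        """Which prompts were entered (and where)? Lookup is by hash."""
        digest = _sha256(prompt)
        return [e for e in self.records if e["prompt_sha256"] == digest]

    def outputs_for_customer(self, customer):
        """Which output went to which customer?"""
        return [(e["ai_system"], e["output"]) for e in self.records if e["customer"] == customer]


def build_sample_trail() -> AuditTrail:
    """Constructed sample records; actors, systems and customers are hypothetical."""
    trail = AuditTrail()
    trail.record(timestamp="2026-03-02T09:14:00Z", actor="j.devries",
                 ai_system="credit-scoring/v2.3", customer="ACME-1042",
                 prompt="Score application 1042", output="score=0.81", decision="approved")
    trail.record(timestamp="2026-03-02T09:20:00Z", actor="j.devries",
                 ai_system="support-chatbot/v1.0", customer="ACME-2210",
                 prompt="Summarize ticket 2210", output="Customer requests refund", decision="escalated")
    trail.record(timestamp="2026-03-02T10:02:00Z", actor="m.bakker",
                 ai_system="credit-scoring/v2.3", customer="ACME-3075",
                 prompt="Score application 3075", output="score=0.42", decision="declined")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("decisions by j.devries:", len(trail.decisions_by("j.devries")))
    print("outputs for ACME-1042:", trail.outputs_for_customer("ACME-1042"))
```

Storing only the prompt hash keeps the audit log itself free of personal data (the GDPR point raised above) while still letting an auditor prove that a specific prompt was or was not entered; the raw prompt, if it must be kept at all, belongs in a separately access-controlled store with its own retention period. Verification fails on any in-place edit, deletion or reordering because both the per-record digest and the sequence link are checked.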
What does ISO 42001 certification cost?
Total investment depends on company size, existing management systems, and the complexity of your AI portfolio. Realistic ranges for SMBs:
| Component | SMB up to 50 staff | SMB 50-250 staff |
|---|---|---|
| Gap analysis and internal preparation | €5,000 - €15,000 | €15,000 - €40,000 |
| Implementation support (consultant) | €10,000 - €25,000 | €25,000 - €75,000 |
| Certification audit (external body) | €4,000 - €8,000 | €8,000 - €20,000 |
| Annual surveillance audit | €2,000 - €4,000 | €4,000 - €10,000 |
| Internal time investment | 100-200 hours | 300-700 hours |
Total first-year investment: typically €20,000 to €50,000 for a small to mid-size SMB. Companies with existing ISO 27001 or 9001 certification land at the low end; companies setting up a management system for the first time at the high end.
Roadmap: how to prepare
Whether you aim for certification now or later, these steps build your AI maturity step by step.
Step 1: inventory your AI use. Which AI tools are actually running? ChatGPT used by sales? A chatbot on your website? Predictive analytics in marketing? Most businesses underestimate this by a factor of two. Read our article on shadow AI policy.
Step 2: run a first risk assessment. Which AI applications touch sensitive data, customers, or financial decisions? Those are your high-risk candidates and your starting point for governance work.
Step 3: draft a first AI policy. Even a two-page document with principles, do's, and don'ts is more than 80% of SMBs have. Start there.
Step 4: assign accountability. One person, with a mandate. It does not have to be a full-time role, but it must be someone empowered to say no to an AI application.
Step 5: run a gap analysis against 42001. You can do this yourself with the standard and a spreadsheet, or in collaboration with an AI consultant experienced with 42001.
Step 6: build out your system and certify. Close the gaps, build documentation, train your team, and only then schedule the external audit. The certification body audits the system, not your intentions.
Conclusion
ISO 42001 is not mandatory, but in 2026 it is rapidly becoming a commercially differentiating credential. For SMBs working with AI in a B2B context, operating in regulated sectors, or competing in tenders, a 42001 program directly strengthens both positioning and actual AI maturity.
The biggest mistake we see: companies waiting until a customer explicitly asks for it, then panicking and trying to rush certification. 42001 requires a minimum of four to six months of serious work; companies starting now will have a commercial argument next year that their competitors do not.
Wondering whether ISO 42001 is the right step for your business? Book a no-obligation discovery and we'll review your AI portfolio, existing management systems, and commercial context together.