On 18 March 2026 EN ISO/IEC 42001:2026 was published, the European adoption of the standard on Artificial Intelligence management systems, while the work of CEN-CLC/JTC 21 on harmonised standards supporting the AI Act proceeds rapidly. But beware of confusing the levels: the AIMS of ISO/IEC 42001 is not the quality-management system required by Article 17 of the AI Act and, above all, no harmonised standard is to date cited in the Official Journal of the EU: without citation, the presumption of conformity does not operate. Let us clarify.
In the debate on AI Act compliance a widespread and insidious misunderstanding recurs: the idea that ISO/IEC 42001 certification constitutes, in itself, a regulatory pass. The author takes part in standardisation work within UNINFO, for ISO/IEC JTC 1/SC 42 and CEN-CLC/JTC 21, and this seems the right place to clarify a theme that touches the heart of the relationship between voluntary technical standardisation and binding regulation.
Article 40 of the AI Act: the presumption of conformity
The starting point is Article 40(1) of the AI Act, headed “Harmonised standards and standardisation deliverables”, under which high-risk AI systems or general-purpose AI models that conform to harmonised standards, or parts thereof, “the references of which have been published in the Official Journal of the European Union” are “presumed to be in conformity” with the relevant requirements. The presumption of conformity does not stem from the technical nature of the standard, but from a precise procedure: development at the Commission’s request by the European standardisation organisations, the Commission’s scrutiny and, finally, the citation of the references in the Official Journal (OJEU). The Commission itself reiterates it: “the application of standards remains voluntary. Providers can choose any other framework to demonstrate their compliance with the AI Act. However, harmonised standards referenced in the Official Journal of the EU provide legal certainty.”
The work of CEN-CLC/JTC 21 and the standardisation request
Implementing Article 40(2), the Commission entrusted CEN and CENELEC, through a standardisation request (decision C(2025)3871), with developing deliverables in ten key areas: risk management, data governance and quality of datasets, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity, quality-management system and conformity assessment. The work sits within the joint technical committee CEN-CLC/JTC 21, established on 1 June 2021, bringing together over three hundred experts from more than twenty countries. As CEN-CENELEC notes, “once published in the Official Journal of the European Union (OJEU), these standards will provide companies with a legal presumption of conformity”.
The most advanced stage is that of prEN 18286 on the quality-management system: “on 30 October 2025, prEN 18286: Artificial Intelligence — Quality Management System for EU AI Act Regulatory Purposes became the first harmonised standard for AI to enter public enquiry”. It is, significantly, a European home-grown standard, “designed to provide presumption of conformity with Article 17 of the Act”. The path was accelerated by an exceptional decision: at the joint Technical Boards meeting of 14–16 October 2025, CEN and CENELEC, to ensure the AI Act support standards are “available by Q4 2026”, allowed, “in the case of a positive Enquiry vote”, the “direct publication of the drafts without a separate Formal Vote — a known and fully legitimate procedure”. With the public enquiry closed, EN 18286 is therefore on the home straight.
Here, in any case, is the legally decisive point: the publication of the EN by CEN-CENELEC is not enough. For the presumption of conformity to operate, the further step of the Commission’s citation of the references in the OJEU is required and, as we write, no harmonised standard supporting the AI Act is cited there. Until then, the presumption under Article 40(1) simply does not operate for any standard, however authoritative.
EN ISO/IEC 42001:2026: what it is and what it is not
In this frame sits EN ISO/IEC 42001:2026, “Information technology — Artificial intelligence — Management system”, published on 18 March 2026 as the European adoption of ISO/IEC 42001:2023, the first international standard on AI management systems, developed by ISO/IEC JTC 1/SC 42 and published in December 2023. In Italy it was transposed as UNI CEI ISO/IEC 42001:2024, available in Italian since January 2025. The standard follows the harmonised management-system structure and is certifiable under accreditation, per ISO/IEC 17021-1:2015, supplemented by the specific additional requirements of ISO/IEC 42006:2025.
The distinction must be drawn sharply, on two levels. On the level of content, a recurring misunderstanding overlaps the AI management system of ISO/IEC 42001 with the quality-management system that Article 17 of the AI Act imposes on providers of high-risk systems. These are distinct objects: Article 17 configures a regulatory product-compliance obligation, and the standard developed to answer it within the standardisation request is precisely prEN 18286, “designed to provide presumption of conformity with Article 17 of the Act”. ISO/IEC 42001 is, instead, a voluntary organisational management-system standard for AI: it was not developed in response to the Commission’s standardisation request, is not calibrated on Article 17 and does not cover its requirements. Adopting it does not mean having the QMS required by the AI Act.
On the level of legal effects, EN ISO/IEC 42001:2026 remains a voluntary standard: a precious governance and accountability tool that allows structured oversight of risk management, transparency and process documentation. As UNI observes, “organisations adopting UNI CEI ISO/IEC 42001 will be able to demonstrate conformity with many AI Act requirements, such as risk management, transparency and process documentation”. But “demonstrating conformity with many requirements” does not equal “being presumed to be in conformity”: the standard is not a harmonised standard cited in the OJEU, and its certification does not generate the presumption of conformity under Article 40. AI Act conformity must, for now, be demonstrated by alternative solutions, requirement by requirement.
Critical issues: the timing of standardisation and the legitimacy of delegation
The first critical aspect concerns timing. The lag of standardisation behind the AI Act’s original calendar was one of the factors that led to the Digital Omnibus: the Commission now links the applicability of the high-risk rules to ultimate deadlines set at 2 December 2027 for Annex III systems and 2 August 2028 for Annex I ones. The second aspect, of a constitutional order, concerns the legitimacy of the de facto delegation to private standardisers of the concretisation of requirements affecting fundamental rights — tempered by Recital 121’s call for balanced representation of interests and by the Commission’s scrutiny at the citation stage. The third aspect concerns the coverage gap: specialised analyses note that ISO/IEC 42001, conceived as an organisational management system and not as a product-compliance standard, only partly covers the AI Act requirements, which explains JTC 21’s choice to flank the adoption of international standards with European home-grown standards such as prEN 18286.
Conclusions
The message for organisations is twofold. On the one hand, adopting today a management system compliant with UNI CEI ISO/IEC 42001 is a far-sighted governance choice: it structures processes, feeds accountability and prepares the ground for regulatory compliance. On the other, one must avoid the misunderstanding of a salvific certification: until the harmonised standards are cited in the OJEU, no certificate stands in for AI Act conformity, and regulatory due diligence remains a punctual exercise, requirement by requirement. In the light of the above, one wonders whether the European standardisation works in progress will deliver in good time a body of harmonised standards equal to the task, or whether the link between legal rule and the state of the art that Article 40 entrusts to standardisation will long remain committed to alternative solutions built requirement by requirement, without the benefit of the presumption of conformity.
