18

Immagine creata con IAAI-generated image

Published in May 2025, ISO/IEC 42005 offers organisations guidance for assessing the impact of AI systems on individuals, groups and society. A voluntary tool that sits in an ecosystem crowded with mandatory assessments: the FRIA of Article 27 of the AI Act and the DPIA of Article 35 of the GDPR. How do these three planes coordinate?

In the ecosystem of international AI standards developed by ISO/IEC JTC 1/SC 42, alongside the management-system standard ISO/IEC 42001, sits ISO/IEC 42005:2025, “Information technology — Artificial intelligence (AI) — AI system impact assessment”, published in May 2025. This seems the right place to frame it, on the basis of publicly available information, and to clarify its relationship with the impact assessments provided by binding European law.

What ISO/IEC 42005 is

Per the standard’s public presentation, “ISO/IEC 42005 provides guidance for organisations conducting AI system impact assessments. These assessments focus on understanding how AI systems — and their foreseeable applications — may affect individuals, groups, or society at large”. Three elements deserve emphasis. First, it is guidance, not a certifiable requirements standard: its value is methodological. Second, its object is the single AI system and its impacts on individuals, groups and society — a more granular perspective than the organisational management system of ISO/IEC 42001, of which it is a natural operational complement. Finally, its perspective is that of the whole lifecycle, from foreseeable applications to reasonably expected misuse.

The binding plane: FRIA and DPIA

European law knows, on the same terrain, two mandatory assessments that no voluntary standard can replace. The first is the fundamental-rights impact assessment (FRIA) of Article 27 of the AI Act: before using certain high-risk systems, deployers that are bodies governed by public law, private entities providing public services, or operators in specific sectors carry out an assessment of the impact on fundamental rights, identifying processes, categories of affected persons, risks of harm, human-oversight measures and remedies. The second is the data-protection impact assessment (DPIA) of Article 35 of the GDPR: “where a type of processing, in particular using new technologies, […] is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”; for its documentation the template adopted by the EDPB in April 2026 is now also available. Nor should the internal AI Act link be forgotten: Article 27 provides that, where certain obligations are already met through the DPIA, the fundamental-rights assessment complements it, avoiding duplication.

Three planes, one process

How can organisations compose the picture? Our indication is to conceive a unitary impact-assessment process with three documentary outputs. The ISO/IEC 42005 methodology can serve as a common backbone: identification of the system and context, mapping of affected parties and impacts, assessment and treatment. Onto that backbone are grafted, where the conditions apply, the mandatory contents of the DPIA, for the data-protection aspects, and of the FRIA, for the fundamental-rights aspects of high-risk deployment. The benefits are evident: coherence of assessments, unitary traceability, reduced burden. The risk to avoid is, conversely, the “photocopy assessment”: three identical documents with three different headings, satisfying none of the three planes. The quality of the analysis, not the quantity of forms, is the measure of compliance.

A caveat on legal value

It must finally be reiterated, consistently with what we observed for ISO/IEC 42001, that conformity with ISO/IEC 42005 generates no presumption of conformity with the AI Act: the presumption under Article 40 is reserved to harmonised standards cited in the OJEU, and this standard is not among the candidates for that role, being a voluntary international guide. Its value is different: method, international comparability, accountability.

Conclusions

ISO/IEC 42005 fills a real methodological gap: organisations that must assess the impacts of their AI systems now have a structured international reference, usable as a common frame for the binding European obligations. The game, as always, is played in implementation. In the light of the above, one wonders whether the multiplication of impact assessments — of the system, of the data, of fundamental rights — will produce genuinely greater protection or only more paper: an integrated process has value only if, beyond the forms it fills in, it manages to intercept the real risks to people before they materialise.