
EU AI Act vs ISO 42001 vs NIST AI RMF

What is it?

EU AI Act

EU regulation with mandatory compliance obligations for AI systems placed on the EU market or affecting EU residents.

ISO 42001

International management system standard for responsible AI development and use. Voluntary, but increasingly required by enterprise procurement.

NIST AI RMF

US federal guidance framework for managing AI risk across the AI lifecycle. Voluntary in most contexts.

Who must comply?

EU AI Act

Any organisation deploying or developing AI systems that affect people in the EU, regardless of where the organisation is based.

ISO 42001

Any organisation that wants certification. No mandatory scope, but often required by large enterprise customers or regulated sectors.

NIST AI RMF

US federal agencies (mandatory). Voluntary for private sector, but widely adopted as a risk management baseline.

What does it focus on?

EU AI Act

Risk classification (unacceptable / high / limited / minimal). Mandatory requirements for high-risk systems: documentation, human oversight, data governance, logging.

ISO 42001

Management system controls: policies, roles, risk assessment, objectives, monitoring, continual improvement. Process-focused rather than system-specific.

NIST AI RMF

Four core functions: Govern, Map, Measure, Manage. Emphasises sociotechnical risk, bias, and transparency across the full AI lifecycle.

Is there a deadline?

EU AI Act

Yes. Prohibited AI practices: Feb 2025. General-purpose AI obligations: Aug 2025. High-risk AI obligations: Aug 2026.

ISO 42001

No mandatory deadline. Certification timeline is organisation-driven (typically 6–18 months).

NIST AI RMF

No deadline. US federal agencies are required to report their AI use cases, but there is no universal compliance date for the RMF itself.

What evidence does it require?

EU AI Act

Technical documentation, human oversight records, bias/accuracy testing results, logs, user notices, conformity declarations.

ISO 42001

Management system documentation, risk assessment records, audit results, corrective action logs, policy and procedure evidence.

NIST AI RMF

Risk assessments, impact evaluations, incident records, governance documentation, bias testing results.

How do they interact?

EU AI Act

Sets the mandatory floor for EU-market AI. Requires documentation that ISO 42001 and NIST RMF help structure.

ISO 42001

Provides a management system that can be used to evidence EU AI Act compliance, but ISO 42001 certification on its own does not equal EU AI Act compliance.

NIST AI RMF

US-origin but globally referenced. Aligns well with EU AI Act risk thinking. Useful for organisations operating in both US and EU contexts.

Build evidence packs for any of these frameworks

AuditEvidenceAI has pre-built schemas for EU AI Act, ISO 42001, NIST AI RMF, and NYC LL144. Three packs free.
