ISO 42001:2023 is the first international standard for an AI Management System (AIMS). It ensures governance, ethics and continuous improvement. It is the most direct path to demonstrate EU AI Act compliance.
What does an ISO 42001 AI Management System include?
Ten components. (1) AI policy approved by management. (2) Context and interested-parties analysis (stakeholders impacted by AI). (3) Fundamental rights impact assessment (FRIA). (4) Identification and classification of AI systems by risk. (5) Lifecycle management (design, data, training, deployment, monitoring, decommissioning). (6) Operational human oversight. (7) Transparency and explainability. (8) Training and validation data (quality, bias, governance). (9) AI supplier management. (10) Continuous improvement + management review.
What is the relationship between ISO 42001 and the EU AI Act?
They are complementary. The EU AI Act is mandatory (EU regulation); ISO 42001 is voluntary. ISO 42001 provides the "how": a way to implement the management system the AI Act requires. For high-risk systems (Annex III) of the AI Act, ISO 42001 covers approximately 80% of the organisational obligations. An external ISO 42001 audit is solid documentary evidence in an AESIA inspection.
How much does ISO 42001 certification cost in 2026?
The market in Spain is nascent. SME with 20-50 employees: consulting €10,000-18,000 + external audit €3,500-6,500 + maintenance €3,000-5,500/year. SME with 50-200 employees: consulting €18,000-30,000 + audit €5,500-9,500 + maintenance €5,500-9,000/year. Deployment timeline: 5-8 months. Because the standard is young, being among the first certified Spanish companies has high commercial value (RFPs from demanding clients).
Official sources
- ISO · Standard 42001:2023 AI Management System
- AENOR · ISO 42001 AI
- AESIA · Spanish AI Supervisory Agency
- EUR-Lex · EU Regulation 2024/1689 EU AI Act
Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.
Frequently asked questions
How does this apply to my SME?
It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.
What does it cost in 2026?
Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by AENOR / BV / SGS / LRQA.
Which Spanish regulation applies?
BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.
How long does the implementation take?
The average is 4-7 months for a single ISO standard. A compound integrated SGI (9001+14001+27001) usually takes 8-12 months.
Can I co-finance it with Kit Digital or Kit Consulting?
Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.