Do I need ISO/IEC 42001 certification to adopt AI in my SME?
In short: no. ISO/IEC 42001:2023 is a voluntary standard — no law obliges you to adopt it or to get certified. It is, however, certifiable by an accredited body, and its real value for an SME is AI Act readiness: it builds the internal governance that the European Regulation requires in any event. Below, the facts verified on the ISO catalogue, then our reading.
The facts · fields 1–10
What the official source says.
01 · Name
ISO/IEC 42001:2023 — «Information technology — Artificial intelligence — Management system»
Common acronym: ISO 42001 (or ISO/IEC 42001). It defines an AI Management System (AIMS). It is the world's first international standard dedicated to an AI management system.
Note: the official title is in English; ISO does not publish an official Italian translation of the text (any national UNI/CEI adoption is ⚠️ [to verify]).
Official title · ISO catalogue — iso.org/standard/42001
02 · Type of source
International technical standard
Published jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), developed by the technical committee ISO/IEC JTC 1/SC 42 (Artificial intelligence). It is not a legislative act: it is a technical standard adopted on a voluntary basis.
ISO catalogue (ISO/IEC JTC 1/SC 42 committee)
03 · Nature
Voluntary and certifiable
Voluntary (technical soft law) and certifiable by a third party. Adoption is not imposed by law; the organization may, however, obtain a certification of conformity issued by an accredited certification body (third-party audit). It adopts the Harmonized Structure (Annex SL) — the high-level structure common to ISO management system standards (e.g. ISO/IEC 27001, ISO 9001), built on the PDCA (Plan-Do-Check-Act) continual improvement cycle.
ISO/IEC Directives Part 1, Annex SL · ISO 42001 catalogue record
04 · Subject matter
An AI management system (AIMS), not the individual application
It specifies the requirements to establish, implement, maintain and continually improve an AI management system (AIMS) within an organization. It provides a structured approach to govern the risks and opportunities related to the development, provision and use of AI systems (policy, roles, risk and impact assessment, controls, monitoring, improvement). It does not address the technical merits of the individual AI application, but its organizational governance.
Official ISO catalogue · iso.org/standard/42001
05 · Who it applies to
Any organization that provides or uses AI
To any organization, of any size and sector, that provides or uses AI-based products or services (public or private, for-profit or non-profit). It is independent of the type of system (predictive machine learning, generative AI, agentic systems). Adoption is a choice of the organization, not a personal-scope obligation defined by law.
Official ISO catalogue · iso.org/standard/42001
06 · Key dates
First edition: December 2023
December 2023 — publication of the first edition (Edition 1) of the standard.
The exact publication date to the day and the number of pages of the document: ⚠️ [to verify] on the ISO catalogue (the full text is paywalled; the catalogue record confirms year 2023 and edition 1).
ISO catalogue (2023 edition)
07 · Authorities / bodies
No public authority
ISO and IEC are private, non-governmental standardization bodies; they neither supervise nor impose penalties. Conformity is attested — on a voluntary basis — by accredited certification bodies accredited with the national accreditation bodies (in Italy: ACCREDIA, ⚠️ [to verify] the existence of accreditation schemes specific to ISO/IEC 42001).
A certification body is not a public authority and the certification is not an administrative act.
ISO catalogue (nature of ISO/IEC as standardization bodies)
08 · Status
In force / published (first edition, 2023)
An active and certifiable standard. It constitutes the current international reference for AI management systems. Any subsequent editions or technical corrections: ⚠️ [to verify] on the ISO catalogue as at the date of consultation.
Official ISO catalogue · iso.org/standard/42001
09 · Relationship with other rules
It coordinates with the AI Act, ISO/IEC 27001, ISO 9001 and the GDPR
- ↔ AI Act (Reg. EU 2024/1689): ISO/IEC 42001 is not law and does not by itself confer compliance with the AI Act. However, adopting a compliant AIMS is a readiness framework: it structures the internal governance (risk management, documentation, human oversight, roles) that the AI Act requires, facilitating the demonstration of compliance.
- ↔ ISO/IEC 27001 and ISO 9001: it shares the Harmonized Structure (Annex SL), and is therefore integrable with management systems already in place (information security, quality) without duplicating the documentation framework.
- ↔ GDPR (Reg. EU 2016/679): the AIMS can incorporate safeguards useful for the processing of personal data, but does not replace GDPR obligations (see dedicated brief).
ISO catalogue (Harmonized Structure / relationship with ISO MSS)
10 · Official source
Official ISO catalogue
Primary source to be cited: official ISO catalogue — iso.org/standard/42001. Official preview (index / scope) on the ISO Online Browsing Platform: iso.org/obp — ISO/IEC 42001.
Transparency note: the full text of the standard is paywalled; NomotecnIA's verification is limited to the data of the official catalogue record (name, edition, year, committee, scope). The individual clauses/controls (Annex A, specific requirements) are not verifiable free of charge against the primary source and are not reproduced here.
Open the official source on ISO.org
Primary source · ISO (official catalogue)
Fields 11–12 · own synthesis
Our reading for an SME.
Synthesis
- ISO/IEC 42001 is voluntary: no SME is required to adopt it. The question is not "must I?" but "is it worth it as a governance infrastructure?".
- Its real value for an Italian SME is AI Act readiness: it builds the backbone (AI policy, roles, risk assessment, documentation, oversight) that the European Regulation requires in any event. Doing 42001 does not amount to being compliant with the AI Act, but it moves you closer in an orderly way.
- The great practical advantage is integration via Annex SL: those who already have ISO 27001 or 9001 reuse the structure, audit and documentation culture, reducing the marginal cost.
- Certification is a commercial and reputational asset (it signals AI governance to clients and partners), but it is optional: the standard can be adopted as an internal framework without being certified.
- Mind the boundary: certification is issued only by an accredited body, not by a consultant. Be wary of anyone promising "ISO 42001 certification" as a consultancy service.
Operational steps for an SME
These are not legal obligations, but the operational steps to adopt the AIMS.
- Define the scope: which AI systems/processes fall within the AIMS.
- Policy and roles: adopt an AI policy and assign clear responsibilities (who governs AI in the company).
- Risk and impact assessment: map the risks and impacts of the AI systems used or provided, with documented mitigation measures.
- Operational controls and human oversight: oversee the systems with controls, logs and human supervision.
- PDCA cycle: internal audits, management review, documented continual improvement actions.
- (Optional) Certification: if attestation is needed, turn to an accredited certification body (not to NomotecnIA).
Positioning note (NomotecnIA): NomotecnIA can accompany readiness towards ISO/IEC 42001 (gap analysis, documentation framework, audit preparation), but is not a certification body and does not issue ISO/IEC 42001 certifications: that is issued exclusively by an independent accredited body. NomotecnIA offers guidance and support, not certification or attestation of conformity.
From the rule to your business
Want to use ISO/IEC 42001 as AI Act readiness?
The AI Entry Assessment maps your AI systems, identifies the governance gaps and hands you back a prioritised roadmap — the same backbone that an ISO/IEC 42001 AIMS requires.