The rapid evolution of Artificial Intelligence has driven the creation of new standards to help organisations manage it securely, reliably and in compliance with European regulations. In this context, different standards are emerging which, although related, perform complementary functions in the AI governance and compliance ecosystem.
On the one hand, we have ISO/IEC 42001:2023, the first international standard that defines the requirements for an Artificial Intelligence Management System (AIMS) applicable to any organisation that designs, develops, implements or uses AI systems. With no direct regulatory value, the standard seeks to promote responsible and transparent AI management through verifiable policies, controls and processes throughout its life cycle, with an emphasis on organisational management, data quality, impact assessment, traceability and continuous improvement.
On the other hand, prEN 18286, currently in draft form, is a harmonised European standard from CEN-CENELEC. This document aims to establish the requirements for a Quality Management System (QMS) to comply with the obligations of the European Artificial Intelligence Regulation (AI Act). Its objective is not ethical management in general, but rather the demonstration of legal compliance with Article 17 of the AI Act, especially for providers of high-risk AI systems.
Overlaps and Common Areas
Both standards share a common architecture based on the ISO high-level structure, which facilitates their integration. Both ISO 42001 and prEN 18286 require: documented AI policies, full lifecycle management, risk management and document traceability. Both documents promote traceability, transparency and continuous evaluation of AI systems, with clauses on management, lifecycle, data control, roles, impact assessment and third-party relationships being virtually equivalent.
Both standards concur in requiring structured AI management based on policies, risks, traceability, and lifecycle control.
Differences
The differences between ISO/IEC 42001 and prEN 18286 reflect different purposes and levels of requirement. While ISO/IEC 42001 establishes a voluntary framework for ethical and responsible AI management, prEN 18286 translates these good practices into mandatory requirements to demonstrate compliance with the European AI Regulation (AI Act). This means that prEN 18286 introduces components that are absent or less developed in ISO 42001, such as assessment of the impact on fundamental rights, post-market surveillance, incident reporting and regulatory traceability.
In summary, although both share a common foundation, prEN 18286 has a stricter, legally grounded and verifiable scope, making it an essential tool for the certification and supervision of high-risk AI systems in Europe.
The differences between ISO/IEC 42001 and prEN 18286 draw a line between an "ethical and responsible" management system (ISO 42001) and a "legal compliance" management system (prEN 18286).
Approach, Roles and Complementarity
The conclusion after a thorough analysis of both standards is that they are complementary rather than mutually exclusive. ISO 42001 serves as an organisational management framework, applicable to any entity that develops or uses AI, including users, implementers, or integrators. prEN 18286, on the other hand, is specifically aimed at suppliers and manufacturers of high-risk AI systems, although its principles are also useful for importers or distributors in the value chain. Therefore, in organisations that perform multiple roles (e.g., a company that develops and implements AI internally), it would be most efficient to implement an integrated management system that combines both standards: ISO 42001 as a cross-cutting management structure and prEN 18286 as a regulatory layer that ensures compliance with the AI Act.
Both standards are complementary: ISO 42001 partially covers the AI Act as good practice, while prEN 18286 covers it comprehensively and bindingly.
In summary, ISO 42001 establishes “how to manage AI responsibly”, and prEN 18286 defines “how to demonstrate that this management complies with European law”. Adopting them together will enable European organisations not only to act responsibly and ethically, but also to become certified with guarantees of regulatory compliance in the new legal framework for AI.