ISO 42001 and AI Regulatory Compliance 

The regulatory compliance landscape for AI in medical devices has never been more confusing. While there is growing consensus that requirements for AI shall encompass transparency, fairness, accountability, privacy, safeguards for sensitive data, and clear documentation, the number of guidelines and regulations is overwhelming for manufacturers. Choosing a regulatory compliance pathway for AI in medical devices and integrating it into the existing quality management frameworks can become daunting. 


In this post, we aim to offer a short overview of how ISO 42001 can be used to establish a compliance framework for AI in healthcare, in agreement with the requirements of the EU AI Act.

At QUAREGIA, we can support you with a tailored quality management system, ensuring strict adherence to both ISO 42001 and the EU AI Act, which will ensure a robust compliance framework for developing AI-containing medical devices.


Schedule your complimentary consultation here


Key Requirements of ISO 42001


The standard delineates crucial prerequisites for fostering responsible AI deployment, and addressing its associated challenges. Some of these requirements encompass those of the EU AI Act and thus the two documents can be addressed simultaneously.


Alongside, the EU AI Act requirements for testing against preliminarily defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system to identify the most appropriate risk management measures shall be taken into account.

Particular attention shall be given to transparency and the provision of information to users, as also highlighted by the European AI Act.

Maintaining up-to-date technical documentation and record keeping (automatic recording of events/logs) are also key requirements of the EU AI Act.

Additionally, the provisions of the EU AI Act concerning appropriate data governance practices that take into account the characteristics or elements that are particular to the specific geographical, behavioral, or functional setting within which the high-risk AI system is intended to be used shall be considered.

Additionally, the EU AI Act puts forward requirements for a post-market surveillance system and the reporting of serious incidents to the market surveillance authorities of the Member States where that incident occurred.


ISO 42001 provides in Annex A reference control objectives and controls that provide organizations with a reference framework regarding the development, operation, and risk assessment of AI systems. Annex B additionally provides implementation guidance for the controls listed in Annex A, which can be used as a starting point to develop organization-specific implementation controls.

Furthermore, compliance with the requirements of the EU AI Act regarding human oversight and cybersecurity would round up a comprehensive framework for the responsible development of AI-containing medical devices.


Integrating ISO 42001, the EU AI Act, and ISO 13485 Requirements


The adoption of ISO 42001 significantly influences how organizations handle AI policies and controls, emphasizing ethical AI usage and ensuring control mechanisms are in place to guarantee responsible, secure, and transparent development, deployment, and management of AI systems. It also allows organizations to comply with the QMS requirements of the EU AI Act.


At QUAREGIA, we support organizations in seamlessly integrating ISO 42001 with pre-existing quality management systems in 5 steps:



If your organization does not yet have a quality management system in place, we can provide customer-specific lean QMS solutions based on well-established frameworks to support your compliance requirements and timelines.


Schedule your complimentary consultation here


Finally, QUAREGIA’s cybersecurity experts can support you with implementing a customized cybersecurity process, including SOPs, templates, and training to guarantee the secure development of AI systems per the latest standards. With their guidance, your team can confidently navigate the complexities of cybersecurity, safeguarding your AI projects against potential threats and vulnerabilities.


Like with any new standard or piece of legislation, meeting the requirements of ISO 42001 and the EU AI Act might seem daunting initially. Proactively embracing compliance and integrating these requirements in a stepwise process into pre-existing quality frameworks ensures a smooth organizational adaptation to the newest requisites. As standards and legislation converge and become harmonized, this proactive approach enables flexible adaptation to evolving requirements, ensuring your organization continues to deliver compliant, high-quality AI systems and devices.

Last updated 2024-03-28