ISO 42001 and ISO 13485 Alongside the EU AI Act
TL;DR
For medical AI, you build the AI Act's quality obligations on the standards you already run, not a parallel system:
- ISO 13485 (your medical-device QMS) is the backbone for the AI Act's quality management duty (Article 17).
- ISO/IEC 42001 (AI management system) is the new layer you add on top for the AI-specific governance.
- The Commission's MDCG 2025-6 guidance explicitly encourages integrating the AI-specific elements into your existing MDR/IVDR QMS.
- Harmonised AI Act standards are still being finalised, so ISO 13485 plus ISO/IEC 42001 (with ISO 14971, IEC 62304, IEC 62366) are the practical scaffold to build on now.
Every legal claim below is cited. See Sources.
Why teams overbuild here
The instinct on reading the AI Act is to stand up a whole new compliance system. For a medical-device maker, that is mostly wasted motion. You already run a mature quality system under ISO 13485 and a risk process under ISO 14971. The AI Act's job is not to replace them; it is to add the AI-specific pieces and have them assessed inside your existing route (see how conformity integrates). The efficient path is to extend, not rebuild.
Is your AI system high-risk?
Find out in 2 minutes, free, no signup required.
Take the free assessmentISO 13485 is your Article 17 backbone
Article 17 requires providers of high-risk AI to operate a quality management system. For a medical-device maker, that is substantially what ISO 13485 already gives you: document control, design controls, supplier management, CAPA, post-market processes. The AI Act adds AI-specific expectations on top of that structure rather than asking for a separate QMS.
ISO/IEC 42001 is the AI layer you add
ISO/IEC 42001 is the management-system standard for artificial intelligence. It is the natural home for the governance the AI Act cares about that a classic medical QMS does not fully cover: model lifecycle management, data governance, oversight of AI-specific risks, and continuous monitoring of AI performance. Layered onto ISO 13485, it fills the AI-shaped gap without duplicating the medical QMS you already maintain. MDCG 2025-6 points in exactly this direction: integrate the AI-specific elements into your existing QMS.
The supporting standards map
Your other medical-device standards already carry weight toward the AI Act requirements:
- ISO 14971 (risk management) supports Article 9 risk management; extend it to cover AI-specific risks (drift, data quality, foreseeable model misuse).
- IEC 62304 (software lifecycle) supports Article 15 accuracy and robustness.
- IEC 62366 (usability engineering) supports Article 14 human oversight.
The AI Act × MDR/IVDR crosswalk lays this out obligation by obligation, so you can see exactly what each standard already covers and where the genuine gaps are.
A note on harmonised standards (this is moving)
The AI Act will have its own harmonised standards, which give a presumption of conformity, but those are still being developed. Until they land, do not wait: ISO 13485 and ISO/IEC 42001 (plus ISO 14971, IEC 62304, IEC 62366) are the practical scaffold, and the classification and integration logic (Articles 6 and 43(3)) is stable regardless. We track the moving parts in our deadlines tracker.
FAQ
Do I need a new quality management system for the AI Act?
No. Article 17 requires a QMS, and for a medical-device maker your ISO 13485 system is substantially that. You add the AI-specific governance (ISO/IEC 42001) on top rather than standing up a separate system. MDCG 2025-6 encourages integrating the AI elements into your existing MDR/IVDR QMS.
What does ISO/IEC 42001 add that ISO 13485 does not?
The AI-specific governance a classic medical QMS does not fully address: AI model lifecycle management, data governance, oversight of AI-specific risks, and monitoring of AI performance over time. It complements ISO 13485 rather than replacing it.
Are there harmonised AI Act standards yet?
They are still being developed. Harmonised standards will eventually give a presumption of conformity, but until they are published, ISO 13485 and ISO/IEC 42001 (with ISO 14971, IEC 62304 and IEC 62366) are the practical basis. The underlying classification logic does not depend on them.
Sources (official)
- EU AI Act, Regulation (EU) 2024/1689: per-article on the European Commission AI Act Service Desk. Cited: Article 17 (quality management system), Article 9 (risk management), Article 14 (human oversight), Article 15 (accuracy and robustness), Article 43(3) (integrated conformity); official text on EUR-Lex.
- MDCG 2025-6, FAQ on the interplay between the MDR/IVDR and the AI Act (19 June 2025): Commission page. Cited for: integrating AI-specific QMS elements into the existing MDR/IVDR quality management system.
- Standards referenced (not EU law, industry standards): ISO 13485, ISO/IEC 42001, ISO 14971, IEC 62304, IEC 62366.
Legalithm provides compliance information and tooling, not legal advice. Standard selection and QMS design depend on your specific product and processes; confirm with your notified body and qualified counsel. Article references are to Regulation (EU) 2024/1689 (the AI Act).



