AI compliance in manufacturing: what mid-market operators need to know about ISO 42001 and the EU AI Act

Nicholas Berryman, AI Researcher and Market Analyst
June 2, 2026

Two regulatory instruments now shape how manufacturers deploy AI in the EU. The EU AI Act carries legal force with penalties reaching €35M. ISO 42001 is a voluntary governance standard, but enterprise procurement is making it a practical requirement. A provisional political agreement in May 2026 defers the main high-risk compliance deadlines, though formal adoption is still pending. For mid-market manufacturers, the question is not which framework to follow, but how to treat them as a single, coordinated programme, and to start that work now rather than in 2027.

What mid-market manufacturers need to know: a direct answer

AI compliance in manufacturing now rests on two instruments: the EU AI Act, which is binding law, and ISO 42001, which is voluntary but increasingly required by enterprise buyers. Mid-market manufacturers are primarily deployers of AI and face substantial obligations under the Act wherever their AI systems monitor workers or affect employment decisions. A provisional political agreement in May 2026 defers standalone high-risk AI obligations to December 2, 2027, but formal adoption in the Official Journal is still pending. The most effective first step is a complete AI inventory: every system in use, classified by risk tier.

Most mid-market manufacturers are already running regulated AI

Today, most manufacturers manage AI deployments without a central inventory. Visual quality inspection tools, workforce scheduling platforms, predictive maintenance software, and production optimisation systems are typically procured by individual operational teams, with no formal risk classification or governance structure. This is the starting condition for the majority of mid-market operators approaching AI compliance in manufacturing for the first time.

The EU AI Act distinguishes between providers (organisations that build and place AI systems on the market) and deployers (organisations that put AI into operational use). Most manufacturers are deployers. Deployer obligations are still substantial: human oversight requirements, logging, incident reporting, and instructions for use all apply to high-risk systems.

Manufacturers who sell equipment with embedded AI to EU buyers are also providers. Both roles can apply to the same organisation, and they carry different compliance tracks.

Two manufacturing AI use cases fall squarely within the Act’s Annex III high-risk category: worker monitoring systems, and AI used for task allocation, performance evaluation, or any decision affecting employment status. The Act also expressly prohibits AI designed to infer the emotional state of workers in the workplace, with no exceptions. By contrast, equipment-focused predictive maintenance and product quality inspection, where no personal data is processed and no individual rights are affected, typically fall outside high-risk classification. (Source: EU AI Act Annex III)

Classification is use-case-specific, not technology-specific. The same underlying model can be high-risk in one deployment and minimal-risk in another, depending on what data it processes and whose decisions it influences.

The EU AI Act timeline and what the May 2026 Omnibus changes

The EU AI Act follows a phased structure. Prohibited AI practices and AI literacy obligations entered force in February 2025. General-purpose AI model obligations have applied since August 2025. The main high-risk obligations were originally scheduled for August 2026.

On May 7, 2026, the European Parliament and the Council reached a provisional political agreement on the Digital Omnibus on AI. Standalone high-risk Annex III obligations are provisionally deferred to December 2, 2027. For AI embedded in regulated products under Annex I, including machinery covered by existing EU product safety legislation, the provisional deadline is August 2, 2028. Formal adoption and publication in the Official Journal are expected before August 2026; until that publication, the original August 2, 2026 deadline remains binding law. (Source: Gibson Dunn, May 2026)

Two things the Omnibus does not change: Article 50 transparency obligations, which require disclosure to users interacting with AI systems, remain on the 2026 schedule; and the prohibition on unacceptable-risk AI practices remains in force. These are live obligations now.

For the mid-market operator subject to the EU AI Act, the deferral should not be read as a signal to pause. Multiple legal sources characterise the May 2026 agreement as a one-time extension, not the first in a series, with the political case for further delay exhausted. The compliance build (AI inventory, risk classification, governance documentation, technical files) typically takes 12 to 18 months for a mid-market organisation to execute properly. Non-compliance fines reach €35M or 7% of global annual turnover for prohibited practices, a higher ceiling than GDPR. (Source: Legiscope penalty summary)

What ISO 42001 requires and why it matters

Published in December 2023, ISO/IEC 42001 is the first certifiable international AI management system standard. Think of it as ISO 27001 applied to AI governance: a repeatable, auditable framework covering the full AI lifecycle from risk identification through to continuous improvement. It is not a legal requirement. Organisations pursue ISO 42001 implementation because enterprise procurement increasingly demands it, because it creates the documentation foundation that EU AI Act compliance builds on, and because it provides a structured way to demonstrate responsible AI use to auditors and customers.

ISO 42001 operates across 38 controls using a Plan-Do-Check-Act cycle, covering AI risk management, data governance, transparency, ethics, human oversight, and continuous improvement. It is deliberately aligned with ISO 27001 and ISO 9001, so manufacturers holding either certification will find significant structural overlap when beginning ISO 42001 work.

The adoption signal is hard to ignore. The Cloud Security Alliance 2025 Compliance Benchmark Report, surveying over 1,000 compliance professionals, found that 76% of organisations planned to pursue AI compliance with a framework like ISO 42001 soon. (Source: Cloud Security Alliance, June 2025) Enterprise buyers are already requiring it. Manufacturers that delay ISO 42001 work risk not only regulatory exposure but procurement disqualification in contracts where AI governance certification has become a supplier qualification criterion.


How ISO 42001 and the EU AI Act work together and where they diverge

The two frameworks serve different purposes and are not interchangeable. The table below maps the six dimensions where they differ most.

Dimension                | ISO 42001                                | EU AI Act
-------------------------|------------------------------------------|------------------------------------------------------
Nature                   | Voluntary international standard         | Mandatory EU regulation
Enforcement              | No penalties                             | Up to €35M or 7% of global turnover
Scope                    | All AI systems (providers and deployers) | Risk-tiered; high-risk systems face full obligations
Risk management          | Required — 38 controls, PDCA cycle       | Required under Articles 9–15 for high-risk systems
Conformity assessment    | Not required                             | Required for high-risk systems
EU database registration | Not required                             | Required for Annex III high-risk systems

ISO 42001 covers approximately 70–80% of the EU AI Act’s high-risk system requirements, making it an effective foundation rather than a complete substitute. (Source: GLACIS crosswalk guide) Both frameworks require risk assessment, data governance, human oversight, and documentation of AI system properties. Organisations with ISO 42001 certification in place can compress EU AI Act compliance work by an estimated 30–40%.

The gaps that ISO 42001 does not close are specific: EU conformity assessment procedures, CE marking for high-risk hardware, Annex IV technical documentation files, EU AI database registration, and post-market surveillance reporting. These require legal and technical input that sits outside a management system programme.

The practical approach is sequential: build the governance foundation through ISO 42001 first, then layer the Act’s technical requirements on top. Treating them as two parallel, unconnected projects duplicates effort on documentation and misses the overlap that makes both achievable within a realistic budget. (Source: ISACA, December 2025)

A practical compliance pathway for mid-market manufacturing operators

Five steps, in order of dependency:

  1. Build a complete AI inventory. Every AI system across production, quality, logistics, HR, and procurement, including SaaS tools with embedded AI features and AI-enabled machinery procured from third parties. This step is a prerequisite for every other action and is required by both ISO 42001 and the EU AI Act.
  2. Classify each system by risk tier. Map against Annex III. Worker monitoring AI is high-risk by definition. Equipment-focused predictive maintenance typically is not. Classification must be documented and defensible, not assumed. The EU AI Office publishes ongoing guidance on classification methodology at ai-act-service-desk.ec.europa.eu.
  3. Identify your role as provider, deployer, or both. Manufacturers who sell AI-embedded equipment to EU buyers carry provider obligations (conformity assessment, technical documentation, CE marking) in addition to deployer obligations. Determine which tracks apply before allocating compliance resources.
  4. Pursue ISO 42001 as the governance foundation. It addresses the majority of documentation, risk management, and governance work required by the EU AI Act. It also creates an audit-ready programme that enterprise procurement processes increasingly require. Start here, not with the Act’s technical requirements.
  5. Close the gaps ISO 42001 does not cover. Conformity assessments, Annex IV technical documentation, EU AI database registration for high-risk systems, and post-market monitoring plans all require dedicated legal and technical input beyond management system work. For organisations with existing ISO 27001 certification, the ISO 27001-to-ISO 42001 structural overlap significantly reduces the effort of this final layer.

The added compliance surface of agentic AI in manufacturing

Until recently, most manufacturing AI deployments were bounded systems: a quality inspection camera reviewing one production line, a scheduling tool managing one shift. Agentic AI systems change this materially. They plan, retrieve data from multiple sources, and act across enterprise systems (workforce records, quality data, maintenance logs, procurement databases) within a single autonomous workflow.

The classification risk is architectural. An agent that accesses worker scheduling data alongside production quality records must be classified by its highest-risk use case. Worker-data access can place an otherwise minimal-risk system into Annex III high-risk territory, even when the stated purpose is production optimisation.

The governance challenge is equally specific to agentic systems. Traditional periodic review does not capture what autonomous agents do between audit cycles. An agent can gain new data permissions, initiate tool calls, and execute consequential actions between checks, unless observability, logging, and role-based access controls are built into the architecture from the start. A McKinsey survey published in 2026 identified security, risk management, and governance concerns as among the most frequently cited barriers to scaling AI, including agentic deployments. (Source: TechTarget, April 2026)
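The architecture this paragraph calls for, as an added example that is not Vstorm's code or anything from the page: a small Python tool gateway through which all of an agent's data access passes, enforcing per-agent grants, logging every allowed and denied call, and recomputing the agent's risk tier from its highest-risk granted source whenever a grant is widened. The data-source names and the tiers assigned to them are constructed assumptions, not a legal classification.

```python
# Constructed example: scope-enforcing tool gateway for an agentic workflow.
from dataclasses import dataclass, field
from enum import IntEnum


class RiskTier(IntEnum):
    MINIMAL = 0   # e.g. equipment telemetry, no personal data processed
    HIGH = 2      # e.g. worker data that can feed Annex III use cases


# Assumed tier per data source; worker records pull a system into high-risk.
SOURCE_TIER = {
    "quality_records": RiskTier.MINIMAL,
    "maintenance_logs": RiskTier.MINIMAL,
    "worker_schedule": RiskTier.HIGH,
}


def classify_agent(granted_sources):
    """An agent inherits the tier of its highest-risk granted data source."""
    return max((SOURCE_TIER[s] for s in granted_sources), default=RiskTier.MINIMAL)


@dataclass
class ToolGateway:
    """Every agent data access passes through here: RBAC check plus audit log."""
    grants: dict                      # agent id -> set of allowed sources
    audit_log: list = field(default_factory=list)

    def access(self, agent_id, source, purpose):
        allowed = source in self.grants.get(agent_id, set())
        # Log allowed and denied calls alike so audits see what the agent tried.
        self.audit_log.append(
            {"agent": agent_id, "source": source, "purpose": purpose,
             "decision": "allow" if allowed else "deny"}
        )
        return allowed

    def scope_change(self, agent_id, new_source):
        """Widening a grant is a governance event: it may change the risk tier."""
        before = classify_agent(self.grants.setdefault(agent_id, set()))
        self.grants[agent_id].add(new_source)
        after = classify_agent(self.grants[agent_id])
        self.audit_log.append({"agent": agent_id, "event": "scope_change",
                               "source": new_source, "tier_before": before.name,
                               "tier_after": after.name})
        return before, after
```

A production optimisation agent granted only equipment data stays minimal-risk; the moment it is granted worker scheduling data the gateway records the tier change, which is the trigger for re-classification under Annex III.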

The systems we have built at Vstorm for engineering environments make this concrete. In our work with Synera, an engineering automation platform used by Airbus, BMW, Hyundai, and others, the agentic system combined an LLM, a RAG component, and a validator operating across a CAD and PLM tool ecosystem simultaneously. When an agentic system touches that many data sources and tools at once, compliance posture must be a design input from the outset, not an audit item addressed after deployment.

“At Vstorm, we see compliance as something that has to be built into agentic systems from the start, not added later as a checklist. In production, things like observability and data access limits are what let teams understand what an agent did, why it did it, and whether it stayed within the right boundaries.”

Wojciech Achtelik, PhD AI Engineer Lead, Vstorm


Frequently asked questions

Is the EU AI Act mandatory for mid-market manufacturers operating in the EU?

Yes. The EU AI Act applies to all organisations that place AI systems on the EU market or use AI systems in EU operations, regardless of company size or where the organisation is headquartered. Mid-market manufacturers deploying AI across production, HR, or logistics within the EU are in scope.

Does ISO 42001 certification satisfy EU AI Act compliance requirements?

No. ISO 42001 covers approximately 70–80% of EU AI Act high-risk system requirements and significantly accelerates compliance work, but it does not satisfy the Act’s specific requirements for conformity assessment, CE marking, EU AI database registration, or post-market surveillance. It is a foundation, not a substitute.

Which manufacturing AI use cases are classified as high-risk under the EU AI Act?

AI systems used for worker monitoring, task allocation, performance evaluation, and any decision affecting employment status are high-risk under Annex III. AI systems that infer the emotional state of workers in the workplace are prohibited outright, regardless of purpose or deployment context.

What is the current compliance deadline for high-risk AI in manufacturing?

A provisional political agreement reached May 7, 2026 defers standalone Annex III high-risk obligations to December 2, 2027, and AI embedded in regulated Annex I products (including machinery) to August 2, 2028. Formal adoption is pending Official Journal publication, expected before August 2026. Until publication, August 2, 2026 remains binding law.

What is the difference between a provider and a deployer under the EU AI Act, and why does it matter for manufacturers?

A provider develops and places an AI system on the EU market. A deployer uses an AI system in their operations. Most manufacturers are deployers; those who sell AI-embedded equipment to EU buyers are also providers. Provider obligations, including conformity assessment and Annex IV technical documentation, are more demanding. Both roles can apply to the same organisation, and both must be assessed separately.

Last updated: June 2, 2026
