Quality management without GRC becomes a liability risk

The dangerous old newness of ISO 9001:2026


ISO 9001:2026 is expected to be published in fall 2026. At first glance, this revision of the world's most important quality management standard looks unspectacular, but it carries considerable liability implications. The new version effectively forces organizations to integrate governance, risk, compliance, and process management into their quality management system (QMS), not just formally but effectively. Those who ignore this risk not only a poor audit but also personal liability for management and quality managers.

ISO 9001 as the foundation of numerous industry standards

The significance of ISO 9001 extends far beyond classic quality management: it forms the core of numerous industry-specific standards, for example in the automotive industry (IATF 16949), aerospace (EN/AS 9100), healthcare (EN 15224), medical devices (ISO 13485), energy supply, and the public sector. Changes to ISO 9001 therefore have a systemic effect; they impact entire industries and value chains.

The underestimated legal nature of management systems

A key shortcoming of ISO 9001 will remain in 2026: the standard does not clearly explain its legal nature. Management system standards are not mere "good practice recommendations"; in practice they can have a quasi-legal effect, up to and including relevance under criminal law. Courts, supervisory authorities, and experts also use them as "anticipated expert opinions." An organization that is certified implicitly declares that it has understood and implemented the normative requirements, including compliance with mandatory legal requirements, which the standard itself demands.

Legal obligation trumps standard compliance

It is particularly problematic that, although the standard text repeatedly refers to "statutory and regulatory requirements," it reveals a narrow understanding of compliance. Legal obligations encompass much more: EU regulations, case law, recognized rules and best practices, internally binding requirements, and contractual obligations. These obligations apply regardless of any ISO standard. A QMS that does not systematically identify, evaluate, and translate them into processes within its scope is not merely incomplete but dangerous.

Liability risks for management, auditors, and QMR

The new ISO 9001 contains numerous mandatory requirements explicitly addressed to "top management." If regulatory requirements are not recognized or not effectively implemented within the QMS and personal injury or property damage results, management, the executive board, the supervisory board, as well as quality management representatives (QMR) and internal auditors come into the focus of civil, criminal, and administrative investigations. Prominent cases such as the Transrapid accident show that QM personnel can be prosecuted personally and that the existence and quality of processes can themselves be decisive for criminal liability.

Quality management does not exempt you from liability – compliance does

A common misconception is that a certified quality management system automatically provides relief from liability where duties have been delegated and supervisory or organizational obligations have been breached. In fact, case law has repeatedly clarified that in this context it is not a QMS as such but an effective compliance management system (CMS) and risk management system (RMS) that can have an exonerating effect, particularly for breaches of duty below management level. Although ISO 9001 implicitly refers to compliance obligations, it does not replace a systematic CMS in accordance with ISO 37301 or effective risk management (based on ISO 31000, IDW PS 340, COSO, or DIIR Audit Standard No. 2) that meets the requirements case law sets for relief from liability.

Risk-based thinking – a dangerous euphemism

ISO 9001:2026 retains the concept of "risk-based thinking" and elevates it to a central theme of quality management. At first glance this sounds modern, flexible, and pragmatic. The wording, however, conceals a conceptually weak and legally problematic approach that does not meet the real requirements for dealing with risks in organizations.

The text of the standard suggests that it is sufficient to consider risks in the abstract and to plan measures case by case. At the same time, it explicitly emphasizes that neither formal risk management methods nor a documented risk management process are required. This stands in stark contrast to legal requirements, case law, and recognized technical rules. Risks, especially those with potentially existential consequences, cannot be controlled by thinking alone, only by systematic, traceable, and verifiable procedures.

In business, legal, and auditing practice, the risk management process is clearly defined: structured risk identification, appropriate risk analysis, quantitative assessment of probability or frequency of occurrence and extent of damage, risk aggregation, prioritization, control through appropriate measures, and ongoing monitoring. This is not academic completeness for its own sake. A genuinely risk-based approach prioritizes the protection of the most important legally protected interests: life and limb, the continued existence of the organization, and the avoidance of personal liability for members of governing bodies and employees.

According to the established view in legislation, case law, and recognized technical rules, proper corporate governance requires not only the identification of individual risks but also their systematic aggregation and comparison with the organization's risk-bearing capacity. Without this overall view, neither sound business decisions nor reliable exoneration of board members is possible.

It is particularly critical that the normative buzzword "risk-based thinking" is often misread in practice as a license for methodological arbitrariness. Instead of well-founded analyses, simple scoring models borrowed from quality management or outdated FMEA logic are used, which are unsuitable for compliance and liability risks. Anyone who downplays risks with very high damage potential, such as deaths, serious environmental violations, or massive liability consequences, merely because they occur rarely and the chosen method cannot represent them is skating on extremely thin legal ice.
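As an added illustration of the two preceding paragraphs (example code written for this edit, not material from the article, from ISO 9001, or from any of the standards named above), the Python script below runs a constructed two-risk register first through a typical 1-to-5 likelihood/impact matrix and then through a Monte Carlo aggregation against an assumed risk-bearing capacity. Every figure in it (event frequencies, loss amounts, the capacity, the matrix thresholds) is invented for the demonstration.

```python
"""Risk aggregation against risk-bearing capacity vs. a 5x5 scoring matrix.

Added example. All figures below are constructed for the demonstration;
they are not data from the article or from any real organization.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_frequency: float  # expected events per year (Poisson rate), assumed
    loss_per_event: float    # loss per event in EUR, assumed constant for simplicity


# Constructed risk register: one frequent nuisance risk, one rare catastrophic risk.
RISKS = [
    Risk("recurring process defect", annual_frequency=12.0, loss_per_event=10_000),
    Risk("product failure with fatalities", annual_frequency=0.005, loss_per_event=50_000_000),
]

# Assumed one-year loss the organization can absorb without threatening its existence.
RISK_BEARING_CAPACITY = 5_000_000


def likelihood_score(annual_frequency):
    """Bucket a frequency into a typical 1..5 'likelihood' rating (fictional thresholds)."""
    for threshold, score in ((10, 5), (1, 4), (0.1, 3), (0.01, 2)):
        if annual_frequency >= threshold:
            return score
    return 1


def impact_score(loss):
    """Bucket a loss into a typical 1..5 'impact' rating (fictional thresholds)."""
    for threshold, score in ((10_000_000, 5), (1_000_000, 4), (100_000, 3), (10_000, 2)):
        if loss >= threshold:
            return score
    return 1


def matrix_score(risk):
    """The likelihood x impact number a simple scoring model would report."""
    return likelihood_score(risk.annual_frequency) * impact_score(risk.loss_per_event)


def expected_annual_loss(risk):
    return risk.annual_frequency * risk.loss_per_event


def poisson(rng, lam):
    """Draw one Poisson(lam) sample (Knuth's multiplication method, fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(risks, trials=100_000, seed=1):
    """Monte Carlo aggregation: total loss per simulated year across all risks."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for risk in risks:
            total += poisson(rng, risk.annual_frequency) * risk.loss_per_event
        losses.append(total)
    return losses


def exceedance_probability(losses, capacity):
    """Share of simulated years in which the aggregated loss exceeds the capacity."""
    return sum(1 for loss in losses if loss > capacity) / len(losses)


def value_at_risk(losses, quantile):
    """Empirical loss quantile (e.g. 0.99 -> the loss exceeded in 1% of years)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(quantile * len(ordered)))]


def horizon_probability(annual_probability, years):
    """Probability that the event occurs at least once over a multi-year horizon."""
    return 1 - (1 - annual_probability) ** years


if __name__ == "__main__":
    for risk in RISKS:
        print(f"{risk.name}: matrix score {matrix_score(risk)}, "
              f"expected annual loss EUR {expected_annual_loss(risk):,.0f}")
    losses = simulate_annual_losses(RISKS)
    p_exceed = exceedance_probability(losses, RISK_BEARING_CAPACITY)
    print(f"P(aggregated annual loss > capacity) ~ {p_exceed:.4f}")
    print(f"... over a 10-year horizon ~ {horizon_probability(p_exceed, 10):.3f}")
    print(f"99% VaR EUR {value_at_risk(losses, 0.99):,.0f}; "
          f"99.9% VaR EUR {value_at_risk(losses, 0.999):,.0f}")
```

The matrix ranks the recurring defect (score 10) above the rare fatal failure (score 5), even though the latter has the higher expected annual loss and is the only risk in the register that can exceed the capacity at all. A 99% value-at-risk figure hides it as well; only the exceedance probability against the capacity, or a sufficiently high quantile, makes it visible, and an annual probability of roughly 0.5% becomes roughly 5% over a ten-year planning horizon. That is the gap between a scoring exercise and the aggregation against risk-bearing capacity the article describes.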

This is precisely where the danger of the term shows: "risk-based thinking" can lead to risks being identified but deliberately not dealt with properly. From a legal perspective this is highly problematic. If serious harm is recognized as a possibility but not addressed for cost reasons or because of formulaic assessment methods, then, should the harm occur, the conduct may no longer be judged as negligence but as conditional intent (dolus eventualis). ISO 9001 offers no protection here; on the contrary, documented risk awareness can itself be incriminating in a liability case.

Effective risk management is no longer a voluntary additional discipline but a legal obligation. Requirements for early risk detection, for assessing risks that threaten the existence of the company, and for an appropriate organization can be found in corporate law, insolvency law, sector-specific legislation, and established case law, among others. A standard cannot undermine these requirements by weakening its wording.

Process management as a legal obligation

The revision further emphasizes the process-oriented approach of ISO 9001. Processes, however, are not purely organizational tools but legally relevant descriptions of procedures. Faulty or missing processes can have criminal consequences, not only for those directly responsible but also for their superiors. Modern process models must therefore embed compliance, risk, and control requirements and must not remain static documentation.

The maturity level of process management determines both effectiveness and legal certainty. Simple documentation offers little protection; BPMN-based, digitally supported, partially automated processes are now considered state of the art. Integrated workflows, clear responsibilities (RACI), embedded compliance requirements, and continuous monitoring are not optional extras but prerequisites for a robust management system.

ISO 9001:2026 as an opportunity – or a liability trap

Properly understood, ISO 9001:2026 offers the opportunity to develop quality management into an integrated management tool that combines governance, risk, compliance, sustainability, and processes. Misread, it remains a formal certificate that provides a deceptive sense of security. Organizations that continue to believe quality management can be operated in isolation from law, risk, and governance run the risk of failing precisely where assurance was promised.

[ Source of cover photo: Generated with AI ]