Most organisations certified to ISO 14001:2015 built their ISO 14001 legal register during implementation. Then they stopped updating it.
The register sits in a shared folder somewhere — a spreadsheet listing environmental legislation by name, maybe sorted by topic, maybe with a compliance status column. It passed the Stage 2 audit. It hasn’t been reviewed since. And at the next surveillance audit, it will generate a nonconformity that the corrective action process will close superficially and the following surveillance will reopen, because the actual failure is not the missing regulation. The failure is the absence of any process to catch regulatory change before the auditor does.
This is the compounding problem with static legal registers under ISO 14001:2015. Clause 6.1.3 requires organisations to determine and have access to their compliance obligations, determine how those requirements apply, and maintain documented information. Clause 9.1.2 requires them to evaluate compliance at a planned frequency and retain evidence of results. When the register is stale, the 9.1.2 evaluation is procedurally void — it confirmed compliance against obligations the organisation no longer accurately holds. One stale document generates two linked nonconformities in a single audit cycle.

What Clauses 6.1.3 and 9.1.2 Actually Require
Clause 6.1.3 is not a documentation exercise. It requires four things: identify legal and other requirements related to your environmental aspects, determine how they apply, account for them across the EMS, and maintain documented information. The word “maintain” is doing the heavy lifting — it means the register is a living process output, not a project deliverable filed at certification.
Clause 9.1.2 compounds this. The organisation must determine the frequency of compliance evaluation, execute it, take action on noncompliance findings, and — critically — maintain knowledge and understanding of its compliance status. Auditors probe this directly. They don’t just ask for the evaluation records. They ask whether the organisation can state its current compliance position. An evaluation conducted against a register that references superseded legislation produces records that are worse than no records at all — they create a false documented compliance status.
The link between 6.1.3 and 9.1.2 is what turns a single administrative lapse into a systemic audit finding. A register that cited the F-Gas Regulations 2015 when the 2018 version had been in force for years isn’t a typo. It’s evidence that the monitoring process required by 6.1.3 does not exist, and that every compliance evaluation since the regulatory change was conducted against the wrong baseline.
Where ISO 14001 Legal Register Failures Occur
A real minor nonconformity raised during a transfer assessment captures the pattern precisely. The auditor found that the environmental legislation register was missing the Waste Enforcement Regulations 2018 and the WEEE Regulations 2018 and still referenced the F-Gas Regulations 2015 instead of the 2018 version, and that the register of environmental aspects was also out of date. Multiple superseded and missing entries in a single register — at an organisation that already held ISO 14001 certification.
The pattern repeats because the root cause is structural, not administrative.
At Stage 2, a materially incomplete or stale register typically generates a major nonconformity. It signals a fundamental planning failure — the organisation cannot demonstrate it has identified its compliance obligations. Certification gets withheld or conditioned. At surveillance, the same finding appears as a minor nonconformity when the register existed and passed Stage 2 but shows no evidence of update since. The auditor asks four questions in sequence: When was this register last reviewed? What process monitors regulatory change? Walk me through the last regulatory change that affected it. Show me your most recent compliance evaluation records. Inability to answer questions two and three with documented evidence generates the NCR almost every time.
The corrective action cycle compounds the problem further under Clause 10.2. Organisations close the NCR by adding the missing legislation. They don’t address why the register went stale — no monitoring trigger, no named owner, no review mechanism. At the next surveillance, different regulations are missing. The NCR recurs. Auditors recognise the pattern, and repeated re-raises erode the credibility of the corrective action process itself.

What an Audit-Defensible Legal Register Looks Like
A register that survives surveillance has five things the static version doesn’t.
Every entry references the specific regulation version currently in force — not a generic title, but the dated instrument. Each entry carries an applicability determination linked back to the Clause 6.1.2 aspect register. The register has a named owner — not “the EHS team” but an individual accountable for currency. A documented review frequency exists (quarterly or at minimum annual), with version history showing executed reviews, not just a policy statement. And a regulatory monitoring mechanism is in place and documented: official gazette subscriptions, EUR-Lex alerts, ECHA notifications, or a legal compliance service. The mechanism itself is auditable — the auditor can verify it exists and produces outputs.
The compliance evaluation under 9.1.2 then operates against a register the organisation can defend. Each evaluation records the date, scope, responsible person, and per-requirement result. Where noncompliance is identified, corrective action records under Clause 10.2 exist and address root cause, not just the immediate gap.
For organisations running integrated management systems, the cross-standard exposure matters. ISO 45001:2018 carries a mirror requirement at Clause 6.1.3 under the same Annex SL structure. Co-certified organisations maintaining ISO 14001 and ISO 45001 legal registers in separate silos — different owners, different review cycles — create a contradiction risk. When an IED or REACH update triggers entries on one register but the other is not updated, the auditor finds inconsistency between two co-certified systems.

How to Fix Your Legal Register Before Surveillance
If the register is already stale, the remediation sequence matters. Get the order wrong and the corrective action arrives incomplete — the auditor will see through it.
Scope the Gap
Pull the current register and record its last-review date. Cross-check every entry against the current version of each regulation using official sources — EUR-Lex, national gazette, ECHA. Flag every entry where the cited version is superseded. Don’t start adding new regulations yet. Map the gap analysis completely so the corrective action is whole, not partial.
Rebuild and Assign Ownership
Update each flagged entry to the current version with a fresh applicability determination. Assign a named individual owner per register section or jurisdiction. Define a documented review frequency. Establish and document a regulatory monitoring mechanism — the process the auditor will ask about at the next surveillance.
Re-Run the Compliance Evaluation
Execute a full 9.1.2 evaluation against the rebuilt register, recording per-requirement results. Raise corrective actions under Clause 10.2 for any noncompliance found. Write a root-cause record for the original staleness failure — this is what closes the NCR at corrective action verification, not just the updated register. Present the updated register, evaluation results, and NCR closure evidence at the next management review under Clause 9.3. An internal audit against the rebuilt register before the surveillance date provides additional assurance that the corrective action holds.

Why This Can’t Wait
The revised IED — Directive (EU) 2024/1785 — entered into force in August 2024, with Member State transposition required by July 2026. The revised directive mandates ISO 14001 certification or EMAS registration for IED installation operators and introduces stricter emission limits, mandatory electronic permitting, and enhanced monitoring requirements. Organisations subject to IED that haven’t updated their register since 2023 won’t have these obligations captured. That’s a direct 6.1.3 gap with enforcement consequences — worst-infringement penalties under the revised IED reach at least 3% of annual EU turnover.
Meanwhile, ISO 14001 itself is under revision. ISO/TC 207/SC1 met in Toronto in October 2025 to finalise the Draft International Standard, with publication of ISO 14001:2026 anticipated in the first half of 2026 and a three-year transition period from publication. Organisations entering transition with a stale legal register carry two debts: an open nonconformity risk under the current edition, and a gap analysis starting position that’s already behind. Reported focus areas — climate change integration, biodiversity, strengthened governance — will each generate new register entries.
Clause reference reflects mapped standard requirement. Verify against current edition before audit use. (Applied to ISO 45001:2018 Clause 6.1.3 cross-reference.)
⚠️ DRAFT — NOT FINAL: ISO 14001:2026 publication date and final clause content are subject to change pending FDIS vote outcome.
Clause mapping reflects common audit practice. Verify with your certification body for specific expectations.
About AEC International
AEC International provides ISO certification, training, and consultancy services at the intersection of environmental management, compliance assurance, and operational risk. We support organisations across industries in achieving and maintaining ISO certification — from gap analysis and implementation through audit preparation and continual improvement.
Learn more: www.aec.llc