Beyond the Law - Part 1
The Accreditation Spine: How Certificates Become Law-By-Other-Means
We’re told ISO standards are voluntary, but in practice they’re not. Two little-known groups — ILAC and IAF — decide which certificates count. If yours isn’t from their network, governments and banks face growing pressure to reject1.
That’s how ‘voluntary’ standards quietly turn into hard rules. No law gets passed — the market gate just shuts.
Understanding the Accreditation Spine
The Trust of Trust Layer
Everyone knows ISO shape standards, including for global commerce. What remains invisible is the question that sits above the standards: who decides whose assessment counts?
ISO can write ISO 14001 for environmental management or ISO 27001 for cybersecurity. But when a government procurement office or development bank demands proof of compliance, whose certificate will they accept? This is where the global accreditation system reveals its power as the ‘trust of trust’ layer — not just verifying compliance, but determining whose verification has currency2.
The ISO/IEC 17000-series standards create this meta-governance layer3. These aren't standards for products or services, but rules for the rules — technical specifications that determine which conformity assessment bodies (CABs), testing laboratories, and accreditation bodies can issue certificates that governments and markets will recognise4.
Nested Accreditation
The architecture rests on a few key pillars:
ISO/IEC 170115 governs accreditation bodies — the organisations that vouch for the organisations that issue certificates. When a government says it only accepts ‘accredited certification’, this standard determines which accreditation bodies qualify.
ISO/IEC 17021-16 sets requirements for certification bodies themselves, particularly those certifying management systems like ISO 90017 or ISO 140018.
ISO/IEC 170259 covers testing laboratories, whilst ISO/IEC 1702010 governs inspection bodies.
Together, these create a hierarchy of nested trust: laboratories accredited by bodies recognised under international arrangements issue test results that certification bodies (also accredited) use to issue certificates that procurement systems accept as valid proof11.
The Global Recognition Network
At the apex of this system sit two organisations that most have never heard of, yet which wield enormous influence over global trade and governance:
ILAC12 (International Laboratory Accreditation Cooperation) coordinates the recognition of testing and calibration laboratory accreditation worldwide. Through its Mutual Recognition Arrangement13 (MRA), test results issued by laboratories accredited by ILAC MRA signatory accreditation bodies are accepted internationally.
IAF14 (International Accreditation Forum) performs a similar function for certification and validation/verification bodies. Through its Multilateral Recognition Arrangement (IAF MLA)15, management-system, product, and person certificates issued by bodies accredited by IAF-MLA signatories are recognised across the MLA’s scope. (Inspection reports are recognised under the ILAC MRA)
These MRAs create what we might call the ‘accreditation spine’ — a global nervous system that determines which assessments of compliance are considered valid. Once an accreditation body becomes a signatory to these arrangements, its certificates gain immediate international currency.
From Voluntary to Mandatory
The Four-Stage Compliance Chain
The process by which voluntary standards become mandatory gatekeepers follows a predictable pattern:
Stage 1: Indicator Definition
A government agency, multilateral organisation, or industry consortium identifies a policy objective requiring measurement16. This might be carbon emissions reduction, information security, supply chain transparency, or product safety. The objective is typically expressed in broad terms — ‘demonstrate environmental responsibility’ or ‘ensure cybersecurity readiness’.
Stage 2: Standard Mapping
Rather than developing bespoke assessment criteria, the requirement is mapped to existing voluntary technical standards. ISO 14001 becomes the proxy for environmental management; ISO/IEC 27001 represents information security; ISO 9001 signifies quality management. This mapping often occurs through consultation processes dominated by the very organisations that developed these standards17.
Stage 3: Accredited Certification Requirement
To demonstrate compliance with the standard, organisations must obtain certification from a conformity assessment body. However — and this is crucial — not just any certificate will suffice. The certificate must be issued by a CAB that is itself accredited by a nationally recognised accreditation body that participates in the relevant international MRA18.
Stage 4: Regulatory Embedding
The accredited certificate is then written directly into eligibility criteria for procurement contracts, licensing applications, grant programmes, export permits, or market access arrangements. At this point, what began as a voluntary standard has become a practical legal requirement19. No new legislation is needed; the compliance gate simply closes to those without the proper credentials.
The Power of the Procurement Lever
Public procurement represents perhaps the most powerful mechanism for embedding accreditation requirements into economic life. Government purchasing power — representing approximately 13% of GDP20 in most developed economies — becomes a massive lever for enforcing private standards through accreditation requirements21.
Consider the European Union's approach to green public procurement. The European Commission's recommendation on green public procurement explicitly encourages contracting authorities to require ISO 14001 certification or equivalent22. However, ‘equivalent’ is defined through reference to accreditation standards, effectively excluding non-accredited alternatives. Similar patterns emerge in the United States, where the Federal Acquisition Regulation increasingly incorporates accredited certification requirements for everything from cybersecurity to environmental compliance23.
Case Studies
Finance Through Certification
The European Commission's green taxonomy24 — determining access to hundreds of billions in sustainable finance — doesn't explicitly mandate ISO 14001 environmental certification25. But World Bank highlights a common requirement:
The use of the taxonomy is not mandatory. Green bond issuers are, however, often required to provide verification reports confirming the underlying assets are aligned with the taxonomy
With increasing emphasis on ‘green’ bond issuance, this in practice will call for accredited certification. The European Accreditation (EA) framework — through its IAF membership — provides the trust layer that makes certificates acceptable to financial institutions. Companies with perfectly adequate environmental systems but non-accredited verification could with time well find themselves locked out of green finance markets26.
Cybersecurity Through Accreditation
The Pentagon's Cybersecurity Maturity Model Certification27 (CMMC) requires third-party assessment by accredited certification bodies for defence contractors. These bodies must be accredited by ANSI-NAB or other ILAC MRA signatories.
Result: the global accreditation system is embedded directly into US national security. Defence contractors worldwide must navigate ILAC arrangements to access American defence contracts28.
Development Through Standards
World Bank Environmental and Social Standards don't explicitly require ISO certification for project funding. They simply demand systematic approaches with ‘appropriate verification’ from ‘internationally recognised’ bodies29.
Translation: only accredited certification counts. Local certification bodies in developing countries must either join the international accreditation network or watch their clients lose access to development finance.
The Power Above Policy
Governance Without Government
The accreditation system operates as governance without democratic accountability. ILAC and IAF are private organisations whose technical committees make decisions30 that ripple through global supply chains. When they change recognition criteria, companies worldwide can suddenly lose market access — yet these decisions happen through member votes, not democratic processes31.
The Economics of Trust
Accreditation creates artificial scarcity in the trust market. Only accredited bodies can issue certificates that count, allowing them to command premium prices and exclude perfectly competent non-accredited competitors. This two-tier system particularly disadvantages developing countries, where local assessment bodies may struggle with accreditation requirements designed for developed-country contexts.
The result is dependence on foreign certification, reliance on technology transfers built to those standards, and a drain of resources from local capacity building — all in the name of ‘international standards’.
Constitutional Questions
When access to public contracts depends on accredited certificates, the accreditation system exercises quasi-governmental power without democratic mandate. Companies excluded from markets face significant obstacles challenging these decisions — accreditation bodies claim their choices are ‘technical’ rather than regulatory32 making judicial review difficult33. The same pattern is now spreading into finance: in the sphere of green bonds and sustainable lending, demands for accredited verification are steadily increasing, turning access to capital into another arena of standards-based gatekeeping.
The result: enormous economic power with limited legal accountability.
The First Rail
The global accreditation system reveals how technical infrastructure becomes governance infrastructure. By controlling whose verification counts, it transforms voluntary standards into market gatekeepers without requiring a single new law. Procurement officers and finance directors who have never heard of ILAC or IAF find themselves enforcing its decisions every time they specify ‘accredited certification’ as a requirement.
The accreditation spine shows the pattern: governance through infrastructure rather than authority, compliance through market access rather than legal penalty. Once we see this pattern, similar structures become visible everywhere — each one another rail in the same system, each one making the measurement regime a little more inescapable.
This pattern is now accelerating toward complete consolidation. ILAC and IAF are merging into the Global Accreditation Cooperation (GLOBAC), provisionally operational from January 202634. The two separate mutual recognition arrangements will become a single GLOBAC MRA — transforming the ‘accreditation spine’ from a duopoly into a monopoly. The reaction reveals the constitutional stakes. Germany's Accreditation Council recommended against joining GLOBAC, citing its lack of charitable status, absence of WTO recognition, and potential antitrust violations35. The European Commission confirmed that GLOBAC lacks legal recognition under EU regulations.
When the world's third-largest economy refuses participation on constitutional grounds, it underscores precisely what this analysis has identified: private technical infrastructure exercising quasi-governmental power without democratic mandate.
The accreditation spine shows the pattern: governance through infrastructure rather than authority, compliance through market access rather than legal penalty. Once we see this pattern, similar structures become visible everywhere — each one another rail in the same system, each one making the measurement regime a little more inescapable.
But accreditation is just the first enforcement rail in a much larger architecture. Above it sits an entire ecosystem of financial regulations, digital identity systems, audit requirements, data access controls, and procurement rules that together make resistance to the global indicator system nearly impossible.
Addressing Common Objections
‘This is conspiracy thinking’
Every mechanism described is documented in official sources. ILAC and IAF openly publish their recognition arrangements. The ISO/IEC standards are public. The procurement requirements are in government regulations.‘Standards are good for quality’
The analysis doesn't oppose standards. It identifies how control over whose verification counts creates quasi-governmental power without democratic accountability.‘Markets need trust mechanisms’
True, but artificial scarcity in the trust market concentrates power. Perfectly competent non-accredited bodies are excluded not for quality reasons but for not being in the network.‘Companies can choose not to participate’
Only if they're willing to forfeit access to public procurement (13% of GDP), green finance, defense contracts, and development funding — plus the cascade effects when large enterprises require the same accredited certifications from their suppliers and subcontractors. SMEs that never bid on government work directly still get pulled into the system through supply chain requirements. That's not really a choice.‘This helps developing countries access global markets’
Actually, it forces dependence on foreign certification when local bodies could be adequate, draining resources that could build local capacity.‘There are appeals processes’
Within the same system. When ILAC or IAF changes recognition criteria, affected companies have limited recourse because these are deemed ‘technical’ rather than regulatory decisions.‘This is just efficient coordination’
Efficient for whom? It eliminates competition in certification markets and gives private technical committees power to determine global market access without democratic oversight.
The analysis stands: voluntary standards become mandatory gatekeepers through accreditation requirements, concentrating enormous economic power in private organisations with limited accountability.