A company can have a carefully designed prevention plan and compliant protective equipment, and still be non compliant because it has never identified the legal texts that apply to its activity, or because it never checks whether it actually meets them. This is precisely the point that ISO 45001:2018 addresses through two complementary requirements: clause 6.1.3 (legal requirements and other requirements) and clause 9.1.2 (evaluation of compliance). Properly implemented, these two requirements turn a burdensome obligation into a managed, traceable regulatory monitoring process that can withstand an inspection.
What a compliance obligation means in OH&S
A compliance obligation covers the full set of requirements that an organization must, or chooses to, comply with regarding occupational health and safety. The standard distinguishes two families. On one side, legal requirements: the applicable national and local regulatory framework, meaning the laws, decrees, orders and technical texts that govern the hygiene, safety and health of workers. On the other side, other requirements: commitments the organization voluntarily subscribes to, such as customer or client requirements, agreements with employee representatives, internal group rules, or sector codes and standards the company adheres to.
These obligations are not a theoretical list. They directly shape hazard identification, the definition of control measures and the design of the management system. Understanding their scope requires first laying the foundations of a coherent OH&S management system, in which regulatory compliance is a pillar and not a box to tick at the end of the project.
What the standard requires: 6.1.3 and 9.1.2
Clause 6.1.3 requires the organization to establish, implement and maintain a process to determine and have access to the legal requirements and other requirements applicable to its hazards, its OH&S management system and its activities. It also requires determining how these requirements apply concretely to the organization and what needs to be communicated, then taking them into account when establishing, implementing, maintaining and continually improving the system. In other words, the standard does not settle for a binder of texts: it requires linking each requirement to an operational reality.
Clause 9.1.2 closes the loop. It requires establishing, implementing and maintaining a process to evaluate compliance with legal requirements and other requirements. The organization must define the frequency and methods of evaluation, evaluate its compliance and take action if needed, maintain knowledge and understanding of its compliance status, and retain documented information as evidence of the evaluation results. The standard therefore requires both knowing what applies (6.1.3) and demonstrating that it is actually being met (9.1.2).
Identifying is not evaluating: regulatory monitoring vs compliance evaluation
The most common confusion on the ground is believing that a well maintained register of texts is enough to prove compliance. These are two distinct and sequential activities.
Regulatory monitoring (identify and track)
Regulatory monitoring consists of identifying applicable texts, collecting them, tracking their changes and recording them in a register. It answers the question: what requirements apply to us today? Organized monitoring rests on three stages:
- Identification: establishing the list of texts applicable to the activity, the processes, the substances used, the equipment and the categories of personnel.
- Tracking: monitoring amendments, repeals and new texts, at a defined frequency, using a reliable source and a named person responsible.
- The register: recording, in a structured way, each requirement, its source, its date, its scope and how it applies to the organization.
Compliance evaluation (verify)
Compliance evaluation comes afterwards. It consists of comparing each identified requirement against the company's actual situation in order to determine: compliant, non compliant, or partially compliant with an action plan. It answers the question: are we actually meeting what applies to us? Identifying an obligation relating to employee medical surveillance is one thing; verifying that every relevant employee has actually undergone the scheduled examination is another. Monitoring feeds the evaluation, but never replaces it. An audit will systematically rely on this distinction to test the robustness of the system.
The OH&S regulatory framework in Morocco
In Morocco, the foundation of OH&S compliance obligations is found first in the Labor Code (law 65-99). Its section on hygiene and safety sets out the employer's general obligations regarding worker protection, the layout and cleanliness of workplaces, risk prevention and the provision of protective means. This is the primary reference that any OH&S monitoring process must cover.
On top of this foundation, monitoring must also cover specific arrangements:
- Occupational medicine: the rules governing occupational health services and employee health surveillance, which structure medical examinations and individual follow up.
- The safety and hygiene committee: the internal body dedicated to occupational risk prevention, whose composition, role and operation are regulated, and which is a compliance point regularly checked.
- Technical implementing texts: decrees and orders that specify requirements by risk, sector or type of installation, and that must be linked to the hazards actually present in the company.
The underlying logic is essential: the regulatory framework is not copied wholesale, it is filtered according to the hazards identified. This is why regulatory compliance must be built in close dialogue with the hazard identification and risk assessment (HIRA) process: every significant hazard calls for the corresponding legal requirements, and every legal requirement in turn shapes the control measures to be put in place.
Keeping the register up to date
The register of legal requirements and other requirements is the cornerstone of the system, the one that makes compliance manageable and demonstrable. To be truly usable, it should include, for each requirement:
- the title and reference of the text or commitment, with its official source;
- the area concerned (hygiene, machine safety, chemical products, occupational medicine, representative bodies...);
- applicability: how and on what basis the requirement concerns the organization;
- the compliance status resulting from the evaluation, with the associated evidence;
- the person responsible, the action to take in case of a gap, and the deadline;
- the date of the last update and the date of the next review.
A living register requires governance: a defined update frequency, a named owner, a reliable monitoring source and a clear link with management review. This regularity is what distinguishes a mature management system from a static binder. Keeping the register up to date also means anticipating changes rather than being caught by them, and having, at any time, a clear picture of the organization's compliance status, which is exactly what clause 9.1.2 requires.
To check where your organization stands ahead of an audit and structure your compliance review, HEMC provides its ISO 45001 audit preparation checklist, a concrete starting point for organizing your regulatory monitoring and compliance evaluation.
