The EU AI Act for Non-EU Companies: When It Applies to You

Four ways the EU AI Act applies to a US-headquartered company. Most non-EU executives underestimate the reach.

TL;DR

Four ways the EU AI Act applies to a US-headquartered company:

  1. You sell AI products into the EU. Direct application.
  2. Your AI outputs are used in the EU. Even if you don’t sell there.
  3. You process EU residents’ data through AI. GDPR-style extraterritorial reach.
  4. Your customer is EU-based and uses your AI in their products. Cascading obligations.

The compliance work splits by risk tier: prohibited (don’t), high-risk (significant obligations), limited-risk (transparency only), minimal-risk (no obligations). Most enterprise AI lands in high-risk or limited-risk.


Four ways the EU AI Act applies to a US company. Most non-EU executives underestimate the reach.

The EU AI Act is the most comprehensive AI regulation in the world as of 2026, and its extraterritorial reach is broader than most non-EU executives appreciate. The pattern of “we don’t operate in the EU, so this doesn’t apply to us” is wrong in most enterprise cases. This piece is the specific applicability analysis — when the Act reaches you, what it requires, and what to do this quarter.

The four ways it applies

1. Selling AI products into the EU

The most obvious case. If your product is sold to EU customers, the Act applies. This includes:

  • SaaS sold to EU companies.
  • Hardware with embedded AI shipped to the EU.
  • AI-powered services with EU customers.

The applicability is automatic; you don’t have to opt in.

2. AI outputs used in the EU

Even if you don’t sell to the EU, if your AI outputs are used there, the Act applies. Examples:

  • Your AI generates content that’s distributed to EU customers (your customer’s customer).
  • Your AI is used by EU employees of your customers.
  • Your AI is used in cross-border decisions affecting EU residents.

This catches most B2B AI vendors with global customers. You can be a US company selling to a US-headquartered customer, and still fall under the Act because that customer’s EU subsidiaries use your AI.

3. Processing EU residents’ data

Similar to GDPR’s extraterritorial reach. If your AI processes data of EU residents — even if you and your customer are non-EU — the Act applies to those operations.

Common case: a global e-commerce platform’s AI personalization for users in Europe, even if the platform is US-headquartered.

4. Cascading obligations from EU customers

If your customer is EU-based and is using your AI in their high-risk product, they’re required to ensure their entire AI supply chain (including you) meets the Act’s requirements. Their compliance becomes your contractual obligation.

This is increasingly visible in 2026 procurement contracts: AI vendors getting AI Act compliance clauses pushed down from EU customers.

The four risk tiers

The Act’s obligations scale with risk tier.

Prohibited (Article 5)

Specific use cases that are not allowed. Examples: social scoring of citizens, real-time biometric identification in public spaces (with narrow exceptions), AI that exploits vulnerabilities of specific groups.

Action: don’t ship these. Audit your roadmap for inadvertent matches.

High-risk (Annex III)

A substantial list including: biometrics, critical infrastructure, education, employment (hiring, firing, performance), essential services (credit, insurance), law enforcement, migration, justice. Most enterprise HR-AI and lending-AI lands here.

Obligations include: a risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and robustness, and cybersecurity. Plus a conformity assessment before the system is placed on the market.

Cost of compliance: significant. Plan for 6–12 months and a dedicated team.

Limited-risk

AI that interacts with people (chatbots), generates synthetic content (deepfakes), emotion recognition, biometric categorization. Obligations: transparency. Users should know they’re interacting with AI; AI-generated content should be marked.

Cost: modest. Usually a UI and disclosure update.

Minimal-risk

Most other AI. No specific obligations under the Act. The voluntary code of conduct applies.

What to do this quarter

  1. Run the applicability analysis. Map your AI deployments against the four reach mechanisms. Most companies discover at least one applies.
  2. Tier your AI portfolio by risk. Each agent gets a tier assignment with a documented rationale.
  3. Plan compliance work for high-risk deployments. Significant; budget for it.
  4. Update procurement contracts with EU customers to clarify allocation of compliance obligations between you and them.

What you actually have to do for high-risk AI

The Act’s high-risk requirements aren’t infinite, but they’re substantial. The major categories:

Risk management system: documented process for identifying, analyzing, and mitigating risks throughout the AI’s lifecycle.

Data and data governance: training data must meet quality criteria; bias testing required; data lineage documented.

Technical documentation: comprehensive documentation enabling regulators to assess compliance.

Record-keeping: automatic logging of operation; retention periods specified.

Transparency: information provided to deployers (your customers); clear instructions for use.

Human oversight: provisions for meaningful human supervision throughout operation.

Accuracy, robustness, cybersecurity: meeting technical standards.

Conformity assessment: third-party or self-assessment depending on category, completed before the system is placed on the market.

This is a working list, not legal advice. Engage EU counsel for the specifics.

Penalties

The Act’s fines:

  • Prohibited practices: up to €35M or 7% of global turnover.
  • Other violations: up to €15M or 3% of global turnover.
  • Misleading information to authorities: up to €7.5M or 1% of global turnover.

Comparable to GDPR fines. Plan accordingly.

FAQ

When does the Act take effect? Phased rollout starting 2025. Most provisions in force by mid-2026; some high-risk provisions phase in by 2027. The relevant dates for your specific deployments depend on tier.

Does this apply to internal-only AI tools? Mostly no, with exceptions. Pure internal employee tools usually don’t trigger high-risk obligations. But if internal AI affects employment decisions (hiring, firing, performance management), it’s likely high-risk.

What’s the practical cost difference between “high-risk” and “minimal-risk”? High-risk: $500K–$3M per AI deployment in initial compliance work. Minimal-risk: typically under $50K. The tier classification dominates the cost.

Are open-source AI models in scope? Open-source foundation models have specific carve-outs but obligations attach when integrated into high-risk systems. Don’t assume open-source eliminates compliance work.

How does this interact with US state-level regulation? Compliance is increasingly multi-jurisdictional. Build the EU framework first; adapt for state-specific (Colorado, NYC, California) variations on top.


Working with JAIN on EU AI Act compliance? We help executive teams run applicability analysis and plan compliance for high-risk deployments. Book a 30-minute call.