A February 2025 European Commission announcement confirmed that the first obligations of the EU AI Act took effect on 2 February 2025, with high-risk system rules phasing in through August 2026. For U.S. businesses, that timeline triggered a quieter, more important question: does any of this actually apply to us? Most leadership teams assume the answer is no because the company is headquartered in the United States. That assumption is wrong roughly half the time. The Act reaches across borders the moment your AI output is used inside the EU, regardless of where the model was built or deployed. This guide is for U.S. compliance, legal, and AI leaders who need a defensible answer to one question: what applies to us, and what doesn’t?
## Why the EU AI Act matters to U.S. businesses (even ones with no EU office)
The EU AI Act is the first comprehensive horizontal regulation of artificial intelligence anywhere in the world. It is also the most extraterritorial piece of AI law currently on the books. If you build, sell, or operate AI systems and any of the output ends up in the EU, you are likely in scope, even with no entity, employee, or server in Europe.
This matters because the penalty regime is severe. According to Article 99 of the Act, fines for prohibited AI uses reach the higher of €35 million or 7% of global annual turnover. For high-risk and general-purpose AI obligations, the cap is €15 million or 3% of global turnover. These numbers are calculated on worldwide revenue, not EU revenue, and apply to U.S. companies the same way they apply to European ones.
There is a second reason this is on your desk now. U.S. enterprise customers, particularly those operating in regulated industries, are starting to flow EU AI Act requirements down through procurement. If your model powers a feature inside a SaaS product sold to a European bank, the bank is asking your vendor what they signed in their contract. Your vendor is asking you. Compliance flows uphill, and contracts are arriving faster than most U.S. legal teams expected.
### EU AI Act penalty tiers at a glance
| Violation type | Maximum fine | Applies to |
|---|---|---|
| Prohibited AI practices (Article 5) | €35M or 7% of global turnover | Anyone, including U.S. firms |
| High-risk system non-compliance | €15M or 3% of global turnover | Providers, deployers, importers |
| Incorrect or misleading information | €7.5M or 1% of global turnover | Anyone responding to authorities |
## How the Act decides whether it applies to you
Scope is the first thing to get right, and it is the most commonly misunderstood. Article 2 of the EU AI Act sets out three triggers for extraterritorial reach. Any one of them brings a U.S. business into scope.
### Trigger 1: You place an AI system on the EU market
If you sell, license, or otherwise make available an AI system or general-purpose AI model in the EU, you are a provider under the Act. This includes embedded AI inside non-AI products. A U.S. SaaS company offering its platform to European customers is a provider the moment a customer in Berlin signs the contract, regardless of where the inference happens.
### Trigger 2: You are a deployer located in the EU
Deployers are the organisations using AI under their own authority. If a U.S. parent has a Dutch subsidiary that uses an AI hiring tool on EU candidates, the subsidiary is a deployer. The U.S. parent is not directly in scope under this trigger, but if it is also the system’s provider, it picks up the heavier provider obligations through Trigger 1.
### Trigger 3: The system’s output is used in the EU
This is the trigger that catches U.S. businesses by surprise. Even if you have no EU customers, no EU subsidiary, and no EU users, you can still be in scope if the output of your AI system is used inside the EU. A U.S. analytics company whose risk scores are consumed by a European insurer is captured here, even though the contract is between the U.S. company and a U.S. broker.
> Practical test: trace the output path. If an AI prediction, classification, recommendation, or generated content produced by your system ends up influencing a decision, person, or process inside the EU, assume Article 2(1)(c) is in play and document why it is or isn’t.
## The four risk tiers, and why most U.S. systems land in the middle two
Once you know the Act applies, the next question is which obligations apply. The EU AI Act sorts AI systems into four risk categories. The category determines the rulebook.
| Risk tier | What it covers | What you must do | Typical U.S. example |
|---|---|---|---|
| Unacceptable | Social scoring, manipulative AI, real-time biometric ID in public spaces | Banned outright (since Feb 2025) | A consumer app that scores citizens by behaviour |
| High-risk | AI in hiring, credit, education, critical infrastructure, law enforcement, medical devices | Full conformity assessment, registration, post-market monitoring | A resume-screening model used on EU candidates |
| Limited risk | Chatbots, emotion recognition, deepfakes, AI-generated content | Transparency: tell users they are interacting with AI | A customer-service chatbot on a multilingual SaaS site |
| Minimal risk | Most enterprise AI: spam filters, recommendation engines, internal productivity tools | No mandatory obligations; voluntary codes of conduct | An internal sales-forecasting model |
Most U.S. enterprise AI lands in limited or minimal risk, which is why the Act is less burdensome for the typical business than headlines suggest. The risk is concentrated in a defined list of use cases set out in Annex III. If your system is not on that list and is not a safety component of a regulated product, it is almost certainly not high-risk.
## What actually applies to your business: a 4-step decision tree
Most U.S. businesses do not need a 200-page legal memo. They need a structured way to answer four questions. Work through them in order.
- Question 1 – Does any output of your AI system touch the EU? If yes, the Act is potentially in scope. If no, you can stop here, but document the analysis. Scope can change quickly when contracts change.
- Question 2 – What role do you play? Provider, deployer, importer, or distributor? Roles carry different obligations. A U.S. company that builds and sells a model is almost always a provider, which is the heaviest role.
- Question 3 – What risk tier is the system? Run each AI system against the prohibited list, the Annex III high-risk list, and the limited-risk transparency triggers. Most systems are minimal risk, but assume nothing without checking.
- Question 4 – When does it apply? The Act phases in through August 2026. Prohibitions and AI literacy started Feb 2025. GPAI rules apply from Aug 2025. High-risk obligations under Annex III apply from Aug 2026, and Annex I high-risk rules from Aug 2027.
> If you answer ‘yes / provider / high-risk / 2026’ to those four questions, you are looking at the most demanding compliance pathway. Plan for a multi-quarter program, not a checklist.
## Provider vs deployer: why the same system can have two compliance owners
The provider/deployer split is one of the most consequential design decisions in the Act, and it is rarely understood correctly. The same AI system can carry different obligations for different organisations, depending on what each one is doing with it.
A provider develops or has developed an AI system or general-purpose AI model and places it on the market under its own name or trademark. Providers carry the heaviest load: technical documentation, conformity assessment, EU database registration for high-risk systems, post-market monitoring, and substantial obligations around training data, transparency, and human oversight.
A deployer uses an AI system under its own authority, other than in the course of a personal, non-professional activity. Deployers carry a lighter but real set of obligations: ensuring human oversight, monitoring system operation, keeping logs, and conducting a fundamental rights impact assessment for certain high-risk uses in public services or essential private services.
The trap: a U.S. company that licenses a third-party model and substantially modifies it for its own purposes can become a provider in the eyes of the Act, even if it would describe itself as a user. Fine-tuning a foundation model for a specific high-risk use case is the canonical example. The original developer is no longer the only provider in the chain.
### Quick way to test your role
- If you train, fine-tune, brand, or sell the model: provider obligations apply.
- If you only use the model in your operations under contract: deployer obligations apply.
- If you import a non-EU model into the EU market: importer obligations apply on top of any provider obligations the original developer carries.
- If you resell without modification: distributor obligations apply, mostly around verification and recordkeeping.
## General-purpose AI: the rule that catches U.S. tooling vendors
General-purpose AI (GPAI) models, including foundation models and large language models, have their own obligations under Chapter V of the Act. These rules began applying on 2 August 2025 and are particularly relevant to U.S. companies, given the geographic concentration of frontier model providers.
GPAI obligations include maintaining technical documentation, providing information to downstream providers integrating the model, complying with EU copyright law, and publishing a sufficiently detailed summary of training data. Models classified as having systemic risk, currently those trained with more than 10²⁵ FLOPs of compute, take on additional obligations: model evaluations, adversarial testing, serious incident reporting, and cybersecurity measures.
If you are a U.S. AI tooling vendor whose model is integrated into European products, you are likely in scope of these GPAI rules even if your direct customers are not in the EU. The downstream-provider information disclosure obligation is a particularly common pain point: your enterprise buyers in Europe will start asking for compliance documentation as part of their own conformity assessments, and they have a regulatory reason to push back if you cannot provide it.
> If you sell APIs, model access, or fine-tunable foundation models to European companies, treat the GPAI documentation requirements as a procurement-readiness issue, not just a legal one. They are showing up in RFP responses now.
## How the EU AI Act lines up with NIST AI RMF and ISO 42001
Most U.S. businesses don’t approach the EU AI Act from a clean slate. They have already adopted, or are adopting, the NIST AI Risk Management Framework or ISO/IEC 42001. The good news is that significant overlap exists. The bad news is that overlap doesn’t equal equivalence, and U.S. teams sometimes assume more coverage than they have.
| Capability | EU AI Act | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|---|
| Status | Binding regulation (EU) | Voluntary framework (US) | Certifiable management standard (global) |
| Risk classification | Mandatory, four tiers | Voluntary, contextual | Required as part of AIMS |
| Documentation | Article 11 technical file (mandatory for high-risk) | Suggested in Govern function | Required in Clauses 7.5 and 8 |
| Human oversight | Article 14 (mandatory for high-risk) | Manage 4.1 | Annex A.6.2.6 |
| Penalties | Up to 7% global turnover | None (voluntary) | Loss of certification |
The practical implication: if you have an ISO/IEC 42001 AI management system in place, you are roughly 60–70% of the way to EU AI Act readiness for high-risk systems. ISO 42001’s risk assessment, lifecycle management, and AI policy clauses map cleanly to Articles 9, 11, 14, and 17 of the Act. The gaps are mostly in EU-specific elements: Annex IV technical file structure, EU database registration, and CE marking processes.
This is one of the strongest arguments for a structured AI governance platform rather than a spreadsheet-based approach. Mapping a single AI system inventory to multiple frameworks at once turns three separate compliance programs into one. Govern365.ai’s AI model registry maps each system to its applicable ISO 42001 clauses, EU AI Act articles, and NIST AI RMF functions, which means evidence collected once satisfies obligations across all three.
## The compliance timeline most U.S. businesses are working backward from
Treat the Act as a phased rollout, not a single deadline. Each phase has different scope and different stakes.
| Effective date | What applies | Practical action |
|---|---|---|
| 2 Feb 2025 | Prohibited AI practices, AI literacy obligations | Confirm no system uses banned techniques; document AI literacy program for staff working with AI |
| 2 Aug 2025 | GPAI rules, governance bodies, penalties active | If you provide foundation models, finalise GPAI technical documentation and downstream-provider information packs |
| 2 Aug 2026 | Most high-risk obligations (Annex III) | Complete conformity assessments and EU database registration for high-risk systems already in production |
| 2 Aug 2027 | Annex I high-risk obligations (regulated products) | Align with sector-specific conformity routes (medical devices, machinery, automotive, etc.) |
If your high-risk system goes live in 2026, your conformity assessment work needs to start now. Notified bodies have finite capacity, and queues are already forming. The same dynamic plays out for technical documentation: assembling an Article 11 file from scratch on a complex AI system takes 6–9 months for most teams.
## What U.S. businesses actually need to do this quarter
Skip the boil-the-ocean approach. Five concrete actions cover 80% of where most U.S. businesses are exposed.
- Build an AI system inventory. Every AI system, model, or feature in production or development. Include source (built / bought / fine-tuned), business owner, and intended use. You cannot scope what you cannot see.
- Run a scope test against Article 2. For each system, document whether output reaches the EU. This is a recurring quarterly review, not a one-off.
- Tier each in-scope system. Apply the four risk categories. Flag any system on the prohibited list immediately. Flag any Annex III system for a deeper review.
- Map roles. For each in-scope system, document whether you are provider, deployer, importer, or distributor. Multiple roles per system are common.
- Stand up evidence collection. The technical file, post-market monitoring records, and incident logs required for high-risk systems do not exist if they are not being collected today. Start now, even informally.
These five actions are the foundation. Everything else, including conformity assessments, EU representative appointments, fundamental rights impact assessments, and CE marking, builds on top of them. Skip the foundation and the rest of the program will be exponentially more expensive.
## Five misconceptions U.S. businesses repeat about the EU AI Act
1. “We’re not in Europe, so it doesn’t apply.”
Article 2(1)(c) brings extraterritorial reach. Output use in the EU is enough. Geographic absence is not a defence.
2. “We use a third-party model, so the vendor is responsible.”
Substantially modifying a third-party model, or branding it as your own, can transfer provider status to you. Many U.S. enterprise AI deployments inadvertently meet this threshold.
3. “All AI is now high-risk.”
Most AI is minimal risk. High-risk is a defined list. Treating every system as high-risk wastes compliance budget and burns out the team.
4. “NIST AI RMF compliance means EU AI Act compliance.”
NIST and the EU AI Act overlap on principles but not on enforceability. NIST is voluntary; the Act is binding. NIST does not require Annex IV documentation, EU database registration, or CE marking.
5. “We have time. The high-risk rules don’t apply until 2026.”
Prohibitions apply now. GPAI rules apply now. AI literacy applies now. Procurement clauses are flowing today. Waiting until 2026 means responding to enterprise customers on the back foot.
## Frequently asked questions
### Does the EU AI Act apply to small U.S. businesses?
Yes, if any AI system output is used in the EU. The Act has no general small-business exemption, though it does provide proportionate compliance support for SMEs through regulatory sandboxes and reduced fees for conformity assessments. Size affects penalty calculations but not whether the Act applies in the first place.
### How is the EU AI Act different from GDPR for U.S. businesses?
GDPR governs personal data; the EU AI Act governs AI systems regardless of whether they process personal data. Both have extraterritorial reach, but they trigger differently. A U.S. AI system that processes no personal data can still fall under the AI Act if it is high-risk and used in the EU. Many systems are in scope of both regimes.
### What is an EU authorised representative and do we need one?
If you are a non-EU provider of high-risk AI systems or GPAI models, Article 22 requires you to appoint an authorised representative established in the EU before placing the system on the market. The representative is the regulator’s primary contact and holds the technical documentation. There is no equivalent obligation for deployers or for limited-risk and minimal-risk systems.
### Are AI chatbots considered high-risk under the EU AI Act?
Most chatbots are limited-risk, not high-risk. Article 50 transparency obligations require you to inform users they are interacting with AI unless it is obvious. Chatbots become high-risk only if they are deployed in a high-risk context, for example, a chatbot that makes credit or hiring decisions. The function determines the tier, not the form factor.
### Will the EU AI Act be enforced against U.S. companies?
Yes. EU regulators have explicit jurisdiction over U.S. companies in scope under Article 2 and have indicated cross-border enforcement is a priority. Practical enforcement will likely flow through EU customers and partners first, with direct regulatory action following for prohibited practices, GPAI non-compliance, and high-profile high-risk system failures. Treat enforcement as a when, not an if.
### How does the EU AI Act interact with U.S. state AI laws like Colorado’s SB 205?
They overlap but do not conflict. Colorado’s AI Act, effective February 2026, regulates high-risk AI in employment, housing, credit, and similar areas, with parallels to EU high-risk categories. A U.S. business with operations in Colorado and EU customers needs to comply with both. The good news: a single AI governance program with a strong inventory, risk assessment, and impact assessment process can serve both regimes with relatively modest incremental work.
## The bottom line on EU AI Act applicability
The EU AI Act is broader than U.S. businesses initially expect, and narrower than the headlines suggest. Most enterprise AI is not high-risk, but many U.S. companies are in scope through extraterritorial output reach without realising it. The companies that will absorb the regulation cleanly are the ones that built an AI inventory, ran a structured scope test, and started collecting evidence early, well before the August 2026 high-risk deadline.
If you do not yet have a defensible answer to “what applies to us under the EU AI Act,” make that your single deliverable for this quarter. Everything else, from conformity assessment to CE marking to EU representative appointment, depends on getting that scope question right.

Govern365.ai, by the Global AI Certification Council, gives compliance and AI governance teams a single platform to inventory AI systems, classify them against EU AI Act risk tiers, map controls to ISO 42001 and NIST AI RMF, and assemble Article 11 technical files audit-ready. Start your 14-day free trial and turn the EU AI Act from a compliance liability into a procurement advantage.
