EU AI Act Compliance · New York · European Legal Expertise

The EU AI Act applies to your organization. The question is whether you find out now — or when a regulator does.

Fines up to €35M. Applies to any organization whose AI affects EU individuals. AI governance consulting in NYC from a European-barred attorney with 10+ years of EU legal practice.

Check your exposure — free 5-minute assessment How we help
until the next EU AI Act obligation takes effect
Spanish Bar Member (ICATF 5961)
10+ Years EU Legal Practice
Trained in 2 EU Countries
IAPP AIGP Candidate

Note — Digital Omnibus on AI (7 May 2026)

On 7 May 2026, Council and Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI proposing to defer the high-risk deadline from 2 August 2026 to 2 December 2027 (Annex III stand-alone) and 2 August 2028 (Annex I embedded). Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding.

Article 5 prohibitions and Article 4 AI literacy obligations have been enforceable since 2 February 2025 and are not affected by the Omnibus. The AI Office obtains full enforcement powers on 2 August 2026 regardless of the Omnibus outcome. A new 2 December 2026 obligation under the proposed regime introduces Article 50 transparency for synthetic content and a new Article 5 prohibition on AI-generated CSAM and nudifier applications.

The Problem

Most US companies do not realize they are already in scope

The EU AI Act follows the output, not your office address. If your AI system produces results used by anyone in the EU — a job applicant, a customer, a partner — Article 2 applies to you. No EU office required. No EU employees needed. This is broader than GDPR.

Already enforceable

Prohibited AI practices have been illegal since 2 February 2025. AI literacy obligations under Article 4 are active now. These are unaffected by the Digital Omnibus deferral. Most US companies have not started compliance.

Material penalties

Up to €35 million or 7% of global annual turnover for prohibited practices. Up to €15M or 3% for high-risk non-compliance. These are not theoretical — GDPR enforcement provides the precedent.

Multi-jurisdiction overlap

NYC organizations face dual obligations: EU AI Act for cross-border AI, Local Law 144 for employment AI, GDPR for personal data. Without a unified strategy, compliance costs multiply.

Services

Four paths to compliance clarity

Each engagement begins with an EU AI Act readiness assessment tailored to your specific AI landscape and regulatory exposure. No templated solutions — every recommendation maps to your systems, sectors, and jurisdictions. Our EU AI Act consulting covers the full compliance lifecycle.

EU AI Act Compliance Audit

Systematic classification of your AI systems against the EU AI Act risk framework. Inventory, Annex III analysis, gap assessment, and compliance roadmap with deadlines.

Learn more →

AI Risk Assessment

Bias, privacy, and fairness evaluation for AI systems under LL144, GDPR Article 22, and EU AI Act high-risk requirements. Documentation for audit readiness.

Learn more →

🌐

Cross-Border AI Compliance

Unified compliance strategy spanning EU AI Act, GDPR, NYC LL144, NIST AI RMF, and emerging state legislation. One framework, multiple jurisdictions.

Learn more →

EU Authorised Representative

Article 22 mandate coordination for non-EU providers of high-risk AI systems. Through our partner SecureFound (Spain), Lexara structures the legal mandate, scope, and ongoing compliance interface with EU authorities.

Learn more →

Industries We Serve

Sector-specific AI compliance

💼

Financial Services

Credit scoring, insurance underwriting, algorithmic trading. Annex III Area 5.

💻

HR & Recruitment Tech

AEDTs, resume screening, promotion algorithms. LL144 + EU AI Act Annex III Area 4.

🎓

Higher Education

Admissions, proctoring, adaptive learning. Annex III Area 3. Extraterritorial for EU partnerships.

Healthcare & Biotech

Diagnostic AI, clinical support, medical devices. High-risk under both Annex I and Annex III.

Why Lexara

The advantage no US-only firm can offer

Most US AI compliance consultants interpret EU regulation from the outside. As an AI compliance consultant in New York with direct EU legal training, active European bar membership, and practical experience navigating EU regulatory systems, Lexara bridges both worlds.

European-barred attorney

Active member of the Spanish Bar (ICATF 5961). Legal training in Romania (law degree) and Spain (UNED master's). Native understanding of EU legal reasoning, not a translation of US frameworks.

10+ years EU practice

A decade of active practice under EU regulatory frameworks including GDPR, immigration law, and cross-border litigation. Practical experience with how EU enforcement actually works.

NYC-based, US-focused

Based in New York City, serving US organizations. We understand both sides: EU regulatory expectations and US business realities. Compliance strategies built for American operating models.

Case in point

A New York fintech with EU customers needed Annex III classification for three AI systems used in credit assessment and customer onboarding. Two were confirmed high-risk under Area 5, requiring conformity assessments, EU database registration, and an EU authorised representative. One qualified for the Article 6(3) exemption as a narrow procedural task. The engagement identified a six-month compliance timeline — well within the deadline under either the original 2 August 2026 schedule or the deferred 2 December 2027 timeline proposed by the Digital Omnibus, but only because they started early.

Published analysis

Guilty Algorithm — 33 chapters on AI regulation →
Regulatory Knowledge

Frameworks we work with

EU AI EU AI Act Reg. 2024/1689
GDPR GDPR Data Protection
LL144 NYC LL144 AEDT Bias Audits
NISTAI RMF NIST AI RMF Risk Management
ISO42001 ISO 42001 AI Management
IAPPAIGP IAPP AIGP AI Governance

EU Regulation

EU AI Act (Reg. 2024/1689), GDPR, EU Digital Services Act, EU Product Safety Regulation

US Regulation

NYC Local Law 144, Colorado AI Act, NIST AI RMF, EEOC/Title VII, FTC AI Guidance

Standards

ISO 42001, ISO 27001, IEEE 7000, OECD AI Principles, NIST AI 100-1

How It Works

From exposure to compliance in four steps

1

Rapid Assessment

90-minute session to inventory AI systems, map EU nexus, and classify risk levels. Delivered in one week.

2

Gap Analysis

Detailed EU AI Act gap analysis comparing your current governance against regulatory requirements. Identifies what exists, what is missing, and what must change against the applicable deadline.

3

Documentation

Build the compliance artifacts: risk management system, technical documentation, conformity declarations, FRIA where required, EU authorised representative mandate.

4

Ongoing Advisory

Post-market monitoring support, regulatory updates, and adaptation as standards and enforcement evolve.

Start with a free assessment
Latest Insights

Understanding your obligations

In-depth analysis of the regulations that affect your AI operations. Written for compliance officers, legal teams, and business leaders.

Extraterritorial Scope

Article 2 — Does the EU AI Act Apply to US Companies?

The scope trigger follows the output, not your address. If your AI reaches the EU, you are in scope.
Compliance Overlap

EU AI Act vs NYC Local Law 144 — Overlap Map

Where the two frameworks converge, where they diverge, and how to build a unified approach.
Penalties

EU AI Act Fines: €35M and 7% Turnover

Three penalty tiers, GDPR enforcement precedent, and what US companies should prepare for.
Already In Force

Article 4 AI Literacy — The Obligation You May Have Missed

In force since February 2025. Applies to all AI systems regardless of risk level. Not affected by the Digital Omnibus.
Key Dates

EU AI Act Timeline for US Organizations

Every deadline from February 2025 to August 2028 on one page, with the Digital Omnibus dual regime.
Frameworks

NIST AI RMF vs EU AI Act — Unified Framework

Where they align, where they diverge, and how to bridge the gap.
Financial Services

Annex III for NY Financial Services
Registration

EU Database Registration (Article 71)
Higher Education

EU AI Act for NY Universities
GDPR + AI Act

Double Compliance for Automated Decisions
View all insights →
FAQ

Common questions

Yes. Under Article 2(1), the EU AI Act applies to any organization whose AI system outputs are used within the EU, regardless of where the organization is headquartered. If your AI affects EU individuals — through hiring, credit scoring, customer service, or any other function — you are likely in scope. The scope trigger follows the output, not your infrastructure or physical location.
Penalties are tiered by severity: up to €35 million or 7% of global annual turnover for prohibited AI practices, up to €15M or 3% for high-risk system non-compliance, and up to €7.5M or 1% for providing incorrect information to authorities. GDPR enforcement history shows that the EU does enforce against non-EU companies.
Under the regulation as currently in force, high-risk AI systems under Annex III must comply by 2 August 2026. The Digital Omnibus on AI — on which Council and Parliament negotiators reached a provisional political agreement on 7 May 2026 — proposes to defer this deadline to 2 December 2027 (Annex III stand-alone) and 2 August 2028 (Annex I embedded). Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding. Article 5 prohibitions and Article 4 AI literacy obligations have been enforceable since 2 February 2025 and are unaffected by the Omnibus. GPAI model obligations have applied since 2 August 2025.
No. The Omnibus is a provisional political agreement, not formally adopted law. Until publication in the Official Journal, the 2 August 2026 deadline remains legally binding. Even under the proposed timeline, registration in the EU database (Article 71) cannot occur until conformity assessment is complete — a process that typically requires 4 to 6 months. The AI Office obtains full enforcement powers on 2 August 2026 regardless of the Omnibus. Article 5 prohibitions and Article 4 AI literacy are already enforceable since 2 February 2025. Professional prudence requires building compliance against the original deadline, treating any deferral as a supervening benefit.
NYC LL144 focuses specifically on automated employment decision tools, requiring annual bias audits and candidate notification. The EU AI Act is far broader, classifying all AI systems by risk level and imposing comprehensive obligations on high-risk systems across multiple sectors. NYC organizations using AI for employment decisions face both simultaneously. LL144 obligations are unaffected by the Digital Omnibus.
No. Lexara Advisory LLC is an AI governance consulting firm, not a law firm. We provide compliance consulting, risk assessments, and documentation support. Our founder is a European-barred attorney (Spanish Bar, ICATF 5961) but Lexara does not practice law in the United States and does not provide legal advice.
Get Started

Deadlines do not wait. Start now.

Organizations that begin compliance now have the advantage of time under either the original 2 August 2026 deadline or the deferred 2 December 2027 timeline proposed by the Digital Omnibus. Those that wait face compressed timelines, higher costs, and enforcement risk under either regime. Start with a free five-minute assessment.

Take the free assessment Email us directly

Last updated 8 May 2026 to reflect the Digital Omnibus provisional agreement reached on 7 May 2026.

LA

Lexara Assistant

AI compliance guidance

AI assistant — not a lawyer, not legal advice