The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024. It is the first comprehensive AI regulation in the world, and its extraterritorial scope means it reaches far beyond the borders of the European Union. If you are a CEO, general counsel, or compliance officer at a US company, this article explains whether the Act applies to you and what you need to do.
Key Requirements
Article 2 of the EU AI Act defines who falls within its scope. The critical provision for US companies is Article 2(1)(c): the Act applies to providers and deployers of AI systems that are established in a third country (like the United States), where the output produced by the AI system is used in the Union This is what makes the EU AI Act fundamentally different from regulations that only apply to companies with a physical EU presence. The scope trigger follows the output, not your office address. If your AI system produces results that are used by, or affect, anyone located in the EU, you are likely in scope. In practical terms, this means a New York fintech whose credit scoring algorithm evaluates EU applicants is in scope. A SaaS company in San Francisco whose AI-powered hiring tool screens candidates for EU-based clients is in scope. A healthcare AI company whose diagnostic tool is used by hospitals in Germany is in scope. The EU AI Act applies to several categories of actors, regardless of where they are established: Providers Deployers
Importers and distributors
A critical point many US companies overlook: deployer obligations exist independently of provider obligations. Even if your AI vendor claims their system is compliant, you remain responsible for how you deploy and use it. Under Articles 26 and 27 of the EU AI Act, deployers of high-risk AI systems must implement human oversight, conduct fundamental rights impact assessments, and ensure proper use in accordance with instructions. The EU AI Act uses a risk-based classification system defined in Article 6. An AI system is classified as high-risk if it falls under one of the use cases listed in Annex III of the Regulation. These eight categories are:
2. Critical infrastructure
3. Education and vocational training
4. Employment and worker management
5. Access to essential services
6. Law enforcement
7. Migration and border control
8. Justice and democracy
For most US companies, the highest-risk areas are employment (Area 4) and essential services (Area 5), particularly credit scoring and insurance underwriting. NYC-based financial services and HR technology companies are especially exposed. The EU AI Act does not become enforceable all at once. The timeline is phased:
February 2, 2025
August 2, 2025
August 2, 2026
Note: The European Commission proposed the Digital Omnibus package in November 2025, which could delay certain high-risk enforcement dates to December 2027. However, this proposal must still pass the European Parliament and Council. As of April 2026, the original August 2026 deadline remains the binding date. Compliance professionals should not treat the Omnibus as a guaranteed extension. The penalty structure is defined in Article 99 of the EU AI Act and follows three tiers: Tier 1 Tier 2 Tier 3 For SMEs and startups, fines are capped at the lower of the two amounts (percentage vs. fixed), providing some proportionality. However, even for smaller companies, the fines are material. GDPR enforcement provides the precedent. EU regulators have already demonstrated willingness to impose fines on non-EU companies, including Meta (€1.2 billion, 2023) and Amazon (€746 million, 2021). With the August 2, 2026 deadline approaching, US companies in scope should take these steps:
Inventory your AI systems.
Create a comprehensive list of every AI system you develop, deploy, or procure from vendors. Include embedded AI in third-party tools.
Classify each system by risk level.
Map each system against the Annex III categories to determine whether it qualifies as high-risk. Document your classification rationale.
Identify your role.
Take our free AI Regulatory Readiness Assessment to evaluate your exposure level and next steps.
Start the Free Assessment