Lexara Advisory

EU AI Act Readiness for U.S. Companies

A practical guide to EU AI Act readiness for US companies: understanding scope under Article 2, classifying risk under Annex III, and building a compliance roadmap that reflects current regulatory timelines.

June 27, 2026 · By Constantin Razvan Gospodin, Legal AI Risk Manager


The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive horizontal regulation on artificial intelligence. For US companies with any EU-facing AI deployment, readiness is not optional. This guide explains how to assess scope, classify systems, and build a defensible compliance posture. US companies whose AI system outputs affect individuals in the EU fall within the scope of the EU AI Act under Article 2(1)(c). Readiness involves mapping AI systems, classifying risk under Annex III, building technical documentation, and preparing for conformity assessment. The Digital Omnibus deal of 7 May 2026 extended certain Annex III high-risk deadlines to 2 December 2027, but preparation should not be delayed.

What This Means

The EU AI Act applies extraterritorially. Under Article 2(1)(c), any provider or deployer established in a third country — including the United States — is covered if the output of its AI system is used in the Union. This is an output-based test, not a presence-based test. A US company does not need an EU office, subsidiary, or bank account to be in scope. For general counsel and compliance officers, this means the AI Act must be treated as a cross-border compliance obligation on par with the GDPR. The fact that the company is headquartered in New York, San Francisco, or Austin does not create an exemption.

The readiness framework has two tracks: lex lata (the law as it currently stands) and lex ferenda (the law as amended by the Digital Omnibus). Under the original 2024 text, Annex III high-risk obligations were scheduled for 2 August 2026. Under the provisional agreement of 7 May 2026, stand-alone Annex III high-risk obligations now apply from 2 December 2027. Until the Omnibus is formally adopted and published in the Official Journal, both timelines coexist. Prudent organizations plan against the earlier date while monitoring the adoption process.

Key Requirements

Scope mapping under Article 2.

The first step in any readiness program is to determine whether the company is in scope. Article 2(1)(a) covers providers of AI systems irrespective of establishment. Article 2(1)(b) covers deployers established in the EU. Article 2(1)(c) covers deployers in third countries where the output is used in the EU. A US company may be a provider, a deployer, or both.

Risk classification under Article 6 and Annex III.

The AI Act uses a tiered risk framework. Prohibited AI practices (Article 5) are banned outright. High-risk AI systems are those listed in Annex III or used as safety components in products under Annex I. Limited-risk systems are subject to transparency obligations (Article 50). Minimal-risk systems are largely unregulated but subject to voluntary codes of conduct. Annex III lists eight high-risk categories: (1) biometrics; (2) critical infrastructure; (3) education and vocational training; (4) employment and worker management; (5) access to essential services; (6) law enforcement; (7) migration and border control; and (8) administration of justice and democratic processes. For US companies, categories 4 and 5 are typically the most relevant: HR tech, recruiting platforms, credit scoring, and insurance underwriting tools frequently trigger high-risk classification.

Technical documentation under Article 11.

High-risk AI systems must be accompanied by technical documentation demonstrating compliance with the requirements of Chapter III. This includes system architecture, training methodologies, data governance procedures, risk management measures, and performance metrics. Technical documentation is not a marketing document; it is a regulatory artifact that may be reviewed by market surveillance authorities.

Conformity assessment under Article 43.

Before placing a high-risk AI system on the EU market, providers must undergo a conformity assessment. The assessment pathway depends on whether the system is used as a safety component in a regulated product (Annex I) or is a stand-alone Annex III system. For Annex III systems, internal assessment is generally permitted, except for biometric systems which require third-party notification or approval.

EU database registration under Article 71.

Providers of high-risk AI systems must register their systems in the EU AI Act database before placing them on the market. The database is administered by the Commission and is publicly accessible. Registration requires detailed technical and organizational information about the system and its provider.

Human oversight under Article 14.

High-risk AI systems must be designed and deployed with effective human oversight. Deployers must ensure that natural persons are able to correctly interpret system outputs, decide not to use the system in particular situations, and intervene on the operation of the system. This is an operational obligation, not a checkbox.

AI literacy under Article 4.

This obligation has been in force since 2 February 2025. Providers and deployers must take measures to ensure that staff and other persons dealing with the operation and use of AI systems have a sufficient level of AI literacy. This applies to all AI systems, not just high-risk ones.

Practical Steps

Document every AI system the company develops, deploys, or procures. Include third-party tools with embedded AI functions. Map the EU nexus for each system: does the output reach EU individuals, customers, or employees?

2. Classify each system by risk tier.

Map each system against Annex III categories and Article 6 criteria. Document the classification rationale. If a system could reasonably be classified as high-risk, treat it as high-risk until a defensible contrary determination is confirmed.

3. Assess your role in the value chain.


Frequently Asked Questions

Q: What is the first step in EU AI Act readiness?

The first step is an AI inventory that maps every system against the Article 2 scope test and the Article 6 / Annex III risk classification framework. Without this mapping, subsequent compliance steps lack a foundation.

Q: Does the Digital Omnibus delay mean we can postpone readiness work?

No. The Digital Omnibus deal of 7 May 2026 extended certain Annex III deadlines to 2 December 2027, but Article 4 AI literacy and Article 5 prohibitions remain in force. Technical documentation and conformity assessment typically require twelve to eighteen months of preparation. The delay is breathing space, not a reset.

Q: Do US companies need an EU authorized representative?

Under Article 22, providers of high-risk AI systems not established in the EU must appoint an authorized representative before placing the system on the EU market. Deployers do not need a representative, but they remain subject to deployer obligations under Articles 26 and 27.

Q: What is the difference between a provider and a deployer?

A provider develops an AI system and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its authority. A US company may be both: it can develop an AI system (provider) and also use third-party AI tools (deployer).

Q: How long does technical documentation take to prepare?

For complex high-risk AI systems, technical documentation typically requires six to twelve months of structured work. The timeline depends on the maturity of the system, the availability of training data records, and the completeness of existing risk management processes. Starting early reduces the risk of gaps at the conformity assessment stage.

2026-06-27. Regulation (EU) 2024/1689 (EU AI Act); Digital Omnibus provisional agreement, Council Presidency and European Parliament, 7 May 2026; Official Journal of the European Union, 12 July 2024.

US companies whose AI outputs affect EU individuals must assess EU AI Act scope under Article 2, classify systems under Annex III, and prepare technical documentation, conformity assessment, and EU database registration. The Digital Omnibus deal of 7 May 2026 extended certain Annex III deadlines to 2 December 2027. Lexara Advisory supports readiness planning and assessment.

4. Begin technical documentation.


Lexara Advisory LLC provides AI governance consulting and is not a law firm. This article reflects our understanding of applicable regulations as of the date of publication. It does not constitute legal advice. Organizations should consult qualified legal counsel for advice specific to their circumstances.