EU AI Act FAQ for US Companies

Answers to the most common questions about EU AI Act compliance for US-based organizations. Updated June 2026 to reflect the Digital Omnibus provisional agreement of 7 May 2026.

Understanding Your Exposure

Does the EU AI Act apply to US companies?

Yes. The EU AI Act applies to any organization that places an AI system on the EU market or puts it into service within the EU, regardless of where the company is incorporated. A US company whose AI system is used by European employees, customers, or partners falls within scope.

My company uses AI for hiring. Does the EU AI Act apply?

Very likely yes. AI systems used in recruitment, CV screening, interview scheduling, or candidate scoring are explicitly listed in Annex III of the EU AI Act as high-risk AI systems. If those systems affect EU-based applicants or employees, compliance obligations apply even if your company has no office in Europe.

What happens if my AI system affects European employees?

If your AI system makes or informs decisions about EU-based workers, it is likely classified as high-risk under Annex III. This triggers mandatory obligations including a conformity assessment, transparency measures, human oversight requirements, and registration in the EU AI Act database before deployment.

Do I need to register my AI system in Europe?

High-risk AI systems under Annex III must be registered in the EU AI Act database managed by the European Commission before they are placed on the market or put into service. US companies without an EU entity must appoint an EU Authorised Representative to fulfill this obligation.

Understanding the Risk

What is a high-risk AI system under the EU AI Act?

Annex III of the EU AI Act lists eight categories of high-risk AI, including systems used in critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. AI used in HR, credit scoring, biometric identification, or public benefit allocation is considered high-risk by default and subject to the strictest compliance requirements.

What fines can a US company receive for violating the EU AI Act?

Fines for prohibited AI practices can reach EUR 35 million or 7% of global annual turnover (Article 99). Violations of high-risk AI obligations carry fines up to EUR 15 million or 3% of global turnover. Providing incorrect information to authorities can result in fines up to EUR 7.5 million or 1.5% of turnover. These fines are calculated on global turnover, not just EU revenue.

What is an EU Authorised Representative for the AI Act?

An EU Authorised Representative is a legal entity or natural person established in the EU that a non-EU provider designates in writing to act on their behalf regarding EU AI Act obligations. The representative handles registration, maintains technical documentation, and serves as the point of contact for EU authorities. SecureFound S.L. (Tenerife, Spain) provides this service for US companies through Lexara Advisory.

Does the EU AI Act apply if I have no office in Europe?

Yes. Physical presence in the EU is not required. The Act applies based on where the AI system is used or who it affects, not where the provider is located. A US company deploying AI that affects EU residents, workers, or users must comply and must appoint an EU Authorised Representative if it has no EU establishment.

Finding Solutions

How do I comply with the EU AI Act as a US company?

Compliance starts with a gap assessment to determine which of your AI systems fall within scope and at what risk level. For high-risk systems, this leads to a conformity assessment, technical documentation, a risk management system, data governance measures, and EU registration. Lexara Advisory provides structured compliance programs tailored to US organizations with European AI exposure.

What is an EU AI Act compliance audit?

A compliance audit evaluates your AI systems against EU AI Act requirements. It covers risk classification, documentation gaps, data governance practices, human oversight mechanisms, transparency obligations, and registration requirements. Lexara Advisory's audit produces a detailed gap report with prioritized remediation steps.

How much does an EU AI Act compliance audit cost?

Pricing depends on the number of AI systems in scope, their risk classification, and the complexity of your data environment. Contact Lexara Advisory for a scoping call and fixed-fee proposal.

Who can help with EU AI Act compliance in New York?

Lexara Advisory LLC is based in New York City and specializes in EU AI Act and GDPR compliance for US organizations with European exposure. As a consulting firm (not a law firm), we provide governance frameworks, gap assessments, technical documentation support, and EU Authorised Representative services through our European entity, SecureFound S.L.

Evaluating Providers

What is included in an AI Act compliance gap assessment?

A gap assessment covers: (1) inventory and classification of all AI systems in scope; (2) risk level determination against Annex III and Annex II criteria; (3) review of existing documentation, data governance, and human oversight practices; (4) identification of compliance gaps against applicable obligations; and (5) a prioritized remediation roadmap with timelines.

Does an EU AI Act consultant need to be a lawyer?

No. EU AI Act compliance is primarily a governance, technical, and risk management discipline. Legal advice on specific regulatory disputes or enforcement proceedings requires a licensed attorney. Lexara Advisory operates as a consulting firm and handles governance frameworks, documentation, and compliance programs. We are not a US law firm and do not provide legal representation.

Lexara Advisory LLC is a consulting firm, not a law firm. The information on this page is for general informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a licensed attorney.