Companies operating globally face a compliance challenge that is simultaneously more urgent and more fragmented than any previous technology regulatory wave: the EU AI Act imposes a unified, risk-tiered framework across 27 member states, while the United States has produced a patchwork of state laws with different scopes, penalty structures, and enforcement mechanisms. For a multinational deploying AI systems, understanding how these frameworks overlap, diverge, and sometimes conflict is essential to building a coherent global compliance program.
The Structural Difference: Binding Regulation vs. Legislative Patchwork
The most fundamental difference is structural. The EU AI Act (Regulation (EU) 2024/1689), which entered into force on August 1, 2024, is a directly binding EU regulation that applies uniformly across all 27 EU member states and is enforced by a combination of national competent authorities and the newly created EU AI Office. A company that complies with the EU AI Act is compliant across all EU jurisdictions for the covered provisions; there is no patchwork to navigate within the EU.
In the United States, there is currently no equivalent federal AI law. The result is a growing patchwork of state laws, each with different scopes, definitions, exemptions, and enforcement mechanisms. A company that complies with Colorado SB 205 must separately analyze its obligations under California's AI laws, NYC Local Law 144, Illinois AIVIA, and whatever laws other states have enacted. There is no "comply with one, comply with all" option in the US system.
The EU AI Act's Risk-Based Framework
| Risk Tier | Examples | Treatment |
|---|---|---|
| Unacceptable Risk | Social scoring by governments; real-time facial recognition in public spaces (narrow exceptions) | Prohibited outright |
| High Risk | AI in hiring, credit, education, critical infrastructure, healthcare, law enforcement | Mandatory conformity assessment, documentation, human oversight, EU database registration |
| Limited Risk | Chatbots, deepfakes | Transparency obligations (disclose AI identity) |
| Minimal Risk | Spam filters, AI in video games | No mandatory requirements (voluntary codes of conduct) |
The "prohibited" category is a feature of the EU AI Act with no clear US equivalent at the federal level. Certain AI practices that the EU bans outright—real-time biometric surveillance in public spaces by private entities, emotion recognition in workplaces—are not prohibited under most US state laws.
US State Laws: How They Map to EU Risk Tiers
The closest US analogs to the EU's "high-risk AI" requirements are:
- Colorado SB 205: The most structurally similar US law to the EU AI Act. Both use a consequential decision / high-risk framework, require impact assessments, mandate risk management programs, and impose transparency obligations. Colorado's law, however, lacks the EU's supply chain requirements for providers placing systems on the market.
- NYC Local Law 144: Focused narrowly on employment AI in one jurisdiction, with bias audit requirements that overlap with the EU's requirement for testing against protected characteristics in high-risk HR AI systems.
- Illinois AIVIA: Consent and disclosure requirements for AI video interviews parallel the EU AI Act's requirements for AI systems used in employment decisions.
Penalty Comparison
| Framework | Maximum Penalty | Notes |
|---|---|---|
| EU AI Act (prohibited AI violations) | €35 million or 7% of global turnover | Whichever is higher |
| EU AI Act (high-risk AI violations) | €15 million or 3% of global turnover | Whichever is higher |
| EU AI Act (providing incorrect information) | €7.5 million or 1.5% of global turnover | Whichever is higher |
| Colorado SB 205 | $20,000 per violation | AG enforcement only; 60-day cure period |
| California AB 325 / SB 763 | $6M (corporate); $1M (individual) per violation | Plus treble damages in private actions |
| NYC Local Law 144 | $1,500/day per violation | City enforcement only; no private action |
The EU's global-revenue-based penalty structure means that for a large multinational, violations of the EU AI Act can represent penalties many times larger than equivalent violations of US state laws. For a company with $10 billion in global revenue, a 7% turnover penalty for a prohibited AI use would be $700 million—no US state law approaches that scale. See our penalty tracker for a full breakdown of US state AI law penalties.
Extraterritorial Scope: Which Law Reaches Further?
The EU AI Act applies to providers placing AI systems on the EU market (regardless of where they are established), deployers of AI systems located in the EU, and providers and deployers outside the EU when the AI system's output is used in the EU. This extraterritorial reach mirrors the GDPR model and directly affects US companies with EU-facing products.
US state laws are generally triggered by the location of the affected consumer (Colorado, California) or the location of the job (NYC LL 144), not the location of the company. The practical reach is similar in many cases, but the legal theory and compliance infrastructure differ significantly.
Implementation Timeline Comparison
| Milestone | EU AI Act Date | US Equivalent |
|---|---|---|
| Prohibited AI provisions effective | February 2, 2025 | No direct federal equivalent |
| General-purpose AI (GPAI) model rules effective | August 2, 2025 | California AB 2013 training data disclosure: Jan 1, 2026 |
| High-risk AI (HR, credit, education) effective | August 2, 2026 | Colorado SB 205: June 30, 2026; NYC LL 144: July 2023 |
| Full high-risk AI obligations | August 2, 2027 | Ongoing state legislative expansion |
Building a Unified Compliance Strategy
For global companies, the most efficient approach is to use EU AI Act compliance as the foundation and map US state obligations to it:
- Conduct an AI system inventory using EU risk-tier classifications. Systems you classify as high-risk under the EU AI Act will almost certainly require compliance attention under US state laws as well.
- Align impact assessments. The EU AI Act's required conformity assessment and Colorado SB 205's required impact assessment cover substantially overlapping ground. A single assessment framework, adapted for each jurisdiction's specific requirements, is more efficient than two separate processes.
- Use NIST AI RMF as the bridge standard. The NIST AI RMF is referenced in Colorado SB 205 (as a basis for the affirmative defense) and in EU AI Act compliance guidance. Adopting NIST AI RMF supports both compliance programs simultaneously.
- Map documentation requirements. Both frameworks require model cards, dataset documentation, impact assessments, and incident reports. A single documentation system that captures required information for both jurisdictions reduces duplication. Organizations evaluating tooling for this can compare AI compliance vendors that cover both EU AI Act and US state law requirements.
- Identify where EU is stricter. The EU AI Act's prohibition on certain biometric identification and social scoring practices has no US equivalent. For AI systems in those categories, EU compliance requirements set the global standard for your organization.
For a detailed side-by-side comparison of EU AI Act provisions and US state law equivalents, visit our EU AI Act vs. US laws comparison tool.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.