EU AI Act: What US Companies Need to Know

The EU's landmark AI regulation imposes binding obligations on American businesses operating in or selling into the European market. This guide covers risk classification, compliance requirements, extraterritorial reach, and the penalties US companies face for non-compliance.

Key dates and figures at a glance:

  • In force: August 1, 2024
  • Prohibitions apply: February 2, 2025
  • GPAI rules apply: August 2, 2025
  • High-risk rules apply: August 2, 2026
  • Maximum penalty: €35M or 7% of global annual turnover

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law. It applies to any organization — including US-incorporated companies — that places AI systems on the EU market or whose AI outputs are used in the EU. For American businesses, the EU AI Act is not a distant foreign compliance problem: it is an immediate legal obligation with penalty exposure measured in hundreds of millions of dollars.

This guide explains the law's structure, which US companies are covered, what the high-risk AI system classification means in practice, and the concrete compliance steps legal and compliance teams should take now. For a side-by-side view of how US state AI laws stack up, see our Bill Comparator and State-by-State Directory.

What Is the EU AI Act?

The EU AI Act (formally, Regulation (EU) 2024/1689 of the European Parliament and of the Council) was adopted on June 13, 2024 and entered into force on August 1, 2024. It is the world's first legally binding, horizontal regulation governing artificial intelligence as a technology class — not limited to a specific sector, use case, or type of AI model.

The Act takes a risk-based approach: the obligations imposed on a company depend on the risk level of the AI system it develops or deploys. Systems that pose unacceptable societal risks are outright banned. Systems classified as high-risk face extensive pre-market conformity requirements. Lower-risk systems face lighter transparency obligations. Purely minimal-risk applications are largely unregulated.

The EU AI Act is a Regulation (not a Directive), meaning it has direct legal effect in all 27 EU member states without requiring each country to pass implementing legislation. Enforcement is handled by national market surveillance authorities in each member state, with oversight coordination by the newly created EU AI Office within the European Commission — particularly for general-purpose AI models.

The law defines "AI system" broadly: any machine-based system designed to operate with varying degrees of autonomy that can generate outputs such as predictions, recommendations, decisions, or content that influence real or virtual environments. This definition captures a wide range of technologies beyond what is commonly called "AI," including many automated decision-support tools already in widespread business use.

Key Dates and Implementation Timeline

The EU AI Act applies in a phased rollout. Understanding which obligations are already in force and which are approaching is essential for prioritizing your compliance roadmap. Our Deadlines page tracks upcoming AI law effective dates across jurisdictions.

June 13, 2024
Act Adopted. The EU AI Act was formally adopted by the European Parliament and the Council of the European Union.
August 1, 2024
Entry into Force. The regulation entered into force. The 24-month main compliance clock began running.
February 2, 2025
Prohibitions Apply. Chapter II prohibitions on unacceptable-risk AI systems became applicable. Companies must immediately cease any prohibited AI practices.
August 2, 2025
General-Purpose AI Model Rules Apply. Chapter V obligations for GPAI model providers (including large language model developers) apply, along with governance provisions and the EU AI Office enforcement framework.
February 2, 2026
Notified Body Designations. Member states must designate notified bodies for conformity assessment of high-risk AI systems by this date.
August 2, 2026
Full Compliance Deadline for Most High-Risk AI. All obligations for high-risk AI systems listed in Annex III become enforceable. This is the primary compliance deadline for most US companies.
August 2, 2027
Annex I High-Risk AI. High-risk AI systems embedded in products already covered by existing EU product safety legislation (Annex I) have an additional year to comply.

Extraterritorial Reach: How the EU AI Act Applies to US Companies

Many US companies initially assume the EU AI Act is a European compliance problem. This is incorrect. The Act's jurisdictional scope (Article 2) explicitly captures organizations outside the EU under three distinct scenarios:

1. Placing AI Systems on the EU Market

Any company — regardless of where it is incorporated or headquartered — that places an AI system on the EU market (i.e., makes it available to users in the EU for the first time) is a "provider" under the Act and bears the highest compliance obligations. This covers virtually any US software company with EU enterprise or consumer customers using AI-powered products.

2. Putting AI into Service in the EU

Companies that deploy AI systems for their own operational use within the EU — even if those systems were procured from a third-party vendor — are classified as "deployers" and bear a distinct set of compliance obligations. US multinationals with EU offices or operations fall squarely into this category when they use AI tools in HR, finance, customer service, or operations.

3. AI Outputs Used in the EU

The Act also applies when an AI system is not physically located in the EU but its outputs — predictions, decisions, recommendations, generated content — affect persons located in the EU. This means that a US company running AI models entirely on US servers can still be subject to the EU AI Act if European residents are on the receiving end of those outputs. This provision has significant implications for SaaS companies, financial services firms, healthcare AI providers, and any business processing data or making decisions about EU residents.

Who Counts as a Provider vs. Deployer?

This distinction matters enormously because the obligations differ substantially:

  • Providers are companies that develop and place AI systems on the market — this includes software vendors, AI model developers, and companies that put their own name or brand on an AI product. Providers bear the heaviest obligations: conformity assessments, technical documentation, CE marking, registration in the EU database, and post-market monitoring.
  • Deployers are companies that use AI systems developed by others in their own operations. Deployers have lighter but still significant obligations: conducting fundamental rights impact assessments for high-risk AI, ensuring human oversight, maintaining logs, and cooperating with regulators.
  • Importers and distributors in the supply chain also bear specific obligations to verify that the AI systems they handle comply before entering the market.

A single US company can simultaneously be a provider (for the AI tools it builds and sells to EU clients), a deployer (for AI tools it licenses from third-party vendors and uses internally in EU operations), and a distributor. Each role carries different obligations, and the analysis must be done product-by-product and use-case-by-use-case.

The Risk Classification System

The EU AI Act organizes AI systems into four risk tiers. Your obligations — and your penalty exposure — scale with the assigned risk level. Before beginning compliance work, every in-scope company must map its AI systems to the appropriate tier.

Tier 1 — Unacceptable Risk (Banned)
AI practices posing an unacceptable threat to fundamental rights or safety. Prohibited entirely as of February 2, 2025.
Examples: social scoring by governments, real-time remote biometric ID in public spaces (with narrow exceptions), subliminal manipulation, exploitation of vulnerabilities

Tier 2 — High-Risk AI (High Compliance)
AI systems with significant risk to health, safety, or fundamental rights. Subject to extensive pre-market requirements and ongoing obligations.
Examples: CV-screening tools, credit scoring, medical devices, biometric categorization, criminal risk assessment, critical infrastructure AI

Tier 3 — Limited Risk (Transparency Only)
AI systems with specific transparency risks. Must disclose AI nature to users. No pre-market assessment required.
Examples: chatbots, AI-generated content, deepfakes, emotion recognition systems, AI-generated images or audio

Tier 4 — Minimal / No Risk (Largely Free)
The vast majority of AI applications. No mandatory obligations under the Act, though voluntary codes of conduct are encouraged.
Examples: AI-powered spam filters, recommendation engines, video games, inventory management, most productivity tools

For US companies, the most consequential analysis is determining whether any of their AI systems fall into the high-risk category (Annex III). This is where the compliance burden is greatest and where most enforcement action is likely to occur.

High-Risk AI Systems: The Critical Category for US Businesses

Annex III of the EU AI Act lists eight areas in which AI systems are presumptively classified as high-risk. These categories were selected because the AI applications within them have the potential to significantly affect people's lives, livelihoods, rights, or safety. Critically, the classification is use-case-specific: the same underlying AI model can be high-risk in one deployment and minimal-risk in another.

The Eight High-Risk Categories

  1. Biometric identification and categorization of natural persons — including remote biometric identification systems and AI that categorizes individuals based on biometric data to infer sensitive characteristics such as race, political opinion, or sexual orientation. This applies to HR tech companies and identity verification providers.
  2. Management and operation of critical infrastructure — AI used in water, gas, heating, electricity systems, or digital infrastructure that poses risk to the safety or health of individuals. Cloud providers and industrial automation vendors should pay close attention here.
  3. Education and vocational training — AI used to determine access to educational institutions, evaluate students, or assess learning outcomes, including standardized testing AI. EdTech companies with EU customers face direct obligations.
  4. Employment, worker management, and access to self-employment — AI for recruiting and CV screening, assessing candidates during interviews, allocating tasks, monitoring worker performance, or terminating employment contracts. This is one of the most commercially significant categories for US HR software vendors.
  5. Access to and enjoyment of essential private and public services — AI used in creditworthiness assessment, credit scoring, life and health insurance risk assessment, dispatching emergency services, and evaluating eligibility for public benefits. US fintech, insurtech, and financial services firms are heavily exposed here.
  6. Law enforcement — AI used for individual risk assessments in criminal justice, polygraph systems, deep-fake detection, evidence reliability assessment, crime prediction, and profiling. Primarily affects public-sector vendors but also applies to private companies selling to law enforcement.
  7. Migration, asylum, and border control management — AI used to assess risks, verify documents, detect emotional states, and support decisions in immigration and asylum procedures.
  8. Administration of justice and democratic processes — AI assisting courts in researching facts and applying the law, and AI used to influence elections. Legal technology companies and civic tech vendors must evaluate their products carefully.

An AI system falling into one of these categories is not automatically high-risk — the Act includes a filtering mechanism (Article 6(3)) that allows providers to self-assess whether a particular system in these categories poses a significant risk given its actual use context. However, this self-assessment must be documented, and the burden of demonstrating that a Tier 2 system is not actually high-risk falls on the provider. Conservative legal advice is generally to treat any Annex III system as high-risk unless there is a well-documented and defensible basis for exclusion.

For guidance on which algorithmic bias and AI transparency obligations apply to your specific AI applications, review our topic-specific pages alongside this guide.

Compliance Requirements for US Companies

The EU AI Act obligations differ significantly based on both risk tier and role in the supply chain. Here is a practical breakdown of what each category requires.

For Providers of High-Risk AI Systems

Providers of high-risk AI systems bear the heaviest regulatory burden. Before placing a high-risk AI system on the EU market, providers must:

  • Establish and implement a quality management system covering design and development controls, risk management processes, data governance, testing protocols, and post-market monitoring. This must be documented and auditable.
  • Conduct a conformity assessment before market placement — either through internal self-assessment with documentation (for most Annex III systems) or through a third-party notified body (for some biometric and critical infrastructure systems).
  • Maintain comprehensive technical documentation covering system design, architecture, training data description, performance metrics, testing results, risk assessment methodology, and instructions for use.
  • Implement risk management throughout the system lifecycle — a continuous iterative process that identifies and evaluates risks, adopts risk mitigation measures, and tests residual risks.
  • Ensure data governance for training, validation, and testing datasets — including relevance, representativeness, freedom from errors, and documentation of known limitations and biases.
  • Provide technical transparency so that deployers can understand how to use the system correctly — including meaningful instructions, technical specifications, and performance benchmarks.
  • Enable human oversight by designing systems to allow human monitoring, intervention, and override. The system must display appropriate output uncertainty indicators and allow operators to stop or override the system.
  • Achieve required accuracy, robustness, and cybersecurity standards appropriate for the intended purpose. Metrics must be disclosed in the technical documentation.
  • Register the AI system in the EU database for high-risk AI systems before market placement.
  • Affix a CE conformity marking and issue an EU declaration of conformity.
  • Appoint an EU representative if the provider is established outside the EU — this is a specific obligation for US-based companies. The EU representative acts as the point of contact for regulators.
  • Maintain post-market monitoring — actively tracking system performance in real-world conditions and reporting serious incidents to market surveillance authorities within defined timeframes.

For Deployers of High-Risk AI Systems

US companies using high-risk AI systems procured from vendors must comply with deployer obligations:

  • Use the system only as instructed by the provider and within the intended purpose. Any substantial modification that changes the risk profile may reclassify the deployer as a provider.
  • Assign human oversight — designate competent individuals responsible for monitoring the system during operation and trained to identify and address anomalies or risks.
  • Conduct a fundamental rights impact assessment (FRIA) before deploying high-risk AI in sensitive areas — specifically required for deployers that are public bodies or private entities providing public services.
  • Maintain logs generated automatically by the AI system for at least six months (or longer if required by other EU law) and make them available to authorities on request.
  • Provide transparency to affected individuals when the AI system makes or supports consequential decisions about them — including the right to an explanation of the outcome.
  • Notify employees and employee representatives of AI systems used in the workplace that monitor or manage workers.

For Providers of General-Purpose AI Models

US companies that develop and release large foundation models — including large language models (LLMs), multimodal models, and other GPAI models — must comply with a distinct set of obligations effective August 2, 2025:

  • Prepare and maintain technical documentation covering training methodology, compute used (in floating-point operations), evaluation results, and known capabilities and limitations.
  • Comply with EU copyright law, including maintaining a detailed summary of training data that is publicly available.
  • Publish a model card or equivalent summary for downstream providers integrating the model into their products.
  • Models exceeding the training-compute threshold of 10²⁵ FLOPs (or otherwise classified as presenting systemic risk) face additional requirements: adversarial testing (red-teaming), incident reporting to the EU AI Office, cybersecurity measures, and energy efficiency reporting.

For Limited-Risk AI Systems

Companies deploying AI chatbots, AI-generated content systems, or emotion recognition tools have lighter obligations — primarily transparency requirements:

  • Inform users they are interacting with an AI system (unless obvious from context).
  • Mark AI-generated content (images, audio, video, text) in a machine-readable format.
  • Disclose when emotion recognition or biometric categorization is used.

Penalties and Enforcement

The EU AI Act's penalty regime is among the most severe in the history of technology regulation — comparable to GDPR but with even higher maximums for the most serious violations. US companies should not discount enforcement risk on the assumption that EU regulators cannot reach them: the GDPR experience demonstrated that European data protection authorities regularly enforce against US companies operating in the EU market.

EU AI Act Penalty Tiers
€35M / 7%
Prohibited AI practices (Article 99(3)) — Violation of the Chapter II prohibitions on unacceptable-risk AI systems. Fine is the higher of €35 million or 7% of global annual turnover from the preceding financial year.
€15M / 3%
Non-compliance with high-risk AI obligations (Article 99(4)) — Including failure to conduct conformity assessments, maintain technical documentation, or register in the EU database. Fine is the higher of €15 million or 3% of global annual turnover.
€7.5M / 1%
Incorrect or misleading information (Article 99(5)) — Providing false or misleading information to notified bodies or national competent authorities. Fine is the higher of €7.5 million or 1% of global annual turnover.

For SMEs and start-ups, the absolute cap (rather than the percentage) applies where it would result in a lower fine. However, for large US multinationals, the percentage-of-turnover calculation produces fines that can far exceed the stated absolute maxima.

Enforcement Structure

Each EU member state must designate one or more national competent authorities (NCAs) as market surveillance authorities to enforce the Act domestically. These NCAs have broad powers: they can access documentation, conduct audits, order AI systems to be withdrawn from the market, and refer cases for financial penalties. The EU AI Office — housed within the European Commission — has exclusive supervisory jurisdiction over general-purpose AI model providers and can impose penalties directly on GPAI model developers, including those headquartered in the US.

Product liability intersects with the EU AI Act: the EU Product Liability Directive (revised in 2024) extends strict liability to software and AI systems, potentially enabling private civil claims in EU courts against US AI providers when an AI system causes damage. This creates plaintiff litigation risk layered on top of the regulatory penalty exposure.

Our Penalty Tracker documents enforcement provisions across the EU AI Act and US state AI laws for easy comparison.

EU AI Act vs. US State AI Laws: How They Compare

US companies must navigate both the EU AI Act and a growing body of US state-level AI regulation. The two legal regimes differ significantly in scope, structure, and enforcement mechanism. Understanding both is essential for an integrated compliance program. Use our Bill Comparator to run side-by-side comparisons of specific laws.

| Dimension | EU AI Act | US State AI Laws |
|---|---|---|
| Scope | Horizontal — covers all AI systems and all sectors in a single regulation | Sector-specific or use-case-specific (employment, insurance, healthcare, consumer protection) |
| Risk approach | Explicit four-tier risk classification with mandatory requirements per tier | Varies; some states use impact assessments, others use sector-based rules |
| Key US examples | N/A | Colorado SB 24-205, Illinois AEDT (NYC Local Law 144), California AB 2013, Texas SB 2119 |
| Pre-market assessment | Required for high-risk AI — conformity assessment before market placement | Generally no pre-market approval; most obligations are post-deployment |
| Max penalties | €35M or 7% of global turnover | Typically $1,000–$25,000 per violation; some states allow private right of action |
| Enforcement body | EU AI Office + 27 national competent authorities | State attorneys general; some laws allow private civil claims |
| Extraterritorial reach | Explicit — applies to non-EU companies with EU market access or outputs | Generally limited to in-state activity, though some laws reach out-of-state actors affecting residents |
| Transparency requirements | Mandatory for limited-risk AI; extensive documentation for high-risk | Disclosure requirements vary widely by state and sector |

The divergence between EU and US approaches creates a compliance matrix challenge for US companies: EU obligations require prospective, pre-market conformity work, while US state laws typically impose reactive, post-deployment compliance. Building compliance programs that satisfy both regimes requires systematic product-by-product analysis. Browse our state directory to identify which US state laws are already in effect or approaching effective dates.

Practical Compliance Steps for US Businesses

With high-risk AI system obligations applying from August 2, 2026, companies that have not begun compliance work are already running behind. The conformity assessment process for complex AI systems — including risk management documentation, technical documentation, and third-party audits where required — typically requires 12–18 months to complete. The following steps represent a practical starting framework.

  1. Map your AI systems and determine applicability. Inventory every AI system your company develops, sells, or uses. For each system, determine: (1) Is it in scope of the EU AI Act? (2) What is the risk tier? (3) Is your company a provider, deployer, importer, or distributor? Document this analysis in a formal AI system register.
  2. Appoint an EU representative. If you are a US-based provider of high-risk AI systems or a GPAI model, you must designate an EU representative (an entity established in the EU) before placing any high-risk system on the EU market. This is analogous to GDPR's EU representative requirement. Begin identifying candidates now.
  3. Establish a quality management system (QMS). For high-risk AI providers, the QMS must cover risk management, data governance, technical documentation, conformity assessment, and post-market monitoring. If your company already maintains an ISO 9001 or ISO 27001 QMS, assess how it needs to be extended. The EU AI Act aligns with forthcoming harmonized standards under development by CEN-CENELEC.
  4. Build a risk management process for each high-risk system. The risk management process must be iterative across the full product lifecycle: identification and analysis of known and reasonably foreseeable risks, estimation and evaluation of residual risk, and adoption of risk control measures. Document each stage with version-controlled records.
  5. Audit your training data. Data governance requirements are among the most operationally demanding provisions. Training, validation, and testing datasets must be described in technical documentation with information on their source, purpose, collection methodology, known limitations, and bias mitigation measures. Begin data lineage documentation immediately.
  6. Design human oversight into your systems. High-risk AI systems must be technically capable of being monitored and overridden by humans. Review your system architecture to ensure human-in-the-loop or human-on-the-loop mechanisms are implemented. This often requires UI/UX design changes, not just policy changes.
  7. Prepare technical documentation and conformity assessments. For most high-risk systems, conformity assessment is self-conducted but must result in formal documentation. Engage legal counsel and technical experts to draft and review the required documentation package. For biometric AI and certain critical infrastructure AI, third-party notified body involvement is mandatory.
  8. Register in the EU database. Once conformity assessment is complete, providers must register high-risk AI systems in the EUDAMED-equivalent AI system database operated by the EU Commission before market placement.
  9. Implement post-market monitoring. Establish processes to actively collect and review data on system performance in the field, track incidents, and update risk assessments. Serious incidents affecting EU users must be reported to national market surveillance authorities. Define what constitutes a "serious incident" under Article 3 before deployment.
  10. Train relevant personnel. Deployers must ensure that human oversight personnel are appropriately trained. Providers must ensure that instructions for use clearly explain how to interpret system outputs and when to override the system. Document training programs as part of your QMS.

For companies simultaneously managing EU AI Act compliance alongside US state AI law obligations, our Am I Affected? tool and Policy Cheat Sheet can help identify which specific requirements apply to your industry and operational profile.

General-Purpose AI Models: Special Rules for LLM Developers

The EU AI Act contains a dedicated chapter (Chapter V) for providers of general-purpose AI (GPAI) models — broadly, AI models trained on large amounts of data that can be used for multiple downstream tasks. This captures virtually all large language model (LLM) providers: companies like OpenAI, Anthropic, Google DeepMind, Meta, and the dozens of other AI companies offering foundation models via API or open-source release.

Who Is a GPAI Model Provider?

A company is a GPAI model provider if it develops and places a general-purpose AI model on the EU market — including through API access, commercial licensing, or open-source release. Crucially, a company that fine-tunes or modifies an existing GPAI model may also be treated as a provider of the resulting GPAI model if the modification is "substantial."

Systemic Risk Classification

GPAI models presenting "systemic risk" — currently defined as models trained with more than 10²⁵ floating-point operations (FLOPs) or models designated by the EU Commission as presenting systemic risk — face heightened obligations beyond the standard GPAI model requirements. This threshold currently captures the most powerful frontier AI models. Companies should track the EU AI Office's ongoing development of evaluation criteria for systemic risk designation, as the threshold may evolve as compute and capability benchmarks change.

Providers of systemic-risk GPAI models must conduct and document model evaluations, including adversarial testing, before market release and at regular intervals thereafter. Serious incidents — including significant cybersecurity breaches or unintended harmful outputs — must be reported to the EU AI Office promptly.

Related Resources on AI Laws by State

The EU AI Act does not exist in isolation. US companies must track it alongside rapidly evolving US state-level AI regulation. Use the following resources to build a complete picture of your AI compliance obligations:

  • State-by-State AI Law Directory — Browse enacted and pending AI legislation across all 50 states, with status, effective dates, and penalty information.
  • Am I Affected? Tool — Answer a few questions about your industry and operations to identify which AI laws and bills apply to your business.
  • Penalty Tracker — Compare penalty provisions across state and federal AI regulations, including enforcement actions to date.
  • Bill Comparator — Run side-by-side comparisons of specific AI bills across jurisdictions, including key obligation differences.
  • Compliance Deadlines — A unified calendar of upcoming AI law effective dates, updated daily.
  • Algorithmic Bias Regulation — State and federal rules addressing discrimination in automated decision-making.
  • AI Transparency Laws — Disclosure and explainability obligations under state AI laws.
  • AI Law Glossary — Definitions of key legal and technical terms referenced in AI legislation.
  • AI Legislation Trends — Interactive charts showing how AI bills have grown from ~10 in 2016 to 2,182 published in 2026, with breakdowns by state and topic.

Frequently Asked Questions

Does the EU AI Act apply to US companies?
Yes. The EU AI Act explicitly applies to any company — regardless of where it is incorporated — that places AI systems on the EU market, puts AI into service within the EU, or whose AI system outputs affect persons located in the EU. US companies that sell AI-powered products or services to EU customers, or that use AI tools in EU operations, are subject to the Act. The law's extraterritorial reach closely parallels the GDPR's approach.

Which AI systems are classified as high-risk?
Annex III of the EU AI Act lists eight categories of high-risk AI: biometric identification, critical infrastructure management, education and vocational training, employment and HR management, essential private and public services (including credit scoring and insurance), law enforcement, migration and border control, and administration of justice. Within these categories, specific AI applications qualify as high-risk. For example, an AI resume screening tool is high-risk (employment category), but an AI email subject line generator is not. The classification is use-case-specific, not technology-specific.

What are the penalties for non-compliance?
The EU AI Act has three penalty tiers. Violations of the unacceptable-risk prohibitions carry fines up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with high-risk AI system obligations carries fines up to €15 million or 3% of global annual turnover. Providing incorrect or misleading information to regulators carries fines up to €7.5 million or 1% of global annual turnover. For large US multinationals, the percentage-of-turnover calculation produces fines substantially larger than the absolute caps. See our Penalty Tracker for further detail.

When do US companies need to comply?
Compliance deadlines depend on which part of the law applies to your business. The prohibitions on unacceptable-risk AI systems applied from February 2, 2025 — these rules are already in effect. General-purpose AI model obligations applied from August 2, 2025. The main high-risk AI system obligations — including conformity assessments, technical documentation, and EU database registration — apply from August 2, 2026. Companies should begin compliance work now: conformity assessments for complex AI systems typically require 12–18 months to complete. Visit our Deadlines page for a full timeline.

Does a US company need to appoint an EU representative?
Yes. If your company is established outside the EU and you are a provider of a high-risk AI system placed on the EU market, or a provider of a general-purpose AI model placed on the EU market, you must designate an EU representative — a legal entity or natural person established in the EU who acts as your point of contact for national competent authorities. This is a formal legal obligation, not a recommendation. The EU representative must be named in the EU declaration of conformity and the technical documentation. This obligation closely parallels the GDPR Article 27 EU representative requirement many US companies are already familiar with.

Are open-source AI models exempt?
Open-source AI models released under free and open-source licenses receive partial exemptions under the EU AI Act. General-purpose AI model providers releasing model weights under open-source licenses are generally exempt from the technical documentation and transparency obligations that apply to commercial GPAI models — provided the model parameters (weights) are made publicly available. However, this exemption does not apply to GPAI models with systemic risk (above the 10²⁵ FLOPs training-compute threshold), regardless of how they are licensed. Additionally, companies that deploy open-source GPAI models in specific high-risk use cases still bear deployer obligations for those specific deployments.