
Does the EU AI Act Apply to US Companies?

Last updated June 2026 · 8 min read

Quick Answer

Yes — the EU AI Act applies to US companies whenever they place an AI system or general-purpose AI model on the EU market, or when the output of their AI system is used in the EU, even with no EU establishment. US providers of high-risk systems or GPAI models must appoint an EU authorised representative. The same fine ceilings apply (up to €35M / 7% of global turnover). Like GDPR before it, the AI Act reaches well beyond Europe's borders.

The EU AI Act Is Extraterritorial — Just Like GDPR

US companies that assumed the EU AI Act was “a European problem” learned the same lesson GDPR taught a decade earlier: EU digital regulation follows the market, not the company's address. Article 2 of the AI Act sets out a deliberately broad scope. If your AI touches the EU market or EU users, you are very likely in scope no matter where you are headquartered, where your servers sit, or where your engineers work.

The Three Triggers That Pull You In

A US company falls under the Act through any of three routes:

  • Placing on the EU market. If you sell, license, or otherwise make an AI system or GPAI model available in the EU under your name or trademark, you are a provider in scope.
  • Output used in the EU. This is the catch-all. If the output your AI system produces is used by someone in the EU — a recommendation, a score, a generated document, a decision — the Act applies to you as a provider or deployer located outside the EU, even if everything else about you is American.
  • Affecting EU persons through the supply chain. Importers and distributors in the EU have their own duties, which creates contractual pressure up the chain onto US providers to supply compliant systems and documentation.

Are You a Provider or a Deployer?

Your obligations depend on your role. A provider develops an AI system or GPAI model (or has it developed) and places it on the EU market under its own name — this is most US AI vendors and SaaS companies. A deployer uses an AI system under its authority in a professional setting — for example, a US company using an AI hiring tool that screens EU-based applicants. Providers carry the heavier load (documentation, conformity assessment, CE marking); deployers carry oversight, logging, and intended-purpose duties. Use our high-risk definition guide to see which category and risk tier you sit in.

The EU Authorised Representative Requirement

This is the obligation most US companies miss. If you are a non-EU provider of a high-risk AI system or a GPAI model, you must — by written mandate, before going to market — appoint an authorised representative established in the EU. This representative acts as your compliance point of contact: keeping documentation available to authorities, cooperating with regulators, and registering the system. It is a formal legal appointment, not a casual arrangement, and operating in the EU without one where required is itself a breach.

A Compliance Roadmap for US Companies

1. Inventory and classify. List every AI system you offer into, or whose output reaches, the EU, and map each to the four risk tiers. Our free classifier does this quickly.

2. Screen for prohibited uses. Article 5 bans are already enforceable; a US company can be fined for a prohibited deployment reaching the EU. Clear these first.

3. Build documentation for high-risk systems. Stand up the risk management system and Annex IV technical file, then run the conformity assessment.

4. Appoint your EU representative if you are a high-risk or GPAI provider.

5. Leverage NIST. If you already follow the NIST AI Risk Management Framework, much of your risk-management evidence maps onto the AI Act's requirements — reuse it rather than starting over. Our AI governance guide shows how the frameworks line up.

GeraCompliance helps US companies meet the EU AI Act without an EU legal team: a free risk classifier, ready-to-use templates, and a fixed-scope sprint that delivers documentation in days.

Frequently Asked Questions

Does the EU AI Act apply to US companies?

Yes, in many cases. The EU AI Act applies extraterritorially: a US company is in scope if it places an AI system or general-purpose AI model on the EU market, or if the output produced by its AI system is used in the EU — regardless of whether the company has any establishment or presence in the EU. A US SaaS vendor whose AI features are used by EU customers is therefore typically covered.

What is the "output used in the EU" rule?

Under Article 2, the Act applies to providers and deployers located outside the EU where the output produced by the AI system is used within the EU. This is the broadest trigger: even if your company, servers, and users sit in the US, if the AI-generated output is put to use by someone in the EU, the Act can apply.

Do US companies need an EU authorised representative?

Yes, if they are a provider of a high-risk AI system or a general-purpose AI model and are established outside the EU. Before placing the system on the EU market, the non-EU provider must appoint, by written mandate, an authorised representative established in the EU to act on its behalf for compliance matters, including keeping documentation available to authorities.

Is a US company a provider or a deployer under the AI Act?

You are a provider if you develop an AI system or GPAI model (or have it developed) and place it on the EU market or put it into service under your own name or trademark. You are a deployer if you use an AI system under your authority in a professional context. A US software vendor selling an AI product into the EU is usually a provider; a US firm merely using an AI tool internally that affects EU individuals may be a deployer.

What are the fines for US companies under the EU AI Act?

The same penalty tiers apply to non-EU companies: up to €35 million or 7% of global annual turnover for prohibited practices, €15 million or 3% for most high-risk and GPAI obligations, and €7.5 million or 1% for supplying incorrect information. Enforcement reaches US companies through their EU authorised representative, EU market access, and the EU operators in their supply chain.

How does the EU AI Act interact with US AI rules?

The US has no single federal AI law equivalent to the EU AI Act; it relies on sectoral rules, state laws (such as Colorado's AI Act and various biometric and automated-decision laws), and federal guidance like the NIST AI Risk Management Framework. A US company serving the EU generally needs to meet the EU AI Act on top of its domestic obligations, and the NIST AI RMF is a useful bridge because it maps well to the Act's risk-management requirements.
