EU AI Act for US Companies: Extraterritorial Scope and What to Do
No EU entity, no EU servers — still in scope. The EU AI Act applies to any US company whose AI outputs reach EU users. This guide explains the extraterritorial rules, authorized representative requirements, and the five steps US companies must take now.
Last updated: May 2026 · Reading time: 10 minutes
No EU Presence Required to Be in Scope
The EU AI Act is not limited to European companies. Like the GDPR before it, it follows the effect — not the establishment. A US company with no EU entity, no EU staff, and no EU servers is still in scope if its AI system's outputs are used inside the European Union.
This is not a grey area. It is written directly into Article 2 of the regulation.
For US companies that provide AI tools, models, or applications to European customers — or whose platforms are used by EU residents — the AI Act creates mandatory compliance obligations that apply from 2 August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement) for high-risk systems, and from 2 August 2025 for GPAI model providers.
The Exact Legal Basis: Article 2
Article 2 of the AI Act sets the scope of the regulation. It applies to:
- Providers placing AI systems on the EU market or putting them into service in the EU, regardless of where the provider is established (Article 2(1)(a))
- Deployers established or located within the EU (Article 2(1)(b))
- Third-country providers and deployers where the output of the AI system is used in the Union (Article 2(1)(c))
Article 2(1)(c) is the provision that captures US companies with no EU presence. The trigger is the use of the output in the EU — not the location of the provider, the servers, or the processing.
Practical examples of what triggers scope:
- A US SaaS company whose AI-powered hiring tool is used by a European employer to screen candidates in France → in scope
- A US LLM provider whose API is called by a German software company → the US company is a GPAI provider subject to Articles 51–56
- A US analytics platform whose AI risk scores are used by a Dutch bank to make credit decisions → in scope under Annex III §5
- A US company whose AI chatbot is embedded in an EU e-commerce site → in scope for transparency obligations
What does not trigger scope:
- AI systems used exclusively for US customers with no EU user base
- Internal R&D and pre-market development activities (Article 2(6) and (8))
- AI used exclusively for military or national security purposes (Article 2(3))
- Personal, non-professional use by individuals (Article 2(10))
The GDPR Comparison — and Where It Differs
The extraterritorial model mirrors the GDPR's "market participant" test, but with important differences:
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Trigger | Processing personal data of EU residents | AI output used in the EU |
| Role distinction | Controller / Processor | Provider / Deployer / Importer / Distributor |
| Representative required | Yes (Article 27 GDPR) | Yes (Article 22 AI Act) — for high-risk providers |
| Fines | Up to 4% global turnover | Up to 7% (prohibited), 3% (GPAI/high-risk), 1% (information) |
| Enforcement body | National DPAs | AI Office + national market surveillance authorities |
If your company is already GDPR-compliant, you have the compliance infrastructure. But the AI Act requires a separate assessment — the legal triggers, the obligations, and the documentation requirements are distinct.
The Authorized Representative Requirement (Article 22)
Non-EU providers of high-risk AI systems must appoint an authorised representative established in the EU before placing their system on the market. This is a hard requirement, not optional.
The representative must be designated by written mandate and is responsible for:
- Confirming that the EU Declaration of Conformity and technical documentation are properly prepared and conformity assessments have been completed
- Keeping records available to competent authorities for 10 years
- Providing authorities with all necessary information to demonstrate system compliance
- Cooperating with competent authorities on risk reduction and mitigation
- Fulfilling registration obligations in the EU database for high-risk AI systems
Critically: The representative can terminate the mandate if they have reason to believe the provider is in violation of the regulation — and must immediately notify market surveillance authorities when doing so. Choosing a competent, trustworthy EU representative is therefore not a formality.
For GPAI model providers: Article 54 imposes the same representative requirement. If you provide an LLM or foundation model to EU customers and are not established in the EU, you need an EU representative.
There is no equivalent requirement for deployers of limited-risk or minimal-risk systems.
Four Compliance Scenarios for US Companies
Scenario 1 — US Company Providing a High-Risk AI System to EU Customers
You are a provider under the AI Act. You must comply with the full framework: risk management system, technical documentation, conformity assessment, EU Declaration of Conformity, registration in the EU database, and appointment of an EU authorised representative.
Deadline: 2 August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement).
Scenario 2 — US Company Providing a GPAI Model (LLM, Foundation Model)
You are a GPAI provider subject to Articles 51–56. At minimum, you must comply with Article 53: technical documentation, downstream provider information, copyright policy, public training data summary. If your model exceeds 10²⁵ FLOPs training compute, you face additional systemic risk obligations under Article 55.
You must appoint an EU authorised representative (Article 54).
Deadline: 2 August 2025 (already in force).
Scenario 3 — US Company Integrating Third-Party AI into Its Own Product
If you integrate a third-party AI model (from OpenAI, Google, Anthropic, etc.) into a product you sell to EU customers, you are likely a provider of the resulting AI system — even if you did not build the underlying model. The obligations of the AI Act fall on whoever places the final system on the EU market.
You are responsible for conformity assessment, documentation, and EU Declaration of Conformity for your integrated product.
Scenario 4 — US Company Deploying AI Internally for EU Operations
If your company has EU employees or EU operations and uses an AI system to make decisions affecting those people (performance monitoring, task allocation, hiring), you are a deployer subject to Article 26 obligations: human oversight, log retention, worker notification, and potentially a Fundamental Rights Impact Assessment.
The Five Steps US Companies Must Take Now
Step 1 — Map Your EU AI Footprint
Identify every AI system or model that has any output used in the EU. This includes systems used directly by EU customers, systems integrated into products sold in the EU, and internal systems affecting EU employees. Many US companies underestimate this surface area.
Step 2 — Classify Each System
For each system in scope, determine its risk tier:
- Does it fall into an Annex III domain? → High-risk, full compliance framework
- Is it a GPAI model? → Articles 51–56
- Does it interact with users without identifying itself as AI? → Limited risk, Article 50 transparency
- Does it do none of the above? → Minimal risk, no mandatory obligations
Step 3 — Appoint an EU Authorised Representative
If you provide a high-risk AI system or a GPAI model to the EU market, appoint an EU-established authorised representative by written mandate. This person or entity is your legal point of contact with EU authorities. Do not wait until your system is already deployed.
Step 4 — Build the Required Documentation
For high-risk systems: technical documentation (Annex IV), risk management records, conformity assessment, EU Declaration of Conformity, and registration in the EU database.
For GPAI models: technical documentation (Annex XI), downstream provider information package (Annex XII), copyright policy, and public training data summary.
Step 5 — Implement Governance Processes
The AI Act is not a one-time compliance exercise. High-risk systems require ongoing risk monitoring, post-market surveillance, incident reporting, and log retention. Build these into your engineering and operations workflows before the August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement) deadline.
Common Mistakes US Companies Make
"We have no EU entity so we're not covered." Wrong. The trigger is the use of outputs in the EU, not establishment. Article 2(1)(c) is unambiguous.
"Our EU customers are responsible for compliance." Partially. EU deployers have their own obligations under Article 26. But US providers of high-risk systems cannot shift their Article 9–49 obligations to customers. Both sides of the chain have independent duties.
"We'll wait for enforcement." Risky. GPAI obligations have been in force since August 2025. High-risk system obligations apply from August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement). The AI Office has published guidance that non-compliance will be actively investigated — and fines apply to global annual turnover, not just EU revenue.
"The GDPR covered this." No. GDPR compliance is necessary but not sufficient. The AI Act has distinct legal triggers, separate documentation requirements, and different obligations. A GDPR-compliant company may still have significant AI Act gaps.
How DilAIg Helps US Companies
DilAIg's platform is built for exactly this situation: a company outside the EU that needs to understand whether the AI Act applies, what it requires, and how to document compliance efficiently.
The 50-question audit determines your risk tier and role in the AI value chain regardless of your establishment. For high-risk systems, it generates the four mandatory documents — FRIA, EU Declaration of Conformity, Technical Documentation (Annex IV), and Transparency Notice — as professional drafts structured to EU regulatory requirements.
Start your free AI Act audit →
FAQ: EU AI Act and US Companies
Does the AI Act apply if we only have US servers?
Yes. Server location is irrelevant. The trigger is whether your AI system's output is used in the EU.
Do we need an EU entity to comply?
No. You need an EU authorised representative (a person or company with an EU address) if you provide high-risk AI systems or GPAI models. That representative acts as your legal point of contact with EU authorities but does not need to be an entity you own.
What if our EU customers sign a contract saying they are responsible for AI Act compliance?
Contractual allocation of responsibility between parties is permitted for some obligations. But core provider obligations — technical documentation, conformity assessment, EU Declaration of Conformity — cannot be contractually transferred to customers. Deployer obligations (Article 26) remain with the deployer regardless of contract terms.
Are US government agencies exempt?
The AI Act excludes AI systems used exclusively for national security, military, or defence purposes (Article 2(3)). This exemption applies to the specific system and use case — not to an entire company's portfolio.
What are the fines and who enforces them?
The AI Office enforces GPAI obligations. National market surveillance authorities enforce high-risk system obligations. Fines are calculated on global annual turnover: 7% for prohibited practices, 3% for most violations, 1% for incorrect information. The "global" basis means EU enforcement reaches US revenue.
Key Takeaways
- The EU AI Act applies to US companies under Article 2(1)(c): if AI outputs are used in the EU, you are in scope
- This mirrors the GDPR extraterritorial model but with distinct obligations and triggers
- High-risk system providers must appoint an EU authorised representative before market placement
- GPAI model providers (LLMs, foundation models) must comply with Articles 51–56 — deadline was August 2025
- High-risk system obligations apply from August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement)
- Contractual transfers to EU customers do not eliminate provider obligations
- DilAIg's audit determines your risk tier and generates mandatory compliance documents