# EU AI Act for US companies: what you're required to do and when

Your headquarters are in the US. Your compliance obligation is not. Here's exactly where the EU AI Act reaches across the Atlantic — and what you need to do before it catches you unprepared.
The EU AI Act is not a European regulation that happens to mention foreign companies. It is a regulation with explicit extraterritorial reach, designed using the same long-arm architecture as the GDPR. If your AI system is used by anyone in the European Union — whether you sell to them directly, license to a partner who does, or embed AI features in software deployed there — you are in scope.
For US compliance teams, this is the moment to stop treating the EU AI Act as someone else's problem and start treating it as a product requirement, a vendor obligation, and a sales prerequisite. Enterprise customers in Europe are already asking for compliance evidence. Regulators are already active. The enforcement timeline is not abstract — it is a set of specific dates, several of which have already passed.
This guide covers every dimension of EU AI Act compliance that US companies need to understand: what triggers the obligation, which role you occupy under the regulation, what your risk tier means for your workload, where GPAI obligations apply, how the Act stacks with GDPR, and what the timeline actually requires of you at each stage.
## What puts a US company in scope
The Act applies to you if you are placing an AI system on the EU market or putting it into service in the EU. Both of those terms are defined broadly and interpreted broadly.
Placing on the market means making an AI system available for the first time in the EU, whether for payment or free of charge. If you have EU customers using your AI product, you have placed it on the market.
Putting into service means deploying an AI system for use in the EU by an end user. If you are a US company using AI internally to make decisions that affect EU employees, EU customers, or EU citizens, you may be putting it into service in the EU.
The scenarios that most commonly catch US companies off guard:
- **API endpoints available to EU customers.** If your AI API can be called by users with EU IP addresses or EU billing addresses, you are on the EU market. Geo-restriction of documentation or marketing does not help if the API itself is accessible.
- **SaaS products with EU users.** If your platform has EU subscribers, the AI features embedded in that platform are on the EU market. This applies even if your EU business is small relative to your US business.
- **AI features inside products shipped to Europe.** IoT devices, robotics, industrial equipment, vehicles, and any physical goods with embedded AI that are sold into Europe fall under the Act — and in many cases carry additional obligations because they are also regulated products under existing EU product safety legislation.
- **Licensing to EU-facing partners.** If you license your AI model or platform to a partner who has EU customers, you are a provider in the EU supply chain. Your downstream partner's EU exposure is your exposure too. See the supply chain liability section below.
- **Internal AI use affecting EU employees or customers.** A US company using AI to screen EU job applicants, assess EU customer creditworthiness, or make decisions about EU individuals is deploying AI in the EU, even if the system runs entirely on US infrastructure.
The test is not where your company is incorporated or where your servers are. The test is where the AI system's effects land.
## Your role under the Act — and why it determines everything
The EU AI Act assigns obligations based on your role in the AI supply chain. Most US companies occupy more than one role simultaneously, and your obligations differ significantly depending on which role applies to which system.
**Provider** — you develop an AI system and place it on the EU market under your own name or trademark, or have it developed and place it under your name. Providers carry the heaviest obligations: risk management systems, technical documentation, conformity assessment, EU Declaration of Conformity, post-market monitoring, and registration in the EU database for high-risk systems.
If you build AI products and sell them to EU customers, you are a provider. Full stop.
**Deployer** — you use an AI system under your own authority for a specific purpose. Deployers have narrower but real obligations: conducting fundamental rights impact assessments for certain high-risk systems, implementing human oversight in the deployment context, monitoring the system in use, reporting serious incidents, and verifying that your provider has completed conformity assessment.
If you use a third-party AI platform internally — for HR decisions, customer scoring, content moderation — you are a deployer. The provider's compliance does not eliminate yours.
**Importer** — you place an AI system on the EU market that was developed by a provider established outside the EU. This is a role that many US companies create inadvertently when they set up EU subsidiaries or EU-based distribution arrangements. Importers must verify that the provider has completed conformity assessment, that technical documentation is available, and that the system bears the CE marking where required.
**Distributor** — you make an AI system available on the EU market without placing it there yourself. Distributors must verify that systems carry the required markings and documentation before making them available.
The dual-role reality for US companies: if you build AI and also use third-party AI, you are simultaneously a provider for the systems you ship and a deployer for the systems you use internally. Both sets of obligations apply in parallel. Your GDPR team already navigates this kind of layered responsibility — the AI Act requires the same structural thinking.
## Risk tier classification: what it means for US companies specifically
Your compliance workload is determined by which risk tier each of your AI systems falls into. The [EU AI Act risk classification guide](https://joingrasp.com/eu-ai-act/risk-classification) covers the full tier structure in detail. Here is how each tier applies specifically to US company scenarios.
### Prohibited — banned since February 2025
Prohibited AI practices have been unlawful in the EU since February 2, 2025. If any of your systems perform these practices and are accessible in the EU, you are already in violation.
Prohibited practices include social scoring systems that evaluate individuals and use those scores to treat them differently in unrelated contexts, subliminal manipulation below the threshold of conscious awareness, exploitation of vulnerable populations, biometric categorisation based on sensitive characteristics, real-time remote biometric identification in publicly accessible spaces outside narrow law enforcement exceptions, and emotion recognition in workplaces and educational institutions.
What US companies should watch: if your platform includes any employee monitoring AI, sentiment analysis of customer interactions, or behavioural scoring that affects access to services, audit these features against the prohibited list before anything else.
### High-risk — the tier with the most compliance weight
High-risk AI systems are those operating in the categories listed in Annex III of the Act. For US companies, the most commonly triggered categories are:
- **Employment and workforce management.** AI used in hiring — CV screening, candidate ranking, interview analysis, shortlisting — is high-risk. So is AI used for performance evaluation, promotion decisions, task allocation, and termination. If your HR tech product has AI-powered candidate screening and you sell it to European companies, you are a provider of a high-risk AI system. If you use such a platform internally for EU employees, you are a deployer of one.
- **Access to essential services.** AI that makes or significantly influences decisions about credit, insurance, healthcare, or housing is high-risk. US fintech companies, insurtech platforms, and health tech companies selling into Europe need to map every AI feature against this category.
- **Education and vocational training.** AI that determines access to educational institutions, evaluates students, or monitors behaviour during assessments is high-risk. EdTech companies with EU customers should classify their assessment and admissions AI as high-risk by default and work backward from there.
- **Biometric identification.** Any system that identifies individuals from biometric data operates in a high-risk category, with certain practices in the prohibited tier.
- **Critical infrastructure.** AI managing energy, water, transport, or digital infrastructure is high-risk. US companies providing AI to European utilities, logistics operators, or telecoms should classify those systems accordingly.
High-risk obligations for providers include a risk management system maintained throughout the system lifecycle, technical documentation to the Annex IV standard, data governance requirements for training data, transparency and instructions for use, human oversight mechanisms, accuracy and robustness requirements, conformity assessment before EU deployment, EU Declaration of Conformity, CE marking where applicable, registration in the EU AI database, and post-market monitoring.
For the full conformity assessment process, see the [EU AI Act conformity assessment guide](https://joingrasp.com/eu-ai-act/conformity-assessment).
The enforcement date for Annex III high-risk systems is December 2, 2027. Following the AI omnibus political agreement of May 7, 2026, this deadline was extended from August 2026. That extension is not a reason to defer — building a compliant technical file for a single high-risk system takes three to six months minimum. US companies that wait until mid-2027 will not finish in time.
### Limited risk — transparency obligations that are already live
Limited-risk systems carry transparency obligations that apply from August 2, 2026. For US companies, the most common triggers are:
- **Chatbots and conversational AI.** Any system that interacts directly with EU users in a way that could be mistaken for a human must disclose that it is an AI at the start of the interaction. This applies to customer service bots, sales assistants, internal helpdesk tools, and any AI-powered messaging interface accessible to EU users.
- **Synthetic media generators.** AI that generates images, audio, or video of real people must label the output as AI-generated. This applies to marketing tools, video production platforms, and any generative AI used to create synthetic media distributed in the EU.
If your product includes either of these features and has EU users, transparency disclosure requirements are not a future obligation. They apply now.
### Minimal risk — inventory and monitor
Most AI features — spam filters, recommendation engines, fraud detection, productivity AI, search — fall into minimal risk. No specific EU AI Act obligations apply beyond existing EU law.
This does not mean these systems are invisible to compliance. Every AI system in your EU-facing stack should be inventoried and classified. The inventory is the foundation that makes everything else manageable — and the first thing a regulator or enterprise customer will ask for.
## GPAI obligations: the section most US companies miss
General Purpose AI models — large-scale AI systems trained on broad data that can be applied across a wide range of tasks — carry their own set of obligations under the Act that are separate from the risk tier framework. These obligations apply from August 2, 2026.
If your company develops or fine-tunes a foundation model, a large language model, a multimodal model, or any AI system intended for general use across multiple applications, GPAI obligations may apply to you regardless of where your customers are — because the model's effects reach the EU through your customers' deployments.
GPAI obligations for all GPAI model providers include:
- Technical documentation of the model's training methodology, data sources, and performance evaluation, sufficient for providers who deploy your model in EU-facing products to meet their own compliance obligations.
- A policy for complying with EU copyright law — specifically, an opt-out mechanism for content rightsholders who have reserved their rights under the text and data mining exception.
- A summary of the content used to train the model, published and accessible.
Additional obligations for GPAI models with systemic risk — models trained on compute above 10^25 FLOPs, or designated by the European AI Office — include adversarial testing, incident reporting to the European AI Office, cybersecurity measures, and energy efficiency reporting.
For US companies building foundation models that power EU-facing applications: GPAI obligations are not your customers' problem to solve alone. The technical documentation you provide them directly determines whether they can meet their own high-risk compliance requirements. This is both a regulatory obligation and a commercial one — enterprise EU customers will require GPAI-compliant documentation as a procurement condition.
## How the EU AI Act stacks with GDPR
US companies subject to GDPR because they process EU personal data now have a second layer of EU regulation to navigate. The two frameworks overlap significantly but are not duplicates.
Where they align:
- Both require documented risk assessment before deploying systems that process personal data. A GDPR Data Protection Impact Assessment (DPIA) and an EU AI Act Fundamental Rights Impact Assessment (FRIA) cover overlapping ground — run them in parallel and integrate the outputs rather than treating them as separate documents.
- Both require transparency disclosures to individuals affected by automated processing. GDPR Article 22 already requires specific disclosures for solely automated decisions with significant effects. The AI Act's transparency obligations add to this, particularly for limited-risk systems.
- Both require documented accountability structures, named ownership, and records of processing and governance decisions.
Where they diverge:
- GDPR is fundamentally about data. The AI Act is fundamentally about systems and their effects on people. A system can trigger AI Act obligations without processing personal data — and a system can process personal data in ways that trigger GDPR obligations without falling into a regulated AI Act tier.
- GDPR applies to any processing of EU personal data. The AI Act applies to AI systems placed on the EU market or put into service there. The triggers are different, which means your compliance mapping needs to assess both independently and then identify the overlap.
The practical implication for US compliance teams: your GDPR programme is the foundation, not the ceiling. EU AI Act compliance requires extending your existing governance infrastructure — not replacing it. Data governance policies, DPIA processes, breach notification procedures, and data subject rights mechanisms all carry forward. What needs to be added is AI-specific: risk classification, technical documentation, human oversight mechanisms, conformity assessment for high-risk systems, and GPAI documentation where applicable.
## Supply chain liability: the scenario most US companies miss
The EU AI Act creates compliance obligations throughout the AI supply chain, not just at the point of sale to the end user. For US companies, this creates two distinct exposures.
**As a provider whose systems are integrated by EU partners.** If you license your AI model or platform to a European company that integrates it into their product and sells it into the EU market, you are a provider of an AI system on the EU market. Your EU partner's own compliance obligations do not eliminate yours. If your model is used in a high-risk application, the technical documentation, training data governance, and performance standards must meet the Act's requirements at the model level — not just at the application level.
Enterprise EU customers are already including EU AI Act compliance warranties in procurement contracts. If you cannot produce Annex IV-standard technical documentation for your model, you are a risk your EU partners cannot accept. This is becoming a sales qualification issue, not just a legal one.
**As a deployer using third-party AI that affects EU individuals.** If you use a third-party AI system internally to make decisions about EU employees, EU customers, or EU partners, you are a deployer with your own obligations. Your vendor's compliance certificate does not transfer their obligations to you or eliminate yours. You must verify conformity assessment completion, implement human oversight in your specific deployment context, conduct a fundamental rights impact assessment for certain high-risk categories, and monitor the system in use.
The supply chain implication: every AI vendor in your stack that touches EU-facing processes needs to be assessed for their EU AI Act compliance posture. This is not a one-time vendor questionnaire. It is an ongoing monitoring obligation.
## The enforcement timeline: what is due and when
**February 2, 2025 — already passed.** Prohibited AI practices became unlawful. If you have EU-facing AI that falls into any prohibited category, you are already in violation. Audit and remediate immediately.
**August 2, 2026 — nine weeks away.** GPAI model obligations apply. Transparency obligations for limited-risk systems apply — chatbot disclosures, synthetic media labelling. General-purpose AI governance rules take effect. If your product has a customer-facing chatbot accessible to EU users, disclosure is legally required from this date.
**December 2, 2027 — eighteen months away.** High-risk AI system obligations under Annex III fully apply. Conformity assessment must be complete before this date for any high-risk system you are deploying in the EU. Technical files must be audit-ready. Post-market monitoring must be operational.
**August 2, 2028 — two years away.** High-risk AI in regulated products — medical devices, machinery, vehicles, and other CE-marked product categories — must meet conformity assessment requirements. Third-party notified body involvement is required for many of these categories.
The planning implication: eighteen months to December 2027 sounds comfortable. It is not. Inventorying every EU-facing AI system, classifying each by risk tier, building technical documentation for high-risk systems, completing fundamental rights impact assessments, implementing human oversight, and establishing post-market monitoring is a minimum six-month programme for a single high-risk system. Organisations with multiple high-risk systems in their stack should be starting now.
## Practical steps for US compliance teams
**Step 1 — Build the EU-facing AI inventory.** List every AI system your organisation develops, licenses, or uses that is accessible to EU users or that affects EU individuals. Include embedded AI features inside existing platforms. Include AI used internally for decisions about EU employees. Include models licensed to EU partners. The inventory is the foundation. Without it, you cannot classify, assess, or document anything.
**Step 2 — Map your role for each system.** For each system in the inventory, determine whether you are a provider, deployer, importer, or distributor — or a combination. Your obligations differ materially depending on the role. Do this before you start any compliance work, or you will spend time on obligations that do not apply to you and miss ones that do.
**Step 3 — Classify every system by risk tier.** Apply the prohibited check first. Then assess each remaining system against the Annex III high-risk categories. Assign limited-risk classification to chatbots, synthetic media generators, and emotion recognition systems outside prohibited contexts. Assign minimal risk by elimination. Document the classification rationale for every system — the classification decision is itself an auditable record.
**Step 4 — Prioritise GPAI assessment.** If you develop or fine-tune any general-purpose AI model, assess GPAI obligations immediately. August 2026 is the compliance date and it is close. Technical documentation for GPAI models needs to be drafted, reviewed, and ready.
**Step 5 — Begin technical documentation for high-risk systems.** For each high-risk system where you are a provider, begin building the Annex IV technical file. Start with system description, intended purpose, and architecture. Add training data governance documentation. Commission bias and subgroup performance testing. Document human oversight mechanisms. This is a multi-month deliverable — start it now.
**Step 6 — Conduct fundamental rights impact assessments.** For each high-risk system where you are a deployer — particularly employment, education, and essential services AI — begin the FRIA process. Align it with your existing DPIA process where data processing is involved. Document harm scenarios, affected populations, mitigation measures, and residual risk.
**Step 7 — Implement and document human oversight.** For every high-risk system, implement meaningful human oversight — not a policy that says overrides are permitted, but a documented mechanism that gives reviewers access to reasoning, training on system limitations, authority to override without consequence, and a log of override decisions. See the [EU AI Act conformity assessment guide](https://joingrasp.com/eu-ai-act/conformity-assessment) for what meaningful oversight requires in practice.
**Step 8 — Prepare transparency disclosures for August 2026.** For every limited-risk system, draft and implement disclosures. Chatbots need to identify themselves as AI at the start of every interaction. Synthetic media needs labelling. Do not wait until August — build this into your product release cycle now.
**Step 9 — Establish vendor assessment processes.** For every third-party AI system in your EU-facing stack, establish a process for verifying conformity assessment completion, requesting technical documentation, and monitoring for vendor changes that affect your compliance posture. Build this into vendor contracts and renewal processes.
**Step 10 — Build the ongoing monitoring infrastructure.** Post-market monitoring is a legal requirement for high-risk AI providers, not a best practice. Define performance metrics, establish monitoring cadence, build incident logging, and set re-assessment triggers before your December 2027 deadline.
## What EU enterprise customers are already asking for
Compliance requirements are not only regulatory. They are becoming commercial prerequisites. US companies selling AI products into Europe are already encountering these requirements in enterprise procurement:
- Completed or in-progress EU AI Act risk classification for all product AI features.
- Evidence of conformity assessment for high-risk systems.
- GPAI technical documentation for underlying models.
- Contractual warranties of compliance.
- Named data protection officers and AI governance contacts.
- Incident reporting SLAs aligned with EU AI Act notification requirements.
If you cannot produce these on request, you are losing enterprise deals in Europe to competitors who can. The compliance programme is also the sales programme.
## Where to start if you are behind
If your organisation has not yet begun EU AI Act compliance work, the most important first step is inventory and classification — knowing what you have and what tier it falls into. Everything else — documentation, oversight, conformity assessment, GPAI compliance — flows from that foundation.
The [EU AI Act compliance checklist](https://joingrasp.com/blog/eu-ai-act-compliance-checklist) covers the full programme from inventory through to audit-ready governance posture, with each step mapped to the enforcement timeline.
For US companies, the specific priority is identifying EU-facing systems and classifying them before August 2026. The GPAI and limited-risk obligations that apply from that date affect a significant proportion of US AI companies — and they are nine weeks away.
Grasp maps every AI tool in your organisation to its EU AI Act obligations — including extraterritorial obligations for US companies with EU users. See your full compliance picture in one place. [Book a demo →](https://joingrasp.com/book-demo)
This article is for informational purposes only and does not constitute legal advice. For advice specific to your organisation's circumstances, consult qualified legal counsel with EU regulatory expertise.