We are a US company with no EU office and our customers are US-based. Are we in scope?

Possibly. The "output used in the EU" trigger means scope depends on whether the AI's outputs are used in the EU - not where your customers are. If your US customers use your AI to interact with EU users, or if any EU users directly access your AI, you may be in scope. The analysis is fact-specific.

What is an authorised representative and do we need one?

An authorised representative is an EU-established individual or entity you designate in writing to act on your behalf vis-a-vis EU authorities. For non-EU providers of high-risk AI systems it is mandatory (Article 22). The representative must be genuinely empowered - they can be contacted by authorities, receive and act on orders, and cooperate on conformity assessments.

Is the AI Act like GDPR for AI - in terms of extraterritorial reach?

The analogy is apt. Like GDPR, the AI Act uses a market-effects principle: if you are offering AI in or targeting the EU market, or your AI outputs are used in the EU, you are subject to the rules regardless of where you are based. The penalty exposure is similar in scale: up to €35m/7% of global turnover for the most serious breaches.

When do these obligations actually apply to us?

Article 5 prohibitions have applied since 2 February 2025. GPAI rules (Chapter V) apply from 2 August 2025. Most other obligations - including high-risk AI - apply from 2 August 2026 under current law (with the Digital Omnibus possibly deferring high-risk Annex III to 2 December 2027, but this is not yet adopted as of 9 June 2026).

Are open-source AI models we distribute exempt?

Open-source GPAI models are exempt from some Article 53 documentation duties - but this exemption does NOT apply if the model has systemic risk. And the open-source exemption does not override the prohibitions (Article 5) or the high-risk AI rules. So if you distribute an open-source high-risk AI system, you carry provider obligations.

EU AI Act topic guide

EU AI Act for US (and non-EU) companies: extraterritorial scope explained

The EU AI Act is not just for EU businesses. Like the GDPR before it, it was designed to reach global providers whose AI products and services affect people in the EU. The "output used in the EU" trigger in Article 2 is the key - even a US company with no EU office or customers can be in scope if the results of its AI reach EU users. This guide explains the extraterritorial reach and what non-EU companies need to do.

Reviewed by the AI Act Navigator team · Last updated 9 June 2026

TL;DR

The Act applies to providers that place AI on the EU market or put it into service in the EU - regardless of where the provider is established.
It also applies to providers and deployers established outside the EU where the output of the AI system is used in the EU.
A US SaaS vendor whose AI outputs reach EU users is likely a regulated provider under the Act.
Non-EU providers of high-risk AI must appoint an EU-based authorised representative (Article 22).
Notable exclusions: military/defence/national security; AI solely for scientific R&D; purely personal non-professional use.

Classify your AI system Obligations guide

Scope

What this covers

Providers established outside the EU that place an AI system or GPAI model on the EU market (i.e. make it available to EU users, businesses or public bodies).
Providers established outside the EU where the output produced by the AI system is used in the EU - even if the provider has no EU establishment and no EU customers as such.
Deployers established outside the EU where the output of the AI system they use is applied in the EU.
Importers and distributors of AI systems in the EU supply chain, and product manufacturers placing AI-embedded products on the EU market under their own name.
The authorised representative requirement (Article 22): non-EU providers of high-risk AI systems must appoint an EU-established authorised representative in writing, granting them power to act on the provider's behalf toward EU national authorities.

Exclusions from scope (Article 2): AI used exclusively for military, defence or national security purposes by Member States; AI solely for scientific research and development; AI placed on the market or put into service by international organisations for law enforcement purposes; purely personal non-professional use. Open-source AI is not automatically excluded - it is only exempt where it is not high-risk, not prohibited, and does not carry GPAI systemic risk.

Source: Regulation (EU) 2024/1689 (EUR-Lex)

Compliance challenges

Key compliance challenges

The "output used in the EU" test is broad and not yet tested in enforcement - it likely captures any AI service whose outputs (generated content, decisions, recommendations) reach EU-located persons, even if the contract is with a non-EU entity.
Appointing an authorised representative: this requires an EU-established individual or entity with real authority and accountability - it cannot be an empty post-box arrangement.
Simultaneous obligations: a non-EU high-risk AI provider must meet all the same Chapter III obligations as an EU provider (risk management, data governance, conformity assessment, CE marking, registration in the EU database, post-market monitoring).
GPAI extraterritorial scope: a non-EU company training and distributing a GPAI model that EU users access is in scope for GPAI Chapter V obligations.

The EU AI Act applies a risk-based approach: obligations scale with the level of risk posed. AI Act high-level summary

What to do

Determine whether your AI products or services reach EU users, EU-based businesses, or EU public bodies - if yes, you are likely in scope.
Classify your AI systems under the Act's risk tiers (prohibited, high-risk, transparency-risk, minimal risk) to understand which obligations apply.
Identify any high-risk AI systems: these require the full Chapter III compliance programme and an EU authorised representative.
If you provide GPAI models accessible to EU users: assess GPAI Chapter V obligations (applicable since 2 Aug 2025).
Appoint an EU authorised representative for high-risk systems (required by 2 Aug 2026 under current law); register high-risk systems in the EU AI database.
Review contracts with EU customers to ensure they contain the required information and documentation handover for deployers.

For the full obligations breakdown, see the AI Act obligations guide, and for role-specific duties see the provider vs deployer guide.

FAQ

AI Act for US companies: common questions

We are a US company with no EU office and our customers are US-based. Are we in scope?: Possibly. The "output used in the EU" trigger means scope depends on whether the AI's outputs are used in the EU - not where your customers are. If your US customers use your AI to interact with EU users, or if any EU users directly access your AI, you may be in scope. The analysis is fact-specific.
What is an authorised representative and do we need one?: An authorised representative is an EU-established individual or entity you designate in writing to act on your behalf vis-a-vis EU authorities. For non-EU providers of high-risk AI systems it is mandatory (Article 22). The representative must be genuinely empowered - they can be contacted by authorities, receive and act on orders, and cooperate on conformity assessments.
Is the AI Act like GDPR for AI - in terms of extraterritorial reach?: The analogy is apt. Like GDPR, the AI Act uses a market-effects principle: if you are offering AI in or targeting the EU market, or your AI outputs are used in the EU, you are subject to the rules regardless of where you are based. The penalty exposure is similar in scale: up to €35m/7% of global turnover for the most serious breaches.
When do these obligations actually apply to us?: Article 5 prohibitions have applied since 2 February 2025. GPAI rules (Chapter V) apply from 2 August 2025. Most other obligations - including high-risk AI - apply from 2 August 2026 under current law (with the Digital Omnibus possibly deferring high-risk Annex III to 2 December 2027, but this is not yet adopted as of 9 June 2026).
Are open-source AI models we distribute exempt?: Open-source GPAI models are exempt from some Article 53 documentation duties - but this exemption does NOT apply if the model has systemic risk. And the open-source exemption does not override the prohibitions (Article 5) or the high-risk AI rules. So if you distribute an open-source high-risk AI system, you carry provider obligations.

Get AI Act-ready

Use the risk classifier to find your system's tier, then explore the obligations and checklist for your role.

Classify your AI system

This is guidance, not legal advice

This is guidance to help you understand how the EU AI Act applies to ai act for us companies, not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified legal adviser.

Sources

[1]Regulation (EU) 2024/1689 (EU AI Act) - EUR-Lexretrieved 9 Jun 2026
[2]European Commission: AI regulatory frameworkretrieved 9 Jun 2026
[3]AI Act Explorer: high-level summaryretrieved 9 Jun 2026
[4]AI Act implementation timelineretrieved 9 Jun 2026
[5]Council of the EU: Digital Omnibus provisional agreement, 7 May 2026retrieved 9 Jun 2026

The AI Act Brief

Subscribe to The AI Act Brief

We watch Brussels so you don't. Plain-English EU AI Act updates, free.

No spam. Unsubscribe anytime.

categoryWhat this covers

priority_highKey compliance challenges

checklistWhat to do

helpAI Act for US companies: common questions