I've had this conversation at least thirty times:
Them: "We're a US company. The EU AI Act doesn't apply to us."
Me: "Do you have any customers in Europe?"
Them: "Well, yes, but—"
Me: "Then it applies to you."
The EU AI Act uses the same jurisdictional logic as GDPR: it doesn't matter where your company is incorporated. It matters where your AI system has effects.
The regulation applies to providers (companies that develop AI systems) that place them on the EU market — regardless of where they're based. It also applies to deployers (companies that use AI systems) where the AI output is used in the EU — even if both companies are outside Europe.
The three scenarios that catch people off guard
Scenario 1: The indirect EU user
You're a US SaaS company selling an AI hiring tool to a US recruitment firm. That firm has a Dutch client screening candidates in Amsterdam. Your AI system's output is being used in the EU. The Act applies to you.
Scenario 2: The AI feature you forgot about
Last year your engineering team shipped an AI feature that auto-prioritises tasks based on behaviour patterns. You don't call it "AI" — it's just a smart sorting feature. If it uses machine learning and any users are in the EU, you're likely in scope.
Scenario 3: The output that crosses borders
You operate an AI system entirely in the US. A European subsidiary of one of your clients accesses the reports it generates. The AI output is now being used in the EU.
The good news: risk-based approach
Being in scope doesn't mean heavy compliance obligations. The Act uses a risk-based system — unacceptable, high, limited, and minimal risk. Most AI systems fall into the lower categories with light requirements.
What you should do
Map every product, feature, or internal tool using machine learning. Classify each by risk level. Check your timelines — prohibited practices are already live, and Annex III high-risk obligations arrive 2 December 2027. And understand whether you're a provider, a deployer, or both.
The "wait and see" approach worked for about eighteen months with GDPR before the first major fines landed. I wouldn't count on that grace period this time.