Skip to main content
Does the EU AI Act Apply to Companies Outside the EU?
Compliance Guides

Does the EU AI Act Apply to Companies Outside the EU?

AI Comply HQ Team7 min read

The Short Answer: Your Address Does Not Save You

If you sell into the EU, serve EU users, or your AI's output lands in the EU, the EU AI Act applies to you. It does not matter that your company sits in San Francisco, London, or Singapore. The Act follows your AI's reach, not your postcode. If you have lived through GDPR, this will feel familiar.

So the real question is not "are we exempt because we're outside the EU?" It is "does our AI touch the EU?" The free risk check answers that in about 90 seconds, with no signup to see your result.

See if the Act reaches you (90 seconds)

The Three Ways a Non-EU Company Gets Pulled In

Article 2 draws the boundary, and it is wide. You are in scope if any one of these is true:

  • You place an AI system on the EU market or put it into service in the EU. Selling or offering your AI to EU customers counts, established in the EU or not.
  • You are a deployer located in the EU. An EU branch or subsidiary using AI is covered directly.
  • Your system's output is used in the EU. Even if you and your users sit outside the EU, output that ends up used in the EU puts you in scope.

That third test is the one non-EU companies miss. Your servers, your staff, and your customers can all sit outside Europe, and a single result that lands in the EU still pulls you in.

What "Output Used in the EU" Looks Like

A few concrete cases make it real:

  • A US hiring platform scores candidates, and some of those candidates are in the EU. The output (a ranking) is used in the EU.
  • A non-EU analytics vendor produces an AI risk score that a client relies on to make a decision about a person in Germany. The output is used in the EU.
  • A content tool generates copy that gets published to an EU audience. The output reaches the EU.

In each case the company never set up shop in Europe. The Act still applies.

Your situationIn scope?
Non-EU SaaS with EU customersYes
Non-EU vendor whose AI output reaches people in the EUYes
Any team established or located in the EU using AIYes
No EU users, no EU output, no EU marketNot under the AI Act

Not sure which row is you? The risk check settles it in about 90 seconds.

Check your EU exposure free

Non-EU Providers of High-Risk Systems Need an EU Representative

If you are a provider based outside the EU putting a high-risk system on the EU market, Article 22 adds a step you cannot skip: you must appoint an authorised representative established in the EU, in writing, before the system goes on the market. They hold your technical documentation and act as the contact point for the authorities. Providers of general-purpose AI models have a parallel duty under Article 54.

This one surprises non-EU teams, because it is a real appointment with a real paper trail, not a box to tick later.

"Isn't This Just Like GDPR?"

Yes, in spirit. GDPR reached you if you handled the data of people in the EU, wherever your servers lived. The AI Act borrows the same logic for AI systems. The rough rule of thumb: if GDPR applied to your business, the AI Act deserves a look too. We break down where the two overlap and where they differ in our guide to the EU AI Act vs GDPR.

What Non-Compliance Costs, Wherever You Are

The penalties do not stop at the border. Fines reach €35 million or 7% of global turnover for prohibited practices, and €15 million or 3% for most other breaches. For SMEs, the Act charges the lower of the two. Enforcement reaches non-EU companies through their EU representatives, their importers, and plain market access: a system that cannot show compliance can be kept off the EU market. See our full breakdown of fines and penalties.

In Scope. Now What?

Finding out you are in scope is not the disaster it sounds like. For most non-EU companies the path is short:

  • Classify each system's risk tier. Most land in limited or minimal risk.
  • If anything is high-risk, appoint your EU authorised representative and assemble the technical file.
  • Add the Article 50 transparency notices wherever they apply.
  • Keep the evidence in one place, so you can show it the moment an authority or an enterprise customer asks.

UK and US companies sit squarely in this bucket. Since Brexit, the UK is a third country like any other, so a UK firm whose AI output reaches the EU is treated the same as a company in New York or Toronto.

Your Next 90 Seconds

  1. Check your reach. The risk check tells you whether the Act applies and at what risk tier, in about 90 seconds.
  2. Map the duties. AI Comply HQ turns the answer into your exact obligations and drafts the documentation. A consultant charges €10,000 or more for the same scoping. Our plans start at $97 a month, and the check is free.
  3. Stay ready. One dashboard tracks your systems, your representative duties, and every deadline.
Start your free 7-day trial

Frequently Asked Questions

We have no office or staff in the EU. Are we still covered? Possibly. If your AI's output is used in the EU, or you offer the system to EU customers, Article 2 brings you into scope no matter where you are based.

We are a US SaaS with a handful of EU customers. Does the Act apply? Most likely yes. Serving EU users, or producing output used in the EU, is enough. The size of your EU footprint affects the relief you get, not whether the law applies.

Do we need an EU authorised representative? If you are a non-EU provider of a high-risk system or a general-purpose AI model, yes. Articles 22 and 54 require one, appointed in writing before the system reaches the EU market.

Does this work the same way as GDPR? The extraterritorial logic is the same: the law follows the people affected, not your company's location. If GDPR applied to you, plan for the AI Act too.

For more, see whether small companies have to comply, how to tell if you are a provider or a deployer, what your AI chatbot owes, and the full EU AI Act FAQ.

Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.

Ready to assess your EU AI Act compliance?

Start a guided compliance interview, get your AI system's risk classification, and generate an audit-ready report.

Start Your Free 7-Day Trial

Not ready to sign up? Take the free 90-second risk check →