EU AI Act for US Companies: Extraterritorial Compliance Guide
The EU AI Act applies to you if your AI affects EU citizens — even if your company has zero EU presence. This guide explains the extraterritorial scope, EU representative requirements, and the practical compliance path for US-headquartered businesses.
Last updated: April 29, 2026
Does the EU AI Act Apply to Your US Company?
Yes, in any of these scenarios:
- You place an AI system on the EU market (sell, license, or make available to EU customers)
- You provide an AI system whose output is used in the EU
- You deploy an AI system within the EU, regardless of where the system is hosted
- You are a US-based provider whose model is integrated into a downstream EU product
Cloud-hosted SaaS counts. Web-based AI tools accessible to EU users count. There is no de minimis threshold for EU exposure.
EU Representative Requirement
Article 22 requires non-EU providers to appoint an authorized representative:
Non-EU providers of high-risk AI systems must designate an EU-established authorized representative before placing the system on the EU market. The representative is the point of contact for EU regulators and must hold the technical documentation.
What US Companies Must Do
A practical compliance roadmap for US-headquartered organizations:
- Inventory AI systems with any EU exposure
- Classify each under Article 6 / Annex III
- Implement the Articles 9–14 controls for high-risk systems
- Designate an EU representative if you're a non-EU provider of high-risk AI
- Complete conformity assessment and CE marking
- Register in the EU AI database
- Decide which authority is your lead supervisor (typically the country of your EU representative)
Interaction with US Frameworks
US companies can leverage existing compliance programs:
- NIST AI RMF aligns well with Article 9 risk management and is a useful crosswalk
- NYC LL144 (HR AI bias audits) overlaps with Annex III employment-AI obligations
- State laws (CO AI Act, CT, IL) are converging on a similar risk-based model — a single internal program can serve multiple jurisdictions
- SOC 2 / ISO 27001 are not substitutes for AI Act conformity, but their controls ladder up cleanly