Short answer: YES. If your AI system is placed on the EU market OR its output is used by or affects EU persons, you are subject to the EU AI Act. Article 2 of the regulation makes this explicit. Your incorporation location is not a defense.
The extraterritorial scope test (Article 2)
Article 2 of the EU AI Act defines who is covered. The regulation applies to:
- Providers placing AI systems on the EU market, regardless of where the provider is established
- Providers and deployers whose AI systems' outputs are used within the EU
- Importers and distributors of AI systems located in the EU
- Deployers of AI systems who are established or located in the EU
The practical test is simple: does your AI system's output reach or affect people in the EU? If yes, the Act applies to you.
US SaaS company with EU customers = in scope. UK fintech using AI for EU loan decisions = in scope. Singapore startup whose chatbot has EU users = in scope. Australian HR software using AI for EU job applicant screening = in scope.
The territorial reach mirrors GDPR's approach: the EU regulates based on where the effect lands, not where the company is headquartered. Incorporation in Delaware, Cayman Islands, Singapore, or anywhere else outside the EU is not a carve-out.
The EU representative requirement
If you're a non-EU provider placing an AI system on the EU market, you must appoint an EU representative by August 2, 2026 (Article 22 of the regulation). This is a hard legal requirement, not a recommendation.
What the EU representative must do:
- Act as the legal point of contact between your company and EU regulatory authorities
- Be authorized to receive enforcement notices, requests for documentation, and communications from national market surveillance authorities on your behalf
- Maintain or have access to your technical documentation and compliance records
- Be established in one of the EU member states (not UK, Switzerland, or EEA non-EU countries)
Who can serve as your EU representative: any natural or legal person established in the EU. In practice, this is typically a law firm with EU AI Act expertise, a compliance consultancy, or a dedicated EU representative service. The representative can cover multiple non-EU providers. Appointing the wrong entity (one that isn't actually established in the EU or doesn't have the right authority) doesn't satisfy the requirement.
Failure to appoint an EU representative when required is itself a violation subject to penalty under Chapter VIII.
What changes based on your risk tier
The specific obligations that apply to your company depend on which tier your AI systems fall into:
Prohibited AI (immediate, regardless of location)
The prohibitions in Chapter II apply globally. If your AI system uses subliminal manipulation, exploits vulnerable individuals, deploys real-time biometric identification in EU public spaces without authorization, or implements social scoring, you must cease those activities. There are no carve-outs for non-EU companies and no grace periods remaining (prohibited practices became binding February 2, 2025).
General-purpose AI (GPAI) models
If you place GPAI models on the EU market, including via API access to EU customers, the full Chapter V obligations apply from August 2, 2025 (already active). This includes: technical documentation per Annex XI, transparency information for downstream operators, a copyright compliance policy documenting how training data was sourced and what opt-outs you honor, and an acceptable-use policy. If your GPAI model exceeds the systemic risk threshold (10^25 FLOPs training compute, or Commission-designated), additional obligations apply including adversarial testing and incident reporting to the EU AI Office.
Limited-risk systems (Article 50 transparency)
If your AI system interacts with EU users (chatbots, voice agents, customer service AI), generates content that EU persons might believe is human-created (AI-written text, images, audio, video), or involves emotion recognition, Article 50 transparency obligations apply from August 2, 2026. The disclosure must be clear and timely, before the user commits to the interaction. Not in the terms of service. Not in a footer. Not after the conversation starts.
Annex III high-risk systems (deferred to December 2, 2027)
If your AI system falls in an Annex III high-risk category (biometric identification, critical infrastructure, education, employment decisions, access to essential services, law enforcement, border management, justice) and it's used to make or assist decisions about EU persons, full conformity assessment obligations, quality management system requirements, registration in the EU AI Act database, and post-market monitoring obligations apply from December 2, 2027. Begin preparation now: conformity assessment documentation takes 3-6 months to complete properly.
Practical steps for non-EU companies before August 2, 2026
Non-EU company action plan
Enforcement reach against non-EU companies
A common misconception is that EU enforcement can't reach non-EU companies in practice. This understates both the mechanism and the commercial stakes:
- Documentation requests: EU Market Surveillance Authorities can formally request compliance documentation from non-EU providers via their EU representative. Failure to respond or provide adequate documentation is itself an enforceable violation.
- Market withdrawal: National authorities can require AI systems to be withdrawn from the EU market or restricted from EU distribution. For a SaaS company with significant EU revenue, this is an existential risk.
- Fine calculation on global turnover: The maximum fine of 7% applies to global annual turnover, not EU-only revenue. A company with $100M in global revenue and 10% from the EU still faces a maximum fine of $7M calculated on global revenue, not $700K on EU revenue.
- Commercial pressure: EU enterprise customers increasingly require suppliers to demonstrate EU AI Act compliance as a procurement condition. Non-compliance becomes a sales disqualifier before enforcement action is ever needed.