EU AI Act Compliance

EU AI Act for Non-EU Companies: What You Must Do Before August 2026

If your company is based outside the EU but deploys AI systems to European users, the EU AI Act applies to you. Here is exactly what that means and what you need to do.

· 6 min read · By

EU-law graduate (Maastricht University) · MSc International Tax Law (AI & technology). Builds AI systems and advises SMEs on EU AI Act compliance.

The EU AI Act applies to eu ai act non eu companies just as firmly as it applies to Dutch or German businesses. If you ship an AI-powered product to a user in Amsterdam, Paris, or Warsaw, you are inside the scope of this regulation. Location of incorporation does not create an exemption.

This matters for US SaaS platforms, UK software vendors, Swiss HR tech providers, and anyone else whose output reaches people on European soil. The rules are not limited to companies with a legal entity in the EU. They follow the AI system to wherever its effects land.

What Article 2 Actually Says

Article 2 of the EU AI Act sets the territorial scope. The regulation applies to:

  • Providers who place an AI system on the EU market or put it into service in the EU, regardless of where the provider is established.
  • Deployers of AI systems who are located in the EU.
  • Providers and deployers located outside the EU when the output of the AI system is used inside the EU.

That last bullet is the critical one. A US company whose AI model produces decisions affecting EU residents is a provider under the Act. A Swiss platform whose outputs are consumed by EU-based HR departments falls in scope. The physical location of your servers is irrelevant. What matters is where the effect lands.

There are limited carve-outs: AI systems used exclusively for military or national security purposes by non-EU countries, and research activities not yet placed on the market. Standard commercial SaaS products do not qualify for these exemptions.

The Risk Class Determines Your Obligations

Not every obligation kicks in on day one. The AI Act is structured around four risk categories: unacceptable risk (banned outright), high risk, limited transparency risk, and minimal risk.

If your product falls into the high-risk category defined in Annex III, the compliance burden is substantial. High-risk use cases include AI used in recruitment and CV screening, creditworthiness assessment, biometric identification, education and vocational training, and critical infrastructure management.

For high-risk systems, non-EU providers must meet requirements that include:

  • Conformity assessments before placing the system on the EU market
  • Technical documentation proving the system meets accuracy, robustness, and cybersecurity standards
  • Registration in the EU database for high-risk AI systems (operational from August 2026)
  • Post-market monitoring and incident reporting obligations

Limited-risk systems, such as chatbots, carry lighter obligations: primarily transparency requirements under Article 50, which require users to be informed they are interacting with an AI.

Article 22: The Authorized Representative Requirement

This is where many non-EU companies get caught off guard. Article 22 requires that any provider established outside the EU who places a high-risk AI system on the EU market must appoint an authorized representative located in the EU before that system reaches European customers.

The authorized representative is not a formality. They carry real legal weight. Specifically:

  • They must be designated in writing by the non-EU provider.
  • They act as the single point of contact for EU market surveillance authorities.
  • They verify that the conformity assessment has been completed and that the required technical documentation exists.
  • They can be held jointly liable for non-compliant systems.

This is analogous to the GDPR's Article 27 representative requirement, which many US companies already handle through a European law firm or compliance service. The AI Act representative is a separate appointment and covers different obligations.

If you have a US-based SaaS platform used by 5,000 EU employees for performance appraisals or recruitment shortlisting, that system very likely qualifies as high-risk under Annex III. Without an authorized representative in place, you cannot legally place that system on the EU market once the high-risk provisions are fully enforced.

Key Dates Non-EU Companies Must Track

The AI Act entered into force on 1 August 2024. Obligations phase in over a 36-month transition period:

  • 2 February 2025: Prohibited AI practices (Article 5) became enforceable. If any feature of your product involves social scoring of natural persons or real-time biometric surveillance in public spaces, this has already applied.
  • 2 August 2025: Obligations for General-Purpose AI (GPAI) model providers take effect, plus AI literacy requirements under Article 4 apply to all operators.
  • 2 August 2026: High-risk AI system obligations under Annex III become fully enforceable. This is the deadline for conformity assessments, EU database registration, and authorized representatives.

The 2026 deadline feels distant. It is not. Conformity assessments, technical documentation, and governance processes take months to prepare properly. Companies that start in early 2026 will miss the window.

What US SaaS Platforms Need to Do Now

If your product is used by EU customers, here is the practical sequence:

Step 1: Classify your system. Map every AI feature against the Annex III categories. This is not a legal opinion exercise; it is a product and compliance team exercise that should take two to four weeks.

Step 2: Check for prohibited features. Article 5 bans are already active. Subliminal manipulation, social scoring, and certain biometric categorisation features are illegal now, not in 2026.

Step 3: Appoint an authorized representative if required. If you have any Annex III use cases, you need a named entity in an EU member state. This should be a contracted service with clear accountability, not a loose arrangement with a local partner.

Step 4: Prepare technical documentation. Article 11 specifies what this documentation must contain, including system architecture, training data, performance metrics, and intended purpose. Start drafting now; it is not a short document.

Step 5: Build your conformity assessment process. Most Annex III systems can self-assess using internal procedures. Some categories, particularly biometric systems and certain critical infrastructure applications, require third-party notified bodies.

Step 6: Register in the EU AI database. Once operational, the EU database for high-risk AI will require providers to submit key information about their systems. This is a public-facing registry. Regulators and users will be able to look your product up.

Penalties Are Designed to Reach You

The fines under the AI Act are structured as percentages of global annual turnover. For violations involving prohibited practices, the maximum is €35 million or 7% of global annual turnover, whichever is higher. For high-risk system non-compliance, it is €15 million or 3%. For incorrect or misleading information provided to authorities, €7.5 million or 1.5%.

These figures apply to global turnover. A US company with $200 million in worldwide revenue faces a potential €14 million fine for high-risk non-compliance, even if its EU revenue is modest. The enforcement mechanisms are built to ensure that extra-territorial application has real teeth. EU market surveillance authorities can coordinate with each other and can effectively block non-compliant products from the EU market.

The Interaction With GDPR

Many non-EU companies already have GDPR compliance programmes in place. The AI Act works alongside GDPR, not instead of it. AI systems that process personal data must comply with both frameworks simultaneously. Where AI systems are used in high-risk contexts and involve personal data, a Data Protection Impact Assessment (DPIA) under GDPR and a Fundamental Rights Impact Assessment (FRIA) under the AI Act will often need to run in parallel.

The European Commission's guidance on AI and data protection confirms that the two frameworks are complementary and that supervisory authorities are expected to coordinate enforcement.

If you already have an Article 27 GDPR representative in the EU, that person or entity cannot automatically serve as your Article 22 AI Act representative. These are separate legal appointments covering separate obligations.

One Action to Take This Week

Pull a list of every AI feature in your product that touches EU users. Mark each one against the Annex III category list. If anything appears on that list, schedule an authorized representative review before the end of the quarter. That single step keeps you on the right side of the August 2026 deadline.

Not sure where your product sits on the risk spectrum? Run your AI system through the free 2-minute compliance check at comply.khairos.ai and get a clear starting point.

Need help getting compliant?

The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.

Start the free check →