1. The three triggers for non-EU companies
Article 2(1) defines the territorial scope of the EU AI Act. It applies to:
- Providers that place AI systems on the EU market or put them into service in the EU — regardless of where the provider is established
- Deployers of AI systems that are established or located in the EU
- Providers and deployers established outside the EU when the AI system's output is used in the EU
The third trigger is the most significant for non-EU companies: if your AI system's output — its recommendations, decisions, classifications, or generated content — is consumed by people or organisations in the EU, the regulation can apply even if your company has no EU presence whatsoever.
2. Scenarios that bring you in scope
US SaaS company selling AI-powered HR software to European employers. The AI screens CVs of EU-based job applicants.
UK company using an AI chatbot on their EU-facing website. The chatbot interacts with EU consumers in real time.
Indian company with no EU office but employing staff in Germany and using AI for performance monitoring of those employees.
US company providing AI credit-scoring API to EU banks. The AI's output directly influences lending decisions for EU consumers.
3. Scenarios that keep you out of scope
US company using AI solely for internal operations in the US, with no EU employees, EU customers, or EU market presence.
Canadian company providing AI services exclusively to Canadian government agencies with no connection to EU territory or persons.
4. The authorised representative requirement
Article 22 requires non-EU providers of high-risk AI systems to appoint an authorised representative established in the EU before placing their system on the EU market. This requirement applies to providers — companies that develop and market high-risk AI.
The authorised representative:
- Is established in one of the EU member states where the system is placed on the market or put into service
- Acts as the formal point of contact with EU national competent authorities and market surveillance authorities
- Holds a copy of the EU Declaration of Conformity and the technical documentation
- Can be required by national authorities to provide documentation and cooperate with audits
- Can be held jointly liable with the provider for non-compliance in some circumstances
The authorised representative can be a law firm, a compliance consultancy, or any legal entity established in the EU and willing to accept the mandate in writing. The appointment must be in a written mandate that specifies the representative's tasks and the AI systems covered.
5. What non-EU companies must do
Non-EU companies in scope have the same obligations as EU-based companies in the same role — provider or deployer. There is no reduced compliance track for non-EU businesses.
| Role | Key obligations | Deadline |
|---|---|---|
| Non-EU provider of high-risk AI | Annex IV technical documentation, conformity assessment, CE marking, EU AI database registration, appoint authorised representative, supply instructions for use to deployers | 2 Aug 2026 |
| Non-EU deployer with EU operations | All Article 26 obligations: human oversight, log retention, worker notification, AI literacy, use per instructions | 2 Aug 2026 |
| Non-EU company with EU-facing chatbot | Article 50(1) chatbot disclosure — inform users they are interacting with AI | 2 Aug 2026 |
| All non-EU companies with EU staff or EU AI use | Article 4 AI literacy — staff dealing with AI must have sufficient AI literacy | Already in force |
Practical steps for non-EU companies
- Determine your role. Are you a provider (you built and sell AI) or a deployer (you use third-party AI in your operations)? This determines which obligations apply. Use the free risk checker to confirm your classification.
- Map your EU exposure. List every AI system you use or sell that touches EU users, EU employees, or EU market outputs. For each, determine whether it is high-risk under Annex III.
- Appoint an authorised representative if you are a provider of high-risk AI selling into the EU. Do this before your next EU customer deal.
- Start AI literacy training now. Article 4 is already in force. If you have EU-based staff using AI, you are already behind.
- Add Article 50 disclosures to any EU-facing chatbot or conversational AI. Use the free disclosure generator.
- Review HR AI use. If you use AI in recruitment or performance management for EU employees, the full high-risk deployer obligations apply — including pre-deployment worker notification.
6. Enforcement against non-EU companies
Enforcement of the EU AI Act against non-EU companies follows the same model as GDPR enforcement. National market surveillance authorities in each member state can investigate and sanction non-EU companies whose AI systems affect persons in that state. The authorised representative is the enforcement target for procedural matters; the non-EU provider remains liable for substantive compliance.
Non-EU companies with no EU presence at all — and no authorised representative — remain theoretically subject to fines, but enforcement is practically harder. However, any EU subsidiary, EU distribution partner, or EU customer relationship creates a jurisdictional hook for national authorities.
The maximum fines are the same as for EU companies: up to €35 million or 7% of worldwide annual turnover for prohibited practice violations, and up to €15 million or 3% of turnover for high-risk AI non-compliance.
FAQ
Does the EU AI Act apply to UK companies after Brexit?
The UK is no longer subject to EU law, and the EU AI Act does not apply automatically to UK-based companies. However, UK companies that provide or deploy AI systems affecting EU users are in scope under Article 2's territorial reach — exactly as any other non-EU company would be. The UK is also developing its own AI governance framework, but it is separate from the EU AI Act.
We have EU customers but our AI processing happens entirely in the US. Are we in scope?
Yes. Where the AI processing happens is irrelevant — what matters is where the output is used and who it affects. If your AI's outputs influence decisions about EU users or are consumed by people in the EU, you are in scope. This is a fundamental aspect of the extra-territorial design of the regulation.
Our EU customers are businesses, not consumers. Does that change anything?
No. The EU AI Act applies based on the risk category and use case of the AI system, not the type of end customer. A high-risk AI system sold to EU businesses (B2B) is subject to the same obligations as one sold directly to consumers. The relevant question is whether the AI's outputs ultimately affect natural persons in the EU.
Can we use the same authorised representative as our GDPR Article 27 representative?
Yes, if that representative is willing to take on the additional mandate and has the capacity to fulfil the EU AI Act representative obligations. The roles are distinct in their legal content — the GDPR representative handles data protection authority contact, the AI Act representative handles market surveillance authority contact — but they can be the same legal entity.