The EU AI Act's extraterritorial reach — explained
The EU AI Act is not just a law for European companies. Article 2(1) sets out exactly who it applies to:
Article 2(1)(c): The regulation applies to "providers and deployers of AI systems that are established in third countries, where the output produced by those AI systems is used in the Union."
This is the extraterritoriality clause. In plain terms: if your AI makes decisions or generates content that people in the EU act on — whether they are your customers, employees, or end users — the EU AI Act applies to you, regardless of where your company is registered.
The "output used in the Union" test
The key legal test is not where the AI runs, but where its output is used. Examples of output "used in the Union":
- A US SaaS company's AI feature is used by EU-based customers
- An India-based company uses AI to screen CVs of candidates applying for EU-based roles
- A UK company deploys an AI chatbot on its website that serves EU users
- An Australian company uses AI to approve or decline loans for EU residents
What about companies that only sell to businesses (B2B)?
B2B does not exempt you. If the downstream business is EU-based and uses your AI output within the EU, that is sufficient. The test is whether EU persons are affected by the AI output — whether they are the direct user, a customer, or a candidate.
Provider vs deployer — which are you?
If you build an AI system and place it on the EU market (sell it, license it, offer it as a service), you are a provider. Provider obligations are heavier: Annex IV technical documentation, conformity assessment, CE marking, EU representative appointment.
If you use a third-party AI system in your business operations that affect EU persons, you are a deployer. Deployer obligations are lighter but still real: candidate/user disclosure, human oversight, log retention, registration.
You can be both — if you build an AI product for your own use that also serves EU customers, you may have both sets of obligations.
EU representative requirement
If you are a non-EU provider of a high-risk AI system (or a GPAI model), you must appoint an EU authorised representative — a legal entity or person established in the EU who acts as your point of contact for regulators. This is similar to the GDPR representative requirement. Failing to appoint one is itself an infringement.
Frequently asked questions
Does the EU AI Act apply to US companies?
Yes, if their AI system's output is used in the EU. Article 2(1)(c) explicitly includes providers and deployers established in third countries (which includes the US) where the AI output is used in the Union. The test is not where the company is based — it is where the AI output is consumed.
Does the EU AI Act apply to UK companies post-Brexit?
Yes. After Brexit, the UK is a "third country" for EU law purposes. UK companies are subject to the same extraterritoriality analysis as US or Indian companies. The UK has its own separate AI governance framework, but that does not exempt UK companies from EU obligations when their AI affects EU users. If you serve EU customers or employees with AI, the EU AI Act applies.
We have no EU employees or customers. Are we exempt?
If your AI system genuinely produces no output used in the EU — no EU users, no EU customers, no EU residents in any affected group — you fall outside the scope of Article 2. However, if a single EU resident is in your user base and your AI makes a consequential decision about them (e.g. a credit score, a hiring decision, a content recommendation), that is likely sufficient to trigger scope. Evaluate carefully before concluding you are exempt.
We only use AI internally (not in any product). Does it apply?
Yes, if you use AI in internal processes that affect EU employees. Deployer obligations under Article 26 apply when you use a high-risk AI system in your operations — including HR tools, performance management, or workforce monitoring — and those processes affect EU-based employees. Using AI only to process non-EU data about non-EU people would be out of scope.
What is an EU authorised representative and do I need one?
An EU authorised representative is a legal entity or natural person established in the EU who is formally designated by a non-EU provider to act on their behalf. They are the point of contact for EU market surveillance authorities. Non-EU providers of high-risk AI systems (and providers of GPAI models) must appoint one before placing their system on the EU market. Failing to appoint one can result in fines of up to €15M or 3% of annual turnover.