Quick answer

The EU AI Act applies to companies with no EU presence in three situations: placing an AI system on the EU market, putting one into service in the EU, or having the output of an AI system used in the EU. Non-EU providers of high-risk systems must also appoint an EU-based authorised representative.

Updated June 2026 · MmowW AI Compliance

EU AI Act for Non-EU Companies: How Extraterritorial Reach Works

How Does the EU AI Act Reach Non-EU Companies

Regulation (EU) 2024/1689 was written with global supply chains in mind, and Article 2 extends its scope well beyond the borders of the Union. A company headquartered in New York, London, Tokyo, or Singapore is covered in three situations. First, when it places an AI system or a general-purpose AI model on the EU market, meaning it makes the system available for distribution or use in the EU, whether for payment or free of charge. Second, when it puts an AI system into service in the EU. Third, and most far-reaching, when both providers and deployers are located outside the EU but the output produced by their AI system is used within the EU. The location of servers, the place of incorporation, and the currency of the contract are all irrelevant; what matters is where the system, or its results, lands.

What the Output-Use Rule Means in Practice

The output-use provision exists to stop circumvention. Without it, a company could run a hiring algorithm in a third country, send only the shortlist into the EU, and claim the AI itself never touched Europe. Under the Act, that shortlist is output used in the Union, and the operators behind it are in scope. Practical examples make the reach visible. A US analytics firm scoring loan applicants for a Dutch bank is covered. An Indian outsourcing provider running AI-driven CV screening for a client in Ireland is covered. A Japanese manufacturer whose predictive maintenance system produces alerts acted on in its German plant is covered. The recitals indicate the rule targets output intended for use in the EU, so a purely domestic American deployment whose results incidentally reach an EU traveller is not the aimed-at case, but any deliberate servicing of EU customers, employees, or operations through AI should be treated as in scope.

Which Non-EU Businesses Are Most Exposed

| Business type | Typical trigger | Likely role |
| --- | --- | --- |
| SaaS vendors selling to EU customers | Placing an AI system on the EU market | Provider |
| Platforms offering AI features to EU users | Making the system available in the EU | Provider |
| Outsourcing and services firms processing for EU clients | Output used in the EU | Deployer, sometimes provider |
| Multinationals with EU subsidiaries | Group tools deployed in EU entities | Provider at parent level, deployer at EU entity |
| Model developers offering APIs reachable from the EU | Placing a general-purpose model on the market | GPAI model provider |

The Authorised Representative Requirement

Before placing a high-risk AI system on the EU market, a provider established outside the Union must appoint, by written mandate, an authorised representative established in the EU. The representative keeps a copy of the technical documentation and the declaration of conformity at the disposal of authorities for ten years, verifies that the conformity assessment and registration were carried out, cooperates with authorities on request, and can be addressed by regulators in place of the distant provider. The representative must terminate the mandate if it considers the provider is acting contrary to the Act, which makes the role a genuine control point rather than a mailbox. Providers of general-purpose AI models established outside the EU must likewise appoint an authorised representative before placing their models on the Union market. Choosing and contracting this representative is one of the longer lead-time items for non-EU providers, so it belongs early in the project plan.

How Enforcement Works Across Borders

Enforcement against non-EU operators runs through several channels. Market surveillance authorities can require corrective action, restrict, withdraw, or recall non-compliant systems from the EU market, which for a software product means EU customers can no longer lawfully be served. Fines can be imposed on the EU footprint of the business and pursued against the operator itself; for general-purpose model providers, the European Commission enforces directly with fines of up to 3 percent of worldwide annual turnover or 15 million euros, whichever is higher. The authorised representative, importers, and distributors inside the EU each carry duties and can face consequences, which in practice pushes compliance pressure up the chain to the foreign provider. And commercially, EU business customers are themselves deployers with their own obligations, so they increasingly refuse to buy from vendors who cannot demonstrate compliance. For most non-EU companies, losing procurement eligibility is the sanction that bites first.

Does Compliance at Home Count for Anything

Partially. Companies aligned with recognised frameworks, such as management-system standards for AI or national risk frameworks, will find the concepts of the EU Act familiar: risk management, documentation, human oversight, monitoring. But no foreign framework substitutes for the Act's specific requirements, classifications, or registration. The reverse direction is also worth noting: many global companies are choosing to run a single AI governance programme built to EU standards and apply it worldwide, because maintaining one high bar is cheaper than maintaining several inconsistent ones. That mirrors what happened with EU data protection law, where the EU rulebook quietly became the global default for multinational policy.

A Compliance Sequence for Non-EU Companies

Step one: map EU exposure honestly. List every product, contract, and internal workflow where an AI system or its output touches EU customers, users, employees, or operations.

Step two: classify each exposed system under the Act's risk tiers, paying particular attention to employment, credit, education, and biometric uses.

Step three: assign roles. The same group may be a model provider in one place, a system provider in another, and a deployer through its EU subsidiaries.

Step four: for high-risk provider positions, start the heavy items immediately: technical documentation, conformity assessment, registration, and the authorised representative mandate.

Step five: fix the transparency layer, ensuring chatbots and generated content disclose themselves to EU users.

Step six: prepare the evidence pack your EU customers will request, because their deployer duties depend on your cooperation.

Step seven: assign ownership for monitoring EU guidance, harmonised standards, and national enforcement practice as they develop.

Common Mistakes Made by Non-EU Firms

Four errors recur. Treating the Act as a future problem because headquarters is elsewhere, when key provisions have applied since February 2025 and the general application date is August 2, 2026. Assuming that selling through a local reseller transfers responsibility, when the foreign provider remains the provider and the reseller becomes a distributor with its own checking duties. Geofencing as a paper exercise, claiming EU users are blocked while sales teams actively serve them, a contradiction discoverable from the company's own marketing. And ignoring the output-use rule in services businesses, where no software is ever shipped to Europe but EU-bound decisions are produced daily. Each mistake is avoidable with the same instrument: a written EU exposure map, reviewed whenever products or markets change.

How the Act Interacts with Data Transfer and Privacy Rules

Non-EU companies serving Europe usually already navigate GDPR, and the two regimes travel together without merging. GDPR governs the personal data flowing into and out of an AI system, including international transfer mechanisms; the AI Act governs the system itself, its classification, documentation, and oversight. A US firm processing EU candidate data through a screening model therefore answers two sets of questions: lawful basis, transparency, and transfers under GDPR, and high-risk system duties under the AI Act. The overlap is also an asset. The GDPR machinery most exporters built after 2018, records of processing, representatives in the Union, impact assessments, vendor contracts, provides ready scaffolding for AI Act work, and the EU representative experience in particular makes the authorised representative concept familiar. Companies should resist the urge to run the two programmes in separate silos: a single register tracking systems, data flows, classifications, and responsibilities serves both laws and halves the maintenance.

What to Watch as Implementation Matures

The framework around the Act is still filling in: harmonised standards are being developed, Commission guidelines continue to arrive, national authorities are building enforcement practice, and public debate has included proposals to adjust parts of the timeline. None of this changes the planning baseline, the obligations and dates in the regulation itself, but it does reward attention. Non-EU companies should assign someone, internal or external, to track three streams: Commission and AI Office publications, the standards that will define presumption of conformity for high-risk systems, and the practice of the market surveillance authority in their main EU member state of business. Early movers gain twice: they avoid rework by aligning with standards as they land, and they accumulate the documented good-faith engagement that authorities weigh when deciding how hard to press a foreign operator.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.