Quick answer

The EU AI Act applies to anyone who develops, sells, imports, distributes, or professionally uses AI systems in the EU, and to companies outside the EU whose AI output is used inside the EU. Exemptions cover military uses, pure scientific research, personal non-professional use, and, with conditions, free and open-source AI.

Updated June 2026 · MmowW AI Compliance

Who Does the EU AI Act Apply To? Scope and Exemptions Explained

Who Does the EU AI Act Apply To

Article 2 of Regulation (EU) 2024/1689 draws the boundaries of the law. In short, the Act applies across the entire AI value chain: the organisations that build AI, the ones that sell and ship it, and the ones that use it at work. It applies regardless of company size, from global platforms to a five-person agency, although smaller companies benefit from proportionate fines and support measures. It also applies regardless of where a company is headquartered, as long as its AI systems or their outputs reach the EU market or people in the EU. The question for most businesses is therefore not whether the Act applies to them, but in which role and at what intensity.

The Six Operator Roles

The Act uses the umbrella term operator for everyone with duties under the law, then splits that into specific roles.

RoleWho it meansTypical obligation level
ProviderDevelops an AI system or has one developed, and places it on the market or puts it into service under its own name or trademarkHeaviest: full compliance for high-risk systems
DeployerUses an AI system under its own authority in a professional contextModerate: oversight, monitoring, transparency to affected people
ImporterEstablished in the EU and places on the market an AI system bearing the name of a non-EU entityVerification: checks the provider did its homework
DistributorMakes an AI system available on the EU market without being provider or importerDue care: checks markings and documentation are present
Product manufacturerIntegrates an AI system into a physical product sold under its own nameTakes on provider duties in defined cases
Authorised representativeEU-based entity appointed in writing by a non-EU providerActs as the provider's point of contact for authorities

One organisation can hold several roles at once. A software company might be a provider of its own product and a deployer of the third-party AI tools its staff use internally.

How Far Does the Act Reach Outside the EU

The Act has deliberate extraterritorial reach. Three situations pull a non-EU company into scope. First, placing an AI system on the EU market, for example selling AI software to EU customers, regardless of where the seller sits. Second, putting an AI system into service in the EU. Third, and broadest, when the output produced by an AI system is used in the EU, even if the system itself runs on servers elsewhere and the operator has no EU establishment. A recruitment platform in the United States screening candidates for a Berlin employer is covered. Non-EU providers of high-risk systems must also appoint an authorised representative inside the EU.

Does It Apply to Individuals

Not in their private lives. The Act explicitly excludes natural persons using AI in the course of a purely personal, non-professional activity. Someone using a chatbot to plan a holiday or generate birthday card text has no obligations. The line is professional use: the moment AI is used in the course of business, employment, or another professional activity, the user becomes a deployer. A sole trader using an AI tool to screen freelance applicants is acting professionally and is in scope.

Which Uses Are Exempt

Article 2 carves out several areas. AI systems placed on the market or used exclusively for military, defence, or national security purposes are outside the Act, reflecting the limits of EU competence. AI systems and models developed and used solely for scientific research and development are exempt, as is research, testing, and development activity on AI before it is placed on the market, although testing in real-world conditions has its own rules. International cooperation with third-country authorities for law enforcement and judicial purposes can fall outside scope under conditions. Finally, the Act does not apply to AI released under free and open-source licences, unless the system is a prohibited practice, qualifies as high-risk, or triggers the transparency rules. Open-source general-purpose models also lose part of this exemption when they pose systemic risk.

What About Public Authorities

Public bodies are squarely in scope when they deploy AI, and several of the high-risk categories in Annex III, such as migration, law enforcement, and administration of justice, are aimed primarily at them. Public authorities deploying high-risk AI face an extra duty: a fundamental rights impact assessment before first use. EU institutions themselves are covered through parallel arrangements, with the European Data Protection Supervisor acting as their watchdog.

Which Sectors Feel It Most

While the Act is horizontal and applies to all sectors, the practical weight lands unevenly. Human resources and recruitment feel it strongly because AI used for hiring, promotion, and monitoring is high-risk. Financial services feel it through credit scoring and life and health insurance pricing, which are high-risk uses. Education is affected through admission, assessment, and proctoring systems. Manufacturers of machinery, medical devices, toys, and vehicles encounter the Act through AI safety components in regulated products. Meanwhile a typical marketing agency, online shop, or consultancy mostly meets the Act through transparency duties and staff AI literacy.

How to Work Out Your Own Position

Walk through four questions for each AI system you touch. One: do we develop it and offer it under our name? If yes, we are a provider. Two: do we use it professionally? If yes, we are a deployer for that system. Three: do we bring someone else's AI into the EU or pass it along the chain? That makes us an importer or distributor. Four: are any of our uses within the exempt categories such as research or purely personal use? Document the answers. This role mapping is the foundation of every other compliance step, because the Act never asks what AI you have in the abstract; it asks what role you play for each specific system. Companies that skip this step routinely over-comply in some areas and under-comply in others.

Worked Examples Across Common Business Types

Concrete cases make the scope rules easier to apply. An online retailer in Spain using a third-party chatbot and a demand-forecasting tool is a deployer of both; its duties are transparency for the chatbot and basic literacy for staff. A Munich software firm selling an AI-powered applicant-tracking system is a provider of a high-risk system and carries the full provider programme. A Tokyo analytics company with no EU office that scores insurance applicants for a French insurer is in scope because its output is used in the EU, and it must appoint an authorised representative. A freelance designer using image generators for client work is a deployer in a professional context, with disclosure duties where outputs could mislead. A university research lab building experimental models purely for publication sits in the research exemption until anything is placed on the market. The same technology can sit in different scope positions depending entirely on who offers it, to whom, and for what purpose.

How Scope Interacts with Other EU Laws

Being in or out of the AI Act says nothing about your duties under other regimes. GDPR continues to apply whenever personal data is processed, including by exempt research systems. Product safety law, consumer protection law, and employment law all continue alongside. Conversely, complying with GDPR does not satisfy the AI Act: the two laws protect different things and demand separate, if overlapping, documentation. Financial services firms face an additional layer through sector supervision, and manufacturers of regulated products meet the AI Act through their existing conformity assessment routes. The practical consequence is that scope analysis under the AI Act should slot into a wider map of obligations rather than being run as an isolated exercise, and the people who maintain your GDPR records are usually the right people to maintain the AI inventory too.

When Scope Questions Are Genuinely Hard

Some boundary cases resist quick answers and deserve documented analysis. Dual-use systems serving both civilian and defence customers fall in scope for the civilian side. A group structure where a non-EU parent builds AI and an EU subsidiary deploys it splits roles across entities, each with its own duties. Research projects that drift into pilot deployments with real users can exit the research exemption without anyone noticing the moment of transition. Free community tools that a company later commercialises move from the open-source carve-out into full provider territory. In each of these situations, the safe method is the same: write down the facts, map them against Article 2 and the role definitions in Article 3, record your conclusion with reasoning and a date, and set a trigger to revisit the analysis when the facts change. Authorities reviewing a borderline case respond very differently to a reasoned, documented position than to silence.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.