Potentially yes. The EU AI Act has extraterritorial scope (Art. 2.1) similar to GDPR. If you provide AI systems to EU users, your AI output is used within the EU, or your AI systems affect persons located in the EU, the regulation likely applies to you. This includes US SaaS companies with EU customers, US AI startups whose APIs are used by European businesses, and any US firm deploying AI that EU employees or customers interact with. Non-compliance by non-EU companies can result in market access restrictions.

A Provider (Art. 3.3) is an organisation that develops an AI system and places it on the market or puts it into service under their own name — essentially the company that builds and distributes the AI. A Deployer (Art. 3.4) is an organisation that uses an AI system under its authority for professional purposes — essentially any business that uses AI in their operations, whether built in-house or licensed from a third party. Providers face the heaviest obligations including technical documentation, conformity assessments, and CE marking. Deployers have lighter but still significant obligations, especially for high-risk AI.

High-risk AI systems fall into two categories. First, AI systems that are safety components of regulated products (machinery, medical devices, vehicles, aviation equipment — covered under Art. 6.1 and Annex II). Second, standalone AI systems listed in Annex III: biometric identification, critical infrastructure management, educational assessment, employment and HR decisions, access to essential services (credit, insurance), law enforcement, migration and asylum, and justice administration. If your AI system makes, assists with, or significantly influences decisions in any of these areas, it is likely high-risk.

The key dates are: prohibited practices (Art. 5) have been applicable since 2 February 2025. GPAI model obligations (Chapter V) apply from 2 August 2025. High-risk AI system requirements (Art. 6–49, covering Annex III systems) become fully applicable from 2 August 2026. High-risk AI systems that are safety components of Annex II products have until 2 August 2027. This means organisations should be planning and building compliance programmes now, not waiting for enforcement dates.

Generally, conformity assessments are the responsibility of Providers, not Deployers. However, as a Deployer using a high-risk AI system, you are responsible for ensuring that the Provider has completed the required conformity assessment and that the system has a CE marking and valid EU Declaration of Conformity before you deploy it. Additionally, deployers of certain systems (e.g. public authorities using high-risk AI) must conduct a Fundamental Rights Impact Assessment (FRIA) under Art. 27.

Fines are tiered by severity: Violations of prohibited practices (Art. 5) — up to €35,000,000 or 7% of total worldwide annual turnover (whichever is higher). Non-compliance with most other obligations — up to €15,000,000 or 3% of global annual turnover. Providing incorrect, incomplete, or misleading information to authorities — up to €7,500,000 or 1.5% of global annual turnover. For SMEs and startups, the financial penalties are capped at the lower of the absolute amount or the percentage of turnover, whichever applies more favourably.

Open-source AI components and models benefit from some exemptions — specifically, providers that release AI models under open-source licences (making weights and parameters publicly available) are partially exempt from certain GPAI obligations. However, these exemptions do not apply when: (1) the open-source GPAI model has systemic risk (generally models exceeding 10^25 FLOPS training compute), (2) the model is used in prohibited practice applications, or (3) the AI system is used as a high-risk system. The open-source exemption protects research and community model sharing, not commercial AI deployments in high-stakes contexts.

A General Purpose AI model (GPAI) is an AI model trained on large amounts of data with broad capabilities that can be integrated into many different AI systems and applications. Think: large language models, multimodal foundation models, large image generation models. Providers of GPAI models must: provide technical documentation to downstream developers, comply with EU copyright law, publish summaries of training data, cooperate with the EU AI Office, and have policies to prevent downstream misuse. GPAI models classified as having "systemic risk" (based on training compute or other criteria set by the Commission) face additional obligations including adversarial testing, cybersecurity measures, and incident reporting.

Using commercial AI services for typical business productivity tasks (drafting emails, summarising documents, coding assistance) generally places you as a Deployer of a limited-risk or minimal-risk AI system. Your primary obligation in most cases is transparency — if customers or employees interact with AI-generated outputs, they should be informed. However, if you integrate these AI services into applications that make high-risk decisions (employment screening, credit assessment, healthcare triage), the analysis becomes more complex. You should review the Terms of Service and compliance documentation from your AI provider, who bears Provider obligations. You, as the deployer, are responsible for ensuring appropriate use within your operational context.

Article 4 of the EU AI Act requires that providers and deployers ensure their staff have an adequate level of AI literacy — meaning a sufficient understanding of AI systems' capabilities and limitations, relevant regulation, and the ability to use AI responsibly. This is not just an HR box-ticking exercise; it is a compliance obligation. Organisations are expected to take measures — training programmes, awareness campaigns, technical education — proportionate to the AI systems they use and the staff roles involved. Compliance programmes should include staff AI literacy assessments and documented training plans.

No. The EU AI Act and GDPR operate in parallel and must both be complied with. The AI Act governs AI system development, deployment, and use. GDPR governs personal data processing. AI systems that process personal data must comply with both regulatory frameworks simultaneously. In practice, this means your AI compliance programme must integrate data protection impact assessments (DPIA under GDPR) with AI risk management (under the AI Act), and your AI governance structures must account for data subject rights alongside AI system oversight requirements. The European Data Protection Supervisor and national data protection authorities will cooperate with AI market surveillance authorities on enforcement.

The EU AI Office, established within the European Commission, is the central regulatory body for the EU AI Act. It has primary competence over GPAI models (including systemic-risk models), develops codes of practice, issues guidance and technical standards, coordinates with national competent authorities, and conducts investigations and enforcement actions for GPAI model violations. Each EU member state must also designate a national competent authority responsible for supervising AI systems within their territory (except GPAI models, which remain centralised at EU level).

AI regulatory sandboxes (Art. 57–63) are controlled environments established by national competent authorities where innovative AI systems can be developed, trained, tested, and validated under regulatory supervision before full market deployment. They are specifically prioritised for SMEs and startups. Benefits include: direct access to regulatory guidance, reduced compliance uncertainty during development, ability to test potentially high-risk AI under supervision, protection from enforcement action while operating in the sandbox (subject to conditions), and faster regulatory learning cycles. Organisations should contact their national competent authority to inquire about sandbox availability — several EU member states (Spain, Denmark, Netherlands) have been active in establishing early sandbox programmes.

For high-risk AI systems, Annex IV of the EU AI Act specifies exactly what technical documentation must contain: a general description of the system and its intended purpose; a description of design specifications including architecture, algorithms, and design choices; information on training, validation, and testing data; description of the monitoring, functioning and control of the system; description of the risk management system; description of any changes throughout lifecycle; list of harmonised standards applied; EU Declaration of Conformity; and post-market monitoring plan. For limited-risk or minimal-risk systems, a lighter-touch internal AI inventory with basic risk notes is a sensible starting point. Build documentation habits now — retroactively documenting complex AI systems is significantly harder than documenting as you build.

When procuring AI systems (particularly those that could be high-risk), review vendor contracts for: access to technical documentation and instructions for use; confirmation of conformity assessment completion and CE marking; data processing terms compatible with your GDPR obligations; incident notification obligations and timelines; warranties about system accuracy, robustness, and bias testing; provisions allowing human oversight and override; clear allocation of Provider vs. Deployer obligations; compliance with the AI Act and disclosure of any regulatory issues; and contractual commitments to notify you of any changes that affect risk classification. As a deployer, you cannot contract away your AI Act obligations — they run alongside, not in place of, provider contractual obligations.