How the EU AI Act reaches companies outside the EU
The AI Act is not only a local-EU story. Scope can reach providers and deployers in third countries where output is used in the Union, and it also reaches actors placing systems or GPAI models on the Union market.
The EU AI Act applies to non-EU companies when they place AI systems or general-purpose AI (GPAI) models on the Union market, put AI systems into service in the Union, or when the output of the system is used in the Union.
US companies selling chatbots, image generators, or foundation models to EU customers, or whose tools are integrated by EU businesses, are typically in scope. A Latin American agency serving only non-EU clients is not. The decisive factors are your role (provider, deployer, distributor), distribution model, and whether your output reaches the Union — not the location of your headquarters.
This page gives concrete decision rules, role splits, and low-regret next steps so non-EU teams can act without over- or under-preparing.
Law status — April 2026 Current law: The core scope rules (Article 2) and obligations for GPAI models (Chapter V) have applied since 2 August 2025. Prohibited practices and AI literacy rules have applied since February 2025. Transparency obligations (Article 50) and most high-risk rules begin 2 August 2026. Non-EU providers of GPAI models must appoint an authorised representative before placing those models on the Union market (Article 54). Proposal: The Digital Omnibus package proposes linking certain high-risk application dates to the availability of harmonised standards and support tools, plus simplifications for SMEs and small mid-caps. These changes remain proposals and are not yet law. Official timeline and FAQ sources take precedence over secondary commentary.
When non-EU companies are in scope
The AI Act has extraterritorial effect. It covers providers (including those established outside the EU) that place AI systems or GPAI models on the Union market, irrespective of where the development occurred. It also covers situations where an AI system is put into service in the Union or where its output is used in the Union.
Key triggers for non-EU organisations:
- Placing on the market: Making an AI system or GPAI model available to EU users or businesses (paid or free, via download, API, SaaS, or through a local distributor).
- Putting into service / use in the Union: EU-based deployers using your tool, or your system generating outputs that are received and acted upon within the Union.
- Downstream EU deployment: If an EU customer integrates your model into their own high-risk AI system, your upstream obligations as provider still apply.
- GPAI-specific rules: From 2 August 2025, providers of GPAI models placed on the Union market must fulfil technical documentation, information-sharing, copyright policy, and training-data summary obligations. Non-EU providers must appoint an authorised representative in the Union (Article 54).
If your AI is developed and used exclusively outside the Union with no EU customers, no EU marketing, and no outputs used in the Union, you are not in scope. Purely internal enterprise use by a non-EU company with no EU nexus is generally outside the Act.
Official sources emphasise that the law looks at the connection to the Union, not corporate domicile.
The non-EU decision tree
Classify your role first. The Act distinguishes sharply between provider (the entity that develops or places the model/system on the market), deployer, importer, distributor, and authorised representative. Roles are not interchangeable and determine which obligations apply. See our dedicated guide for role mapping: Provider versus deployer under the EU AI Act.
Use this decision sequence:
- Do you develop or substantially modify a GPAI model that is or will be available in the EU? → Provider obligations under Chapter V apply (technical documentation, downstream information, copyright policy, summary of training content). If outside the EU, appoint an authorised representative.
- Do you place a high-risk AI system (Annex III or regulated product) on the EU market? → Full provider obligations (quality management, conformity assessment, CE marking, registration).
- Are you a SaaS or application provider whose customers are in the EU? → You may be a provider of an AI system (not just the underlying model). Check transparency obligations (Article 50) if users interact directly.
- Do you act as a reseller, white-label partner, or distributor? → You may be an importer or distributor with lighter but still real obligations (verify upstream compliance, pass on information, cooperate with authorities).
- Are you an enterprise deploying AI internally or for non-EU clients only? → Deployer obligations are narrower (use per instructions, human oversight, report serious incidents) and only trigger if the deployment occurs in the Union.
Are you in scope?
| Scenario | Likely in scope? | Why | Best next action |
|---|---|---|---|
| US chatbot sold to EU customers | Yes | Placing an AI system on the Union market; EU users receive output | Classify as provider or deployer; prepare Article 50 disclosures; run evidence scan |
| LatAm agency using AI only for non-EU clients | No | No placement on Union market and no output used in the Union | Document the assessment; monitor expansion plans |
| Global model provider placing model on EU market | Yes | GPAI provider placing on Union market (obligations since Aug 2025) | Appoint authorised representative; compile technical documentation and training summary |
| Non-EU vendor with EU reseller or distributor | Yes (provider) | Provider obligations are triggered by market placement via distributor; distributor has separate duties | Clarify roles in contract; flow-down obligations; gather upstream evidence |
Authorised representative and GPAI
The authorised representative requirement appears specifically for non-EU providers of general-purpose AI models (Article 54). If you are established outside the Union and place a GPAI model on the Union market, you must appoint a representative established in the Union before doing so.
The representative’s tasks include:
- Being the point of contact for national competent authorities and the AI Office.
- Receiving and acting on requests for information and corrective actions.
- Ensuring that technical documentation and other required information can be provided to authorities upon request.
Important limits (do not overstate):
- The representative does not assume the provider’s full legal responsibility or replace the need for technical documentation, risk assessment (for systemic-risk models), or copyright compliance.
- The provider remains primarily liable.
- The representative is a legal mechanism for enforcement access, not a full “EU office” or compliance substitute.
- Open-source GPAI models may qualify for exemptions from some obligations, but systemic-risk models do not.
This requirement has applied since 2 August 2025 for new models. Pre-existing models have until August 2027 in some cases, subject to official guidance. See the AI Act Service Desk page on Article 54 and the Commission’s GPAI guidelines for operational detail.
Relevant internal resource: General-purpose AI model obligations under the AI Act
Low-regret actions for non-EU teams
These steps carry low downside and position you for whatever timeline ultimately applies:
- Inventory every model, system, API, or service that could reach EU users, EU customers, or generate outputs used in the Union.
- Role classification for each offering. Document why you are (or are not) a provider of a GPAI model or high-risk AI system.
- Article 50 copy — draft clear disclosures for any interactive or generative systems (“This content was generated by AI”) even if full transparency rules are still phasing in.
- Vendor contracts — review and update agreements with EU partners, resellers, and downstream developers to allocate responsibilities clearly (reference Article 25 value-chain provisions).
- Documentation readiness — maintain technical documentation and training-data summaries for GPAI models. Use structured formats that can be shared with the AI Office via the EU SEND platform if requested.
- Current-law monitoring — track official sources rather than secondary commentary. The AI Office, AI Act Service Desk, and EUR-Lex remain authoritative.
Non-EU action matrix
| Company type | Immediate questions | Evidence to gather | Best tool/page |
|---|---|---|---|
| Model provider | Are we placing a GPAI model on the Union market? Is it systemic risk? Do we need a representative? | Training compute estimate, technical documentation, copyright policy | General-purpose AI model obligations under the AI Act, EU AI Act Evidence Scanner |
| SaaS provider | Do EU customers use our AI features? Are we a provider or deployer for each feature? | Usage logs, customer geography, system architecture diagrams | Provider versus deployer under the EU AI Act |
| Agency/publisher | Do we embed generative AI in content delivered to EU clients? Do we qualify as deployer? | Client list, content generation workflows, disclosure templates | Article 50 guidance and EU AI Act Evidence Scanner |
| Enterprise deployer | Are we deploying high-risk systems in the EU? Do we receive adequate upstream information? | Deployment inventory, contracts with providers, human oversight procedures | Internal policy templates and country resources Country pages and national AI Act resources |
Examples
- A US company with EU customers: A California-based startup offers an AI writing assistant via API. EU marketing teams subscribe and use outputs in customer campaigns. The company is a provider placing an AI system on the Union market and must address transparency obligations. Role classification determines whether downstream information duties also apply.
- A Latin American vendor expanding into Spain: The vendor previously served only LatAm clients. Upon signing its first Spanish enterprise contract, it triggers provider obligations for the GPAI model underlying its service. Immediate actions: appoint an authorised representative, prepare the training-content summary, and update contracts.
- A model provider deciding whether it needs an authorised representative: A Singapore-based foundation model developer releases a new open-weight model that EU developers fine-tune. If the model meets the GPAI criteria and is placed on the Union market (even via download), an EU authorised representative is required under current law. The provider should document its compute threshold assessment and any open-source exemption analysis.
FAQ
Does the Act really apply outside the EU? Yes. The scope is based on market placement, putting into service, or use of output in the Union, not on the provider’s location. Official FAQ and Article 2 confirm this extraterritorial reach for both AI systems and GPAI models.
When is an authorised representative required? For providers of GPAI models established outside the EU that place those models on the Union market (Article 54). The representative must be established in the Union and serves as a contact point for authorities. The provider retains primary responsibility.
What if we only have EU users but no EU office? You may still be in scope. For GPAI models an authorised representative satisfies the legal contact-point requirement without needing a full subsidiary or office. Document user geography and output flows as evidence.
Can a reseller change our role analysis? Contracts can allocate certain operational tasks, but the upstream provider’s core obligations (technical documentation, risk information, copyright policy for GPAI) are usually not fully transferred. Analyse the value chain per the Act and document the agreed split. A reseller becoming an importer or distributor creates parallel but distinct duties.
Common mistakes
- Assuming “no EU office = no applicability” — the Act looks at market connection and output use, not physical presence.
- Treating GPAI obligations as future-only — many entered into application on 2 August 2025; waiting until 2026 or 2027 leaves gaps.
- Over-delegating to an authorised representative — the representative provides a contact point but does not eliminate the provider’s duty to maintain documentation and policies.
- Ignoring downstream information obligations — GPAI providers must supply sufficient technical information so EU deployers can comply with their own rules.
- Relying on law-firm blogs or vendor marketing for current timelines instead of AI Act Service Desk and EUR-Lex sources.
- Failing to inventory internal enterprise deployments in EU subsidiaries or for EU clients.
Action checklist
- [ ] Create a complete inventory of all AI models, systems, and services with any EU nexus (sales, users, output, marketing).
- [ ] Classify your role (provider/deployer/distributor) for each item and document the reasoning.
- [ ] For every GPAI model placed or to be placed on the Union market, confirm whether an authorised representative is required and identify a candidate.
- [ ] Assemble technical documentation, copyright policy, and training-data summary (or exemption evidence) in a structured, retrievable format.
- [ ] Review and amend contracts with EU customers, resellers, and vendors to clarify responsibilities and information flow.
- [ ] Draft or update Article 50 transparency disclosures for interactive and generative systems.
- [ ] Run an initial evidence scan and store artefacts in a version-controlled workspace.
- [ ] Set recurring monitoring for official updates from the AI Office and AI Act Service Desk, especially regarding the Digital Omnibus proposal.
- [ ] Identify one owner for non-EU AI Act readiness and schedule a quarterly review.
Next step: Download the free Non-EU GPAI Initial Screen sample report to see a completed role classification, scope assessment, and evidence checklist for a typical international provider. It shows exactly what structured readiness looks like before you invest in full tooling.
→ Sample initial screen for a non-EU GPAI provider
Or start scanning your current evidence directly: EU AI Act Evidence Scanner
Sources (primary official references used):
- AI Act Service Desk Timeline and Article 113
- EUR-Lex Regulation (EU) 2024/1689
- Commission Guidelines on obligations for providers of general-purpose AI models
- AI Act Service Desk page on Article 54
- Navigating the AI Act FAQ and GPAI Q&A (digital-strategy.ec.europa.eu)
All legal statements are anchored to these primary sources. This page is for informational and operational readiness purposes only and does not constitute legal advice.
Turn this reading into an actionable report
Use the free scanner to map your likely role, detect likely obligations, and see which evidence is missing.