The EU AI Act applies to providers regardless of whether they are established in the EU or in a third country, when the AI system is placed on the EU market or its output is used in the EU. For US companies this means the same extraterritorial reach as the GDPR, with Annex III high-risk obligations applying from 2 December 2027 under the post-trilogue calendar.
Article 2(1) of the EU AI Act applies to providers placing AI systems on the Union market or putting them into service in the Union, irrespective of whether those providers are established within the Union or in a third country. It also applies to providers and deployers when the output produced by the AI system is used in the Union.
This means a US company with no EU office, no EU employees, and no EU entity can still be fully within scope if its AI system's output affects people in the EU. The corollary, under Article 22, is that a non-EU provider of a high-risk AI system must appoint an EU Authorised Representative by written mandate before making that system available on the Union market (Article 54 imposes the parallel requirement on non-EU providers of general-purpose AI models). This is the role that SecureFound, our strategic partner in Spain, is purpose-built to perform.
If your AI-powered hiring tool (resume screening, video interview analysis, candidate ranking) processes applications from EU-based candidates or evaluates EU-based employees, you are likely operating a high-risk AI system under Annex III, category 4. This is the single most common trigger for US companies.
Fintech companies and insurtech providers that serve EU customers fall under Annex III, category 5 when their AI systems evaluate the creditworthiness of natural persons or establish their credit score (AI used solely to detect financial fraud is carved out), or perform risk assessment and pricing for life and health insurance. Credit decisions about companies and underwriting in other insurance lines are not in category 5 on their own.
If you provide an AI system that an EU-based company deploys for high-risk purposes, you are the provider and the registration obligation falls on you. The EU deployer may also have separate obligations, but this does not remove yours. The one exception is Article 25: if the EU customer puts its own name or trademark on the system, substantially modifies it, or changes its intended purpose so that it becomes high-risk, that customer is treated as the provider for the resulting system.
Remote biometric identification (one-to-many matching), biometric categorisation by sensitive attributes, and emotion recognition systems offered to EU-based customers trigger Annex III, category 1. One-to-one biometric verification whose sole purpose is to confirm that a person is who they claim to be is expressly excluded from category 1, so a plain identity verification product is not high-risk on that basis alone. Note also that emotion recognition in the workplace and in education is prohibited outright under Article 5, except for medical or safety reasons.
The EU AI Act's extraterritorial scope mirrors the GDPR's approach. When the GDPR took effect in 2018, many US companies initially assumed it did not apply to them. Enforcement actions — and contract requirements from EU business partners — quickly changed that assumption. The AI Act will follow the same trajectory.
Companies that treated GDPR compliance as a competitive advantage (rather than a burden) are now better positioned for AI Act compliance. The same opportunity exists today.
The Digital Omnibus political agreement of 7 May 2026 deferred Annex III obligations from 2 August 2026 to 2 December 2027. The runway is meaningful but the work is the same:
Operational deadlines that do not move: Article 50 transparency obligations and the AI Office's full enforcement powers apply from 2 August 2026; the new Article 5 prohibition on AI-generated NCII/CSAM takes effect and the Article 50(2) watermarking grandfathering period closes on 2 December 2026; Article 4 AI literacy has been in force since 2 February 2025. If your systems generate synthetic content or interact with humans, those obligations apply now, not in 2027.
Implementation Timeline — full post-trilogue calendar
Penalty Structure — fines apply to non-EU providers equally
EU Authorised Representative via SecureFound — mandatory for non-EU providers
Lexara Advisory and SecureFound (Spain) guide US companies through every step — one transatlantic engagement, two jurisdictions.
Lexara Advisory LLC is an AI governance consulting firm, not a law firm. SecureFound (SECURE FOUND, S.L., Spain) is the strategic EU partner providing Article 22 / Article 54 EU Authorised Representative services. This content is for informational purposes only and does not constitute legal advice.
🤖 AI — not a human or lawyer