    14 March 2026 | Top Floor | [EN] 10 min read

    Understanding the EU AI Act: What US Companies Need to Know

    Tags: EU AI Act, AI Governance, International

    Why the EU AI Act Matters to US Companies

    The European Union's Artificial Intelligence Act, approved by the European Parliament in March 2024, published in the Official Journal in July 2024, and in force since August 1, 2024, is the first binding, horizontal regulatory framework for artificial intelligence anywhere in the world. For US companies, the instinct may be to dismiss it as a European concern. That would be a mistake.

    The EU AI Act has extraterritorial reach. It applies to any organization that places an AI system on the EU market or whose AI system's output is used within the EU, regardless of where the provider is headquartered. If your SaaS product uses machine learning to make recommendations, score risk, filter content, or automate decisions, and any of your customers or end users are in the EU, the regulation likely applies to you.

    This mirrors the pattern set by the GDPR, which reshaped global data privacy practices despite being an EU regulation. Companies that waited until enforcement to address GDPR paid the price in fines, lost contracts, and operational disruption. The AI Act is following the same trajectory, and the compliance window is already narrowing.

    Risk-Based Classification: The Core Framework

    The EU AI Act organizes AI systems into four risk tiers, and most of your compliance obligations depend on which tier your system falls into. General-purpose AI (GPAI) models are regulated separately from this tiering, with their own obligations discussed in the timeline below.

    Unacceptable Risk (Prohibited)

    These AI practices are banned outright with very limited exceptions. The prohibitions took effect on February 2, 2025, making them the first provisions to become enforceable. Prohibited practices include:

    • Social scoring systems that evaluate individuals based on social behavior or personality characteristics, leading to detrimental treatment
    • Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions for specific serious crimes)
    • AI systems that exploit vulnerabilities of specific groups due to age, disability, or socioeconomic situation
    • AI systems that deploy subliminal, manipulative, or deceptive techniques to distort behavior in ways that cause significant harm
    • Emotion recognition systems in workplaces and educational institutions
    • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
    • Biometric categorization systems that infer sensitive attributes such as race, political opinions, or sexual orientation

    If your AI system falls into any of these categories, the only compliant path is to cease offering it in the EU market.

    High Risk

    High-risk AI systems face the most extensive compliance requirements. These include AI used in critical infrastructure (energy, transport, water), education and vocational training (scoring, admissions), employment (recruitment, performance evaluation, termination decisions), essential services (credit scoring, insurance pricing, emergency dispatch), law enforcement, migration and border control, and the administration of justice.

    High-risk systems must satisfy requirements for risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity. Providers must conduct conformity assessments before placing these systems on the market and register them in an EU-wide database.

    The high-risk obligations become fully enforceable on August 2, 2026.

    Limited Risk

    AI systems that interact directly with people (chatbots, deepfake generators, emotion recognition in permitted contexts) must meet the transparency obligations of Article 50. Users must be informed that they are interacting with an AI system unless this is obvious from context, and AI-generated or manipulated content must be labeled as such. These transparency rules apply from August 2, 2026, together with the rest of the Act's general application date.

    Minimal Risk

    AI systems that pose negligible risk, such as spam filters, AI-enabled video games, or inventory management systems, face no specific obligations under the Act, though providers are encouraged to follow voluntary codes of conduct.

    The Enforcement Timeline

    The EU AI Act does not land all at once. It follows a phased enforcement schedule that gives organizations time to prepare, but several deadlines have already passed or are approaching fast.

    Already in effect:

    • August 1, 2024: The Act entered into force
    • February 2, 2025: Prohibited AI practices became enforceable; AI literacy obligations took effect

    Coming soon:

    • August 2, 2025: Obligations for general-purpose AI (GPAI) models, including transparency and systemic risk requirements for large models; governance structures (the AI Office and the European Artificial Intelligence Board) and penalties become operational
    • August 2, 2026: General application of the Act, including full enforcement of high-risk AI system requirements (conformity assessments, technical documentation, registration) and the Article 50 transparency obligations for limited-risk systems
    • August 2, 2027: Extended deadline for high-risk AI systems that are safety components of products already regulated under specific EU product legislation

    US companies should not wait for the 2026 deadline to begin preparation. Conformity assessments, technical documentation, and risk management systems take months to build. Organizations that start now will have a significant advantage over those that treat this as a future problem.

    Who Exactly Is in Scope

    The Act defines several roles, each with different obligations:

    Providers are organizations that develop an AI system or have one developed on their behalf, and place it on the EU market or put it into service under their own name or trademark. This is the role with the heaviest compliance burden. If you are a US software company selling an AI-powered product to EU customers, you are likely a provider.

    Deployers are organizations that use an AI system under their authority, excluding personal non-professional use. EU-based companies using your AI product are deployers and will expect you, as the provider, to have fulfilled your obligations.

    Importers and distributors are entities in the EU supply chain that make non-EU AI systems available on the EU market. They have due diligence obligations to verify that providers have met their requirements.

    Authorized representatives are entities established in the EU that non-EU providers of high-risk AI systems (Article 22) and of GPAI models (Article 54) must appoint to act on their behalf for compliance purposes. If you are a US-based provider of a high-risk system or a GPAI model with no EU entity, you will need to designate an authorized representative, similar to the GDPR representative requirement under Article 27 of that regulation.

    The practical takeaway: if your AI system reaches EU users through any channel, direct sales, partnerships, OEM agreements, or embedded in a larger product, you need to determine your role under the Act and understand the corresponding obligations.

    Relationship to NIST AI RMF and ISO 42001

    US companies already investing in AI governance frameworks are better positioned than they might think. The EU AI Act does not exist in isolation, and its requirements overlap significantly with two frameworks that are gaining traction in the US market.

    NIST AI Risk Management Framework (AI RMF 1.0)

    The NIST AI RMF provides a voluntary, flexible framework for managing AI risks across the lifecycle. Its four core functions, Govern, Map, Measure, and Manage, align closely with the EU AI Act's requirements for risk management systems, documentation, and ongoing monitoring.

    Organizations that have implemented the NIST AI RMF will find that much of the groundwork for EU AI Act compliance is already in place: risk identification and assessment processes, governance structures, documentation practices, and measurement approaches. The gap analysis focuses on areas where the EU AI Act imposes prescriptive requirements that the NIST framework leaves to organizational discretion, such as conformity assessment procedures and the EU database registration.

    ISO/IEC 42001 (AI Management System)

    ISO 42001 establishes requirements for an AI management system (AIMS) following the familiar Plan-Do-Check-Act structure. It covers AI policy, risk assessment, controls, operational procedures, performance evaluation, and continual improvement.

    An ISO 42001-certified management system demonstrates a mature, systematic approach to AI governance that auditors and regulators recognize. While ISO 42001 certification does not automatically satisfy EU AI Act requirements, it provides the management infrastructure, documentation discipline, and audit trail that make demonstrating compliance substantially easier.

    The practical approach: build your AI governance program around NIST AI RMF and ISO 42001, then layer on the EU AI Act's specific prescriptive requirements. This gives you a program that satisfies US market expectations, EU regulatory requirements, and customer due diligence requests with a single, coherent framework.

    A Compliance Approach for US Companies

    If you are a US company with AI systems that reach the EU market, here is a structured approach to compliance:

    Step 1: Inventory and classify your AI systems. Catalog every AI system your organization develops, deploys, or distributes. For each system, determine whether it falls into the prohibited, high-risk, limited-risk, or minimal-risk category. This classification drives every subsequent obligation.

    Step 2: Determine your role under the Act. Are you a provider, deployer, importer, or distributor? Most US companies selling AI products to EU customers will be providers, which carries the most extensive requirements.

    Step 3: Appoint an EU authorized representative where required. If you provide a high-risk AI system or a GPAI model and have no legal entity in the EU, you must designate an authorized representative established in an EU member state before making the system or model available. This representative acts on your behalf for compliance verification, documentation access, and communication with market surveillance authorities.

    Step 4: Build or extend your risk management system. The Act requires a documented risk management system that operates throughout the AI system's lifecycle. If you already have NIST AI RMF or ISO 42001 processes in place, extend them to cover the Act's specific requirements.

    Step 5: Prepare technical documentation. High-risk AI systems require comprehensive technical documentation covering design, development, testing, and validation. This must be prepared before the system is placed on the EU market and kept current throughout the system's lifecycle.

    Step 6: Implement transparency and human oversight measures. Ensure your AI systems provide clear information to deployers and end users about the system's capabilities, limitations, and intended use. High-risk systems must include mechanisms for effective human oversight.

    Step 7: Plan for conformity assessments. High-risk AI systems must undergo conformity assessment before market placement. Depending on the domain, this may be a self-assessment or require a third-party notified body. Begin the assessment process well ahead of the August 2026 deadline.

    Step 8: Monitor the regulatory landscape. The European Commission and its AI Office are developing implementing acts, delegated acts, codes of practice, and guidance documents, and the European standardization bodies are drafting the harmonized standards that give high-risk requirements their technical detail. Track these developments through resources like the Regulatory Radar and adjust your compliance program accordingly.

    Penalties

    The EU AI Act's penalty structure is designed to command attention, particularly for larger organizations.

    Prohibited AI practices violations: Up to 35 million EUR or 7% of global annual turnover, whichever is higher.

    High-risk and other substantive violations: Up to 15 million EUR or 3% of global annual turnover, whichever is higher.

    Providing incorrect or misleading information to authorities: Up to 7.5 million EUR or 1% of global annual turnover, whichever is higher.

    For SMEs and startups, the Act applies the lower of the two figures (the fixed amount or the percentage of turnover) rather than the higher, which tempers the exposure but leaves fines that are still significant relative to company size.

    These penalties are imposed by national market surveillance authorities in each EU member state, coordinated through the European Artificial Intelligence Board; the Commission's AI Office directly supervises providers of GPAI models. Enforcement can be triggered by market surveillance activity, complaints, or ex officio investigations.

    The lesson from GDPR enforcement is clear: regulators start with guidance and warnings, then move to significant fines against high-profile targets to establish precedent. US companies operating in the EU should not assume geographic distance provides insulation from enforcement.

    Next Steps

    The EU AI Act is not a future concern. Prohibited practices have been enforceable since February 2025, GPAI model obligations since August 2025, and the high-risk requirements and Article 50 transparency obligations land in August 2026. Companies that begin preparation now will have a meaningful advantage in terms of compliance readiness, customer trust, and competitive positioning.

    Top Floor helps organizations build AI governance programs that satisfy the EU AI Act alongside US frameworks like NIST AI RMF and international standards like ISO 42001. Whether you need a gap assessment, a full governance buildout, or ongoing compliance management, our practitioners bring the cross-framework expertise to get it done efficiently.

    For organizations also navigating US state privacy laws alongside the EU AI Act, our guide on US State Privacy Laws covers the domestic regulatory landscape.

    Track evolving AI regulation timelines and requirements on the Regulatory Radar, or contact our team to discuss your compliance strategy.

    Related Reading

    If you are building an AI governance program, these resources provide additional context on the frameworks and regulations that intersect with the EU AI Act:

    • ISO 27001 vs. SOC 2: Which Should You Pursue First? -- Many organizations pursuing AI compliance also need a foundational information security framework in place. This guide helps you choose the right starting point.
    • Vendor Risk Management Program Guide -- AI supply chain risk is a core concern under the EU AI Act. A mature vendor risk management program is essential for organizations that rely on third-party AI components.
    • US State Privacy Laws Guide -- For US companies, domestic privacy regulation is evolving in parallel with the EU AI Act. Understanding both landscapes is critical to a coherent compliance strategy.

    Ready to build an AI governance program that covers the EU AI Act, NIST AI RMF, and ISO 42001? Contact Top Floor for a consultation.
