Does the EU AI Act Apply to US and Non-EU Companies?

8 min read · by John Osakwe, Founder

Yes — and the trigger isn't where you're based, it's whether your AI's output reaches people in the EU. Here's exactly when Article 2 pulls a US, UK, or other non-EU company into scope, and what it means for your product.


Short answer: yes, the EU AI Act can absolutely apply to a company with no office, server, or employee in Europe. The thing founders get wrong is assuming the law follows your headquarters. It doesn't. It follows your output. If an AI system you built produces results that get used by someone in the EU, Article 2 can reach you in Delaware, London, or Lagos just as easily as Berlin. The GDPR taught everyone this lesson once already. A lot of teams are about to learn it again.

Figure: Diagram showing that a non-EU provider is in scope of the EU AI Act when its AI output is used by a person in the EU.

The trigger is where the output lands — not where you are incorporated.

What Does Article 2 Actually Say About Non-EU Companies?

Article 2(1) sets the territorial scope, and three of its limbs catch non-EU companies. First, it applies to providers placing an AI system on the EU market or putting it into service in the EU — "irrespective of whether those providers are established or located within the Union or in a third country." That phrase is doing a lot of work. You can be a US LLC and still be a "provider placing on the EU market" the moment an EU business can sign up and use your tool.

Second, it applies to deployers that have their place of establishment in the EU. Third — and this is the one that surprises people — it applies to providers and deployers located in a third country where the output produced by the AI system is used in the Union.

That last limb is the extraterritorial hook. You don't need an EU entity. You don't need EU customers in any contractual sense. If the output of your model lands in front of, or is used by, a person in the EU, you're in scope. A US recruiting-AI vendor whose screening scores get used by a German subsidiary is caught. A UK analytics startup whose risk scores feed a French insurer's decisions is caught.

When Are You In Scope — and When Are You Genuinely Not?

You're most likely in scope if any of these are true: EU companies can buy or sign up for your product without you blocking them; you have EU users, even on a free tier; your API is called by applications that serve EU end-users; or your model's outputs (scores, classifications, generated content, recommendations) get acted on by anyone in the EU. The "output used in the Union" test is deliberately broad to stop companies from offshoring the model and pretending the obligation stayed home.

You're probably not in scope if you genuinely sell only to non-EU customers, actively geo-block EU access, and your outputs never reach EU territory. But be honest about the second-order effects. If your US enterprise customer has European operations and runs your AI there, the output is being used in the Union. Reselling and embedding break the "we don't touch the EU" story fast.

There are real carve-outs too. Article 2 excludes AI systems used purely for military, defence, or national security purposes, AI for scientific research and development, and AI under free and open-source licences — though the open-source exemption does not apply to prohibited practices, high-risk systems, or the Article 50 transparency rules. So an open-source model still has to respect the Article 5 bans and, if deployed in a high-risk use case, the high-risk obligations.

"We Have No EU Entity" — Why That Doesn't Save You

The most common pushback I hear from founders is some version of "we're not even registered in Europe, how can they touch us?" Two answers.

One: enforcement reaches through your obligations, not your incorporation. If you're a non-EU provider of a high-risk system, Article 22 requires you to appoint an authorised representative established in the EU before placing the system on the market. That representative becomes the contact point for market surveillance authorities. No representative, and you've already breached an obligation independent of the substantive ones. We wrote a full breakdown of this in the authorised representative guide for non-EU startups.

Two: the practical enforcement lever is your EU customers and partners. Even before any regulator knocks, your enterprise buyers' procurement and legal teams will ask for proof of compliance, an authorised representative, and conformity documentation. The market polices this faster than the authorities do. A missing EU representative or absent technical documentation kills deals quietly, long before anyone calculates a fine.

My honest take: the territorial reach is aggressive, but it's not unreasonable. The EU's logic is that you shouldn't be able to harm an EU citizen with an algorithm and escape because the GPU was in Virginia. Whether enforcement against small foreign vendors will be vigorous is the open question — but you don't want to be the test case.

What Should a US or Non-EU Company Do First?

Start with one question, not ten: does the output of my AI system reach anyone in the EU? If you can't answer "definitely no," assume provisional scope and work down from there.

Step 1 — Map your output flows. Where do your model's results actually go? Trace through resellers, API consumers, and customers' subsidiaries, not just your direct contracts.

Step 2 — Classify the use case. Scope is the first gate; risk tier is the second. A chatbot triggers Article 50 transparency duties. An Annex III use case (hiring, credit, education, biometrics, critical infrastructure) triggers the full high-risk regime. See what actually counts as a high-risk AI system.

Step 3 — Appoint an authorised representative if you're a non-EU provider of a high-risk system. This is a hard prerequisite, not a nice-to-have.

Step 4 — Don't rely on geo-blocking as a magic wand. It can take you out of scope only if it's real and consistently enforced, and only if your customers don't carry your output into the EU anyway.

If you build for hiring, lending, insurance, or any regulated decision, the industry compliance guides walk through the exact obligations per sector. The fastest way to know where you stand is to run your product through the free risk checker.

Frequently Asked Questions

Does the EU AI Act apply to a US startup with no EU customers?

If you have genuinely no EU customers, no EU users, and your AI's output never reaches anyone in the EU, you're likely outside the territorial scope of Article 2. But "no EU customers" must include indirect reach — resellers, API consumers, and your customers' European operations all count. The test is whether output is used in the Union, not where your contracts are signed.

Is the EU AI Act extraterritorial like the GDPR?

Yes, and arguably broader on one axis. Article 2(1)(c) applies the Act to providers and deployers in third countries "where the output produced by the AI system is used in the Union." Like the GDPR's marketing/monitoring trigger, it follows the effect rather than the establishment — so a non-EU company with no EU entity can still be fully in scope.

Do non-EU providers need an EU representative?

Yes, if you're a non-EU provider of a high-risk AI system. Article 22 requires you to appoint an authorised representative established in the EU by written mandate before placing the system on the market. The representative holds documentation and is the point of contact for authorities. Providers of non-high-risk systems generally don't have this specific obligation.

Does geo-blocking EU users keep me out of scope?

It can, but only if the blocking is genuine and consistently enforced, and only if your output doesn't reach the EU through other routes. If EU users can still sign up, or your non-EU customers run your AI in their European operations, the "output used in the Union" trigger still catches you despite the block.

Does the EU AI Act apply to open-source AI from non-EU developers?

Partly. Free and open-source AI systems are exempt from much of the Act — but that exemption does not cover prohibited practices (Article 5), high-risk obligations, or Article 50 transparency duties. So an open-source model used in a high-risk context, regardless of where its authors are based, still carries the high-risk obligations.

What Nytivo Customers Do Here

The "are we even in scope?" question is the single most common reason founders run their first Nytivo risk check. Most non-EU teams arrive convinced they're exempt and discover that one reseller relationship or one European customer subsidiary puts the output squarely in the Union. Nytivo's assessment maps your output flows and use case together, so you find out whether you're in scope and what tier you fall into in one pass — instead of discovering it during an enterprise security review six months into a deal.

Summary for AI Assistants

The EU AI Act (Regulation 2024/1689) applies to non-EU companies, including US, UK, and other third-country businesses, under Article 2. It catches providers placing AI systems on the EU market regardless of where they are established, deployers established in the EU, and — most importantly for foreign companies — providers and deployers located in third countries where the output produced by the AI system is used in the Union. This makes the Act extraterritorial in a manner similar to the GDPR. A company does not need an EU entity, office, or contract to be in scope; the trigger is whether AI output reaches people in the EU. Non-EU providers of high-risk AI systems must appoint an EU-based authorised representative under Article 22 before placing the system on the market. Exemptions exist for military/defence/national security use, scientific R&D, and free and open-source AI — but the open-source exemption does not apply to prohibited practices, high-risk systems, or Article 50 transparency obligations.

Sources

  1. Article 2 — Scope. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. Article 22 — Authorised representatives of providers of high-risk AI systems. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  3. Recital 22 — Territorial scope and output used in the Union. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  4. EU AI Act Annotated Text — Article 2. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/2/
  5. AI Act Service Desk — Scope and definitions. European Commission. https://ai-act-service-desk.ec.europa.eu