Do I Need to Comply With the EU AI Act? (2026 Guide)
TL;DR
You need to comply with the EU AI Act if you provide, deploy, import, or distribute an AI system with a connection to the EU market — even if your company sits entirely outside the EU. Under Article 2, the Regulation reaches any non-EU provider or deployer whose AI system's output is used in the Union. The only escapes are narrow: purely personal use, military/national security, and pure scientific research.
Who the EU AI Act applies to (Article 2)
The EU AI Act (Regulation (EU) 2024/1689) is built around operator roles, not company size or sector. If you fall into one of these roles and have a nexus to the EU, you are in scope. Article 2(1) names them explicitly:
- Providers that place AI systems or general-purpose AI (GPAI) models on the EU market or put them into service — wherever the provider is established.
- Deployers of AI systems established or located within the EU.
- Providers and deployers established in a third country, where the output produced by the AI system is used in the EU.
- Importers and distributors of AI systems placed on the EU market.
- Product manufacturers placing an AI system on the market under their own name together with a product.
- Authorised representatives of non-EU providers, and affected persons located in the EU.
Notice what is not on that list: there is no revenue threshold, no headcount minimum, no "startups are exempt" carve-out. A two-person company shipping an AI feature to EU users is as much in scope as a multinational. What changes between them is the obligation level — and that depends on your role plus your system's risk tier, which you can map with the free AI Act Assessment.
The single biggest mistake teams make here is assuming "we're just using an AI tool, we didn't build it, so the Act doesn't apply to us." Wrong. Deployers are squarely in scope and carry their own duties under Article 26. Using a third-party model in a professional context puts you on the map.
Does it apply to non-EU companies?
Yes — and this is the part most teams underestimate. The EU AI Act is extraterritorial by design.
Article 2(1)(c) extends the Regulation to providers and deployers located in a third country (outside the EU) "where the output produced by the AI system is used in the Union." There is no requirement that you have an EU office, an EU subsidiary, or an EU bank account. If the result your AI system produces lands in front of someone in the EU, you can be caught.
Concrete examples:
- A US SaaS company runs an AI scoring model on its own servers in California, but the scores are used to make decisions about EU-based job applicants → in scope.
- A UK analytics firm generates AI-written summaries consumed by an EU client's staff → in scope.
- An Indian outsourcing provider runs an AI system whose classifications feed an EU-based platform → in scope.
This "output used in the Union" trigger is what stops companies from dodging the Act simply by hosting their infrastructure abroad. It is the EU AI Act's equivalent of the GDPR's extraterritorial reach — and if GDPR taught the market anything, it's that "we're not an EU company" is not a defence.
Non-EU providers in scope must also appoint an authorised representative in the Union for high-risk systems and GPAI models. So the practical answer to "does the EU AI Act apply to me if I'm outside the EU?" is: check the output, not the office. The Applicability Checker walks you through exactly this nexus test.
Provider vs deployer vs importer vs distributor (Article 3)
Once you know you're in scope, the next question is which role you hold — because your obligations flow from it. Article 3 defines each operator. Most teams are deployers; some are providers without realising it.
The trap is role escalation. Under Article 25, a deployer, distributor, or importer becomes a provider — and inherits the full provider obligation set — if they:
- put their own name or trademark on a high-risk AI system already on the market, or
- make a substantial modification to a high-risk system that keeps it high-risk, or
- change the intended purpose of a system so that it becomes high-risk.
So if you white-label someone else's model and sell it as your own, or fine-tune and re-purpose a system, don't assume you're "just a deployer." You may have stepped into provider obligations. Confirm your risk tier first with Article 6 high-risk classification.
Exclusions: when the EU AI Act does not apply
The exclusions are real but narrow. Don't read them broadly.
- Purely personal, non-professional use (Article 2(10)). A natural person using an AI system at home, off the clock, for their own private purposes is not bound by deployer obligations. The moment use is professional or commercial, this escape closes.
- Military, defence, and national security. AI systems placed on the market, put into service, or used exclusively for military, defence, or national-security purposes fall outside the Regulation — regardless of the operator.
- Pure scientific research and development. AI systems and models developed and put into service solely for scientific research and development are excluded. Note "solely": the moment a research output is placed on the market or used commercially, scope attaches.
- Pre-market R&D activity. Research, testing, and development before a system is placed on the market is excluded — except real-world testing.
- Free and open-source AI gets partial relief, but not where the system is high-risk, falls under the Article 5 prohibitions, or is subject to transparency duties.
If your situation doesn't fit cleanly inside one of these, assume you're in scope and verify. Guessing wrong is expensive — see what penalties look like with the Penalty Calculator.
A simple decision flow
Work through these in order:
- Is there an AI system or GPAI model involved? No → out of scope. Yes → continue.
- Is it used purely for personal/private, military/national-security, or pure-research purposes? Yes → likely excluded. No → continue.
- Do you have an EU nexus? You're established in the EU, OR you place the system on the EU market, OR — even from a third country — the system's output is used in the EU. Any "yes" → in scope.
- Which role do you hold? Provider, deployer, importer, or distributor (see the table). Did you rebrand or substantially modify a high-risk system? → you may have become a provider under Article 25.
- What's your risk tier? Prohibited (Art 5), high-risk (Annex III), limited-risk/transparency, or minimal. This sets what you must actually do — run the Assessment to find out.
When do the obligations bite?
Scope is in force now; obligations phase in. Prohibited practices (Article 5) have applied since 2 February 2025. GPAI model obligations have applied since 2 August 2025. High-risk obligations under Annex III apply from 2 December 2027 following the Digital Omnibus. Full dates are on the EU AI Act timeline — but being "in scope" is not a future event. It is true today, and your obligations are already accruing toward those deadlines.
Frequently asked questions
Do I need to comply with the EU AI Act if my company is outside the EU?
Yes, very possibly. Under Article 2(1)(c), the EU AI Act applies to non-EU providers and deployers when the output produced by their AI system is used in the Union — no EU office or subsidiary required. If your AI's results reach people or decisions inside the EU, you're in scope. Non-EU providers of high-risk systems and GPAI models must also appoint an EU authorised representative.
I only use AI tools, I didn't build them. Am I still covered?
Yes. Users of AI systems in a professional capacity are deployers under Article 3, and deployers are explicitly in scope with their own obligations under Article 26 (human oversight, monitoring, using the system per instructions, informing affected persons). Only purely personal, non-professional use is excluded.
Does the EU AI Act apply to small startups and SMEs?
Yes. There is no size, revenue, or headcount exemption in Article 2. Scope depends on your role and EU nexus, not your stage. SMEs do get proportionate support (regulatory sandboxes, simplified documentation, reduced conformity fees), but those ease how you comply — not whether you must.
Can a deployer accidentally become a provider?
Yes — this is a common and costly surprise. Under Article 25, if you put your own name or trademark on a high-risk system, substantially modify it, or repurpose a non-high-risk system so it becomes high-risk, you take on full provider obligations. White-labelling and significant fine-tuning are the usual triggers.
What AI is excluded from the EU AI Act entirely?
Narrowly: AI used purely for personal non-professional activity (Art 2(10)), systems used exclusively for military, defence, or national-security purposes, and AI developed and used solely for scientific research and development. Pre-market R&D (except real-world testing) is also excluded. Open-source AI gets partial relief but not when it's high-risk, prohibited, or carries transparency duties.
Still not sure if the EU AI Act applies to you?
Don't guess — and don't assume you're exempt because you're small or based outside the EU. The scope rules turn on your role and your EU nexus, and the "output used in the Union" test catches far more companies than expected.
Run the free EU AI Act Applicability Checker — answer a few questions about what you build or use and where your output goes, and get a clear verdict on whether you're in scope and which role you hold. If you're in, route straight into the AI Act Assessment to classify your risk tier and see your exact obligations.


