Does the EU AI Act apply to US companies?

Yes, if your AI system or its output is used in the EU: for example, you have EU customers, or EU-based staff use it. Location of the provider doesn't exempt you.

When does the EU AI Act take effect?

It entered into force on 1 August 2024 and applies in phases: bans from Feb 2025, general-purpose AI rules from Aug 2025, and most high-risk obligations from 2 August 2026.

What is the simplest first step for a small team?

Write and circulate an AI usage policy, keep a short register of the AI tools you use, and make sure anyone using AI understands the basics. That satisfies the AI-literacy duty and starts your transparency obligations.

EU AI Act

Regulation (EU) 2024/1689, the EU Artificial Intelligence Act · European Union

The EU AI Act is the world's first comprehensive AI law. It takes a risk-based approach: it bans a small set of 'unacceptable-risk' uses, places strict obligations on 'high-risk' systems, sets transparency rules for limited-risk systems (like chatbots and deepfakes), and largely leaves minimal-risk uses free. It also adds duties for providers of general-purpose AI models.

Who it applies to

Any organisation that puts an AI system on the EU market or whose AI output is used in the EU. That includes non-EU companies with EU users or staff.

Key points

Phased timeline

Prohibited-AI bans and AI-literacy duties applied from 2 February 2025. General-purpose AI model obligations applied from 2 August 2025. Most high-risk obligations apply from 2 August 2026, with some extended to 2027.

AI literacy (Article 4)

Providers and deployers must ensure staff who use AI on their behalf have a sufficient level of AI literacy. A documented internal policy and training is the simplest way to evidence it.

Risk tiers

Unacceptable (banned, e.g. social scoring), high-risk (e.g. hiring, credit, biometric: strict controls), limited-risk (transparency, e.g. disclose AI chatbots and label deepfakes), and minimal-risk (no extra duties).

Penalties

Up to €35m or 7% of global annual turnover for prohibited-AI breaches; lower tiers for other infringements.

What a small team should do

Most SMBs are deployers, not providers, of high-risk AI, so the immediate duties are AI literacy (Article 4), transparency (tell people when they're talking to AI or seeing AI-generated content), and not using any banned practices. A written AI usage policy plus a record of which tools you use covers the practical first steps.

How a policy helps: An AI usage policy is the cleanest evidence of Article-4 AI literacy: it tells staff what's allowed, names approved tools, and is something you can show you trained people on.

FAQ

Does the EU AI Act apply to US companies?: Yes, if your AI system or its output is used in the EU: for example, you have EU customers, or EU-based staff use it. Location of the provider doesn't exempt you.
When does the EU AI Act take effect?: It entered into force on 1 August 2024 and applies in phases: bans from Feb 2025, general-purpose AI rules from Aug 2025, and most high-risk obligations from 2 August 2026.
What is the simplest first step for a small team?: Write and circulate an AI usage policy, keep a short register of the AI tools you use, and make sure anyone using AI understands the basics. That satisfies the AI-literacy duty and starts your transparency obligations.