Does the EU AI Act apply to US-only companies with no EU customers?

Only if the output of the AI system is used in the Union. Pure US-domestic operations with no EU output, no EU customers and no EU subsidiary are outside Article 2.

Is using a US-built LLM via API to serve EU users covered?

Yes. If you deploy a GPAI model and the output is used in the EU, you are a provider or deployer in scope. The upstream model provider also has Chapter V obligations.

Does the GDPR-style "one-stop shop" exist for the AI Act?

No. National market surveillance authorities of each Member State enforce in their territory, coordinated by the European AI Board. The AI Office is the single supervisor only for GPAI.

Can a US company use its US-based subsidiary as the EU authorised representative?

No. Article 22 requires the representative to be established in the Union. Many providers use specialised compliance firms, EU law firms, or their own EU subsidiary.

What if a non-EU provider does not appoint an authorised representative?

Placing a high-risk AI system on the EU market without an appointed authorised representative is itself an infringement of Article 22, subject to Tier 2 fines under Article 99 of up to €15M or 3% of global turnover.

Last reviewed: May 2026 · 9 min read

Does the EU AI Act Apply to US Companies? Yes — Here Is When

Q: Do US companies need ISO 42001 to comply with the EU AI Act?

No. ISO 42001 is not mandatory under the AI Act. It is a useful operational backbone for risk management, documentation and post-market monitoring, and supervisory authorities have signalled it as relevant evidence of due diligence.

How the EU AI Act's extraterritorial scope works

Article 2(1) sets out the personal scope. The Regulation applies to providers placing AI systems on the market or putting them into service in the EU, irrespective of where the provider is established. It applies to deployers established in the EU. And it applies to providers and deployers established outside the EU when the output produced by the AI system is used in the Union. The output-use trigger is the broadest and is what catches most US companies.

The four scenarios that put a US company in scope

You sell an AI product or SaaS to EU customers. You are a "provider" placing the system on the EU market and are subject to the Act in full, including conformity assessment for high-risk systems and the GPAI obligations for general-purpose AI models.
You deploy AI inside an EU subsidiary or branch. The EU entity is a "deployer" and must meet deployer obligations under Article 26 (and Article 27 FRIA for public-interest deployers).
You operate AI in the US but the output is used in the EU. Article 2(1)(c) captures this: even with no EU presence, if your model's output reaches an EU user as part of a service, you fall in scope as a provider or deployer depending on your role.
You are part of an upstream/downstream AI value chain that touches the EU. GPAI providers supplying downstream developers who put systems on the EU market are inside Chapter V; component providers must give downstream providers the technical documentation needed for high-risk classification.

What stays outside the Act

Article 2 also lists carve-outs. The Act does not apply to AI systems exclusively for military, defence or national security purposes; to AI systems used for scientific research and development; to AI research, testing and development before placing on the market (with limits on real-world testing); to public authorities of a third country acting in the framework of international cooperation for law enforcement and judicial purposes (subject to safeguards); or to personal non-professional use.

The authorised representative requirement

Non-EU providers of high-risk AI systems must, by written mandate, appoint an authorised representative established in the Union before placing the system on the EU market (Article 22). The representative:

Verifies the EU declaration of conformity and technical documentation have been drawn up.
Keeps a copy of those documents at the disposal of national authorities for ten years.
Provides authorities with all information and documentation necessary to demonstrate conformity, including access to logs.
Cooperates with authorities on corrective action.
Terminates the mandate and informs the provider and authority if the provider acts contrary to its obligations.

Non-EU providers of GPAI models have a parallel obligation under Article 54: they must appoint an authorised representative in the EU before placing the model on the market.

How extraterritorial enforcement actually happens

National market surveillance authorities and the AI Office can request information and documentation directly from the authorised representative and impose fines under Article 99 on the provider. Practical enforcement levers include: refusal of EU database registration, CE marking withdrawal, recall and withdrawal orders, distribution bans across the single market, and the administrative fines themselves — payable through the EU presence of the authorised representative or through EU subsidiaries.

Interaction with US frameworks

The EU AI Act and the US framework are not equivalent. The NIST AI Risk Management Framework is voluntary and outcome-focused; ISO/IEC 42001 is a certifiable management system standard; the EU AI Act is binding sectoral product safety regulation. There is no mutual recognition. However, NIST AI RMF and ISO 42001 controls map well onto the AI Act's risk management, documentation and post-market monitoring requirements, and US companies that already operate an ISO 42001 AI management system will recognise most of the operational scaffolding the AI Act asks for. See our ISO 42001 vs ISO 27001 comparison for the management system context.

State-level US AI laws and the EU AI Act

Colorado SB 24-205, the New York City AEDT law, and the emerging Texas Responsible AI Governance Act create overlapping but distinct obligations from the EU AI Act — primarily around employment, bias auditing and disclosure. None substitute for AI Act compliance when the AI system is placed on the EU market or its output is used in the EU.

What US companies should do in 2026

Map every AI system, model and embedded AI feature to EU exposure (EU customers, EU subsidiaries, EU output use).
Run the Article 5 prohibited-practice screen against every system in scope.
Classify in-scope systems against Annex III; document Article 6(3) exemption assessments where applicable.
For each high-risk system, identify whether you are provider, deployer, or both.
If you are a non-EU provider, appoint an EU authorised representative under Article 22 (and Article 54 for GPAI).
Build the technical documentation pack to Annex IV and the risk management evidence to Article 9.
Align with the timeline: prohibitions apply now, GPAI from 2 August 2025 for new models, full Annex III high-risk obligations from 2 August 2026.