EU AI Act: Does It Apply to Your U.S. Business?

Updated June 14, 2026

Originally published: Jan. 27, 2026.

By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity

Executive Summary

The European Union's AI Act is the first comprehensive law governing artificial intelligence. It applies to U.S. businesses when AI systems are used in the EU or affect EU residents, regardless of where the business is based.

By mid-2026, the framework is already in motion. Prohibited uses are banned, requirements for general-purpose AI models are active, and the main compliance deadline for high-risk systems is August 2026.

Most businesses aren’t starting from scratch. AI is already built into everyday tools, platforms, and workflows. The challenge is knowing where it’s in use, what data it touches, and how those uses fit into the Act’s risk categories.

The priority now is visibility and control. That means identifying existing use, documenting it, and putting governance in place before compliance becomes a problem.

The European Union's Artificial Intelligence Act represents the first large-scale attempt to regulate AI across an entire economic bloc. For businesses serving European customers or working with EU partners, compliance is now part of doing business.

The Act applies beyond EU borders. If your AI system is used in the EU, the requirements apply.

Understanding the EU AI Act

The Act entered into force on Aug. 1, 2024, with requirements rolling out over several years. It creates a unified framework across all EU member states, replacing what could have been a patchwork of national laws.

At its core is a risk-based model. Systems are categorized based on their potential impact, and requirements scale with that risk.

Rich Miller, CEO of STACK Cybersecurity: "Most businesses aren’t adopting AI through a formal rollout. It’s already in use across teams, tools, and workflows. The risk isn’t the technology itself. It’s the lack of visibility and control around how it’s being used. That’s what regulations like the EU AI Act are trying to force companies to confront."

Risk Categories

Unacceptable Risk

Some uses are banned outright. These include manipulative techniques, social scoring, biometric categorization tied to sensitive attributes, and certain forms of real-time biometric identification.

Those prohibitions took effect in early 2025 and are already enforceable.

High-Risk Systems

High-risk systems face the most requirements. This includes AI used in hiring, credit decisions, healthcare, law enforcement, and critical infrastructure.

Limited Risk

Most generative AI tools fall into this category. The main requirement is transparency, including disclosing when users interact with AI and labeling synthetic content.

Minimal Risk

Lower-risk uses, like spam filters or basic automation, have minimal additional obligations beyond existing laws.

Implementation Timeline

Aug. 1, 2024: The Act entered into force.

Feb. 2, 2025: Prohibited uses became illegal.

Aug. 2, 2025: Rules for general-purpose AI models took effect.

Aug. 2, 2026: High-risk system requirements become enforceable.

2027 and beyond: Additional deadlines apply for certain systems.

The transition is already underway.

General-Purpose AI Models

The Act includes specific requirements for general-purpose models. These systems must be documented, their training data summarized, and downstream use supported with appropriate information.

Models with broader impact, which the Act treats as posing systemic risk, face added obligations, including risk assessments and incident reporting.

Penalties for Noncompliance

Prohibited use violations: Up to EUR 35 million or 7% of global annual revenue, whichever is higher

High-risk violations: Up to EUR 15 million or 3% of global annual revenue, whichever is higher

Providing incorrect information: Up to EUR 7.5 million or 1% of global annual revenue, whichever is higher

For smaller companies, penalties may be reduced but still significant.

Digital Omnibus Proposal

The Digital Omnibus proposal aims to simplify compliance across EU digital regulations. It may adjust timelines and reduce administrative complexity, especially for smaller businesses.

It doesn’t remove the underlying requirements. The core structure of the AI Act remains in place.

Artificial Intelligence Readiness Evaluation (AIRE)

Most businesses are already using AI, whether it’s formally deployed or not. STACK Cybersecurity’s AI Readiness Evaluation helps you identify where AI is in use, what risks exist, and how to bring it under control.

Practical Steps

Start by identifying where AI is already in use across your business.

Map those uses to risk categories so you understand what requirements apply.

Put governance in place that defines what data can be used and how AI tools are accessed.

Document systems, usage, and controls so you have a defensible position.

Monitor guidance from EU regulators and adjust as requirements evolve.

U.S. vs. EU Approach

The EU uses a unified, risk-based framework across member states. The U.S. approach is still fragmented across state laws.

Meeting EU requirements often puts a business in a stronger position for U.S. compliance, but it doesn’t remove the need to monitor state-level rules.

For more detail, see our State AI Laws Guide and Federal AI Policy breakdown.

Frequently Asked Questions (FAQs)

Does the EU AI Act apply to U.S. companies?

Yes. If your AI systems are used in the EU or affect EU users, the Act can apply regardless of where your business is based.

When do companies need to comply?

Some requirements are already active. The main deadline for high-risk systems is Aug. 2, 2026.

Are most AI tools high-risk?

No. Most tools fall into the limited-risk category. Risk depends on how the system is used.

What’s the biggest challenge for businesses?

Visibility. Many companies don’t fully know where AI is being used or what data is being shared.

Can tools like ChatGPT or Microsoft Copilot fall under the EU AI Act?

Yes. The classification depends on how the tool is used. A standard chatbot may fall into a limited-risk category, but connecting it to sensitive data, internal systems, or decision-making processes can increase its risk classification under the Act.

What makes an AI system "high-risk" in practice?

An AI system becomes high-risk when it is used to influence decisions that affect people’s rights, financial outcomes, employment, healthcare, or access to services. The same tool may be low risk in one use case and high risk in another depending on how it is deployed.

Does the EU AI Act apply if only part of our business touches the EU?

Yes. The Act can apply to a specific product, service, or workflow rather than your entire business. If any part of your AI system interacts with EU users or data, that portion of your environment may need to comply.

Are penalties actually being enforced yet?

Enforcement is ramping up as deadlines approach. Prohibited uses are already banned, and regulators are building enforcement frameworks. Enforcement activity is expected to increase after August 2026, when high-risk obligations become fully enforceable.

How does the EU AI Act relate to cybersecurity programs?

The Act overlaps with cybersecurity in areas like logging, access control, data governance, and monitoring. Many of the required controls mirror practices already found in security programs, such as SIEM monitoring, identity management, and risk management.

What is the most common mistake businesses make with AI compliance?

Most businesses assume AI adoption is a future decision. In reality, AI is already in use across employee workflows and SaaS platforms. The biggest gap is not lack of tools, but lack of visibility and governance.

Need Help With AI Governance?

If your business is already using AI and you’re not sure where the risks are, it’s time to take a closer look.

Email: info@stackcyber.com
Phone: (734) 744-5300

Cybersecurity Consultation

Is your company secure against cyber threats? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices. You'll get a detailed report and action plan to improve your security posture. Don't wait until it's too late.