Many executives still assume the EU AI Act applies only to European technology companies building advanced AI systems.

That assumption is often wrong.

A company can fall within the Act’s scope even if it is headquartered outside Europe, purchases rather than develops AI, or has no obvious “AI product.” Exposure can arise through European customers, employees, subsidiaries, distributors, products, or decisions affecting people in the EU.

The real question is not simply whether your company uses AI. It is whether a particular AI system, model, organization, and use case create a regulated connection to the European Union.

Here is a five-minute screening test.

  1. Does your company offer an AI system or model in the EU?

Start with the most direct route to exposure.

The EU AI Act applies to providers that place AI systems or general-purpose AI models on the EU market. A company does not necessarily need offices, employees, or legal entities in Europe to qualify. A U.S. software company that makes an AI-enabled product available to European customers may still be within scope.

Ask:

• Do European customers have access to your AI-enabled products?
• Do you license, sell, or distribute AI software in the EU?
• Is your AI functionality embedded in another product sold in Europe?
• Do European partners or resellers make the system available there?

A company should not treat the absence of a European headquarters as a safe harbor.

  1. Does anyone in your organization use AI in the EU?

Your company may also be exposed as a deployer, the Act’s term for an organization using an AI system under its authority.

This can include an EU subsidiary or business unit using AI for:

• recruiting and candidate screening
• employee evaluation or workforce management
• customer service
• fraud detection
• credit or insurance decisions
• access to essential services
• biometric identification or categorization
• safety-related processes

This matters because many organizations look only at AI systems they sell. They overlook internally purchased tools used by human resources, finance, security, compliance, or operations.

A multinational may therefore be both a provider and a deployer, depending on the system and business activity.

Do not assess the company once and assign it a single label. Determine the company’s role separately for each AI system.

  1. Are the system’s outputs used in the EU?

This is the provision most likely to surprise non-European companies.

The Act can apply to providers and deployers established outside the EU where the output produced by an AI system is used in the Union.

Consider a U.S.-based company that:

• evaluates European job candidates from an American office
• generates risk scores used by an EU subsidiary
• supports decisions concerning European customers
• produces recommendations used by European employees
• remotely operates an AI-enabled service delivered in Europe

The processing location alone does not settle the question. A system operated in the United States may still create EU exposure when its outputs are used in Europe.

This is why geographic analysis must follow the complete business process, not merely the location of the server, vendor, or development team.

  1. What role does your company play?

Once a potential EU connection has been identified, determine the company’s legal role.

The answer affects which obligations may apply.

Your organization may be acting as:

Provider: Develops an AI system or model, or has one developed, and places it on the market or puts it into service under its name or trademark.

Deployer: Uses an AI system under its authority, except for purely personal, non-professional activity.

Importer: Places an AI system from a non-EU provider on the EU market.

Distributor: Makes an AI system available in the EU supply chain without being the provider or importer.

Product manufacturer: Places a product on the market with an AI system under its own name or trademark.

Role determination is not always intuitive. A company that substantially modifies a high-risk system, changes its intended purpose, or puts its own name on it may inherit provider-level responsibilities.

Procurement language does not necessarily control the outcome. Calling yourself a customer or implementation partner does not make it legally so.

  1. What does the system actually do?

Being within the Act’s territorial scope does not automatically mean the system is high-risk.

Scope and classification are separate decisions.

After establishing that the Act may apply, ask whether the system falls into one of the Act’s regulatory categories:

• prohibited AI practices
• high-risk AI systems
• systems subject to transparency obligations
• general-purpose AI models
• general-purpose AI models with systemic risk
• systems that do not fall within the more demanding categories

High-risk classification often depends on the system’s intended purpose and context of use, not simply the underlying technology.

Use cases involving employment, education, access to essential services, law enforcement, migration, biometrics, or critical infrastructure deserve particular attention. But even within these areas, classification can depend on what function the system performs and whether a statutory exception applies.

A generic statement that “we use generative AI” is therefore almost useless for compliance analysis. The organization needs to know what the system does, who uses it, who is affected, and how its outputs influence decisions.

Interpreting your results

Your company likely warrants a formal scope assessment if you answered yes to any of the following:

• You provide an AI-enabled product or model to the European market.
• Employees or subsidiaries use AI in the EU.
• AI outputs are used in European operations or decisions.
• You import, distribute, or embed third-party AI in products offered in Europe.
• AI affects hiring, employment, credit, insurance, education, safety, or access to important services.
• Your company develops or supplies general-purpose AI models.

That does not mean the system is prohibited or high-risk. It means there is enough of a connection to stop relying on assumptions and conduct a documented assessment.

What companies should do next

Do not begin by launching an enterprise-wide compliance program or purchasing another governance platform.

Begin with four foundational steps:

  1. Inventory the systems.

Identify internally developed, purchased, and embedded AI across products and business functions.

  1. Map the geography.

Record where systems are offered, operated, and used, and where their outputs affect people or decisions.

  1. Assign operator roles.

Determine whether each legal entity acts as provider, deployer, importer, distributor, or product manufacturer.

  1. Document classification decisions.

Record the intended purpose, applicable category, evidence considered, accountable owner, and conditions that could trigger reassessment.

This foundation matters because the AI Act is not one undifferentiated compliance regime. It imposes different requirements based on the system, model, role, risk category, and context of use.

The bottom line

Your company does not need to be European, build foundation models, or market itself as an AI company to face EU AI Act exposure.

A European employee using an AI hiring tool, a U.S. platform serving European customers, or an algorithmic output used by an EU business unit may be enough to require closer analysis.

The first step is not compliance.

It is classification: identifying the system, establishing the EU connection, determining your role, and documenting why particular obligations do or do not apply.

Without that foundation, the organization cannot reliably comply with the Act. More importantly, it cannot defend its decisions when a regulator, customer, auditor, or board member asks how those conclusions were reached.

Not sure whether the EU AI Act applies to your organization or what to do next? Reach out to discuss a practical exposure assessment and a defensible path forward.

The screening framework is intended for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding specific compliance obligations.

Keep Reading