The EU AI Act Is Live: What You Actually Need to Do

Q: Q: Does the EU AI Act apply to my company if we're based outside Europe?

**A:** Yes, if your AI systems produce effects within the EU. The Act applies to providers and deployers whose systems impact EU citizens, regardless of where the company is headquartered. A U.S. or Asian firm selling AI-powered hiring tools to European employers, for example, must comply fully.

Q: Q: What's the difference between a "provider" and a "deployer" under the Act?

**A:** A **provider** develops or commissions an AI system for market placement, bearing primary responsibility for conformity assessments and documentation. A **deployer** uses an AI system under its authority—such as a bank implementing a vendor's credit scoring algorithm—with obligations focused on human oversight, input data quality, and monitoring for risks.

Q: Q: Are open-source AI models exempt from the Act?

**A:** General-purpose AI models released under free and open-source licenses receive partial exemptions, provided they don't present systemic risks or fall under prohibited categories. However, once such models are fine-tuned or integrated into high-risk applications, downstream obligations activate for the deployer.

Q: Q: When do the different compliance deadlines take effect?

**A:** The Act follows a staggered timeline. Prohibited practices took effect immediately upon enactment. Obligations for general-purpose AI models and governance requirements for high-risk systems phase in through 2026 and 2027. Organizations should consult the official implementation calendar, as specific dates vary by risk classification.

EU AI Act compliance guide 2026: What companies need to do now that Europe's AI law is enforced. No-nonsense practical steps for AI users. Technology sector exp

---

The regulatory landscape surrounding artificial intelligence has shifted decisively. With the EU AI Act now in force, organizations operating within—or selling into—the European market face a compliance framework unlike any other globally. This isn't merely a European concern; the Act's extraterritorial reach means that any company deploying AI systems affecting EU citizens must align with its requirements, regardless of where that company is headquartered.

What distinguishes this legislation from earlier tech regulations is its risk-based architecture. Rather than applying uniform rules across all AI applications, the Act stratifies obligations according to potential harm. High-risk systems—those deployed in healthcare, education, employment, and law enforcement—carry the heaviest burdens: mandatory conformity assessments, human oversight protocols, and detailed documentation trails. Prohibited practices, including social scoring and real-time biometric identification in public spaces, carry penalties reaching 7% of global annual turnover. This tiered approach demands that organizations conduct precise internal audits to classify their AI inventory accurately, a task complicated by the increasingly blurred boundaries between general-purpose models and specialized applications.

Industry observers note that the Act is already reshaping competitive dynamics. Smaller AI vendors, lacking the legal infrastructure of major platforms, are confronting difficult choices: absorb substantial compliance costs, restrict market access, or pursue strategic partnerships with better-resourced firms. Meanwhile, the emergence of "AI compliance as a service"—consultancies and software tools promising streamlined adherence—has created a secondary market now projected to exceed €3 billion annually by 2027. For enterprise leaders, the strategic imperative extends beyond checkbox compliance; early investments in governance frameworks may yield competitive advantages as procurement criteria across the EU increasingly favor demonstrably compliant suppliers.

---

Frequently Asked Questions

Q: Does the EU AI Act apply to my company if we're based outside Europe?

A: Yes, if your AI systems produce effects within the EU. The Act applies to providers and deployers whose systems impact EU citizens, regardless of where the company is headquartered. A U.S. or Asian firm selling AI-powered hiring tools to European employers, for example, must comply fully.

Q: What's the difference between a "provider" and a "deployer" under the Act?

A: A provider develops or commissions an AI system for market placement, bearing primary responsibility for conformity assessments and documentation. A deployer uses an AI system under its authority—such as a bank implementing a vendor's credit scoring algorithm—with obligations focused on human oversight, input data quality, and monitoring for risks.

Q: Are open-source AI models exempt from the Act?

A: General-purpose AI models released under free and open-source licenses receive partial exemptions, provided they don't present systemic risks or fall under prohibited categories. However, once such models are fine-tuned or integrated into high-risk applications, downstream obligations activate for the deployer.

Q: When do the different compliance deadlines take effect?

A: The Act follows a staggered timeline. Prohibited practices took effect immediately upon enactment. Obligations for general-purpose AI models and governance requirements for high-risk systems phase in through 2026 and 2027. Organizations should consult the official implementation calendar, as specific dates vary by risk classification.

Q: How does the Act interact with existing regulations like GDPR?

A: The AI Act complements rather than replaces existing law. GDPR's data protection principles remain fully applicable, and organizations must navigate overlapping requirements—particularly around automated decision-making, transparency, and data subject rights. Legal teams should treat AI Act compliance as additive to, not substitutive for, established privacy frameworks.