Skip to content
easyAI
Products▼
  • AI Foundation Audit
  • AI ROI Calculator
  • GDPR Accountability Snapshot
Insights
  • Products
    • AI Foundation Audit
  • Free Tools
    • AI ROI Calculator
    • GDPR Accountability Snapshot
  • Insights
  1. Home
  2. Insights
  3. Who Does the EU AI Act Apply To? US, UK, Swiss Firms

Who Does the EU AI Act Apply To? US, UK, Swiss Firms

The EU AI Act applies by role and market, not location: US, UK and Swiss firms are in scope when they sell AI into the EU or its output is used there.

Who Does the EU AI Act Apply To? US, UK, Swiss Firms
Methodology by Daniela Piskackova — Co-founder & AI Audit Lead·Published July 13, 2026

"Does the EU AI Act even apply to us — we are not in the EU?" is the first question most companies ask, and the honest answer surprises them. The Act's reach is defined by your role and your market, not by where your head office sits. Like the GDPR before it, it is extraterritorial: a US, UK or Swiss company is in scope the moment it places an AI system on the EU market, puts one into service in the EU, or its AI system's output is used in the EU. Here is who is caught, who is not, and how to tell which you are.

Quick Answer. The EU AI Act applies by role and market, not by where a company sits. It covers providers who place AI systems on the EU market, deployers established in the EU, and — extraterritorially — any provider or deployer whose AI output is used in the EU. US, UK and Swiss firms are caught on those triggers.

Last updated: 13 July 2026 · Verified against Regulation (EU) 2024/1689 as amended by the Digital Omnibus (adopted and signed; awaiting Official Journal publication).

Summary

Who does the EU AI Act apply to? — decided by role + market/output, not by where you sit (Art. 2)
│
├─ Reach is by ROLE, not location — and it is extraterritorial (like GDPR)
│   ├─ Provider — places an AI system on the EU market — in scope wherever it is established
│   └─ Deployer — uses AI under its authority — in scope if EU-based OR its output is used in the EU
│
├─ Outside the EU? Still covered — US, UK and Swiss firms included
│   ├─ Sell an AI system into the EU, or its output is used in the EU → in scope (Art. 2(1)(a)/(c))
│   └─ Importers, distributors and AI-bearing product makers on the EU market count too
│
└─ When it does NOT apply — the honest boundary
    ├─ Purely internal non-EU use, nothing placed on the EU market, no output used in the EU
    └─ But scope attaches the moment output reaches the EU or you sell in — so check your role

Who does the EU AI Act apply to?

Scope is set by Article 2 of Regulation (EU) 2024/1689; the roles it uses are defined in Article 3 [1]. Article 2 never asks where you are incorporated. It asks what you do with an AI system and whether that touches the EU. In its own terms, the Regulation applies to:

  • providers placing AI systems on the EU market or putting them into service — irrespective of whether those providers are established in the EU or in a third country [1];
  • deployers of AI systems that have their place of establishment, or are located, within the EU [1];
  • providers and deployers located in a third country, where the output produced by the AI system is used in the EU [1];
  • importers and distributors of AI systems, and product manufacturers placing an AI-bearing product on the EU market under their own name or trademark [1].

Read that list again and the design becomes obvious: the trigger is always a role — provider or deployer — combined with a connection to the EU market or its output. Your office location is never the deciding factor. This is the same extraterritorial reach the GDPR made familiar, and it is deliberate: the EU did not want a rule that a company could escape simply by hosting its servers or its headquarters abroad. For how this sits next to the data-protection rules you already know, see how the AI Act sits alongside GDPR and UK data rules — the extraterritorial logic is nearly identical.

Because "does it apply to us?" is only the first question, it helps to see it against the full set of obligations that follow. For the records a company in scope actually has to keep, work through our complete EU AI Act documentation guide, which maps each duty to a document. This article answers the narrower question that comes before all of that: are you in, and in what role?

The decision reduces to three questions — your role, your market, and where the output lands:

Decision tree for whether the EU AI Act applies to a companyAnswers "does the EU AI Act apply to my company?". If you are neither a provider nor a deployer of an AI system, you are out of scope. If you are a provider and the system is placed on the EU market, put into service in the EU, or its output is used in the EU, you are in scope as a provider; otherwise out of scope. If you are a deployer and you are established or located in the EU, or the system's output is used in the EU, you are in scope as a deployer; otherwise out of scope.

Neither

Provider

Deployer

Yes

No

Yes

No

Does the EU AI Act apply
to my company?

Provider or deployer of
an AI system?

OUT OF SCOPE
no role under the Act

Placed on the EU market /
put into service in the EU,
OR its output used in the EU?

Established or located in the EU,
OR its output used in the EU?

IN SCOPE
as a provider

OUT OF SCOPE
no EU market or output

IN SCOPE
as a deployer

OUT OF SCOPE
purely non-EU use

Role first, then market or output — the two questions that decide EU AI Act scope.

In words, the tree works like this:

  • Neither a provider nor a deployer of an AI system? You have no role under the Act — out of scope.
  • A provider, and the system is placed on the EU market, put into service in the EU, or its output is used in the EU? In scope as a provider — this holds even with no EU establishment.
  • A deployer, and you are established or located in the EU, or the system's output is used in the EU? In scope as a deployer.
  • A provider or deployer with no EU market connection and no output used in the EU? Out of scope — for now.

Not sure which triggers you hit? Free checkers tell you whether the Act concerns you; the free EU AI Act Documentation tool works out your role and generates the actual documents — in ~20 minutes: https://aiprioritymap.com/en/tools/eu-ai-act

Does the EU AI Act apply to US companies?

Yes — whenever a US company crosses one of Article 2's triggers, and most that touch the EU do. A US SaaS vendor that sells an AI-enabled product to EU customers is placing an AI system on the EU market, which makes it a provider in scope under Article 2(1)(a), regardless of having no office, entity or server inside the EU [1]. The Regulation says so in as many words: it applies to providers "irrespective of whether those providers are established or located within the Union or in a third country" [1].

The output trigger reaches further still. A US company whose AI system produces output that is used in the EU is caught under Article 2(1)(c) even where it has no direct EU customer relationship [1]. If your model scores, drafts, ranks or decides something and the result is then used by someone in the EU, that connection alone can pull you into scope. For US companies the practical test is rarely "are we established in the EU?" — it is "does anything our AI produces end up being used there?"

Does it apply to UK companies?

Yes. Since Brexit the United Kingdom is a third country for the purposes of the Act, exactly like the US or Switzerland — and being outside both the EU and the single market changes nothing about the triggers. A UK firm that sells an AI system into the EU is a provider placing it on the EU market, in scope under Article 2(1)(a). A UK firm whose AI system's output is used in the EU is in scope under Article 2(1)(c), even if it never signs an EU customer directly [1].

This bites harder in the UK than many firms expect, because so many UK businesses still serve EU clients, run EU-facing operations, or process work whose results cross the Channel. "We left the EU" is not an exemption from the EU AI Act any more than it was from the GDPR — the reach is defined by the market you touch, not the trade bloc you belong to.

Does it apply to Swiss companies?

Yes. Switzerland is neither an EU nor an EEA member, so for the Act it is a third country — and the analysis is identical to the US and UK cases. A Swiss provider that places an AI system on the EU market is in scope under Article 2(1)(a); a Swiss company whose AI system's output is used in the EU is in scope under Article 2(1)(c) [1]. Proximity to the EU, or bilateral agreements in other areas, does not create an exemption here.

For Swiss firms with EU subsidiaries, EU customers or cross-border data flows, the safe assumption is that at least the output trigger is live. The question to answer is not whether Swiss law mirrors the Act, but whether anything your AI produces is used inside the EU — because that is what Article 2 asks.

Are you a provider or a deployer?

Once you know the Act reaches you, your role decides what you owe — and the two roles carry very different weights. Article 3 defines them [1]:

  • A provider (Article 3(3)) develops an AI system — or has one developed — and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
  • A deployer (Article 3(4)) uses an AI system under its authority, except where it is used in the course of a purely personal, non-professional activity.

Most companies are deployers. They buy or subscribe to AI tools and use them in their work; they do not build systems and sell them under their own brand. Providers carry the heavier obligations — the Act's high-risk conformity, documentation and post-market duties fall primarily on them — but deployers are far from obligation-free, and a company can be both (for example, if you fine-tune and rebrand a model, you may step into a provider's shoes for that system).

The worked examples below show how role and market combine to decide scope:

EntityIn scope?Role and trigger
US SaaS vendor selling an AI tool to EU customersYesProvider — placing an AI system on the EU market, Art. 2(1)(a)
UK company whose AI system's output is used in the EUYesProvider or deployer — third country, output used in EU, Art. 2(1)(c)
Swiss provider placing an AI system on the EU marketYesProvider — third-country provider on the EU market, Art. 2(1)(a)
EU-based company using a third-party AI tool internallyYesDeployer — established in the EU, Art. 2(1)(b)
Non-EU firm using AI purely domestically, no EU output or salesNoNo EU market connection — outside Art. 2 triggers

Once you are in scope, the question becomes what you owe. Deployers have real duties: ensuring staff are competent under the Article 4 AI-literacy duty, meeting the Article 50 transparency rules that apply from 2 August 2026, and operationalising all of it in an internal AI use policy. For exactly when each duty bites — and what the Digital Omnibus did and did not move — pin the dates to our corrected post-Omnibus timeline. (Verified on 13 July 2026.)

When does the Act NOT apply to you?

The Act is broad, but it is not universal — and overclaiming universal application helps no one. If your company is based outside the EU, uses AI purely internally, places nothing on the EU market, and none of that system's output is used in the EU, you are likely outside Article 2's scope. The Regulation also excludes certain uses regardless of where you sit: AI used by an individual in a personal, non-professional capacity, and — subject to conditions — systems used solely for scientific research and development or for national-security, defence and military purposes [1][2].

Treat "out of scope", though, as a live status, not a permanent one. The triggers in Article 2 are activity-based, so they attach the instant your circumstances change: the moment your AI system's output is used in the EU, or you begin selling into the EU market, you are in — as a provider or a deployer, depending on your role [1]. The safe posture for any company with EU customers, EU operations or cross-border output is to assume the output trigger could apply and to check your role deliberately, rather than to rely on your address as a shield.

The EU AI Act applies by role and market, not by geography. Under Article 2 it reaches providers who place AI systems on the EU market, deployers established in the EU, and — extraterritorially — any provider or deployer whose AI system's output is used in the EU. US, UK and Swiss firms are caught on those triggers; being outside the EU is not an exemption. Work out your role, check whether you touch the EU market or its output, and if you are in, move on to what you owe.

Generate your own EU AI Act report + document pack — free, in ~20 minutes: https://aiprioritymap.com/en/tools/eu-ai-act

Related insights

  • EU AI Act Compliance: The Documentation Guide — the deployer-first path and the document pack that follows once you are in scope.
  • AI Governance: UK GDPR and the EU AI Act — how the Act's extraterritorial reach mirrors the data-protection rules you already run.
  • The EU AI Act Deadlines After the Digital Omnibus — when each duty applies once your company is in scope.

Last updated: July 2026. Version 1.0.

Frequently Asked Questions

Who does the EU AI Act apply to?+
It applies by role and market, not by location. Under Article 2 it covers providers who place AI systems on the EU market, deployers established in the EU, and any provider or deployer whose AI system's output is used in the EU — plus importers, distributors and AI-bearing product makers.
Does the EU AI Act apply to US companies?+
Yes, whenever a US company crosses an Article 2 trigger. A US vendor selling an AI-enabled tool to EU customers is a provider placing an AI system on the EU market. A US company whose AI system's output is used in the EU is also in scope — no EU office required.
Does the EU AI Act apply to UK companies?+
Yes. Post-Brexit the UK is a third country, but that does not exempt it. A UK firm selling AI into the EU is a provider in scope; a UK firm whose AI system's output is used in the EU is caught under Article 2(1)(c). Serving EU clients is enough to attach scope.
Does the EU AI Act apply to Swiss companies?+
Yes. Switzerland is not an EU or EEA member, so it is a third country for the Act — but the same triggers apply. A Swiss provider placing an AI system on the EU market, or a Swiss firm whose AI output is used in the EU, is in scope exactly like a US or UK company.
What is the difference between a provider and a deployer?+
A provider develops an AI system and places it on the market or puts it into service under its own name (Article 3(3)). A deployer uses an AI system under its authority, other than for personal non-professional use (Article 3(4)). Most companies are deployers — they buy and use AI, they do not build and sell it.
When does the EU AI Act not apply to my company?+
If you are outside the EU, use AI purely internally, place nothing on the EU market and none of the system's output is used in the EU, you are likely outside scope. The Act also excludes purely personal use and, on conditions, some research and national-security uses. Scope attaches the moment output reaches the EU.

Sources

  1. 1.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 2 (scope) and Article 3 (definitions), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024↗
  2. 2.AI Act Service Desk — scope and application of the EU AI Act — European Commission — AI Act Service Desk · 2026↗
  3. 3.Regulatory framework on AI — European Commission — Shaping Europe's Digital Future · 2024↗

Want this run on your business?

AI Foundation Audit — a structured assessment of your AI footprint: integration risks, governance gaps, ROI opportunities. Delivered as a comprehensive report you can act on.

Start your audit →

You receive your Executive Report and Implementation Brief — tailored to your business and delivered immediately.

AI by the math. No deck, no meetings. No call. Just click.

PRODUCTS
  • AI Foundation Audit
  • All products
COMPANY
  • About
  • Contact
  • info [at] easy-audit [dot] ai
LEGAL
  • Terms of Service
  • Privacy Policy
  • AI Transparency
  • Cookie Policy
  • Complaints

© 2026 easyAI · All rights reserved. · easyAI is operated by DDN Consulting s.r.o., based in the EU.

Inspired by ISO/IEC 42001 + NIST AI RMF + EU AI Act principles. easyAI is not a certification body. Our methodology is inspired by ISO 42001 and NIST AI RMF principles; we do not provide formal certification or conformity audits.

easyAI