If your AI system lands in the EU market or its output is used in the EU, you are in scope — regardless of where your company is headquartered.
Last updated April 21, 2026 · Every fact traceable to a public source
The EU AI Act has extraterritorial reach similar to GDPR. Scope is defined by Article 2 and attaches based on who you are (provider, deployer, importer, distributor, or product manufacturer) and where the system's output is used, not where you are based.
Any natural or legal person who develops an AI system or general-purpose AI model, or has one developed, and places it on the EU market or puts it into service under their own name or trademark. Most obligations — especially for high-risk systems — fall on providers.
Anyone using an AI system under their authority, except where the use is purely personal and non-professional. Deployers have lighter but still meaningful obligations: ensure proper use, human oversight, and (for some systems) fundamental-rights impact assessments.
Yes. A non-EU provider placing an AI system on the EU market is in scope. More expansively, a non-EU provider or deployer is in scope when the output of the system is used in the EU — even if neither party has any EU establishment. This matches the GDPR-style extraterritorial model.
Yes. Certain exemptions exist for AI developed or used exclusively for military, defense, or national security purposes; for scientific research and development before placement on market; and for purely personal, non-professional use by individuals. Free and open-source AI has partial exemptions except when placed on the market as a high-risk system or when it is a general-purpose AI model with systemic risk.
This FAQ is editorial. No vendor can pay to be included, highlighted, or ranked in answers. Paid listing tiers affect profile depth only — never rankings or commentary. Read our methodology for details.