Article 2(1) of the EU AI Act has no geographic carve-out for non-EU providers. If your AI system reaches EU users or produces outputs used in the EU, you face the same obligations and penalties as EU-based companies — with one additional step.
Same penalties — no geographic discount
Non-EU providers face the full penalty scale under Art 99: up to €35M / 7% for prohibited practices, €15M / 3% high-risk violations, and €7.5M / 1% for incorrect information. Enforcement is via EU market surveillance authorities (Arts 74–84) acting against the AI system placed on the EU market — not against the provider's home jurisdiction.
Unsure if your AI system is in scope under EU law? Regumatrix runs the Art 2(1) scope test and full classification in under a minute →
If any one of these applies to your AI system, you are subject to the EU AI Act. They are not a hierarchy — meeting any trigger is sufficient.
Providers placing an AI system on the EU market are covered regardless of whether the provider is established in the Union or a third country. 'Placing on the market' means first making the system available for distribution or use in the Union.
Providers and deployers of AI systems where the output is used in the Union are in scope — even if neither the provider nor the deployer has any EU presence. A US company whose AI output is used by EU clients or affects EU residents is covered under this limb.
Importers (Art 3(6)) and distributors (Art 3(7)) who operate within the EU supply chain have their own, lighter obligations under Arts 23–24. The product manufacturer or provider does not escape obligations simply because EU distribution is handled by a third party.
Providers of high-risk AI systems established outside the Union must appoint an authorised representative established in the EU (Art 22) before placing the system on the market. The representative acts on the provider's behalf for EU regulatory purposes.
The EU AI Act does not apply to AI systems used exclusively for military, national security, or purely personal non-commercial purposes — or to AI research and development before any market placement. These exclusions are narrow; a dual-use system that has any commercial deployment in the EU does not qualify.
Non-EU providers follow the same compliance path as EU providers, plus the authorised representative step. These steps apply if you are placing a high-risk AI system on the EU market for the first time.
Apply the Art 2(1)(a)–(f) triggers to your system. If any trigger is met, you are subject to the EU AI Act. Scope exclusions under Art 2(3) apply only to military, national security, and purely personal non-commercial use outside the Union.
Determine if your system performs a function listed in Article 5 (prohibited), Annex III (high-risk), or Article 50 (limited-risk transparency obligations). The obligations stack — high-risk systems must also comply with Article 50 where relevant.
For high-risk AI systems, appoint a natural or legal person established in the EU before placing the system on the market. The representative's details must appear in technical documentation and the EU AI database registration.
Conduct the applicable conformity assessment — for most Annex III systems, internal control under Annex VI; for certain biometric and safety component systems, accredited notified body involvement under Annex VII. Compile technical documentation to the Annex IV standard.
High-risk AI system providers must register in the EU database maintained by the AI Office before or at the point of placing the system on the market or into service. The registration is public. Some providers of general-purpose AI models must also register under Article 71(2).
For providers of high-risk AI systems established outside the EU, Art 22 requires appointment of an authorised representative before placing the system on the EU market. The representative must:
Note: the authorised representative carries obligations but not the full provider liability. If the provider fails to comply, enforcement actions run against the provider — the representative is not a shield.
Before placing your AI system on the EU market, verify you have:
No changes are proposed under COM(2025) 836 or COM(2025) 837 to the territorial scope provisions under Art 2 or the authorised representative requirement under Art 22.
Yes. Article 2(1)(a) covers providers placing an AI system on the Union market regardless of whether those providers are established in the Union or in a third country. Article 2(1)(c) additionally covers providers and deployers where the output produced by the AI system is used in the Union. Physical presence in the EU is not required — what matters is whether the AI system's reach and outputs affect EU residents. This mirrors the GDPR's extraterritorial reach and is a deliberate policy choice by the EU legislator.
An authorised representative is a natural or legal person established in the Union who holds a written mandate from a provider established outside the Union to carry out specified obligations on the provider's behalf (Article 3(5)). For providers of high-risk AI systems established outside the EU, appointing an authorised representative before placing the system on the EU market or putting it into service is required under Article 22. The representative's name and contact details must appear in the EU database (Article 71) and in the Declaration of Conformity. For non-high-risk AI, there is no mandatory authorised representative requirement — though some providers appoint one for operational convenience.
No, unless the reseller substantially modifies the system or puts their own trademark on it. A reseller who simply distributes your AI product without modification is a distributor (Article 3(7)) or importer (Article 3(6)) — their obligations are lighter (Art 23–24). You, the original developer, remain the provider and retain all provider obligations under the EU AI Act. However, if the reseller puts their own brand on the system, makes substantial modifications that remain high-risk, or changes the intended purpose to make it high-risk, they become the provider under Article 25.
The same requirements apply. There is no geographic discount on compliance obligations or penalties. A non-EU provider of a high-risk AI system must complete the same conformity assessment, maintain the same technical documentation under Annex IV, register in the EU AI database under Article 71, issue the same Declaration of Conformity, and affix CE marking as an EU-based provider. The only additional step is the authorised representative requirement under Article 22. Penalties under Article 99 apply regardless of where the provider is established — enforcement is via market surveillance of the EU market where the product is placed.
Not reliably. If your AI system is offered globally or accessible to EU users, or if your EU-based clients use your system such that outputs affect EU residents, you are likely in scope under Article 2(1)(a) or (c). Terms of service restrictions do not reliably prevent scope application where actual usage in the Union is objectively foreseeable. The test is whether the system is placed on the EU market or its outputs are used in the EU — not whether the provider intended EU users to have access.
AI Provider Obligations
Full Chapter III provider obligation stack — Arts 9–21, conformity, CE marking
EU AI Act Fines and Penalties
Four penalty tiers — €35M/7%, €15M/3%, SME inverse cap explained
High-Risk AI Checklist
Classify your system against all 8 Annex III domains
Prohibited AI Practices — Article 5
All 8 banned uses — these apply globally regardless of provider location
General-Purpose AI Models (GPAI)
Arts 53–55 obligations for GPAI model providers, including non-EU developers
EU AI Act Overview
Full regulatory structure — risk categories, timelines, obligation map
Regumatrix runs the Art 2(1) scope test, classifies your system, and returns a clear compliance roadmap — covering authorised representative, conformity assessment, documentation, and registration requirements.
Get started free