| |

The EU AI Act Is Here. U.S. Companies Operating in Europe Should Act Now.

The EU AI Act has been gradually coming into force since 2024. Phase 1 prohibitions on unacceptable-risk AI took effect in February 2025. Obligations on providers of general-purpose AI (GPAI) models came online in August 2025. Obligations on high-risk AI systems — the substantive core of the Act — phase in through August 2026 and August 2027.

If your business has customers in the EU and uses AI in your products or services, you are likely within the Act’s scope. The Act is extraterritorial: it applies based on where the AI’s output is used, not where your business is located.

What “high-risk” means

The Act designates AI systems as high-risk when used in:

  • Biometric identification and categorization
  • Critical infrastructure (energy, water, transport)
  • Education and vocational training (admissions, scoring)
  • Employment (recruitment, performance, termination)
  • Essential private and public services (credit scoring, social benefits, emergency services)
  • Law enforcement, migration, justice administration

Obligations on high-risk AI

  • Risk management system: continuous, documented, throughout the AI lifecycle.
  • Data governance: training, validation, and testing data must meet quality criteria.
  • Technical documentation: detailed enough for regulators to assess compliance.
  • Logging and traceability: automatic record-keeping of system events.
  • Transparency and human oversight: users must be informed; humans must be able to intervene.
  • Accuracy, robustness, cybersecurity: demonstrable and tested.

What this means for your business

U.S. companies often assume that EU AI obligations only apply to AI vendors. That’s incorrect. If you deploy a high-risk AI system in the EU — using a third-party vendor’s model for hiring, credit scoring, or healthcare triage — you have deployer obligations under the Act, regardless of where the model was built.

Carlson Firm clients with EU exposure are working through three streams in parallel: (1) inventorying AI systems and classifying each against the Act’s risk tiers; (2) negotiating vendor contracts to allocate compliance responsibilities clearly between provider and deployer; and (3) building the internal governance — risk management, human oversight, logging — that the Act requires.

The August 2026 high-risk deadlines are closer than they appear. Companies that wait until Q2 will be working under enforcement pressure rather than ahead of it.

Similar Posts