The EU AI Act for US Boards: A Reference Guide

Overview

Regulation (EU) 2024/1689, commonly known as the EU AI Act, is the European Union's comprehensive regulation governing artificial intelligence. It entered into force on August 1, 2024, and applies in phases through 2028. The Act is the world's first comprehensive legal framework for AI, predating comparable comprehensive legislation in the United States, the United Kingdom, China, and Canada — though all of those jurisdictions are pursuing AI regulation through other instruments.

For US companies, the EU AI Act is significant for two reasons that are easy to overlook. First, it applies extraterritorially in a range of scenarios that capture most US companies operating in or selling into the EU market. Second, the obligations it imposes — documentation, conformity assessment, post-market monitoring, incident reporting — produce compliance infrastructure that is influencing US AI governance practice generally, similar to how GDPR's privacy infrastructure influenced US privacy practice starting in 2018.

This reference is for US boards, audit committees, GCs, and CCOs. It covers when the Act applies to US companies, how its risk-tier classification works, what high-risk system and GPAI provider obligations require, the application timeline (and the proposed Digital Omnibus deferral of high-risk deadlines), penalties, and practical compliance steps.

When does the EU AI Act apply to US companies?

The Act's extraterritorial reach is articulated in Article 2 and is broader than many US companies initially appreciate. Five distinct scenarios trigger application:

1. The US company is a provider placing an AI system on the EU market

A US company that develops an AI system and licenses, sells, or otherwise makes the system available to EU customers is a provider under the Act. This includes US software companies with EU customers, US cloud-AI services available in the EU, and US AI products distributed by EU resellers. The provider bears the primary substantive obligations under the Act.

2. The US company is a deployer using AI in ways that affect the EU

A US company using an AI system whose output is used in the EU is a deployer under the Act. This includes US companies using AI hiring tools to screen EU candidates, US companies using AI underwriting tools to evaluate EU loan applications, and US companies using AI customer service tools to interact with EU customers.

3. The US company provides a general-purpose AI (GPAI) model used in the EU

A US company that develops a GPAI model — a model designed for general-purpose use, capable of performing distinct tasks — and that is integrated into AI systems available in the EU is subject to GPAI provider obligations. This category captures OpenAI, Anthropic, Google, Meta, and similar developers of foundational models.

4. The US company's AI affects EU residents

Where a US company uses AI to make decisions about EU residents — even without offering products or services in the EU — the Act may apply on the theory that the AI system is being deployed in the EU through its effects on EU persons. This is the most legally contested scenario; companies should treat it as creating risk until the Commission and the Court of Justice of the European Union clarify the boundary.

5. Authorized representatives, importers, and distributors

Article 2 also captures authorized representatives, importers, and distributors of AI systems in the EU. US companies acting through these intermediaries should ensure the intermediaries understand their own obligations under the Act.

Risk-tier classification

The Act's defining structural feature is its four-tier risk classification. Each tier carries a different set of obligations.

Prohibited AI practices

Article 5 prohibits certain AI practices outright. These include: AI systems that exploit vulnerabilities of specific groups (e.g., children, persons with disabilities), social scoring systems used by public authorities, real-time remote biometric identification in publicly accessible spaces by law enforcement (with limited exceptions), AI systems that infer emotions in workplace and educational settings, biometric categorization based on protected characteristics, and untargeted scraping of facial images for facial recognition databases.

The May 7, 2026 political agreement on the Digital Omnibus added a new prohibition on AI systems used to generate non-consensual sexual or intimate content or child sexual abuse material (CSAM).

High-risk AI systems

Annex III of the Act lists AI systems classified as high-risk. The high-risk category includes AI systems used in:

• Biometric identification and categorization (when not prohibited)
• Critical infrastructure (energy, traffic, water)
• Education and vocational training (admissions, evaluation, grading)
• Employment and workforce management (recruitment, candidate selection, performance evaluation, task allocation, monitoring, promotion, termination)
• Access to essential services (credit scoring, social benefits, emergency services)
• Law enforcement
• Migration, asylum, and border control
• Administration of justice and democratic processes

Additionally, AI systems that are safety components of products covered by EU harmonization legislation listed in Annex II (medical devices, toys, lifts, machinery, in vitro diagnostic devices, watercraft, and similar regulated product categories) are automatically classified as high-risk.

Limited-risk AI systems

AI systems that interact with humans, that generate or manipulate content, or that recognize emotions are subject to transparency obligations even when not high-risk. Users must be informed when they are interacting with AI, and AI-generated content must be identifiable as such (with the deepfake transparency provisions advancing on a separate, accelerated timeline under the Omnibus).

Minimal-risk AI systems

AI systems not falling into the prohibited, high-risk, or limited-risk categories are minimal-risk. The vast majority of AI systems in commercial use fall into this category. The Act imposes no specific obligations on minimal-risk systems beyond voluntary codes of conduct.

High-risk system obligations

Companies that provide or deploy high-risk AI systems must comply with an extensive set of substantive obligations. The provider obligations (Articles 16-22) are the most extensive and include:

• Risk management system. Establishment of a continuous, iterative risk management process across the AI system lifecycle (Article 9).
• Data governance. Training, validation, and testing data must meet quality criteria, including being relevant, representative, free of errors, and complete (Article 10).
• Technical documentation. Comprehensive technical documentation must be maintained, available to authorities on request (Article 11).
• Record-keeping. Automatic logging of events throughout the AI system lifecycle (Article 12).
• Transparency and information for deployers. Deployers must receive sufficient information to understand and use the system appropriately (Article 13).
• Human oversight. The system must be designed to allow effective human oversight (Article 14).
• Accuracy, robustness, and cybersecurity. Systems must achieve appropriate levels of accuracy, robustness, and cybersecurity (Article 15).
• Quality management system. Providers must establish a quality management system (Article 17).
• Conformity assessment. Before placing a system on the market, providers must conduct conformity assessment, in some cases involving notified bodies.
• EU declaration of conformity and CE marking.
• Registration in the EU database for high-risk AI systems.
• Post-market monitoring. Ongoing monitoring of system performance and reporting of serious incidents.

Deployers of high-risk AI systems (Article 26) bear narrower but still substantive obligations: using the system per provider instructions, ensuring human oversight, monitoring operation, and — for public authorities and certain other deployers — conducting fundamental rights impact assessments.

GPAI provider obligations

The Act devotes a separate set of obligations to providers of general-purpose AI models (Articles 50-55). These obligations are in force as of August 2, 2025. They include:

• Technical documentation for the model and its training process
• Information for downstream providers who integrate the GPAI model into their AI systems
• Compliance with Union copyright law, including respect for opt-out mechanisms in text and data mining
• Public summary of training data sufficient for copyright holders to identify potentially copyrighted content

Providers of GPAI models that present systemic risk — a category that captures the largest and most capable foundation models — face additional obligations including model evaluations, serious incident tracking, cybersecurity protections, and reporting to the AI Office.

Application timeline

The EU AI Act phases in over four years following entry into force on August 1, 2024:

• February 2, 2025 — Prohibited AI practices ban and AI literacy obligations took effect
• August 2, 2025 — Governance provisions and GPAI provider obligations took effect; the AI Office became operational
• August 2, 2026 (original) — High-risk system obligations for stand-alone systems take effect
• August 2, 2027 (original) — Full applicability, including obligations for high-risk systems embedded in regulated products and certain transitional rules

The Digital Omnibus proposal would adjust the high-risk timeline (see next section).

The Digital Omnibus deferral

On November 19, 2025, the European Commission published the Digital Omnibus on AI — a legislative proposal to amend the AI Act in light of delays in the development of harmonized standards and the establishment of national competent authorities. The most consequential change is the deferral of high-risk system obligations.

On May 7, 2026, the European Council and Parliament reached a political agreement on the Omnibus. The provisional agreement includes:

• Stand-alone high-risk AI systems: compliance deadline deferred from August 2, 2026 to December 2, 2027
• High-risk AI systems embedded in regulated products: compliance deadline deferred from August 2, 2027 to August 2, 2028
• Transparency provisions for AI-generated content: grace period reduced from 6 months to 3 months, with new deadline of December 2, 2026
• New prohibition on AI used to generate non-consensual sexual or intimate content or child sexual abuse material
• Regulatory sandbox deadline postponed to August 2, 2027

As of the date of this article (May 9, 2026), the political agreement has not yet been formally adopted. Formal adoption typically follows political agreement by 2-4 months. Until formal adoption, the original August 2, 2026 deadline for high-risk obligations remains the operative legal date.

For US boards, the practical implication is to continue compliance preparation against the original timeline. The Omnibus does not relieve any substantive obligation; it only shifts the deadline. All preparation work — risk management systems, data governance, technical documentation, conformity assessment procedures, post-market monitoring — remains required. The additional time provided by the Omnibus is best used for refinement and external review of compliance posture, not for delaying the work.

Penalties

The EU AI Act establishes tiered administrative fines based on the severity of the violation:

Violation category	Maximum fine
Prohibited AI practices (Article 5)	€35 million or 7% of worldwide annual turnover, whichever is higher
Other Act violations (high-risk obligations, GPAI obligations, etc.)	€15 million or 3% of worldwide annual turnover
Supplying incorrect, incomplete, or misleading information to authorities	€7.5 million or 1% of worldwide annual turnover

Fines apply to both EU and non-EU companies offering AI systems in the EU. Smaller companies and SMEs may be subject to reduced maximum amounts under proportionality principles, but the worldwide turnover percentages are an absolute cap with no carve-out.

EU governance and enforcement

Enforcement is shared between two layers:

The AI Office

Established within the European Commission and operational since August 2025, the AI Office is responsible for governing GPAI provider obligations, coordinating across Member States, and enforcing rules on a subset of certain AI systems. The AI Office is the primary point of contact for US companies on GPAI obligations.

National competent authorities

Each EU Member State designates one or more national competent authorities to oversee and enforce the Act's rules within its territory. These authorities handle enforcement of high-risk system obligations, market surveillance, and most penalty determinations. The pace of authority designation has been slower than originally anticipated, contributing to the Digital Omnibus deferral rationale.

The European AI Board

A coordination body composed of representatives from each Member State, supporting consistent application of the Act across the EU.

Interaction with US frameworks

US companies subject to the EU AI Act are typically also subject to one or more US frameworks. The interaction patterns to understand:

NIST AI Risk Management Framework

The NIST AI RMF (NIST AI 100-1) is voluntary in the US but increasingly referenced in federal procurement, sector-specific guidance, and state regulation. Adopting NIST AI RMF practices produces documentation and processes that materially overlap with EU AI Act obligations. Most US multinationals build a unified AI governance program using NIST as the architectural framework, then layer in EU-specific obligations (CE marking, EU database registration, EU declaration of conformity) where applicable.

ISO/IEC 42001

ISO/IEC 42001 (the AI management system standard) maps closely to EU AI Act obligations. Companies pursuing ISO 42001 certification are building infrastructure substantially equivalent to what the EU AI Act requires. The European Commission has indicated that harmonized standards under the Act will likely incorporate or reference ISO 42001, though the formal harmonization process is one source of the standards delays that prompted the Omnibus deferral.

State AI laws

For US companies subject to both the EU AI Act and state laws like Illinois HB 3773, Colorado AI Act, NYC LL 144, or California ADMT, the practical compliance approach is to build a unified governance program that satisfies the most rigorous applicable requirement at each component. The EU AI Act's high-risk system obligations typically set the most rigorous bar; satisfying those generally satisfies parallel US state obligations as a matter of substantive compliance, though the formal compliance artifacts (notices, audit trails, regulatory filings) differ across jurisdictions.

Practical compliance steps for US companies

A US company evaluating its EU AI Act exposure should work through the following sequence:

Step 1 — Determine applicability

Map the company's AI activities against the five extraterritoriality scenarios above. Document the determination in writing. For activities that do not clearly fall in or out of scope, treat them as in-scope and revisit if and when the Commission or Court of Justice clarifies the boundary.

Step 2 — Build the AI inventory

Catalog every AI system in scope. For each, document: the function, the EU exposure, the role (provider, deployer, both), the risk-tier classification, and the relevant obligations.

Step 3 — Classify each system into risk tiers

For each in-scope AI system, determine whether it is prohibited, high-risk, limited-risk, or minimal-risk. The high-risk determination requires careful analysis of Annex III categories and Annex II product types. Document the classification and the rationale.

Step 4 — Build compliance posture for high-risk and GPAI systems

For each high-risk system or GPAI model, build the substantive compliance infrastructure: risk management system, data governance, technical documentation, record-keeping, human oversight, accuracy and robustness measures, quality management system, conformity assessment, EU database registration, and post-market monitoring.

Step 5 — Establish governance and reporting

Designate the board committee responsible for EU AI Act oversight (typically audit, risk, or technology committee). Establish a quarterly reporting cadence. Document the oversight in committee minutes.

Step 6 — Engage with the EU regulatory process

Monitor the Commission's guidance, the AI Office's pronouncements, the development of harmonized standards, and the formal adoption of the Digital Omnibus. Participate in public consultations where applicable. Build relationships with the relevant national competent authorities in Member States where the company has significant operations.

Step 7 — Coordinate with US compliance frameworks

Build a unified governance program that satisfies the EU AI Act alongside applicable US frameworks (NIST, state laws, sector regulations). Do not run parallel programs; they will diverge over time and produce contradictory outputs.

---

This article was last reviewed on May 9, 2026, two days after the European Council and Parliament reached political agreement on the Digital Omnibus. The article will be updated when the Omnibus is formally adopted (expected mid-to-late 2026), when the AI Office issues additional guidance, and quarterly otherwise. For US companies preparing for EU AI Act compliance alongside applicable US state and federal frameworks, see the Multi-Jurisdictional AI Compliance Review service. The Illinois AI Legislative Ecosystem tracker provides parallel real-time tracking of US state AI regulatory developments.