The EU AI Act is now fully in effect, and its impact is being felt far beyond Europe. Here's what US companies need to know.
Who It Affects
The Act applies to any company whose AI systems are used in the EU market, even if the company itself is based in the US. If you have EU customers, your AI features need to comply. This includes everything from recommendation algorithms to customer service chatbots to hiring tools.
Risk Categories
The Act classifies AI systems into four risk tiers:
- Unacceptable risk: Banned entirely. Includes social scoring, real-time biometric surveillance in public spaces, and manipulative AI that exploits vulnerabilities.
- High risk: Subject to strict requirements. Covers AI in hiring, credit scoring, medical devices, education, and critical infrastructure. Requires conformity assessments, human oversight, and documentation.
- Limited risk: Transparency obligations only. Users must be informed they are interacting with AI (chatbots, deepfakes).
- Minimal risk: No additional requirements. Most consumer-facing AI (spam filters, AI-powered video games) falls here.
What US Companies Should Do Now
- Audit your AI systems: Create an inventory of all AI systems in use or development, and classify each by risk tier.
- Document everything: High-risk systems need detailed technical documentation, including training data provenance, testing methodology, and human oversight protocols.
- Build compliance into the pipeline: If you're developing AI features, involve legal early. The cost of retrofitting compliance is significantly higher.
- Monitor enforcement: The first major enforcement actions are expected in Q3 2026. Watch how they play out; they'll set the tone.