Does the EU AI Act Apply to Your Business?

Many organisations assume the EU AI Act only applies to companies headquartered in Europe.

The EU AI Act has extraterritorial reach. This means it can apply to organisations outside the EU, including Australian mid-sized and enterprise businesses.

This article helps you assess, at a high level, whether the EU AI Act may apply to your organisation and where the most common exposure points sit. This article is provided for general information purposes only and does not constitute legal advice.

When the EU AI Act Can Apply Outside the EU

The EU AI Act may apply if your organisation:

  • offers AI-enabled products or services to customers in the EU, or

  • deploys AI systems whose outputs affect individuals located in the EU

Location of headquarters is not determinative. Use, impact, and offering matter more than geography.

Step 1: Are You Using AI?

Start with a broad view. AI under the EU AI Act is defined widely.

AI can include:

  • machine learning systems

  • generative AI tools

  • automated decision-making or scoring systems

  • recommendation, classification, or prediction tools

Think about:

  • Do you use AI internally (e.g. HR, analytics, automation, coding tools)?

  • Is AI embedded in your products or services?

  • Do your vendors use AI as part of what they provide to you?

If the answer is yes to any of these, continue.

Step 2: Does Your AI Interact with EU Users or Markets?

The EU AI Act may apply if your AI systems:

  • are offered to EU-based customers or users

  • support services provided to EU clients

  • influence decisions about people located in the EU

  • are embedded in platforms used by EU residents

This can occur even where:

  • the system is developed outside the EU

  • the organisation has no EU office

  • AI is only one component of a broader service

Think about:

  • Do you have EU customers, users, or counterparties?

  • Do AI outputs affect people located in the EU?

  • Do contracts or platforms operate globally by default?

Step 3: What Type of AI Are You Using?

The EU AI Act classifies AI systems by risk level. Obligations increase with risk.

Broadly, AI systems fall into categories such as:

  • Prohibited AI – certain uses are banned entirely

  • High-risk AI – strict compliance obligations apply

  • Limited-risk AI – transparency obligations apply

  • Minimal-risk AI – generally permitted

High-risk AI commonly includes systems used in:

  • recruitment and employment decisions

  • credit or eligibility assessments

  • education and training

  • access to essential services

  • biometric identification

Think about:

  • Do any AI systems influence employment, pricing, access, or eligibility?

  • Are decisions automated or heavily AI-assisted?

  • Could outcomes materially affect individuals?

Step 4: Are You Relying on Vendors That Use AI?

Many organisations do not build AI themselves but inherit AI risk through vendors.

Common examples:

  • SaaS platforms with AI-driven features

  • analytics, fraud, or scoring tools

  • customer support or chatbot solutions

  • HR or workforce analytics platforms

Under the EU AI Act, vendor AI use can still create compliance obligations for customers, depending on role and deployment.

Think about:

  • Do your vendors disclose AI use clearly?

  • Do contracts address AI compliance responsibilities?

Step 5: Beware the "Shared Responsibility" Trap

Crucially, vendor compliance does not equal customer compliance. Even if your vendor is fully compliant as a "Provider," the Act creates a chain of responsibility.

If you use a high-risk AI system, you (as the "Deployer") generally must:

  • Follow the vendor’s "Instructions for Use" precisely.

  • Implement human oversight (real people watching the AI).

  • Monitor the system for errors or bias.

  • Ensure input data is relevant and representative.

Think about:

  • Do we have the internal governance to follow the vendor’s instructions?

  • If we use the tool incorrectly, does liability shift back to us?

Step 6: Can You Demonstrate Governance?

A recurring issue for mid-sized and enterprise organisations is not technical capability, but governance evidence.

The EU AI Act expects documented processes, not informal controls.

This includes:

  • AI risk assessments

  • data governance and bias controls

  • human oversight arrangements

  • technical documentation

  • monitoring and review processes

Think about:

  • Do you maintain an AI register or inventory?

  • Are AI risks assessed per use case?

  • Is accountability assigned and documented?

Key Takeaway

The EU AI Act may apply to your organisation even if you are not based in Europe.

Exposure often arises through:

  • global customers

  • embedded AI tools

  • vendor platforms

  • automated decision-making

Organisations that perform early scoping and classification are better positioned to manage compliance without slowing adoption.

Free Resource: Vendor Due Diligence Template

Are you unsure if the software you rely on is compliant? Don't guess—ask.

We have created a free Vendor Due Diligence Letter you can send to your software suppliers. This template helps you:

  • Ask the right technical questions about AI integration.

  • Force vendors to clarify if they are a "Provider" or "Deployer."

  • Uncover hidden obligations that may shift liability onto you.

Email us at hello@pixellegal.com.au with the subject line "Vendor Template" and we will send you a copy immediately.

Need Deeper Support?

If you need more than just a template, we can help you map your entire compliance landscape. Contact us at hello@pixellegal.com.au to discuss a Preliminary AI Risk Assessment.

This assessment helps you:

  • Map your exposure: We identify which of your systems or vendor contracts may trigger EU AI Act obligations.

  • Clarify your role: We determine if you are a "Provider" (developer) or "Deployer" (user), so you know exactly which rules apply to you.

  • Prioritise action: We give you a clear roadmap of which compliance gaps to tackle first, avoiding unnecessary work on low-risk tools.

Disclaimer

This article is provided for general information purposes only and does not constitute legal advice.
It does not take into account your organisation’s specific circumstances, systems, or regulatory obligations. You should obtain tailored legal advice before taking action in relation to the EU AI Act or any AI governance or compliance matters.

