Does the EU AI Act Apply to Your Business?

Many organisations assume the EU AI Act only applies to companies headquartered in Europe.

The EU AI Act has extraterritorial reach. This means it can apply to organisations outside the EU, including Australian mid-sized and enterprise businesses.

This article helps you assess, at a high level, whether the EU AI Act may apply to your organisation and where the most common exposure points sit. This article is provided for general information purposes only and does not constitute legal advice.

When the EU AI Act Can Apply Outside the EU

The EU AI Act may apply if your organisation:

  • offers AI-enabled products or services to customers in the EU, or

  • deploys AI systems whose outputs affect individuals located in the EU

Location of headquarters is not determinative. Use, impact, and offering matter more than geography.

Step 1: Are You Using AI?

Start with a broad view. AI under the EU AI Act is defined widely.

AI can include:

  • machine learning systems

  • generative AI tools

  • automated decision-making or scoring systems

  • recommendation, classification, or prediction tools

Think about:

  • Do you use AI internally (e.g. HR, analytics, automation, coding tools)?

  • Is AI embedded in your products or services?

  • Do your vendors use AI as part of what they provide to you?

If the answer is yes to any of these, continue.

Step 2: Does Your AI Interact with EU Users or Markets?

The EU AI Act may apply if your AI systems:

  • are offered to EU-based customers or users

  • support services provided to EU clients

  • influence decisions about people located in the EU

  • are embedded in platforms used by EU residents

This can occur even where:

  • the system is developed outside the EU

  • the organisation has no EU office

  • AI is only one component of a broader service

Think about:

  • Do you have EU customers, users, or counterparties?

  • Do AI outputs affect people located in the EU?

  • Do contracts or platforms operate globally by default?

Step 3: What Type of AI Are You Using?

The EU AI Act classifies AI systems by risk level. Obligations increase with risk.

Broadly, AI systems fall into categories such as:

  • Prohibited AI – certain uses are banned entirely

  • High-risk AI – strict compliance obligations apply

  • Limited-risk AI – transparency obligations apply

  • Minimal-risk AI – generally permitted

High-risk AI commonly includes systems used in:

  • recruitment and employment decisions

  • credit or eligibility assessments

  • education and training

  • access to essential services

  • biometric identification

Think about:

  • Do any AI systems influence employment, pricing, access, or eligibility?

  • Are decisions automated or heavily AI-assisted?

  • Could outcomes materially affect individuals?

Step 4: Are You Relying on Vendors That Use AI?

Many organisations do not build AI themselves but inherit AI risk through vendors.

Common examples:

  • SaaS platforms with AI-driven features

  • analytics, fraud, or scoring tools

  • customer support or chatbot solutions

  • HR or workforce analytics platforms

Under the EU AI Act, vendor AI use can still create compliance obligations for customers, depending on role and deployment.

Think about:

  • Do your vendors disclose AI use clearly?

  • Do contracts address AI compliance responsibilities?

Step 5: Can You Demonstrate Governance?

A recurring issue for mid-sized and enterprise organisations is not technical capability, but governance evidence.

The EU AI Act expects documented processes, not informal controls.

This includes:

  • AI risk assessments

  • data governance and bias controls

  • human oversight arrangements

  • technical documentation

  • monitoring and review processes

Think about:

  • Do you maintain an AI register or inventory?

  • Are AI risks assessed per use case?

  • Is accountability assigned and documented?

Key Takeaway

The EU AI Act may apply to your organisation even if you are not based in Europe.

Exposure often arises through:

  • global customers

  • embedded AI tools

  • vendor platforms

  • automated decision-making

Organisations that perform early scoping and classification are better positioned to manage compliance without slowing adoption.

Disclaimer

This article is provided for general information purposes only and does not constitute legal advice.
It does not take into account your organisation’s specific circumstances, systems, or regulatory obligations. You should obtain tailored legal advice before taking action in relation to the EU AI Act or any AI governance or compliance matters.

