EU AI Act · 8 min read · by Lars Zimmermann

Bringing your AI to the EU: what non-EU providers must know about the EU AI Act

From scope to the Authorised Representative under Article 22: how the EU AI Act applies to providers from the US, UK, Switzerland or anywhere else placing AI on the EU market.

Whether you are based in the US, the UK, Switzerland, the Gulf or anywhere else: if your AI system is placed on the EU market — or if its output is used in the EU — the EU AI Act applies to you. This article walks through what that means in practice, role by role.

Does the AI Act actually apply to you?

Article 2(1) is deliberately broad. The Regulation reaches providers who place AI systems on the EU market regardless of their location, and it reaches providers and deployers outside the EU whose system’s output is used in the EU. Three quick examples: a US SaaS company selling AI-powered analytics to European customers is covered. A Swiss medical AI exporter is covered. An Indian back-office whose AI results are sent to an EU operator is covered.

Your role decides your obligations

  • Provider — you develop the AI system (or have it developed) and put it on the EU market under your own name or trademark.
  • Deployer — you use an AI system under your authority in a professional context; a non-EU deployer is covered if the output is used in the EU.
  • Importer — established in the EU, you place on the market an AI system bearing the name of a person established outside the EU.
  • Distributor — anyone else in the supply chain making the system available on the EU market.

Providers and deployers carry the heaviest set of duties; importers and distributors carry due-diligence and corrective-action duties (more on those in the dedicated supplier-audit article).

Authorised Representative (Article 22) — the door key

Before placing a high-risk AI system on the EU market, a non-EU provider must appoint, by written mandate, an Authorised Representative established in the Union. The representative keeps the technical documentation, registers the system in the EU database where required, is the contact point for market-surveillance authorities and may terminate the mandate if the provider acts against AI Act obligations. The minimum content of the mandate is set out in Annex V.

For limited- or minimal-risk AI and for general-purpose AI models there are different mechanisms (a GPAI provider outside the EU must also appoint a representative under the GPAI chapter). The point: identify what kind of system you place on the market before you assume one mechanism fits all.

The conformity path for high-risk systems

  • Classify against Annex III (use-case based) and Annex I (safety component of regulated products under EU harmonisation law).
  • Build the management-system requirements: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping and logs (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness/cybersecurity (Art. 15).
  • Run the conformity assessment (Art. 43) — typically internal control for Annex III systems, with third-party assessment in safety-component cases.
  • Affix the CE marking, draw up the EU declaration of conformity and register the system in the EU database (Art. 71).

What happens if you ignore it

Article 99 sets the maximum fines: prohibited practices up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher; high-risk and other operator violations up to EUR 15 million or 3%; supplying incorrect, incomplete or misleading information up to EUR 7.5 million or 1.5%. SMEs and start-ups are subject to the lower of the two figures. These are caps, not standard fines — but the headline numbers are what boardrooms react to.

The Digital Omnibus may move the high-risk dates

On 7 May 2026 the EU institutions reached a provisional political agreement that would postpone the high-risk applicability — Annex III systems to 2 December 2027 and Annex I to 2 August 2028 — and ease some AI literacy requirements. It is not yet formally adopted. Plan against the original dates and treat the relief as a buffer.

A pragmatic order of operations

  • Decide whether you place AI on the EU market or whether its output is used in the EU.
  • Map your role: provider, deployer, importer, distributor.
  • If you are a non-EU provider of high-risk AI: appoint your Authorised Representative early — the mandate takes time to negotiate.
  • Build a management system (ISO/IEC 42001 is the most direct way to deliver the AI Act’s evidence load).
  • Run the conformity assessment, CE-mark, register, document.

The AI Act does not stop at the EU border. It reaches every provider whose system touches the EU market — but the workload is structured. With the right management system in place, most of it is documentation you would build anyway.

Note on scope: this article covers AI compliance only. Tax, labour, corporate, immigration and contract questions about entering the German or EU market require a licensed German lawyer or tax advisor. I focus on ISO/IEC 42001, ISO/IEC 27001 and AI Act readiness — and work with a network for the rest.

Frequently asked questions

Does the EU AI Act apply to a US-based SaaS company?

If you place an AI system on the EU market — by selling to EU customers, offering through an EU storefront or otherwise making it available — or if the output of your system is used in the EU, yes. Article 2(1) extends the Regulation to providers and deployers outside the EU when there is a clear EU link.

Do I need an Authorised Representative for low-risk AI?

No. The Article 22 mandate is required for non-EU providers of high-risk AI systems before placing them on the EU market. Limited- and minimal-risk systems do not trigger it. General-purpose AI models have their own representative rule under the GPAI chapter.

What about general-purpose AI models (GPAI)?

GPAI has its own chapter (Articles 51–56) with provider obligations such as model documentation, copyright policy and, for models with systemic risk, additional requirements. The GPAI rules apply from 2 August 2025.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor (PECB)

Last updated: 28 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
