Why this matters even if you're based in the US
The EU AI Act applies to any organization that deploys or provides AI systems used in the European Union — regardless of where that organization is headquartered. If your company has EU customers, EU employees, or AI systems that produce outputs affecting EU residents, the Act applies to you. The extraterritorial reach mirrors the model established by GDPR, and enforcement will follow the same pattern: regulators will pursue organizations with EU market presence first.
The timeline you need to know
The Act entered into force in August 2024. Most obligations follow a phased implementation schedule. Prohibited AI practices — systems that manipulate behavior, exploit vulnerabilities, or conduct unauthorized biometric surveillance — became enforceable in February 2025. High-risk AI system obligations, which affect the broadest range of commercial deployments, become enforceable in August 2026. General-purpose AI model rules, which cover systems like large language models used in commercial products, became effective in August 2025.
What counts as high-risk
The Act classifies AI systems as high-risk based on the domain in which they operate and the potential for harm to fundamental rights. High-risk categories include AI used in hiring and employment decisions, credit scoring and financial services, educational assessment, healthcare diagnosis and treatment, law enforcement, critical infrastructure management, and systems that determine access to essential public services. If your organization uses AI in any of these domains — including third-party AI tools used for these purposes — you are likely subject to high-risk obligations.
This is the classification question your board should be asking right now: which AI systems we currently use or deploy would be classified as high-risk under the Act? Most organizations cannot answer this question because they have not completed an AI system inventory. That gap is itself a compliance risk.
What high-risk providers must do
Organizations that provide high-risk AI systems face the most substantial obligations. They must implement a quality management system covering the AI development lifecycle, conduct conformity assessments before market placement, register systems in the EU AI Act database, prepare technical documentation demonstrating conformity, and establish post-market monitoring processes. Human oversight mechanisms must be embedded in the system design itself — not bolted on afterward.
Organizations that deploy high-risk AI systems developed by others carry a different but still significant set of obligations. Deployers must conduct fundamental rights impact assessments, implement human oversight, maintain usage logs for a minimum of six months, and report serious incidents to national authorities.
The board conversation you need to have
EU AI Act compliance is not an IT project. It is a governance question that requires board-level attention for three reasons. First, the penalties for non-compliance are material: up to €35 million or 7% of global annual turnover for prohibited practice violations, and up to €15 million or 3% for other violations. Second, compliance requires decisions about which AI systems to continue using and which to modify or retire — decisions with significant business implications. Third, the Act's transparency and accountability requirements will be visible to customers, partners, and regulators in ways that affect market position.
Your board should be asking: Which of our AI systems would be classified as high-risk? Have we completed a fundamental rights impact assessment for those systems? Do we have the technical documentation required for conformity assessment? Is our AI governance program capable of supporting ongoing compliance obligations?
Where to start
The most urgent first step is an AI system inventory. You cannot assess your compliance posture without knowing what AI systems your organization uses, who uses them, for what purpose, and whether any qualify as high-risk under the Act's classification framework. This inventory should cover internally developed systems, third-party AI tools, and AI embedded in enterprise software platforms — the last category being the most commonly overlooked.
Once you have an inventory, the next step is a classification assessment against the Act's risk categories. For systems that qualify as high-risk, a gap analysis against the applicable requirements will define your compliance roadmap. Organizations with August 2026 deadlines for high-risk obligations have a narrow window to complete this work.
Clavant conducts EU AI Act readiness assessments specifically designed for US organizations with EU market exposure. If your organization has not yet assessed its EU AI Act posture, that work should begin now.