EU AI Act 2026: what changes for non-EU companies
EU AI Act fully applicable from August 2026 (Annex III postponed to Dec 2027 via the Omnibus). Risk categories, obligations for non-EU companies serving the EU, practical deadlines. Translated from the PT-BR original.
Why you (non-EU company) should care
The EU AI Act is European regulation. But Article 2 (Territorial Scope) makes it clear: it applies to any company that places an AI system in the European market OR whose system output is used inside the EU.
In plain words: if you’re a SaaS in the US, Brazil, India, or anywhere else selling to European clients, you’re in scope. If you have European users on your product (even free users), you’re in scope. If your company serves Portugal, Spain or Germany in any way, the AI Act applies.
Maximum fine: up to EUR 35 million or 7% of global revenue, whichever is higher.
This post is the overview we apply when consulting non-EU companies who discover they are exposed to the AI Act.
Timeline 2026 — where we are
The AI Act formally entered into force on August 2, 2024. Obligations phased in:
- Feb 2, 2025: prohibited practices + AI literacy obligation (in force).
- Aug 2, 2025: governance rules + GPAI obligations (Claude, GPT, Gemini, etc.) — in force.
- Aug 2, 2026 (original): full application, including Annex III (high-risk systems).
- AI Act Omnibus deal — May 7, 2026: Annex III postponed to Dec 2, 2027 (+16 months). Article 50 transparency pulled forward to Dec 2, 2026.
Status today (May 2026):
- In force now: AI literacy + GPAI rules + prohibited practices.
- In force Dec 2026 (short-term): Article 50 — transparency on synthetic content + nudifier ban.
- In force Dec 2027 (medium-term): Annex III — high-risk systems (HR, scoring, biometrics, etc.).
The 4 risk categories
Category 1: prohibited
In force since Feb 2025. Categorically banned practices:
- Government social scoring (China-style).
- Subliminal manipulation.
- Exploitation of vulnerability (age, mental condition).
- Biometric categorization by sensitive attributes (race, religion, sexual orientation).
- Real-time remote biometric identification in public spaces (strict law-enforcement exceptions only).
For mid-market non-EU companies: in practice, no SMB hits these. Big tech can.
Category 2: high-risk (Annex III) — postponed to Dec 2027
Systems where a failure has a significant impact on fundamental rights. The Annex III list:
- Safety components in regulated products (toys, machinery, medical devices).
- Biometrics for identification or categorization.
- Critical infrastructure management (water, electricity, transport).
- Education and vocational training — system deciding admission, evaluation, allocation.
- Human resources — recruitment, CV screening, performance evaluation, scoring for promotion/dismissal.
- Access to essential services (welfare, financing, credit scoring).
- Law enforcement.
- Migration / asylum / border control.
- Administration of justice and democratic processes.
For non-EU companies, the most common cases hitting Annex III:
- HR-tech selling screening to an EU enterprise.
- Fintech with credit scoring serving an EU customer.
- Edtech with automated evaluation used by an EU school.
Obligations (when in force):
- Documented risk management system.
- Auditable training and test dataset.
- Detailed technical documentation.
- Audit trail of outputs.
- Mandatory human oversight.
- Demonstrable robustness + cybersecurity.
- Registration in the EU database for high-risk systems.
- Conformity assessment before market placement.
Category 3: limited risk (Article 50) — in force Dec 2026
Transparency obligations:
- Systems interacting with humans (chatbots) — user must know they are talking to AI.
- Systems generating synthetic content (image, video, audio, text) — output must be marked as AI-generated, machine-readable.
- Explicit deepfake — nudifier prohibition + obligation to mark deepfakes.
- Emotional recognition + biometric categorization — disclosure to user.
For mid-market non-EU, this hits sooner. If you:
- Run a WhatsApp/web chatbot serving EU customers → need disclaimer.
- Generate image or video via AI for an EU-targeted campaign → need machine-readable watermark (C2PA is the emerging standard).
- Use voice cloning or AI avatars → same.
Category 4: minimal risk — no specific obligations
Everything else. But even here, the AI literacy obligation (Article 4), already in force, requires that the staff operating AI have minimum training.
Practical roadmap for non-EU companies
Phase 1 — Mapping (month 1)
List all AI systems you use OR offer. For each:
- What risk category?
- Which EU countries are you in (including cookies + leads + transactions)?
- Is European personal data processed?
Output: a simple matrix of system × category × EU exposure.
Phase 2 — Article 50 quick wins (months 2-6, before Dec 2026)
Action items for chatbot + content generators:
- Chatbot: add clear disclaimer on first message (“This is an automated assistant”).
- Synthetic content: implement C2PA or equivalent metadata on all AI generation output going to an EU audience.
- Usage documentation: internally log every case where your AI generates synthetic content, and keep an audit trail.
Typical cost: 40-80 hours of eng + design. Do it now, not later.
Phase 3 — Annex III preparation (months 6-18, before Dec 2027)
If you’re in an Annex III category:
- Governance: appoint DPO (Data Protection Officer) or equivalent. Create documented AI risk policy.
- Dataset hygiene: document origin, content, known bias of each training dataset. For model vendors (Claude/GPT/Gemini), request AI Act compliance statement.
- Audit trail: implement complete logging of inputs + outputs + automated decisions. Retain for at least 6 months.
- Human oversight: ensure every high-stakes decision can be reviewed by a human. Can’t be fully autonomous.
- Robustness: adversarial tests, security review, incident plan.
- Conformity assessment: hire EU-certified entity OR self-assess following CE standard.
Typical cost for SMB with 1-2 high-risk systems: USD 60k-200k over 18 months. Not trivial.
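As an added example (not the post's own code, and not a regulator's reference implementation), here is a small Python audit-trail module that covers the logging items from Phase 2 ("internally log every case where your AI generates synthetic content, keep an audit trail") and Phase 3 ("complete logging of inputs + outputs + automated decisions, retain for at least 6 months"; "every high-stakes decision can be reviewed by a human"). Everything about its shape is an assumption of mine: the names AuditTrail and DecisionRecord, the in-memory store, the 183-day retention floor standing in for "at least 6 months", and the rule that an unreviewed high-risk decision is never purged.

```python
"""Audit trail for AI-assisted decisions (added example, not the post's code).

Assumptions made here: an in-memory store (use append-only durable storage in
production), a 183-day retention floor standing in for "at least 6 months",
and a record shape chosen by the deployer, not prescribed by the Act.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

RETENTION_FLOOR = timedelta(days=183)  # roadmap item: retain for at least 6 months


@dataclass
class DecisionRecord:
    record_id: str
    system_id: str          # the entry from the Phase 1 mapping matrix
    risk_category: str      # "prohibited" | "high" | "limited" | "minimal"
    timestamp: str          # ISO 8601, UTC
    input_digest: str       # SHA-256 of the input: keeps raw personal data out of the log
    output: str
    automated_decision: Optional[str]   # e.g. "shortlist" / "reject"; None if advisory only
    synthetic_content: bool             # Article 50: output is AI-generated and must be marked
    human_reviewed: bool = False
    reviewer: Optional[str] = None


class AuditTrail:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._records: dict[str, DecisionRecord] = {}
        self._seq = 0
        # Injectable clock so the retention logic can be tested deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, system_id: str, risk_category: str, raw_input: str, output: str,
               automated_decision: Optional[str] = None,
               synthetic_content: bool = False) -> DecisionRecord:
        now = self._clock()
        self._seq += 1
        rec = DecisionRecord(
            record_id=f"{system_id}-{self._seq:06d}",
            system_id=system_id,
            risk_category=risk_category,
            timestamp=now.isoformat(),
            input_digest=hashlib.sha256(raw_input.encode("utf-8")).hexdigest(),
            output=output,
            automated_decision=automated_decision,
            synthetic_content=synthetic_content,
        )
        self._records[rec.record_id] = rec
        return rec

    def requires_human_review(self, rec: DecisionRecord) -> bool:
        # Human-oversight item: a high-risk system may not decide autonomously.
        return (rec.risk_category == "high"
                and rec.automated_decision is not None
                and not rec.human_reviewed)

    def pending_review(self) -> list[DecisionRecord]:
        return [r for r in self._records.values() if self.requires_human_review(r)]

    def mark_reviewed(self, record_id: str, reviewer: str) -> DecisionRecord:
        rec = self._records[record_id]
        rec.human_reviewed = True
        rec.reviewer = reviewer
        return rec

    def purge_expired(self) -> int:
        """Delete records older than the retention floor (data minimisation).
        Nothing younger than six months is removed, and a high-risk decision that
        still awaits human review is kept regardless of age. Returns count purged."""
        cutoff = self._clock() - RETENTION_FLOOR
        expired = [rid for rid, r in self._records.items()
                   if datetime.fromisoformat(r.timestamp) < cutoff
                   and not self.requires_human_review(r)]
        for rid in expired:
            del self._records[rid]
        return len(expired)

    def export_jsonl(self) -> str:
        # One JSON object per line: the shape an auditor or conformity assessor can ingest.
        return "\n".join(json.dumps(asdict(r), sort_keys=True)
                         for r in self._records.values())

    def __len__(self) -> int:
        return len(self._records)
```

The two design choices worth copying are hashing the input rather than storing it (the trail proves what was processed without becoming a second store of personal data under GDPR) and making "needs a human" a property of the record, so the oversight gap is queryable instead of being a policy statement nobody can verify.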
Strategic decision
If you’re in Annex III and don’t see clear return from the EU market:
- Option A: invest in compliance, keep the market. Makes sense if EU is > 20% of revenue or strategic for next 3 years.
- Option B: geo-fence the product. Stop serving EU. Makes sense if EU is < 10% of revenue and compliance would cost more than that revenue.
There’s no Option C: “ignore and hope to not get caught”. A fine of 7% of global revenue collapses a company.
What US AI vendors are doing
Anthropic, OpenAI, Google have published AI Act compliance statements for use of their models. When you use Claude/GPT/Gemini in your system, part of the burden is theirs (they’re the “provider” of the GPAI). You’re the “deployer” in AI Act language.
This means: you don’t have to document Claude’s training (Anthropic does). But you do have to document how you USE Claude in your system, especially if it’s high-risk.
Ask vendors for:
- AI Act compliance statement.
- DPA (Data Processing Agreement).
- Technical document on robustness + known bias.
Anthropic and Google have this ready in 2026. OpenAI too. If a vendor doesn’t have it, consider migrating.
Comparison with US / Brazil / other regulations
| Aspect | EU AI Act | Brazil PL 2338/2023 | US (state-level + EO) |
|---|---|---|---|
| Status | In force | In discussion, likely 2027 | Patchwork: NIST AI RMF + state laws (CA, NY, CO) |
| Structure | 4 risk categories | Similar, based on EU AI Act | Sectoral (HIPAA, ECOA, FCRA) |
| Fine | 7% revenue or EUR 35M | TBD, likely similar | Varies; FTC enforcement increasing |
| LGPD/GDPR overlap | Yes, complementary | LGPD in force; AI Act BR would be additional | HIPAA for health; CCPA for consumer |
Strategy: company that prepares for EU AI Act will be 80% ready for AI Act BR when it arrives, and substantially aligned with US sectoral requirements.
FAQ
I’m a US freelancer selling prompt engineering services to an EU client. Am I affected? If you only sell a service (don’t deploy an AI system), you’re neither “provider” nor “deployer” in the AI Act sense. Your client is, and may request documentation about the work.
I have a B2B SaaS with 5% EU customers. Worth the compliance? Depends. If you fall in limited-risk category (chatbot + content), yes — effort is small. If Annex III high-risk, consider geo-fence or comply only if strategic.
Is Anthropic Claude AI Act compliant? Yes. Anthropic published the Mythos System Card covering AI Act requirements for GPAI. Check current version.
Can I be punished for a European user accessing my US/BR site without me wanting? Technically yes if you offered the AI service to them. Proactive geo-fence (IP-based) is a reasonable defense.
Next steps
- Apply Phase 1 (mapping) to your stack this month. It’s 2-4 hours of self-assessment.
- SkilLab Workshop — Consulting & Training. AI Act + local data protection compliance implementation for non-EU companies.
- SkilLab AI Newsletter.
Also read
- Internal AI usage policy — template — editable template.
- AI in HR — legal limits — particular Annex III case.
- Agent Trust Stack — policy file in YAML — Trust Stack as code.
By Ivan Prado · SkilLab AI · May 2026. Translated and adapted from the PT-BR original.