AI Act Compliance — Law27.eu Resources

AI Act Compliance for Non-EU Businesses

Regulation (EU) 2024/1689 · Applicable from August 2024 (phased) · Document preparation guide

01. What the AI Act Is

Regulation (EU) 2024/1689, commonly known as the AI Act, is the world’s first comprehensive legal framework governing artificial intelligence systems. It entered into force on 1 August 2024 and applies in a phased manner through 2027.

The AI Act establishes a risk-based classification system for AI systems and places obligations on providers, deployers, importers, and distributors operating in or affecting the EU market. It is directly applicable across all 27 EU member states without requiring transposition into national law.

Scope in one sentence: If your AI system is placed on the EU market, put into service in the EU, or its output is used in the EU, the AI Act applies to you, regardless of where your company is incorporated.

02. Does It Apply to You?

The AI Act applies extraterritorially. A company incorporated in the United States, United Kingdom, or anywhere outside the EU is still subject to the Regulation if either of the following conditions is met:

  • the AI system or GPAI model is placed on the EU market (sold, licensed, or otherwise made available);
  • the output of the AI system is used within the EU — even if the system itself operates entirely outside EU territory.

The Regulation targets four categories of actors in the AI value chain:

  • Providers — entities that develop or have an AI system developed and place it on the market or put it into service under their own name or trademark.
  • Deployers — entities or natural persons that use an AI system in a professional context (businesses using AI tools internally or in customer-facing processes).
  • Importers — entities established in the EU that place on the market an AI system supplied by a provider established outside the EU.
  • Distributors — entities in the supply chain, other than the provider or importer, that make an AI system available on the EU market.

Each role carries distinct obligations. A single company may simultaneously act as provider and deployer, triggering obligations under both categories.

03. Risk Classification

The AI Act organises AI systems into four risk tiers. The tier determines which obligations apply and how stringent they are.

| Tier | Examples | Outcome |
| --- | --- | --- |
| Unacceptable Risk | Social scoring by public authorities; real-time biometric surveillance in public spaces; manipulation of vulnerable groups | Prohibited |
| High Risk | CV screening and recruitment tools; creditworthiness assessment; AI in medical devices; biometric identification; critical infrastructure management | Full compliance obligations |
| Limited Risk | Chatbots; AI-generated content; emotion recognition systems | Transparency obligations |
| Minimal Risk | Spam filters; AI-enabled video games; inventory management tools | No mandatory requirements |

General-purpose AI (GPAI) models — including large language models — are subject to a separate framework within the AI Act, with additional obligations applying to models presenting systemic risk (defined as models trained with computing power exceeding 10²⁵ FLOPs).

04. Phased Implementation Timeline

The AI Act does not apply all at once. Obligations enter into force in stages:

  • 1 August 2024 — Regulation enters into force.
  • 2 February 2025 — Prohibited AI practices become enforceable. AI literacy obligations for providers and deployers apply.
  • 2 August 2025 — GPAI model obligations apply. Governance structure (AI Office, national authorities) operational.
  • 2 August 2026 — High-risk AI system obligations under Annex I apply. Notified body requirements for conformity assessment.
  • 2 August 2027 — High-risk AI systems under Annex II (embedded in regulated products) must comply.

Note on timing: The prohibited practices deadline (February 2025) has already passed. If your system falls into the unacceptable risk category and has not been discontinued or restructured, enforcement exposure is live.

05. Key Obligations by Role

Providers of High-Risk AI Systems

  • Establish and maintain a quality management system (QMS).
  • Conduct and document conformity assessment before placing the system on the EU market.
  • Draw up EU Declaration of Conformity and affix CE marking where required.
  • Register the system in the EU database for high-risk AI systems.
  • Prepare and maintain technical documentation demonstrating compliance.
  • Implement post-market monitoring and report serious incidents to national authorities.
  • Appoint an EU-established authorised representative if the provider is outside the EU.

Deployers of High-Risk AI Systems

  • Use AI systems only for their intended purpose as described in the provider’s instructions.
  • Implement human oversight measures as specified by the provider.
  • Conduct and document a fundamental rights impact assessment (FRIA) where required.
  • Monitor the system’s operation and report incidents to the provider.
  • Keep logs of system operation for the required retention period.

Providers of GPAI Models

  • Prepare and maintain technical documentation of the model.
  • Publish and maintain a summary of training data used (copyright compliance).
  • Comply with EU copyright law, including by establishing a policy on text and data mining.
  • For systemic-risk models: conduct adversarial testing, report serious incidents, implement cybersecurity measures.

All Actors (Limited Risk)

  • Ensure users are informed when they are interacting with an AI system (chatbot transparency).
  • Label AI-generated content, including synthetic audio, video, and images.

06. Required Documentation

Documentation is central to AI Act compliance. Most obligations for high-risk systems cannot be met without a complete, accurate, and up-to-date documentary record. The following documents are required or recommended depending on the applicable risk tier and role:

Technical Documentation (Annex IV)

A structured record describing the AI system’s purpose, capabilities, design logic, training data, performance metrics, risk management measures, and post-market monitoring plan. Required for all high-risk AI system providers before placing the system on the EU market.

EU Declaration of Conformity

A formal declaration, signed by the provider, confirming that the AI system meets all applicable requirements of the AI Act. Must reference the specific provisions with which the system complies and be kept updated throughout the system’s lifecycle.

Instructions for Use

Concise, complete documentation addressed to deployers, describing the system’s intended purpose, performance characteristics, known limitations, human oversight requirements, and technical specifications for integration.

Fundamental Rights Impact Assessment (FRIA)

Required for deployers who are public bodies or private entities providing certain public services. Must assess the impact of high-risk AI use on fundamental rights, including non-discrimination, privacy, and due process.

Quality Management System Documentation

Internal policies, procedures, and records constituting the QMS. Must cover the full lifecycle: design, development, testing, deployment, monitoring, and incident response.

GPAI Model Documentation

Technical documentation and training data summary for general-purpose AI model providers. For systemic-risk models, extended documentation covering adversarial testing results and incident logs is additionally required.

Document preparation note: Law27.eu assists businesses in preparing the full suite of AI Act compliance documentation, from technical documentation and declarations of conformity to instructions for use and FRIA frameworks, drafted to the regulatory standard required under Regulation (EU) 2024/1689.

07. Penalties

Non-compliance with the AI Act carries significant financial exposure. Penalties are calculated as the higher of a fixed maximum or a percentage of global annual turnover:

  • Prohibited AI practices: up to €35,000,000 or 7% of total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Non-compliance with other obligations (high-risk systems, GPAI models): up to €15,000,000 or 3% of total worldwide annual turnover.
  • Incorrect or misleading information provided to authorities: up to €7,500,000 or 1% of total worldwide annual turnover.

For SMEs and start-ups, the lower of the two figures (absolute cap or percentage) applies where the percentage-based calculation would yield a higher amount than the fixed cap — providing partial protection, though not exemption.

Enforcement is carried out by national market surveillance authorities and, for GPAI models, by the AI Office at EU level. Member states are required to designate competent authorities and establish effective, proportionate, and dissuasive penalty regimes.

08. Next Steps for Your Business

A structured approach to AI Act compliance typically follows four stages:

  1. Inventory and classification. Map all AI systems used or offered by your business. Determine which role you occupy (provider, deployer, importer, distributor) and classify each system by risk tier.
  2. Gap assessment. Compare your current documentation, governance processes, and technical measures against the requirements applicable to each system and role.
  3. Documentation preparation. Draft or commission the required documents: technical documentation, declarations of conformity, instructions for use, QMS procedures, and any impact assessments.
  4. Ongoing compliance. Establish post-market monitoring, incident reporting procedures, and a review schedule aligned with the AI Act’s phased implementation calendar.

Non-EU businesses with no EU establishment must appoint an EU-based authorised representative before obligations under the high-risk provisions become enforceable. This representative acts as the point of contact for national authorities and assumes responsibility for verifying that documentation requirements are met.

Law27.eu prepares AI Act compliance documentation for providers and deployers operating in or targeting the EU market — including technical documentation, EU Declarations of Conformity, instructions for use, and GPAI model documentation. All documents are drafted to the standard required under Regulation (EU) 2024/1689.
