EU AI Act8 min read

Who Needs to Comply with the EU AI Act?

The EU AI Act applies to any organization that develops, provides, imports, distributes, or uses AI systems within the European Union, regardless of where the organization is headquartered. Understanding your role under the regulation determines your specific compliance obligations.

Key Takeaways

Point Summary
Geographic scope Applies to AI systems placed on the EU market or affecting EU residents, regardless of provider location
Key roles Provider, deployer, importer, distributor, with different obligations for each
Non-EU companies In scope if their AI systems are used in the EU or affect EU residents
Size considerations Requirements apply regardless of company size, though some reporting obligations have SME accommodations
Personal use exemption Does not apply to AI used for purely personal, non-professional activities

Quick Answer: The EU AI Act applies to any organization that places AI systems on the EU market or uses AI systems in the EU. This includes non-EU companies whose AI affects EU residents. Your obligations depend on your role: provider, deployer, importer, or distributor. There is no minimum company size threshold.

Geographic Scope

The EU AI Act has broad territorial reach, applying in three main scenarios:

Scenario Description
Providers in the EU Organizations established in the EU that develop or place AI systems on the market
Providers outside the EU Organizations outside the EU that place AI systems on the EU market or put them into service in the EU
Output used in the EU Providers and deployers located outside the EU where the AI system's output is used in the EU

Example scenarios:

  • A US-based SaaS company offering an AI-powered CRM to EU customers falls within scope
  • A Singapore company whose AI generates recommendations viewed by EU users is in scope
  • A Canadian company using AI to make hiring decisions for EU-based roles must comply
  • An Australian AI vendor whose product is distributed by an EU partner is subject to the regulation

The Four Key Roles

The EU AI Act defines distinct roles, each with specific obligations. Organizations may hold multiple roles depending on how they interact with different AI systems.

1. Provider

The organization that develops an AI system or has one developed and places it on the market or puts it into service under its own name or trademark.

You are a provider if you:

  • Build AI systems and sell or license them to others
  • Commission AI development and market the result under your brand
  • Substantially modify an existing AI system such that it becomes a new system
  • Change the intended purpose of an AI system to make it high-risk

Provider obligations for high-risk AI:

Obligation Description
Risk management Implement and maintain a risk management system
Data governance Ensure training data meets quality requirements
Technical documentation Create and maintain detailed documentation
Conformity assessment Complete required assessment procedures
EU registration Register high-risk systems in the EU database
Quality management Establish a quality management system
Post-market monitoring Monitor AI system performance after deployment
Incident reporting Report serious incidents to authorities

2. Deployer

Any natural or legal person using an AI system under their authority, except where the use is for personal, non-professional activities.

You are a deployer if you:

  • Use AI systems provided by another company in your business operations
  • Implement AI solutions to make decisions affecting employees or customers
  • Integrate third-party AI into your products or services

Deployer obligations for high-risk AI:

Obligation Description
Use instructions Follow the provider's instructions for use
Human oversight Assign competent individuals to oversee operation
Input data quality Ensure input data is relevant and appropriate
Monitoring Monitor for risks during operation
Record-keeping Retain automatically generated logs (where applicable)
Inform employees Notify workers subject to AI system decisions
Data protection Conduct fundamental rights impact assessments for certain uses
Incident reporting Report serious incidents to providers and authorities

3. Importer

An organization established in the EU that places an AI system from a third country on the EU market.

You are an importer if you:

  • Purchase AI systems from non-EU providers for EU market distribution
  • Bring AI products from outside the EU to sell within the EU

Importer obligations:

Obligation Description
Verify compliance Ensure provider has completed conformity assessment
Check documentation Verify technical documentation and instructions exist
Contact information Ensure provider contact details are on the system
Storage and transport Maintain conditions that preserve system integrity
Documentation retention Keep copies of required documentation
Cooperate with authorities Provide information and access as requested

4. Distributor

Any organization in the supply chain that makes an AI system available on the EU market, other than the provider or importer.

You are a distributor if you:

  • Resell or distribute AI systems provided by others
  • Make AI systems available to deployers without modifying them

Distributor obligations:

Obligation Description
Verify compliance Check for required conformity marking and documentation
Storage and transport Maintain appropriate conditions
Stop distribution Halt sales if the system is non-compliant
Inform others Notify provider, importer, and authorities of non-compliance

When a Deployer Becomes a Provider

A deployer can become a provider under certain circumstances, taking on full provider obligations:

Trigger Consequence
Own branding Placing a high-risk AI system on the market under your own name
Substantial modification Making a significant change that affects the system's compliance
Purpose change Changing the intended purpose to make a system high-risk

Example: A company deploys a vendor's AI system for internal use (deployer role). If the company then white-labels the system and offers it to customers under its own brand, it becomes a provider with corresponding obligations.

Special Rules for Non-EU Organizations

Non-EU providers and deployers placing AI systems on the EU market or putting them into service in the EU must:

  1. Appoint an authorized representative established in the EU through a written mandate
  2. Ensure the authorized representative has power to:
    • Maintain registration and documentation
    • Provide information to national authorities
    • Cooperate with market surveillance authorities
    • Communicate non-compliance to the provider

The authorized representative has specific obligations under Article 22 and can be held liable for non-compliance with their duties. They must ensure registration, documentation, and cooperation with authorities are maintained.

Exemptions

The EU AI Act does not apply to:

Exemption Description
Military and defense AI systems developed or used exclusively for military purposes
International organizations AI used by public international bodies with immunity privileges
Third-country law enforcement AI used in cooperation with EU member states under specific conditions
Research and development AI used solely for scientific R&D purposes (before market placement)
Personal use AI used by natural persons for purely personal, non-professional activities
Free and open source FOSS AI systems under certain conditions. Exception does not apply if: (1) the FOSS is a high-risk system or used in one, (2) the FOSS is a prohibited practice, or (3) the FOSS is a GPAI model with systemic risk

Important: The R&D exemption ends once the AI system is placed on the market or put into service. Personal use exemption does not apply to AI provided to individuals for personal use by organizations, the organization remains subject to the regulation.

SME Considerations

While the EU AI Act applies regardless of company size, it includes some accommodations for small and medium enterprises:

  • Regulatory sandboxes. Priority access to AI regulatory sandboxes for testing
  • Reduced fees. Lower fees for conformity assessment procedures
  • Guidance. Tailored guidance and support from the AI Office
  • Proportionality. Authorities should consider SME capabilities when enforcing

However, compliance requirements themselves are not reduced based on size. A startup providing a high-risk AI system faces the same substantive requirements as a large enterprise.

Practical Assessment Questions

To determine your obligations, answer these questions:

  1. Do you develop AI systems? If yes, you may be a provider
  2. Do you sell or license AI systems in the EU? Provider obligations apply
  3. Do you use AI systems in your business operations? Deployer obligations apply
  4. Are you outside the EU but offer AI to EU users? You need an EU representative
  5. Do you bring AI systems from outside the EU to the EU market? Importer obligations apply
  6. Do you distribute AI systems you did not create? Distributor obligations apply
  7. Does your AI affect EU residents, even if remotely? The regulation likely applies

How Bastion Helps

Bastion helps organizations understand their EU AI Act obligations:

  • Role assessment. We help determine which roles apply to your organization across different AI systems.
  • Obligations mapping. We identify specific requirements based on your roles and AI system classifications.
  • Non-EU compliance. For organizations outside the EU, we help navigate representative requirements and cross-border obligations.
  • Documentation. We help prepare the technical documentation, risk assessments, and compliance records required for your role.
  • Ongoing monitoring. We track regulatory developments and help you adapt as guidance evolves.

Ready to understand your EU AI Act obligations? Talk to our team

Sources

← PreviousEU AI Act Risk Classification ExplainedNext →EU AI Act Compliance Requirements for SaaS Companies
Back to EU AI Act guides