← All posts

The EU AI Act Applies to You Even If You're Not in Europe — Here's What Australia, the US, and the UK Need to Do

The EU AI Act Applies to You Even If You're Not in Europe — Here's What Australia, the US, and the UK Need to Do
TL;DR

The EU AI Act imposes fines up to 7% of global annual turnover and applies extra-territorially. Australian companies selling SaaS into the EU, US tech firms with European users, and UK businesses operating across the Channel are all exposed. Each country faces unique compliance challenges: Australia's emerging AIDA creates parallel obligations, US companies are the primary enforcement target, and UK businesses face post-Brexit regulatory divergence. The compliance infrastructure built for the EU AI Act will satisfy most other emerging frameworks.

The European Union's Artificial Intelligence Act is the most consequential AI regulation in the world. The penalties are the largest ever attached to technology governance: up to thirty-five million euros or seven per cent of global annual turnover for prohibited practices, whichever is greater. For a mid-sized company doing fifty million dollars globally, that is three and a half million. For a multinational with ten billion in revenue, it is seven hundred million. These are not compliance-department numbers. These are boardroom-survival numbers.

The Act took effect in stages. Prohibited practices were banned from February 2025. General-purpose AI rules kicked in from August 2025. Most other obligations apply from August 2026. High-risk AI systems listed in Annex III face their deadline in August 2027. The timeline is not theoretical. Enforcement is already underway. And the Act applies to organisations far beyond Europe's borders.

The EU AI Act has extra-territorial reach. It applies to any provider placing an AI system on the EU market, regardless of where the provider is established. It applies to any deployer of an AI system located in the EU. And critically, it applies to any provider or deployer whose AI system's output is used in the EU. If your AI produces a result that someone in Europe relies on, the Act may apply to you, even if you have never set foot in Brussels. This means companies in Australia, the United States, and the United Kingdom all need to understand their exposure. Here is what each country needs to know.

Australia: Your EU Customers Make You Liable

Australian businesses often assume European regulation is someone else's problem. The EU AI Act makes that assumption dangerous. If you are an Australian company that sells products or services into the European Union, or that provides AI tools used by EU-based customers, or whose AI outputs are consumed in the EU, the Act applies to you.

The most common Australian exposure is through SaaS. An Australian company builds an AI-powered platform — a recruitment tool, a financial analytics engine, a customer service chatbot — and sells it globally. EU customers subscribe. The AI processes data from and makes decisions affecting people in Europe. Under the Act, the Australian provider is placing an AI system on the EU market. The obligations attach.

A second exposure path is through supply chains. An Australian manufacturer uses AI in quality control. The products are exported to Europe. If the AI system's outputs affect product safety and those products enter the EU market, the Act may apply. The same logic applies to Australian companies whose AI-powered services are used by European clients to make decisions about European individuals — a recruitment platform used to screen EU candidates, an insurance underwriting model used for EU policies, a healthcare diagnostic tool deployed in EU hospitals.

The practical steps for Australian companies start with an honest inventory: does your AI touch the EU market in any way? If yes, you need to classify your AI systems under the Act's risk categories. Prohibited practices — social scoring, real-time biometric surveillance in public spaces, emotion recognition in workplaces — must be eliminated immediately if you have any EU exposure at all. High-risk systems require conformity assessments, technical documentation, risk management systems, and human oversight. Limited-risk systems require transparency obligations. Even minimal-risk systems benefit from voluntary codes of conduct that may become market expectations.

The overlap with Australia's own emerging regulation adds complexity. AIDA, when it passes, will impose its own classification and compliance framework. An Australian company that builds AI compliance for the EU market will be substantially ahead of domestic competitors when Australian regulation arrives. An Australian company that ignores the EU Act because "we don't operate in Europe" but actually serves EU customers through a SaaS platform is exposed to penalties it may not discover until an EU regulator makes contact.

United States: The Biggest Fines Will Land Here First

American technology companies are the primary target of the EU AI Act, whether by design or by market reality. The largest AI providers — the companies whose models and platforms are used globally — are predominantly American. They have significant EU operations. They process data from millions of European users. Their AI outputs are consumed across the EU market. Under the Act, they are provider, deployer, importer, and distributor, often simultaneously, for different parts of their AI portfolio.

The US exposure is not limited to the giants. Mid-sized American SaaS companies selling AI-powered tools into Europe face the same obligations as Australian counterparts. US startups that place AI systems on the EU market through app stores, API access, or direct sales are captured. US enterprises that deploy AI internally but whose EU subsidiaries use the outputs are captured. The Act does not distinguish between a purpose-built EU product and a global platform that happens to have EU users.

The penalty structure is calibrated to American scale. Seven per cent of global annual turnover for a company like Microsoft, Google, or OpenAI is a number measured in billions. These companies have the compliance infrastructure to manage the Act, and they are building it. The greater risk is to mid-market American companies that assume EU regulation does not apply to them, or that their EU exposure is too small to matter, or that the EU will not enforce against non-European companies. The GDPR enforcement record disproves all three assumptions. The EU has fined American companies hundreds of millions of euros under the GDPR, including Meta's 1.2 billion euro fine in 2023. The same regulatory machinery now has an AI-specific mandate and larger penalties.

The practical steps for US companies depend on market position. If you are a provider — you develop and sell AI systems — you need to classify every system under the Act's risk framework, implement the required compliance measures for each category, and prepare for conformity assessment where required. If you are a deployer — you use AI systems in your EU operations — you need to ensure the systems you deploy are compliant, implement human oversight, and monitor for risks. If you are both, which most US companies with EU operations are, you need to do both.

The timing matters. The staggered enforcement dates mean different obligations apply now versus in 2027. Prohibited practices are already banned. General-purpose AI rules are already in force. High-risk system obligations arrive in August 2027. US companies that start their compliance programme now will be ready when each deadline lands. Companies that wait until 2027 to address a 2025 obligation are already in breach.

United Kingdom: The Post-Brexit Divergence Trap

The United Kingdom is in a uniquely complicated position. Post-Brexit, the UK is not bound by EU regulation. It is developing its own AI framework, currently through a context-based, principles-driven approach rather than the EU's risk-based, rules-driven model. But UK companies that operate in or sell into the European Union remain subject to the EU AI Act. And the UK's own framework may diverge from the EU's in ways that create compliance friction for companies operating in both markets.

The UK government has signalled a pro-innovation approach to AI regulation, relying on existing regulators — the ICO, the FCA, the CMA, the EHRC — to apply principles within their existing remits rather than creating a single AI regulator or a comprehensive AI statute. This is philosophically different from the EU's approach. It is also, at the time of writing, less prescriptive and less punitive. But the direction of travel is toward greater regulation, not less. The UK's AI white paper and subsequent consultations indicate that if the principles-based approach does not deliver adequate protection, legislation will follow.

For UK companies, the immediate priority is EU AI Act compliance if they have any European operations, customers, or users. The post-Brexit reality is that UK companies selling into the EU face the same obligations as American or Australian companies, without the benefit of being inside the regulatory development process. They must comply with a law they had no role in shaping, enforced by regulators in a jurisdiction they are no longer part of.

The divergence risk is that UK companies build compliance for the EU AI Act, and then the UK introduces a different framework requiring different documentation, different risk classifications, or different oversight mechanisms. Companies operating in both markets would need to maintain dual compliance — expensive, complex, and prone to gaps. The prudent approach is to build compliance infrastructure that satisfies the more demanding standard (currently the EU's) while monitoring UK developments and adapting as the domestic framework crystallises.

The practical steps for UK companies mirror those for any non-EU entity with EU exposure: classify your AI systems, implement the required measures for each risk category, document everything, and prepare for the deadlines. The additional UK-specific step is to engage with the domestic regulatory development process. The ICO, FCA, and other regulators are actively consulting on AI guidance. Companies that contribute to those consultations shape the framework they will eventually need to comply with.

The Common Thread: Start Now, Wherever You Are

Across Australia, the United States, and the United Kingdom, the advice converges. The EU AI Act applies to you if your AI touches the European market in any way. The penalties are large enough to matter. The deadlines are staggered, meaning some obligations are already in force and more are coming. And the compliance infrastructure you build for the EU will substantially satisfy the requirements of Australia's AIDA, any future US federal AI legislation, and the UK's evolving framework.

The first step is an AI inventory. What systems do you have? What do they do? Who do they affect? Where are the outputs used? If any touch the EU, you are in scope.

The second step is classification. Under the EU AI Act, systems fall into four categories: prohibited (banned entirely), high-risk (conformity assessment, technical documentation, risk management, human oversight), limited-risk (transparency obligations), and minimal-risk (voluntary codes). Classification determines everything that follows. Get it wrong and your compliance programme is built on the wrong foundation.

The third step is independent verification. The Act requires documented evidence of compliance. A self-assessment by the team that built or bought the AI system is not independent verification. A vendor's marketing materials are not documented evidence. An external audit that examines the model, the training data, the bias testing, the decision logic, and the oversight mechanisms is what regulators will expect to see.

The organisations that will thrive under the EU AI Act are the ones that started building compliance infrastructure before they were legally required to. They will be ready when each deadline arrives. Their compliance will be a competitive advantage — the audited, verified, documented AI system that sophisticated customers choose because the alternative carries regulatory risk. The organisations that will struggle are the ones waiting until August 2027 to discover that their prohibited practice was banned in February 2025.

The EU AI Act is not a future problem. It is a now problem, phased over time, with penalties that scale to your global revenue. Whether you are in Sydney, San Francisco, or London, if your AI touches Europe, Europe's regulation touches you.

Book a scoping call to discuss EU AI Act compliance auditing for your AI systems, wherever you are based.

Frequently asked questions

Does the EU AI Act apply to companies outside Europe?

Yes. The Act applies to any provider placing an AI system on the EU market, any deployer using AI in the EU, and any organisation whose AI outputs are used in the EU — regardless of where the company is based. Australian, American, and British companies with EU customers or users are all in scope.

What are the fines under the EU AI Act?

The maximum penalties are €35 million or 7 percent of global annual turnover for prohibited practices, whichever is greater. For other violations, fines reach €15 million or 3 percent of global turnover. For a multinational with €10 billion in revenue, that is up to €700 million.

When do EU AI Act obligations take effect?

Prohibited practices were banned from February 2025. General-purpose AI rules took effect from August 2025. Most other obligations apply from August 2026. High-risk AI systems listed in Annex III face their deadline in August 2027.

How should Australian companies prepare for the EU AI Act?

Australian companies should inventory all AI systems that touch the EU market, classify them under the Act's risk categories, implement required compliance measures, and obtain independent verification. The compliance infrastructure built for the EU Act will also satisfy Australia's emerging AIDA requirements.

Is the UK covered by the EU AI Act after Brexit?

UK companies are not automatically covered by the EU AI Act, but any UK company that sells into or operates in the EU market is subject to it. The UK is developing its own AI framework that may diverge, creating dual compliance complexity for companies operating in both markets.