← Back to blogDo US AI SaaS Companies Need to Comply with the EU AI Act?
2026-06-29·5 min read·US Companies, Extraterritorial, AI Act Basics
The short answer
If your AI system's output is used in the EU — even if your company, servers, and team are entirely in the US — the AI Act likely applies to you. Like GDPR, the AI Act has extraterritorial reach.
The actual scope test (Article 2)
The AI Act applies to:
- Providers placing AI systems on the market in the EU, regardless of where the provider is established.
- Providers and deployers in a third country where the output produced by the AI system is used in the EU.
- Importers and distributors of AI systems in the EU.
- Deployers of AI systems that have their place of establishment or are located within the EU.
Point 2 is the one US founders miss: you don't need EU offices, EU servers, or an EU entity. If EU-based users receive output from your AI system — a scored resume, a chatbot reply, a generated recommendation — you're in scope.
Common "we're US-only" scenarios that are actually in scope
- Your marketing says "US company" but your Stripe/signup flow doesn't block EU signups.
- You sell to US enterprise customers, but their own end-users or employees are in the EU (e.g. a US HR SaaS used by a multinational's EU offices).
- Your product is accessible via a public website with no geographic restriction, and EU users can and do sign up.
What's genuinely out of scope
- AI systems developed and used exclusively for military, defence, or national security purposes.
- AI systems used exclusively outside the EU with no EU-based users and no output consumed in the EU (rare for a public SaaS product).
- Pure R&D activity before market placement (though this changes the moment you have EU users testing it).
What compliance actually looks like for a US-based team
You don't need an EU subsidiary for most obligations. What you likely need:
- An EU representative (Article 22) if you're a non-EU provider placing a high-risk system on the EU market — this is a designated contact point in the EU, not a full legal entity.
- The same documentation obligations as an EU company — risk classification, technical file, human oversight, transparency disclosures — there's no "US company" carve-out on substance.
- A decision on whether to geofence EU users — some US companies choose to block EU signups entirely rather than build compliance. This is a legitimate business choice, but it needs to be a deliberate one, not a default.
The investor angle
US-based AI startups raising from EU-connected VCs, or selling into enterprise deals with EU counterparties, increasingly get AI Act questions in due diligence — independent of whether you have EU offices. "We're a US company" is not an answer that satisfies a diligence checklist anymore.
Bottom line
Being US-based does not exempt you. The relevant question isn't where you're incorporated — it's whether your AI system's output reaches EU users. If it does, scope the same way an EU company would.