This blog post is part of our series on the European Union’s Artificial Intelligence (AI) Act.
As we explained in our July 2024 blog post, the EU’s AI Act establishes an extensive regulatory framework for AI and will be fully effective starting 2 August 2026, with some requirements (such as AI literacy education and banned AI practices) taking effect from 2 February 2025.
The AI Act has an extraterritorial reach and applies to companies outside the EU as well. It’s important to assess whether your company falls under the AI Act and what obligations you might need to meet. This blog post explains the triggers that could place your company within its scope.
Key takeaways
- The AI Act is applicable along the entire value chain and covers a very wide scope of stakeholders, meaning that most organizations using AI in some capacity will fall within its scope.
- Your organization’s role under the AI Act (i.e., whether you’re a provider, deployer, etc.) determines your obligations, which means that you will need to understand your organization’s classification pursuant to the AI Act.
- The AI Act has an extraterritorial effect, meaning that even organizations not located in the EU may fall within its scope.
Pay attention if developing, selling, importing, manufacturing, distributing or deploying AI
The AI Act is applicable along the entire AI value chain, imposing compliance obligations onto a broad range of stakeholders – namely, providers, deployers, importers, distributors and product manufacturers – at least when there is a link with the EU.
Like other EU digital strategy laws – such as the Digital Services Act, Digital Markets Act, Digital Governance Act, Data Act and Cyber Resilience Act – or the General Data Protection Regulation, the AI Act has an extraterritorial effect and will apply to:
- Providers placing AI systems or general-purpose AI models on the market in the EU or putting into service AI systems or placing on the market general-purpose AI models in the EU, irrespective of whether those providers are located within or outside the EU.
- Deployers of AI systems that have their place of establishment in or that are located within the EU.
- Providers and deployers of AI systems that have their place of establishment or that are located in a third country in situations where the output produced by the AI system is used in the EU.
- Importers and distributors of AI systems into or within the EU.
- Product manufacturers which place an AI system on the market or put into service an AI system within the EU together with their product and under their own name or trademark.
The table below provides extended definitions and examples for each stakeholder along the value chain.
‘Provider’ | Organizations will be deemed to be a provider in two instances – if they develop an AI system or general-purpose AI model or have a third party develop an AI system or general-purpose AI model for them – provided in each case that they place such AI system or general-purpose AI model on the market or put the AI system into service under their own name or trademark. Where the output of its AI system is used in the EU, a provider will fall within the scope of the AI Act if it does either of the following: – Makes an AI system or general-purpose AI model available on the EU market for the first time. – Supplies an AI system of general-purpose AI model for a deployer to use or for its own use in the EU market. It is important to note that the AI Act does not extend to AI systems which are released under free and open-source licenses (unless these are placed on the EU market or put into service as a high-risk or prohibited AI system or where the AI system creates a transparency risk). Examples – The European Commission provided the following example for organizations which would be deemed a provider pursuant to the AI Act: a developer of a CV screening tool. – Company X, a software developer located in the US, is developing a novel AI system that it offers in the EU – because Company X as a provider falls within the scope of ‘making an AI system available on the EU market for the first time’, it will fall within the scope of the AI Act. |
‘Deployer’ | An organization using an AI system (but not a general-purpose AI model) under its authority will be a deployer, except where the AI system is used in the course of a personal, nonprofessional activity. A deployer will fall within the scope of the AI Act if either of the follow apply: – It has its place of establishment, or is located, in the EU. – The output of the AI system is used in the EU. Examples – The European Commission provided the following example: a bank buying a CV screening tool developed by a third party. – Any company located – or having its place of establishment – in the EU or where the output of the AI system is used in the EU, will fall within the scope of being a deployer, provided that the AI system is used in a professional activity. For example, Company F (located in France) using AI for its internal logistics purposes. |
‘Importer’ | The AI Act sets out that an importer will be an organization – located or established in the EU – which places an AI system on the market, where such system bears the name or trademark of an entity established outside the EU. Example – Company A (located in the US) develops an AI system called ‘A-AI,’ then Company B (located in Spain) places on the market in Spain the ‘A-AI’ system developed by Company A. |
‘Distributor’ | Pursuant to the AI Act, a distributor is an organization (other than a provider or importer) providing an AI system or general-purpose AI model for distribution or use on the EU market. It is important to note that a distributor does not need to be the first organization in the AI value chain that releases an AI system or general-purpose AI model on to the EU market. Example – A sales company based in Denmark that distributes AI systems or general-purpose AI (GPAI) on the EU market that it has not developed itself. |
‘Product manufacturer’ | While the concept of a ‘product manufacturer’ is not defined in the AI Act, the definition from the EU harmonization legislation listed in Annex I to the AI Act is used. A product manufacturer will fall within the scope of the AI Act where they place on the market, or put into service, an AI system together with their product under their own name or trademark. Example – A car manufacturer that has embedded AI-enabled driver’s assistance in its newest generation of cars. |
Exceptions
The AI Act includes a few exceptions that exempt certain organizations from having to adhere to its regulations:
- AI systems where and in so far as they are placed on the market, put into service, or used with or without modification exclusively for military, defence or national security purposes, regardless of the type of entity carrying out those activities.
- Public authorities in a third country or international organizations meeting the requirements of one of the aforementioned determinations of the AI Act, where those authorities or organizations use AI systems in the framework of international cooperation or agreements for law enforcement and judicial cooperation with the EU or with one or more member states, provided that such a third country or international organization provides adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals.
- AI systems or AI models, including their output, specifically developed and put into service for the sole purpose of scientific research and development.
- Organizations carrying out research, testing, and development activities regarding AI systems or AI models prior to being placed on the market or put into service.
- Natural persons using AI systems in the course of a purely personal, nonprofessional activity.
- AI systems released under free and open-source licences, unless they are placed on the market or put into service as high-risk AI systems, prohibited AI system or an AI system which would be subject to transparency obligations.
What does this mean for your organization?
For organizations, comprehending the extent of the AI Act is essential to identify your responsibilities and establish a suitable AI governance and compliance framework. An organization will need to:
- Identify the AI system(s) and general-purpose AI model(s) you develop, have requested to be developed and/or use.
- Determine the category you fall into (e.g., provider, deployer, importer, distributor), as each has specific obligations and responsibilities.
- If you are not located in the EU, assess whether and to which extent your AI system or general-purpose AI model has an EU nexus which may trigger the extraterritorial effect of the AI Act.
Finally, and as we will discuss in a subsequent blog post in this series, it is crucial to understand where your AI system lies on the risk spectrum (e.g., Article 5 for prohibited AI, Article 6 for high-risk AI, etc.), as this will establish specific obligations related to the risks under the AI Act.
At Cooley, we are happy to assist you in determining your organization’s determination pursuant to the AI Act, as well as navigate the obligations and challenges that come with compliance.