The EU AI Act Is Now Law — and It Reaches Further Than You Think
Is your organization ready for the EU AI Act? The EU Artificial Intelligence Act (Regulation 2024/1689) entered into force in August 2024. The first compliance deadlines hit in February 2025, with additional phases rolling out through 2026. If you’ve been waiting to see if it’s “real” or if it actually applies to you, stop waiting. It’s real, and it probably does apply to you.
Governing AI in your organization is not unlike managing a new hire with exceptional talent but unpredictable judgment. The capability is valuable. The risk management is what most companies underestimate.

The scope issue is the biggest misunderstanding. The EU AI Act doesn’t just apply to EU companies. It applies to any company that places AI systems on the EU market, puts them into service in the EU, or whose AI system output is used in the EU. For US companies, that’s a huge catch-all. If you have EU customers, EU employees, or EU data, you’re almost certainly in scope.

What makes this especially relevant for privacy professionals is that AI governance and privacy governance are increasingly inseparable. The intersection is where the real risk lives. And it’s a new domain for many organizations—one that traditional privacy and compliance teams aren’t always equipped to navigate.
A Quick Map of the EU AI Act (Without the Legal Boilerplate)
The EU AI Act takes a “risk-based” approach. It defines four risk categories:
Prohibited AI: Practices that are banned outright. These include social scoring systems (using AI to assess social worth or loyalty), subliminal manipulation (hidden techniques to distort behavior), and real-time biometric surveillance in public spaces (with very narrow exceptions for law enforcement). These prohibitions took effect February 2, 2025. If you’re doing any of these things, you need to stop immediately. Violating these bans carries significant legal consequences.
High-risk AI: Systems that have significant potential to harm fundamental rights or safety. These include AI used in employment hiring and worker management, education (student evaluation, course recommendations), essential services (credit decisions, insurance underwriting), law enforcement (suspect identification), migration and asylum decisions, administration of justice. High-risk AI triggers the most stringent requirements: technical documentation, human oversight, quality control, risk assessments. These requirements begin taking effect August 2026.
Limited-risk AI: Systems that create transparency risks. Chatbots, deepfakes, generated content that isn’t clearly labeled as AI-generated. These require transparency disclosures. Rules for limited-risk AI take effect August 2026 (the same phase as high-risk AI obligations).
Minimal-risk AI: Everything else. Very low risk or no real impact on rights or safety. Spam filters, recommendation systems for entertainment. These face minimal EU AI Act requirements (though they may still be subject to GDPR or other regulations).
The key deadline for mid-market companies: August 2026, when high-risk AI provisions take effect. If you’re using AI in any of the high-risk categories, you need a governance and documentation program in place by then.
How US Companies Get Caught in Scope
The EU AI Act applies if you “place an AI system on the EU market” or “put it into service in the EU.” Here’s what that means in practice:
You sell to EU customers. If you offer a SaaS product, software, or service to anyone in the EU, even if they’re a small percentage of your customer base, you’re placing the product on the EU market. That makes you responsible for compliance.
You have EU employees or contractors. If people in the EU use your internal tools or systems powered by AI, you’re putting them into service in the EU.
You process data from EU residents. If you use AI to make decisions about EU residents (credit decisions, hiring decisions, insurance underwriting, targeted advertising), that output is being used in the EU, triggering compliance requirements.
You partner with EU companies. If you provide AI services or AI-powered components to companies that operate in the EU, you may be liable as a provider or a processor.
For most mid-market tech companies, at least one of these applies. The US-only play is rare. So assume the EU AI Act applies to you unless you can explicitly say you have zero EU presence, zero EU customers, and zero EU data processing.
The Intersection of AI and Privacy: Where the Risk Lives
This is where AI governance becomes a privacy issue, and where many organizations are unprepared.
General Data Protection Regulation (GDPR) Article 22 restricts automated decision-making on individuals. It says you generally can’t make significant decisions about people using automated processing alone without human involvement. The EU AI Act’s high-risk AI provisions overlap significantly with Article 22. If you’re using AI to make employment decisions, credit decisions, or legal determinations, you’re hit by both regulations.
But the requirements are different. GDPR Article 22 requires human involvement in the decision. The EU AI Act requires technical documentation, risk assessments, training data documentation, model cards, audit trails, and ongoing monitoring. These overlap but serve different purposes. They work together, but they’re not the same thing.
On top of that, using AI on personal data raises data protection issues that traditional AI governance doesn’t always address: consent for use in AI training, transparency about how personal data is being used to train or power AI systems, data minimization, purpose limitation, and the risk of re-identification from AI-generated insights.
The organizations that are handling this well are the ones treating AI governance and privacy governance as linked disciplines, not separate domains. They’re asking: What personal data are we feeding into this AI system? What consent do we have? What are we training on? Can we re-identify individuals from the outputs? Are we making decisions with this AI that affect legal rights?
What “High-Risk AI” Means in Practice
The EU AI Act’s high-risk categories are broad. Here are some concrete examples:
Hiring and worker management: Resume screening tools, interview analysis systems, performance monitoring AI, promotion recommendations. If an AI system is making or significantly influencing hiring, firing, or compensation decisions, it’s high-risk.
Education: Systems that evaluate student performance, recommend courses or educational paths, or determine eligibility for educational programs. This includes learning platforms that use AI to personalize content.
Essential services: AI used by banks for credit decisions, by insurance companies for underwriting, by utilities for service access. If the decision affects a person’s access to essential services, it’s likely high-risk.
Law enforcement: Facial recognition, suspect identification, predictive policing. Very clearly high-risk.
Migration and asylum: Systems that assess asylum claims, determine deportation, or make decisions about immigration status.
Administration of justice: Systems that predict recidivism, recommend sentences, or assess bail eligibility.
If you’re not in any of these categories, you’re likely low- or minimal-risk. If you are, you need a compliance program.
What US Companies Should Be Doing Right Now
Inventory your AI systems. What AI systems are you using? Where? For what purpose? Who built them? Are they proprietary or third-party? Do they touch EU data or EU users? This inventory is the foundation. Without it, you can’t assess risk or plan compliance.
Classify by risk. Look at each system and determine if it falls into the prohibited, high-risk, limited-risk, or minimal-risk categories. Be honest about the risks. If a system makes decisions that affect legal rights, it’s high-risk, even if you don’t think of it as “AI.”
Prioritize high-risk systems. These need governance and documentation now, with full compliance required by August 2026. Start with systems that make decisions about EU residents or that are clearly in the high-risk categories.
Document training data and model provenance. Where did the training data come from? What personal data is in there? Can you re-identify individuals? Have the data subjects consented to its use for AI training? Is it biased? You need this documentation for high-risk systems. If you can’t answer these questions, that’s a red flag about your system’s readiness.
Implement explainability and audit trails. For high-risk systems, you need to be able to explain why a decision was made. You need audit trails that show what data was used, what the system recommended, and whether a human reviewed it. This requires building systems that are interpretable, not just accurate.
Conduct risk assessments. For high-risk AI, you need a documented risk assessment: What could go wrong? Who could be harmed? What’s the likelihood and impact? What controls are you putting in place? This is similar to a DPIA under GDPR, but focused on the AI system itself.
Plan human oversight workflows. For high-risk systems, you can’t rely on the AI alone. You need humans in the loop reviewing and validating decisions, at least for high-stakes cases. Design these workflows now, before you’re required to have them in place.
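The steps above (inventory, risk classification, audit trail, human-oversight workflow) can be expressed as a small governance model; the following Python is an added illustration, not code from the article. It classifies an inventoried system with the article's four categories and keeps a decision log that refuses to finalize a high-risk decision about EU subjects without a named reviewer. The use-case labels and the hash chaining that makes the log tamper-evident are my assumptions, not requirements stated on the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib, json
# Use-case labels taken from the article's category lists (constructed inventory vocabulary).
PROHIBITED = {"social_scoring", "subliminal_manipulation", "realtime_public_biometrics"}
HIGH_RISK = {"hiring", "worker_management", "education", "credit", "insurance_underwriting",
             "law_enforcement", "migration_asylum", "justice"}
LIMITED_RISK = {"chatbot", "deepfake", "generated_content"}

@dataclass
class AISystem:
    name: str
    use_case: str                      # one of the labels above, or anything else
    touches_eu: bool                   # EU users, EU employees or EU data
    affects_legal_rights: bool = False

def classify(system: AISystem) -> str:
    """Risk tier per the four categories; a decision affecting legal rights is high-risk whatever its label."""
    if system.use_case in PROHIBITED:
        return "prohibited"
    if system.use_case in HIGH_RISK or system.affects_legal_rights:
        return "high"
    return "limited" if system.use_case in LIMITED_RISK else "minimal"

@dataclass
class DecisionLog:  # append-only audit trail; each entry commits to the previous entry's hash (assumption)
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, system: AISystem, inputs_ref: str, recommendation: str, reviewer=None) -> dict:
        tier = classify(system)
        if tier == "prohibited":
            raise ValueError(f"{system.name}: prohibited practice, must not be run")
        if tier == "high" and system.touches_eu and reviewer is None:
            raise PermissionError(f"{system.name}: high-risk decision is not final without human review")
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "system": system.name, "tier": tier,
                 "inputs": inputs_ref, "recommendation": recommendation, "reviewer": reviewer, "prev": self.last_hash}
        self.last_hash = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append({**entry, "hash": self.last_hash})
        return self.entries[-1]

    def verify(self) -> bool:  # recompute the chain; False if any entry was altered, dropped or reordered
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True
```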
Why AI Governance Requires Both Technical and Privacy Expertise
This is the critical point. AI governance isn’t just a technical problem, and it’s not just a privacy problem. It’s both.
A data engineer can tell you whether a model is statistically accurate and whether it generalizes well. But they might not know that the training data contains personal data that wasn’t properly consented to, or that the model perpetuates discrimination based on protected characteristics, or that users should be notified that AI is making decisions about them.
A privacy professional can tell you whether you have proper legal basis and consent for using personal data in an AI system. But they might not understand the technical risks of model drift, data poisoning, or adversarial attacks that could cause a system to fail or make biased decisions.
The organizations getting this right are assembling multi-disciplinary teams: data scientists, engineers, privacy professionals, compliance experts, and legal counsel. They’re asking both technical questions (Is the model robust? Can it be explained?) and privacy/governance questions (Do we have consent? Does the system treat people fairly? Are we transparent with users?). They’re treating AI governance as a discipline that spans technology, privacy, and ethics.
If your organization is approaching AI governance as purely technical or purely legal/privacy, you’re missing half the picture. And the EU AI Act requires both perspectives to be present.