March 9, 2026

Does the EU AI Act Apply to US-Based AI Agencies?


The most common question US agency owners ask about the EU AI Act is also the one they get wrong most often: "I'm in the US, so this doesn't apply to me, right?" Not necessarily. According to the European Commission, the Act can reach non-EU providers and deployers when the output of an AI system is used in the EU, and the law becomes fully applicable on 2 August 2026. Combine that with fines of up to €35M or 7% of global turnover for the worst breaches, and the geography of your office stops being the deciding factor.

This article is general information, not legal advice. Extraterritorial scope is one of the most fact-specific areas of the Act, so treat the scenarios below as prompts for a conversation with a qualified attorney, not a substitute for one.

Why a European law can bind a US company

The EU AI Act follows a pattern American agencies should already recognize from GDPR: it protects people in the EU regardless of where the company processing their data sits. The Act's scope provisions deliberately capture providers and deployers established outside the EU when the output produced by their AI system is used within the Union. The logic is that a person in Berlin is affected by an AI decision whether the server, the developer, or the agency lives in Ohio or in Amsterdam.

For agencies, the trigger is the output, not the headquarters. If a system you built produces a result that lands in front of, or acts upon, someone in the EU, you are in the zone where the Act may apply. That is a wider net than most US operators assume.

The output-in-the-EU trigger, concretely

"Output used in the EU" sounds abstract until you map it to the work agencies actually do. Consider a few realistic builds:

A US agency builds an AI screening tool for a client's hiring pipeline. The client has a subsidiary in France, and the tool scores French applicants. The output, a ranking, is used in the EU.

A US agency deploys an AI voice agent for a SaaS company whose customers include German businesses. The agent's responses reach people in Germany. The output is used in the EU.

A US agency runs an AI content system that generates product descriptions published on a store that ships to and markets in Spain. The generated content is consumed in the EU.

In each case, the physical location of the agency is beside the point.

When a US agency is most likely caught

You are at higher risk of being in scope when several factors stack up. The most important signals to watch:

Your client, or your client's customers, are in the EU. Even one European end market can be enough if the AI output reaches those users.

The system influences a high-risk outcome, such as employment, credit, education, or access to services. High-risk classification raises the stakes and the obligations, and while the Digital Omnibus (provisional agreement 7 May 2026) defers Annex III high-risk duties to 2 December 2027, the classification and the direction of travel are clear.

You are branding the system as your own product. That can make you a provider, which carries the heaviest obligations. If you are unsure whether you are a provider or a deployer, our plain-English EU AI Act explainer walks through the difference.

What you are probably safe from

Not every US build triggers the Act, and it helps to know where the edges are. If your systems only ever process and produce output for users physically in the US, with no EU end market, the extraterritorial hook generally does not attach. Purely internal tooling that never touches EU residents is typically out of scope. Minimal-risk automation like spam filtering faces no new obligations regardless of geography. The point is not to panic, but to look honestly at where your output lands.

Practical triggers to audit in your book of business

Rather than guess, run a short audit of your active engagements. For each client, ask three questions. First, does this system's output ever reach a person or business in the EU? Second, does the output influence a decision about that person, or is it just informational? Third, is the use case anywhere near a high-risk category? Any "yes" on the first question is a flag to look closer, and a "yes" on all three is a clear signal to get legal advice before your next renewal.

This kind of intake pairs naturally with how you already scope and price work. When you assemble a proposal, capturing the client's markets and end users up front makes classification far easier later. A structured proposal is a good place to record those facts so they do not get lost after the deal closes.

How this differs from GDPR, and where it overlaps

If you already handle GDPR because you route client data through LLMs, you have a head start, but the two regimes are not the same. GDPR is about personal data and its lawful processing; the AI Act is about AI systems and the risk they create. A build can trigger both at once, for example an EU-facing hiring tool that also processes candidate data. Because they stack, agencies serving European markets increasingly need to think about data-processing obligations and AI obligations together. We cover the data side in client data privacy for AI agencies.

What to do before August 2, 2026

Treat the deadline as a prompt to get organized. Map which of your clients have EU exposure, classify those systems by risk, and document your reasoning. Build Article 50 disclosures into anything that interacts with or generates content for EU users. Clarify in your contracts whether you are acting as provider or deployer, so liability sits where you intend. And when a project has real EU exposure and any high-risk flavor, get a qualified attorney involved early rather than after a complaint.

The uncomfortable truth is that "we're a US agency" is not a shield. The comfortable truth is that the agencies who understand this early can turn it into an advantage, offering European-ready builds and clear disclosures while competitors are still insisting the rules stop at the Atlantic. Platforms like Ciela make it easy to show a prospect exactly how a compliant, disclosed build behaves, which is a strong signal to any client with customers in the EU.

Ciela is the demo platform for AI agencies and AI consultants. It turns any prospect's website into a live, personalized AI demo (chat, voice, or missed-call text-back) you can send before the first call.
