EU AI Act Scope: Who Needs to Comply and Who Is Exempt
The EU AI Act applies to any organisation that develops, sells, imports, distributes or uses an AI system connected to the EU market, regardless of where that organisation is based. Regulation (EU) 2024/1689 defines the EU AI Act scope by role and risk level, not by company size or sector. Six operator categories, a narrow set of exemptions, and an extraterritorial reach that extends well beyond EU borders.
Who Does the EU AI Act Apply To
The EU AI Act applies to providers, deployers, importers, distributors, product manufacturers and authorised representatives whenever their activity touches the EU market. Company size is irrelevant. A 50-person fintech and a 5,000-person manufacturer carry the same classification for the same system.
Article 2(1) lists seven triggers, and the European Commission’s regulatory framework page walks through the rationale behind each. The short version: if you build an AI system, use one professionally, bring one into the EU, or sell one anywhere in the supply chain, you are in scope. The full list runs from market placement by providers through to the rights of affected persons located in the Union. The regulation does not care whether you recognise yourself in the description. It cares whether your activity fits one of the seven definitions.
In our assessment, the category that catches the most companies off guard is deployer. Article 3(4) defines a deployer as any natural or legal person, public authority, agency or other body using an AI system under its own authority, except for personal, non-professional purposes. That covers every company that uses AI professionally. Not just companies with AI departments. Not just companies that train models. Every company that runs a chatbot, a screening tool, a recommendation engine or an automated decision system as part of its operations.
Take a company with 180 employees that buys an AI chatbot for customer support. No AI development, no AI sales, no AI department. In its own view, it purchased an ordinary SaaS tool. Under the AI Act, it is deploying an AI system in a business process, which triggers obligations under Article 26. That means following the provider’s instructions, ensuring human oversight, monitoring performance and maintaining logs. The questions the procurement team never asked are now compliance obligations. Does this system interact with customers? Could it fall into a high-risk use case? Who is trained to oversee it? What happens when it gets something wrong? The AI Act Readiness Assessment maps this classification step by step.
Provider, Deployer, Importer, Distributor. Which Role Is Yours
Your role under the AI Act is fixed by what you do with the system, not by what you call yourself. The classification matters because providers carry the heaviest obligations and deployers carry a lighter, operational set.
The definitions sit in Article 3. A provider develops or commissions an AI system and puts it on the market under its own name. The qualifier “whether for payment or free of charge” means giving it away does not get you out. A deployer uses a system professionally under its own authority. An importer brings a third-country system into the EU. A distributor makes it available further down the chain. No size threshold, no revenue floor, no sector limitation on any of these.
Provider duties under Article 16 mean building quality management systems, producing technical documentation, running conformity assessments, applying CE marking and registering in the EU database. Deployer duties under Article 26 are lighter but still operational. You follow the provider’s instructions, ensure human oversight, monitor performance and maintain logs. Getting the role wrong is not an academic exercise. It creates financial exposure you can estimate with the AI Act fines calculator.
Three concrete examples. A SaaS company that develops and ships its own AI model is a provider. A company that purchases a third-party AI HR screening tool to filter job applicants is a deployer. An EU business that buys AI systems from a US vendor and resells them under the original brand is an importer.
Then there is Article 25, which deserves its own warning. A deployer, distributor, importer or any third party is treated as a provider of a high-risk AI system if it puts its own name or trademark on the system, makes a substantial modification, or changes the intended purpose so that the system becomes high-risk. In our assessment, this is where the most compliance surprises will land. A company takes an open-source model, fine-tunes it on proprietary data, and builds an internal system for candidate assessment, credit scoring, claims triage or employee evaluation. In that company’s mind, it is not an AI provider. It is just using an open-source tool. Under Article 25, it has become a provider with the full weight of Article 16 obligations. The companies most likely to trip over this are precisely the ones that think open-source keeps them safe.
EU AI Act Exemptions for Military, Open Source, Research and Personal Use
The EU AI Act carves out a narrow set of exemptions. Military and national security use, pure scientific research, certain free and open-source AI components, and personal non-professional activity all fall outside scope. But these carve-outs are narrower than they look, and several collapse the moment a system reaches the market or qualifies as high-risk.
The military exemption under Article 2(3) requires “exclusively” defence or national security purpose. The moment a system serves both civilian and military functions, the exemption evaporates. Research and pre-market development are exempt per Article 2(6) and 2(8), which sounds generous until you read the fine print. Testing in real-world conditions is carved back in. If your R&D team is piloting an AI system with actual users or real data in a production-like environment, the research exemption will not protect them.
The open-source exemption under Article 2(12) is the most misread provision in the entire regulation. It applies only when the AI component is not placed on the market or put into service as a high-risk system, and does not fall under the prohibited practices in Article 5 or the transparency obligations in Article 50. Open-source status does not survive high-risk classification. It does not survive market placement. Monetised components lose the exemption entirely. If you are counting on an open-source licence to keep you outside scope, read Article 2(12) again. The exemption is closer to a riddle than a safe harbour.
Personal, non-professional use is exempt under Article 2(10). An employee using a personal AI tool for a hobby is exempt. The same employee using the same tool at work is not.
Beyond exemptions, Article 5 outright prohibits certain AI practices: social scoring by public authorities, untargeted facial image scraping, subliminal manipulation causing significant harm, emotion recognition in workplaces and educational institutions, and exploitation of vulnerable groups. All banned since 2 February 2025. The AI literacy obligation under Article 4, in force since the same date, requires providers and deployers to ensure sufficient AI understanding among staff. The Digital Omnibus, provisionally agreed on 7 May 2026 but not yet formally adopted, proposes to soften this from a binding company-level duty to a Member State-led framework. Until it is published in the Official Journal, the original wording applies.
EU AI Act Extraterritorial Scope. Does It Apply Outside the EU
Yes. The EU AI Act’s extraterritorial scope means the regulation reaches organisations with no EU establishment whenever their AI systems touch the Union market. Under Article 2(1)(a), a provider is covered if it places a system or general-purpose AI model on the EU market. Under Article 2(1)(c), both providers and deployers are covered where the output produced by their system is “used in the Union.” For a non-EU business, either trigger is enough.
The logic parallels GDPR Article 3(2), which catches non-EU data controllers who target or monitor people in the EU. Teams that already mapped their GDPR territorial exposure can reuse that framework as a starting point. The triggers differ. GDPR fires on processing personal data of EU residents. The AI Act fires on market placement and output use in the Union. But the operational question is the same. Does your product or service touch EU territory? If yes, the regulation follows you home.
Concrete example. A US SaaS company selling an AI-powered analytics tool to EU customers is a provider under Article 2(1)(a) and must comply even with no EU office, no EU employees and no EU servers. For high-risk systems, that provider must also appoint an authorised representative in the Union under Article 22. The cost of getting this wrong is quantifiable against the AI Act penalty structure, where fines reach €35 million or 7% of global annual turnover for the most serious violations per Article 99(3).
How to Check Your AI Act Obligations Now
Start with the inventory. You cannot classify an obligation you cannot see, and most organisations discover they are running considerably more AI than anyone on the leadership team suspected. List every AI system in use across the business, who supplied each one, and what it actually does. Everything that follows depends on that list existing.
Classify each system by role and risk. Take the free AI Act Readiness Assessment to map your systems to the right operator category and risk tier. This is the foundation step. Skip it and every subsequent decision is guesswork.
Check the deadline that applies to each system. Prohibited practices and AI literacy obligations have applied since 2 February 2025. General-purpose AI model rules have applied since 2 August 2025. The original high-risk obligation date under the current text is 2 August 2026. The Digital Omnibus, provisionally agreed on 7 May 2026, would push standalone high-risk systems (Annex III) to 2 December 2027 and product-embedded AI (Annex I) to 2 August 2028. Formal adoption is expected before August 2026 but has not happened yet. Until the amendment is published in the Official Journal, the original dates remain legally binding. The EU managed to amend a regulation before most companies had finished reading it, which tells you something about the pace of this space. Track the current state on the EU compliance deadline tracker.
Quantify your exposure. See what non-compliance would cost with the AI Act fines calculator.
Assign the duties that match each role. Provider systems trigger Article 16, which means quality management, technical documentation, conformity assessment, CE marking and EU database registration. Deployer systems trigger Article 26 and its operational set around use per instructions, human oversight, monitoring and logging.
Reassess whenever you modify a system. Article 25 can change your role overnight. Every time you fine-tune, rebrand or repurpose an AI system, recheck the classification. The regulation does not grandfather previous assessments.