Skip to content

Reg Intel

US vs EU AI Regulation: A US Practitioner’s Guide (2026)

·

·

Reading time calculated on load

·

Last reviewed: April 29, 2026

If you operate an AI system from the United States and your products are accessible to users in the European Union, the EU AI Act applies to you — even if your headquarters, servers, and engineering team are entirely in California or Texas. This is the first thing US practitioners need to understand, and it is the question this article answers from the US side. For the global side-by-side comparison across all 11 dimensions, see our definitive EU vs US AI regulation comparison — that piece is the keystone. This piece is the practitioner companion: extraterritoriality, state-laws-as-EU-mirror, and the dual-jurisdiction compliance baseline.

Key Takeaways

  • The EU AI Act applies extraterritorially. If your AI system’s output is used in the EU, you are likely a “deployer” or “provider” under Article 2 — regardless of where you are incorporated.
  • Five US states already mirror the EU model. Colorado SB 24-205 borrows directly from EU Annex III. Texas TRAIGA, Illinois HB 3773, NYC Local Law 144, and California’s ADMT rules each implement EU-adjacent concepts at the state level.
  • EU AI Act compliance is a substantial down payment on US compliance. A working FRIA, model documentation, and post-market monitoring program covers most of what Colorado, Texas, and California require — though state-specific gap closures remain.
  • The Trump administration’s March 9, 2026 executive order signals federal-state preemption conflict. US-headquartered companies with state operations should expect federal preemption challenges to escalate through 2026-2027.
  • Dual-jurisdiction compliance is a five-step program. EU AI Act baseline + state-law gap closure + federal sector-regulator alignment + documentation discipline + monitoring across both regimes.

Does the EU AI Act apply to my US company?

The EU AI Act applies to US companies in three scenarios. The threshold question is not where you are incorporated — it is where your AI system’s output is used.

Scenario 1: You are a “provider” placing an AI system on the EU market. Article 2(1)(a) of the AI Act applies to “providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the Union, irrespective of whether those providers are established or located within the Union or in a third country.” If you sell, license, or make available an AI system in the EU — directly or through a partner — you are a provider.

Scenario 2: Your AI system’s output is used in the EU. Article 2(1)(c) extends to “providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union.” This is the broadest hook. A US-based hiring AI used by a US recruiter to screen a candidate located in the EU is covered. A US-based credit-scoring model used by a US lender to evaluate an EU-resident borrower is covered.

Scenario 3: You are an importer, distributor, or authorized representative. Articles 2(1)(d), (e), and (f) cover the supply-chain roles. If you import US-developed AI into the EU as a reseller, the obligations apply to you.

The decision tree:

  1. Does your AI system serve EU end users, directly or indirectly? If yes, you are likely covered.
  2. Is the system listed in Annex III as high-risk? Annex III covers eight areas: biometrics, critical infrastructure, education, employment, essential services and benefits, law enforcement, migration, and democratic processes. See our Annex III explained page for full detail.
  3. If yes to both: you must complete a Fundamental Rights Impact Assessment (FRIA), conformity assessment, post-market monitoring program, and registration in the EU AI Office’s database — regardless of where you are headquartered.

The penalty structure is meaningful: up to €35 million or 7% of global annual turnover for prohibited-practice violations, up to €15 million or 3% for high-risk-system violations, and up to €7.5 million or 1% for incorrect, incomplete, or misleading information. These are the highest AI penalties in any jurisdiction.

US practitioners often assume the AI Act is “an EU problem.” It is not. It is a US problem with EU jurisdiction.

A quick five-dimension comparison

For the full 11-dimension comparison, see the definitive EU vs US comparison. The compressed view below gives US practitioners the orientation they need before deciding whether to invest in dual-jurisdiction compliance.

Dimension EU AI Act United States (federal + state)
Structure Single horizontal law (Regulation 2024/1689) No federal AI law; 8 states have enacted comprehensive AI laws; 12+ federal sector regulators
Risk classification 4 tiers: unacceptable, high-risk (Annex III), limited risk, minimal risk No federal classification; Colorado SB 24-205 and Texas TRAIGA borrow EU “high-risk” framing for state-level use
Enforcement body EU AI Office + Member State authorities FTC (cross-sector), SEC, FDA, EEOC, CFPB (sector); state AGs; municipal bodies (NYC DCWP)
Penalty caps Up to €35M or 7% global turnover (prohibited practices) Up to $53,088 per violation (FTC Section 19); $1M (CA SB 53); $5,000-$25,000 (state-level); BIPA private right of action ($1,000-$5,000 per violation, class-action multipliers reach 9 figures)
Substantive obligations Pre-deployment conformity assessment + FRIA + post-market monitoring + EU database registration (high-risk only) Sector-specific: NIST AI RMF voluntary; FTC substantiation requirements; Colorado reasonable-care duty; Texas AG cure period; California ADMT pre-use notice + opt-out

The key practitioner observation: the EU runs one law with horizontal reach. The US runs many laws with vertical (sector or jurisdiction) reach. For a US company serving EU users, EU AI Act compliance is the higher operational lift up front. For a US company serving only US users, state-by-state compliance becomes the higher lift over time as the patchwork tightens.

Where state laws mirror the EU model

Five US state-level frameworks now borrow directly or indirectly from the EU AI Act. This convergence is the single most important fact for US practitioners thinking about dual-jurisdiction compliance: doing the EU work positions you well for state work, and vice versa.

Colorado AI Act (SB 24-205) — the closest US analog. SB 205 uses “high-risk artificial intelligence system” terminology borrowed directly from EU Annex III. The covered domains (employment, lending, housing, insurance, healthcare, education, government services) overlap heavily with Annex III Areas 3-8. Colorado requires a reasonable-care duty for both developers and deployers, algorithmic impact assessments (analogous to FRIA), and consumer disclosures. Effective June 30, 2026. The proposed Colorado KILO / ADMT Framework would replace SB 205 with a disclosure-driven model effective January 1, 2027 if passed.

Texas Responsible AI Governance Act (TRAIGA) — uses “high-risk AI system” framing similar to Colorado and EU. Effective January 1, 2026. Texas AG holds exclusive enforcement with a 60-day cure period. The 60-day cure is more defendant-friendly than EU’s no-cure model, but the substantive requirements track Annex III concepts.

Illinois HB 3773 (IHRA AI Amendment) — narrower than EU but functionally equivalent for the employment use case. Effective January 1, 2026. Imposes employer liability for algorithmic discrimination and removes statutory affirmative defenses for AI-driven hiring decisions. Where EU AI Act Annex III Area 4 covers “employment, workers’ management, and access to self-employment,” HB 3773 covers the same ground for any Illinois-located employee.

NYC Local Law 144 (AEDT) — predates the EU AI Act but converges on the same audit logic. In effect since July 2023. Annual bias audit + candidate notice + impact-ratio publication for AI used in hiring decisions. The EU’s Annex III Area 4 obligations include similar testing requirements via conformity assessment; LL 144’s bias audit is operationally close to what EU notified bodies will require.

California ADMT Rules (CPPA) — the most procedural of the state-level frameworks. Effective January 1, 2026 (risk assessments) and January 1, 2027 (ADMT obligations). Requires pre-use notice, consumer opt-out, access right, and risk assessment for “Automated Decisionmaking Technology” used for “significant decisions.” The California risk assessment maps closely to the EU FRIA structure.

For the broader picture across all 8 enacted state AI laws plus 1,561 pending bills, see the US State AI Laws Tracker.

Where EU AI Act compliance satisfies US requirements

The single most useful frame for dual-jurisdiction companies: where can one compliance program satisfy both regimes? The answer is mostly yes, with state-specific gap closures.

EU AI Act obligation What it satisfies in the US What still needs gap closure
FRIA (Fundamental Rights Impact Assessment) Colorado algorithmic impact assessment; California ADMT risk assessment; NYC LL 144 bias audit foundation State-specific format requirements; jurisdiction-specific protected-class enumerations
Conformity assessment + technical documentation NIST AI RMF map/measure/manage documentation; SEC AI advertising substantiation Sector-specific evidence requirements (FDA SaMD; CFPB adverse action notices)
Post-market monitoring FTC Section 5 substantiation under March 2026 Policy Statement; Colorado deployer duty to monitor for foreseeable risks State-specific incident reporting timelines
EU database registration (Article 71) No US analog — but creates auditability that satisfies FTC and SEC inquiry Document the registration as evidence of compliance posture
Transparency obligations (Article 50) California SB 942/AB 853 (CAITA); Utah AIPA disclosure requirement Tennessee ELVIS Act for voice/likeness specifically
GPAI provider obligations (Article 53) California SB 53 frontier-model transparency for >10^26 FLOP models NY State RAISE Act for high-risk frontier deployment
Prohibited practices (Article 5) FTC unfairness theory; state social-scoring bans EEOC Title VII for prohibited employment AI

The practical takeaway: a US company that has built EU AI Act compliance for its EU operations has likely built 60-70% of what it needs for state-law compliance in Colorado, California, Texas, and Illinois. The remaining 30-40% is jurisdiction-specific format and protected-class adjustments — meaningful but tractable.

The reverse is less true. A US company that has built compliance for state laws alone has usually NOT built EU-required technical documentation, conformity assessment, or registration. EU AI Act compliance has a higher floor.

A dual-jurisdiction compliance baseline (five steps)

For US-headquartered companies that need to operate compliantly in both regimes, the path is consistent. The order matters: items higher in the list reduce the work for items lower in the list.

  1. Map your AI portfolio against EU Annex III and US state-law scopes. For each AI system, identify (a) whether it serves EU users directly or indirectly, (b) which Annex III area it falls into if any, and (c) which US state laws apply (employment AI in Illinois? high-risk system in Colorado? AEDT in NYC?). Most US companies discover at least one system that triggers both.

  2. Build the EU AI Act baseline first. A Fundamental Rights Impact Assessment, technical documentation per Annex IV, post-market monitoring plan, and EU database registration covers more US ground than building US-state compliance first. Use the NIST AI Risk Management Framework as the documentation backbone — it is referenced in EU technical standards and increasingly cited in FTC consent orders.

  3. Layer state-specific gap closure. Once the EU baseline exists, add: Colorado-specific algorithmic impact assessment format, California ADMT pre-use notice and opt-out mechanism, NYC LL 144 bias audit publication, Illinois HB 3773 documentation of human review, and Texas TRAIGA AG-cure-period response procedure. These are mostly format and disclosure layer additions, not new substantive testing.

  4. Add federal sector-regulator alignment. If you operate in financial services, healthcare, employment, or critical infrastructure, add the relevant federal layer: FDA Predetermined Change Control Plan for medical AI, FTC substantiation discipline for any consumer-facing claims, SEC AI advertising compliance for investment advisers, and EEOC adverse impact testing for hiring AI.

  5. Build a single monitoring system. EU post-market monitoring, US state incident reporting (Colorado), federal FTC monitoring under the March 2026 Policy Statement, and SEC AI washing disclosure all converge on the same operational requirement: detect AI failures, document them, escalate appropriately. Build one telemetry system that feeds all four reporting channels rather than four parallel systems.

This program covers 90%+ of the substantive compliance load for AI systems operating in both jurisdictions. The remaining 10% is jurisdiction-specific procedural work: filing deadlines, format requirements, protected-class enumerations.

When do you need both EU and US AI specialists?

The answer is sooner than most US legal teams expect. The EU AI Act’s extraterritoriality reach plus the FTC’s expanded Section 5 enforcement under the March 11, 2026 Policy Statement means that almost any consumer-facing AI deployment now creates dual-jurisdiction exposure.

You need both specialists when:

  • Your AI system serves users in both jurisdictions. EU AI Act conformity assessment is technically distinct from US substantiation discipline. Both are required.
  • You are a frontier model developer. California SB 53 and EU Article 53 GPAI obligations create overlapping but not identical reporting obligations. Coordinated disclosure planning prevents accidental contradiction.
  • You are responding to an enforcement inquiry. FTC investigations now routinely ask about EU AI Act compliance posture as evidence of due diligence; EU AI Office inquiries reciprocally consider US enforcement records.
  • You are negotiating a B2B contract with a multi-jurisdictional buyer. Procurement teams at Fortune 500 buyers are increasingly demanding both EU and US compliance attestations as supplier onboarding requirements.
  • You are litigating an algorithmic discrimination claim. The Mobley v. Workday class certification (N.D. Cal. May 2025) extended liability to AI vendors as employer agents. EU AI Act conformity documentation is increasingly admitted as evidence of (or failure of) reasonable care.

For US-headquartered companies that have not yet built EU compliance: start with the definitive EU vs US comparison, then the Annex III explained reference, then engage EU counsel to scope a FRIA program. The entry cost is real, but it is one-time. The ongoing operational lift after the baseline is built is small relative to the per-state US compliance work that would otherwise accumulate.

Sources

  • Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union.
  • EU AI Act Article 2 (scope and territorial application); Article 5 (prohibited practices); Article 6 (high-risk classification); Annex III (high-risk areas).
  • Federal Trade Commission. “AI Policy Statement on Section 5 Application.” March 11, 2026.
  • Colorado General Assembly. “SB 24-205 — Consumer Protections for Artificial Intelligence.” May 2024. https://leg.colorado.gov/bills/sb24-205
  • Texas Legislature. “HB 149 — Texas Responsible AI Governance Act (TRAIGA).” June 22, 2025.
  • Illinois General Assembly. “HB 3773 — Illinois Human Rights Act AI Amendment.” 2024.
  • New York City Department of Consumer and Worker Protection. “Local Law 144 of 2021.” Effective July 5, 2023.
  • California Privacy Protection Agency. “ADMT Final Rules.” Effective January 1, 2026 / January 1, 2027. https://cppa.ca.gov/announcements/2025/20250923.html
  • California Office of the Governor. “Governor Newsom Signs SB 53 — Frontier AI Transparency Act.” September 29, 2025.
  • White House. “Executive Order: Ensuring a National Policy Framework for Artificial Intelligence.” December 2025; March 9, 2026 amendment.
  • NIST. “AI Risk Management Framework (AI RMF 1.0).” January 2023.
  • US Court Decisions: Mobley v. Workday Inc. (N.D. Cal. — class certification May 2025).

Reg Intel is not a law firm and does not provide legal services. This article is for informational purposes only and should not be relied upon as legal advice. Consult qualified counsel for your specific compliance situation.

Disclaimer

This content is for informational and educational purposes only. It does not constitute legal advice. AI regulation varies by jurisdiction and changes frequently. Consult qualified legal counsel for advice specific to your organization’s circumstances and jurisdiction. Reg Intel is not a law firm and does not provide legal services.

The Weekly Brief

5 AI regulation developments that matter. Every Tuesday.

Reg Intel
Published: April 29, 2026 · Updated: April 30, 2026
Source: https://reg-intel.com/us-vs-eu-ai-regulation/