A US company that builds AI tools for European clients didn’t opt into EU AI Act jurisdiction. That doesn’t matter. The Act applies to providers and deployers of AI systems that produce output used by people in the European Union, regardless of where the system was developed, trained, or hosted. According to EU AI Act compliance guidance, a US enterprise whose AI system generates outputs consumed by EU customers, employees, or business counterparties is inside the Act’s scope. Geography of development is irrelevant. Geography of use is everything.
This isn’t theoretical. The deadline is five months away.
What’s Already in Force
Two sets of obligations have been enforceable since February 2, 2025. First, the Act’s prohibited AI practices under Article 5, including social scoring systems, real-time biometric surveillance in public spaces with limited exceptions, and AI that exploits vulnerabilities to manipulate behavior – have been impermissible for over a year. Second, Article 4 AI literacy requirements have been in effect since the same date, obligating providers and deployers to take measures to ensure their staff have sufficient AI literacy for their roles. According to EU AI Act compliance guidance published in March 2026, many US organizations have not yet assessed either set of obligations, despite both being live.
Violations of the prohibited practices provisions carry the Act’s steepest penalties: up to €35 million or 7% of global annual turnover, whichever is higher.
What Comes Into Force on August 2, 2026
Two major compliance regimes activate on August 2, 2026.
The first is the Annex III high-risk AI system framework. The official EU AI Act text defines high-risk systems as those used in sectors including recruitment and HR management, credit scoring, education and vocational training, critical infrastructure, essential public services, law enforcement, migration management, and administration of justice. If your AI system makes consequential decisions in any of these domains for EU users, it is almost certainly Annex III territory. High-risk designation triggers a comprehensive set of obligations: conformity assessments, technical documentation, human oversight requirements, accuracy and robustness standards, and registration in the EU’s AI database. Non-compliance with high-risk obligations carries penalties of up to €15 million or 3% of global annual turnover.
The second is Article 50 transparency. Article 50 transparency obligations require that certain AI systems, including those that generate synthetic content, interact with users as chatbots, or produce AI-generated images, audio, or video, disclose the AI nature of their output. This applies to consumer-facing systems and, in many configurations, enterprise tools that EU employees interact with directly.
The Digital Omnibus Factor
A legislative proposal circulating in EU institutions, known as the Digital Omnibus, has attracted attention in compliance circles because it would reportedly delay the high-risk systems deadline. According to coverage of the proposal, December 2027 has been cited as a possible revised timeline if the Omnibus is adopted. The proposal’s status and outcome remain uncertain.
Here is what US compliance teams should understand about that uncertainty: the Digital Omnibus is not adopted. It is proposed. Legislative proposals in the EU move through a multi-stage process involving the Commission, the Parliament, and the Council. The timeline from proposal to adoption is measured in months at minimum, and the final text of any adopted measure may differ substantially from what is currently circulating. Building your August 2026 compliance program around an unconfirmed delay means accepting the risk that the delay doesn’t materialize, and arriving at August 2026 with incomplete conformity assessments, unregistered high-risk systems, and Article 50 disclosures that don’t exist. That’s a choice, not a strategy.
What US Enterprises With EU Exposure Should Do Now
The practical work has five components.
1. Scope mapping. Identify every AI system your organization provides or deploys that produces output consumed by EU users, employees, or counterparties. This is the threshold question. Systems entirely outside EU consumption are outside scope.
2. Prohibited practices audit. If your organization hasn’t reviewed its AI applications against Article 5’s prohibited practices list since February 2025, that review is overdue. This is already in force.
3. AI literacy assessment (Article 4). What training or competency documentation exists for staff who develop, deploy, or oversee AI systems? Article 4 requires “sufficient AI literacy”, not a defined certification, but a demonstrable effort.
4. High-risk classification analysis. For each in-scope system, assess whether it meets the Annex III criteria. This is where most organizations need legal and technical input. The classification question has significant compliance consequences: high-risk systems require conformity assessments, technical documentation, and EU database registration before the August 2, 2026 deadline.
5. Article 50 transparency review. For consumer-facing AI and enterprise tools with direct EU user interaction, review whether Article 50 disclosures are in place or required.
TJS Synthesis
The EU AI Act is structured as a risk-tiered framework, and the tiering matters for how US enterprises prioritize their compliance work. The February 2025 obligations (prohibited practices and AI literacy) are in force now, they’re not on the August 2026 countdown. The August 2026 obligations (high-risk systems and Article 50) require the most preparation time, particularly the conformity assessment process for Annex III systems. The Digital Omnibus is a real legislative development, but it’s not a compliance plan. Five months is a short runway for organizations that haven’t started. The enterprises that reach August 2, 2026 with their documentation in order will be the ones that treated the deadline as a deadline.