The EU AI Act has extraterritorial reach. If your organization is headquartered in New York and deploys AI systems that affect individuals in the EU — through customers, employees, or partners — you are directly subject to its obligations. This guide covers what that means in practice before August 2, 2026.
⚠️ August 2, 2026 — Full EU AI Act obligations for high-risk AI systems. Compliance readiness must be established now.
The Extraterritorial Question
The most common misconception about the EU AI Act among US-based organizations is that it only applies to European companies. It does not. Like GDPR before it, the EU AI Act is designed to protect individuals in the EU regardless of where the organization deploying the AI system is located.
Article 2 of the EU AI Act establishes its scope explicitly: the regulation applies to providers and deployers of AI systems whose outputs are used in the EU. A New York-based company that uses an AI hiring tool to screen candidates who are EU residents, deploys a credit scoring model that evaluates EU customers, or uses a fraud detection system that processes EU transaction data is operating within the scope of the Act — regardless of where its servers are located or where it is incorporated.
The question is not whether your company is European. The question is whether your AI systems produce outputs that affect people in the EU.
The practical test: Do any of your AI systems make decisions about, or produce outputs that affect, individuals located in the EU? If yes — through customers, employees, partners, or users — the EU AI Act applies to your organization regardless of where you are based.
Annex III — High-Risk AI Systems
The EU AI Act uses a risk-based classification system. Most AI systems fall into the minimal or limited risk categories and face few obligations. The compliance burden falls primarily on high-risk AI systems — those listed in Annex III of the regulation.
For New York organizations, the most relevant Annex III categories are:
Employment & HR
AI systems used for recruitment, CV screening, candidate evaluation, performance monitoring, promotion decisions, or termination. NYC Local Law 144 creates parallel obligations for employers using automated employment decision tools in New York City.
Financial Services
Credit scoring, creditworthiness assessment, algorithmic lending decisions, fraud detection systems used in determining access to financial products. Fintech companies operating in both US and EU markets face dual compliance exposure.
Immigration & Border
Automated document verification, algorithmic assessment of visa or asylum applications, border control systems. Organizations involved in immigration processing for EU-bound individuals face strict classification obligations.
Criminal Justice
Algorithmic risk assessment tools, predictive policing systems, recidivism prediction models. Systems used in liberty-affecting decisions face the highest scrutiny under Annex III.
Healthcare
Clinical decision support systems, AI diagnostics tools, patient risk stratification models intended to be used as medical devices or in clinical care settings affecting EU patients.
Education
AI systems used for student assessment, proctoring, learning analytics, or access decisions in educational institutions with EU students. EdTech companies with EU users face direct classification obligations.
If your organization deploys any system in these categories that produces outputs affecting EU individuals, that system is presumptively high-risk under Annex III and triggers the full compliance framework.
What High-Risk Classification Requires
A high-risk AI system under the EU AI Act is not simply subject to disclosure obligations. It triggers a comprehensive compliance framework that must be operational before the system is deployed — or, for existing systems, before August 2, 2026.
Article 9 — Risk Management System
A documented risk management system covering the entire lifecycle of the AI system — from design through deployment and post-market monitoring. Must identify known and reasonably foreseeable risks, estimate and evaluate risks, and implement risk mitigation measures. Updated continuously, not as a one-time exercise.
Article 10 — Data Governance
Training, validation, and testing datasets must meet quality criteria. Documentation of data collection, preparation practices, and examination for possible biases. For systems that affect protected characteristics — hiring, credit, criminal justice — this is a high-scrutiny obligation.
Article 11 + Annex IV — Technical Documentation
Comprehensive technical documentation prepared before market placement. Annex IV specifies the required content: system description, design specifications, development process, training methodology, performance metrics, known limitations, and post-market monitoring plan. Must be kept updated throughout the system’s lifecycle.
Article 13 — Transparency & Instructions for Use
High-risk AI systems must be designed to be sufficiently transparent to enable deployers to interpret outputs and use them appropriately. Instructions for use must include information about the system’s purpose, performance, limitations, and conditions under which it should not be used.
Article 14 — Human Oversight
High-risk AI systems must be designed to allow effective human oversight during their use. Deployers must assign qualified individuals to exercise oversight, understand the system’s capabilities and limitations, and be able to disregard, override, or intervene in outputs. This is not a checkbox — it requires documented procedures and designated personnel.
Article 17 — Quality Management System
Providers must implement a quality management system covering the entire AI system lifecycle. Includes written policies, techniques for design and training, testing procedures, accountability frameworks, and post-market monitoring.
Article 71 — EU AI Database Registration
High-risk AI systems must be registered in the EU AI database before deployment or use in the EU market. Registration requires the Annex IV technical documentation to be in place. The August 2026 deadline is when this obligation becomes enforceable for most high-risk systems.
Deployer vs. Provider — a critical distinction: The EU AI Act distinguishes between providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in their operations). If you use a third-party AI tool — an HR screening platform, a credit model, a fraud detection API — you are a deployer. Deployer obligations exist independently of provider obligations. Your vendor’s compliance does not substitute for yours.
Article 4 — AI Literacy Is Already in Force
Article 4 of the EU AI Act is the provision most frequently overlooked by US organizations, and it has applied since February 2025.
Article 4 requires that providers and deployers of AI systems take measures to ensure their staff have sufficient AI literacy — the knowledge, skills, and understanding needed to work with AI systems responsibly and in compliance with the Act. This obligation applies to all AI systems, not only high-risk ones. It covers any personnel involved in the deployment, oversight, or decision-making supported by AI systems.
For a New York organization with EU operations, Article 4 compliance means:
Assessing current AI literacy levels across relevant roles — legal, compliance, technical, operational, and management staff who interact with AI systems or their outputs.
Implementing structured training appropriate to each role’s level of AI interaction. The regulation specifies that training must be proportionate to the nature of the AI systems, their intended purpose, and the risks involved.
Documenting literacy measures as part of the broader compliance record. Regulators examining EU AI Act compliance will look at Article 4 measures alongside the high-risk system obligations.
The February 2025 application date means organizations that have not yet taken Article 4 measures are already in a position of non-compliance. This is not a future obligation — it is a current one.
The August 2026 Deadline — What Must Be in Place
February 2025 — Already in force: Prohibited practices banned. Article 4 AI literacy obligations apply to all providers and deployers with EU exposure.
2 August 2026 — The deadline: Full high-risk system obligations apply. Article 9 risk management, Article 10 data governance, Annex IV technical documentation, Article 13 transparency, Article 14 human oversight, Article 17 quality management, and Article 71 EU AI database registration must all be operational. Fines: up to €15M or 3% of global turnover for high-risk violations; up to €35M or 7% for prohibited practices.
2 August 2027 — Next wave: Stricter rules apply to AI used as safety components in products already regulated by EU product safety law — medical devices, toys, machinery, vehicles.
The practical implication for New York organizations is that preparation must begin now. The August 2026 deadline is not a filing date — it is the date by which a fully operational compliance infrastructure must exist. For most organizations starting from scratch, the realistic preparation timeline is 12–16 weeks for a focused engagement. That puts the latest viable start date in April or May 2026.
NYC Local Law 144 — Parallel Obligation
New York City Local Law 144 creates a parallel compliance obligation that operates independently of the EU AI Act. LL144 applies to employers using automated employment decision tools (AEDTs) in hiring or promotion decisions for positions in New York City — regardless of whether the organization has EU exposure.
Under LL144, employers must conduct annual bias audits of their AEDTs performed by an independent auditor, publish a summary of audit results, and notify candidates or employees before using an AEDT to evaluate them.
For New York organizations subject to both LL144 and the EU AI Act’s employment provisions under Annex III, the compliance frameworks overlap but do not substitute for each other. A unified compliance approach that addresses both frameworks simultaneously is more efficient than treating them as separate exercises.
Where to Start
For a New York organization assessing EU AI Act exposure for the first time, four initial questions define the scope:
1. Inventory. What AI systems does the organization currently deploy or use — including third-party tools, vendor-provided models, and embedded AI features in SaaS platforms?
2. EU exposure. For each system identified, does it produce outputs affecting EU individuals — directly or indirectly?
3. Annex III classification. For systems with EU exposure, does the system fall into one or more Annex III categories?
4. Gap analysis. For systems classified as high-risk, what documentation, risk management procedures, human oversight mechanisms, and quality management structures currently exist — and what needs to be built before August 2, 2026?
For most mid-size New York organizations with EU exposure, a structured gap analysis and remediation roadmap can be completed in 8–12 weeks — leaving adequate time before the August 2026 deadline for implementation and documentation.
—
This practice note was written by Constantin Razvan Gospodin, Legal AI Risk Manager and founder of Lexara Advisory LLC — an AI governance consulting firm serving organizations in New York and across the United States. European-barred attorney (ICATF nº 5961).
Lexara Advisory LLC — AI governance consulting, not legal practice. Nothing on this site constitutes legal advice.
