EU AI ActScopeApplicabilitySMEs

Does the EU AI Act apply to my business? A quick scope test

Published July 12, 2026 · 5 min read

The most common first question about the EU AI Act is also the most misunderstood: many companies assume it only touches AI vendors, or only EU-based ones. Neither is true. Article 2 of the Act casts a wide, deliberately extraterritorial net. Here is a plain-English test to see whether you are in scope — and what to do next if you are.

You are likely in scope if…

  • You build or brand an AI system and place it on the EU market or put it into service in the EU — even if your company is outside the EU. That makes you a provider.
  • You use an AI system in your business and you are established or located in the EU. That makes you a deployer — and yes, using a third-party tool still counts.
  • You are outside the EU, but the output your AI system produces is used in the EU. This output-based rule is the part most non-EU companies miss.
  • You are a product manufacturer shipping an AI system under your own name, an authorised representative of a non-EU provider, or an importer/distributor of AI systems into the EU.

You are probably out of scope if…

  • You use AI purely for personal, non-professional activity.
  • Your activity is scientific research and development— systems developed and put into service solely for R&D, before any market placement, are excluded.
  • The system is for military, defence or national security purposes only.
  • You release a model under a free and open-source licence unless it is a high-risk system, a general-purpose AI model with systemic risk, or falls under the prohibited (Article 5) or transparency (Article 50) rules.

“In scope” is not the same as “high-risk”

Being in scope only means the Act applies to you — it does not mean you face the heavy obligations. Those depend on your risk tier. Most business AI (chatbots, productivity tools, analytics) is minimal- or limited-risk, where duties are light (often just transparency). The demanding requirements — technical documentation, risk management, conformity assessment — apply to high-risk systems. See our Annex III high-risk guide for what tips a system into that category, and the plain-English overview for the four tiers.

Provider or deployer? It changes your duties

The same organisation can be both. If you build AI, you carry provider obligations; if you buy and use it, you carry the (lighter) deployer obligations — human oversight, using the system as intended, monitoring. And note: if you substantially modify a high-risk system, or put your own name on it, you can become a provider of that system. Getting your role right is the second step after confirming you are in scope.

Find out in two minutes

Rather than guess, run the free EU AI Act Snapshot: describe your AI systems and it returns your risk tier and the obligations that follow — no account, about two minutes. If you are ready to act on the result, the plans start at €0 with a real free tier.