If You Sell to Europe, the EU AI Act Is Already Your Problem
The EU AI Act is not a future problem you can defer until enforcement ramps up. If your company sells to European customers, processes data about EU residents, or deploys AI tools that touch EU operations in any way, the extraterritorial reach of this regulation puts you in scope today. Most US mid-market IT teams I talk to know this at a vague level but haven’t translated it into anything actionable. This post is the translation.
This isn’t a framework explainer. It’s a working checklist — the kind of thing you can hand to a small IT team and actually make progress on without a dedicated compliance department.
Why US Mid-Market Companies Get Caught Flat-Footed
Large enterprises have GRC platforms, privacy counsel, and compliance teams who started reading the EU AI Act text years ago. Smaller companies have an IT manager who also owns security, vendor management, and probably a few helpdesk tickets. The AI governance gap at the 50–500 employee tier isn’t a knowledge problem — it’s a bandwidth and tooling problem.
The EU AI Act (official text and implementation resources via the European Commission) establishes a risk-tiered framework. Most of the tools your company uses will fall into the “limited risk” or “general purpose AI” categories, which carry transparency and documentation obligations rather than the heavy conformity assessment requirements that apply to high-risk systems. But even limited-risk obligations require you to know what AI tools you’re running, what they’re doing, and whether your vendors have their own compliance posture. Most mid-market companies can’t answer those three questions right now.
The Compliance Checklist
Work through these areas in order. The early items are discovery work; the later ones are governance work. You can’t do the latter without the former.
1. Determine Whether You’re Actually in Scope
The EU AI Act applies to providers and deployers of AI systems. A “provider” places an AI system on the market or into service. A “deployer” uses an AI system in a professional context. If you’ve integrated a third-party AI tool into any customer-facing or internal workflow and that workflow touches EU operations or EU-resident data, you’re likely a deployer under the Act’s definition.
This is a legal determination and this checklist can’t make it for you — but it’s also not a hard call for most companies. If you have EU customers or employees and you’re using AI tools, you should assume you’re a deployer and govern accordingly. The cost of finding out you were wrong is much lower than the cost of being unprepared when a customer’s legal team or a regulator asks the question.
2. Build Your AI Tool Inventory
You cannot govern what you haven’t catalogued. Your first task is a complete inventory of every AI tool in use across the organization — not just IT-sanctioned tools, but the ones your marketing team bought on a credit card and the ones your developers are calling via API. This is harder than it sounds because AI capability is now embedded in tools that weren’t originally AI products: CRMs, writing assistants, recruiting platforms, customer service software.
For each tool, capture the vendor, the use case, the data it touches, and whether it’s customer-facing or internal. That’s the minimum. A complete record also notes the deployment date, the business owner, and what your contract with the vendor actually says about AI use and data handling.
This inventory is the foundation of your AI governance posture — and it’s the first thing any regulator or customer security questionnaire is going to ask about.
3. Classify Each Tool by Risk Tier
The EU AI Act’s risk tiers are: unacceptable risk (prohibited), high risk, limited risk, and minimal risk. The Act also addresses general-purpose AI models (like large language models) separately, with their own transparency and documentation requirements.
For most mid-market companies, the practical question is whether any of your tools fall into the high-risk category. High-risk systems include AI used in employment decisions (screening, evaluation), credit scoring, access to essential services, and certain safety-critical applications. If you’re using an AI-assisted recruiting platform, an automated credit decisioning tool, or any AI that influences access to services in a significant way, those warrant closer scrutiny.
For the majority of your inventory — productivity tools, content generation, summarization, customer support chatbots — you’re looking at limited-risk or general-purpose AI obligations. These primarily require transparency (disclosing that users are interacting with AI) and basic documentation of what the system does and how it’s used.
4. Audit Your Vendor Contracts
As a deployer, you’re relying on your AI vendors to meet their obligations as providers. That reliance needs to be backed by contractual language. Go back to your vendor agreements for every AI tool in your inventory and look for three things: what the vendor discloses about how their AI system works, what data processing terms govern your data and your customers’ data, and what the vendor commits to in terms of their own compliance posture.
Many AI vendors updated their terms in 2024 with EU AI Act and EU data protection language. Many did not, or buried the relevant commitments in documentation that doesn’t get attached to your contract. You need to know which situation you’re in for each vendor. Where contracts are silent or deficient, you need to either push for updated terms or document the risk and make an explicit business decision about it.
5. Establish Transparency Practices for Customer-Facing AI
If your company uses AI in any customer-facing context — chatbots, AI-generated content, automated responses, recommendation systems — the EU AI Act requires that users know they’re interacting with an AI system. This sounds simple, but in practice many companies have added AI features to customer touchpoints without updating their disclosures, terms of service, or customer communications.
Do a pass through your customer-facing products and communications. Anywhere AI generates or substantially influences what a customer sees or receives, you need a disclosure. Check your privacy policy, your website footer, your product UI, and your sales and support workflows. The standard here is that a reasonable user would understand they’re interacting with or receiving output from an AI system.
6. Document Your AI Governance Policies and Controls
Regulators and customers don’t just want to know that you’re using AI responsibly — they want evidence. That means written policies governing AI use, documented controls around your high-risk tools, and a process for reviewing and updating your posture as your AI tool stack evolves.
At minimum, you need: an acceptable use policy for AI tools, a process for approving new AI tools before deployment, a documented review cycle for your AI inventory and risk classifications, and a mechanism for tracking and responding to AI-related incidents. If you don’t have those in place, that’s your governance gap, and it’s the gap that’s hardest to close quickly without some kind of structured framework or tooling to organize the work.
7. Create an Incident Response Plan for AI-Specific Failures
AI systems fail in ways that are different from traditional software failures. They produce incorrect outputs with high confidence, they can behave differently on edge cases than on training data, and when they fail in a regulated context, the failure can have legal or reputational consequences that go well beyond a typical IT incident. Your existing incident response plan probably doesn’t account for this.
For EU AI Act purposes, providers of high-risk AI systems have explicit incident reporting obligations. As a deployer, your obligation is to report incidents to your providers and cooperate with investigations. That cooperation requires you to have logged what happened, when, and what the impact was. A simple AI incident log — noting the tool, the date, the failure mode, and the downstream effect — is the minimum viable record.
Do This Week
If you do nothing else after reading this, build your AI tool inventory. Open a spreadsheet, loop in your department heads, and give yourself a week to produce a complete list of every AI tool your organization uses or has tested in the past year. Include the vendor name, the internal owner, and a one-line description of what the tool does.
That list is the foundation. You can’t classify risk, audit contracts, or build policies without it. And when a customer’s legal team or a regulator asks you to demonstrate your AI governance posture, the inventory is the first thing they’ll want to see. Most mid-market companies can complete this step in a week with an IT manager driving it. It’s not glamorous, but it’s the work that makes everything else possible.
Turning the Checklist Into a Continuous Practice
A one-time compliance checklist is a starting point, not a destination. The EU AI Act has a phased implementation timeline, your vendor landscape will keep changing, and AI capabilities inside your existing tools will keep expanding — often without a new contract or a new purchase order to flag the change.
AI governance has to become an ongoing operational practice, not a project you complete and archive. That means ownership (someone is responsible for the AI inventory and the policy review cycle), tooling (a place to track incidents, manage risk assessments, and store evidence), and a calendar (a defined review cadence so the inventory doesn’t go stale).
If you’re trying to build that practice without a dedicated compliance team, it helps to have a structured framework behind you. InfoDefenders is built specifically for IT teams in this position — practical, not theoretical, and sized for mid-market organizations that don’t have enterprise GRC budgets. Start a free trial and see how it fits your situation. But even before you look at tooling, the inventory step above will give you more clarity about your actual situation than another hour of research will.
The companies that are in the best position on EU AI Act compliance aren’t the ones with the biggest compliance teams. They’re the ones who started the inventory early and built a repeatable process around it. That’s a gap you can close.