EU AI Act in plain English for U.S. businesses with EU exposure. Updated for the May 7, 2026 Digital Omnibus provisional agreement that postponed Annex III
By Matthew Bertram · President of ModalPoint, CEO of EWR Digital · 2026
The EU AI Act is the world’s first comprehensive AI law. It applies extraterritorially, which means a U.S. company can be on the hook for compliance even if it does not have an office, employee, or server inside the European Union. Most U.S. coverage of the law is six months out of date. Here is what changed in early May 2026 and what U.S. businesses should actually be paying attention to.
This guide is for U.S.-based executives, board members, and counsel who export to the EU, sell software used by EU customers, or operate in industries where EU customers might end up using your AI features. AI-curious audience, plain English on top, citation-dense legal layer at the bottom.
That is the gist. The detail follows.
The EU AI Act follows the GDPR template. It applies based on the location of the customer and the use, not the location of the company. If your AI product is used by a person in the EU, or if your AI produces outputs used in the EU, you are in scope. This is the same extraterritorial reach that pulled thousands of U.S. companies under GDPR in 2018.
Three concrete examples of when U.S. companies are in scope:
If your business has zero EU customers, EU users, or EU outputs, the AI Act does not directly apply to you. But the trend is clear: the U.S. federal government, state governments (Texas, Colorado), and other jurisdictions are watching the EU AI Act closely. The compliance practices you build for EU exposure are the ones that will scale to whatever lands next at home.
This is the part most U.S. legal commentary has not caught up to yet. On May 7, 2026, after months of negotiation and a first trilogue that collapsed at the end of April, the European Parliament and the Council reached a provisional agreement on what is being called the Digital Omnibus on AI. The deal does several things at once.
Important caveat: the agreement is provisional. It must be formally adopted by the Council and the Parliament before August 2, 2026. If adoption stalls, the original AI Act deadlines snap back into force. As of mid-May 2026, the institutions have stated their intent to adopt before the deadline. Track this; do not assume it.
A Texas-based SaaS vendor sells customer-service AI to a Berlin retailer. Today, the vendor must already comply with the prohibited-practices list and GPAI model obligations if applicable. After the Omnibus is adopted, the vendor has until December 2, 2027 instead of August 2, 2026 to bring any high-risk Annex III uses into compliance. The vendor uses the additional time to build the technical documentation, conformity assessment, post-market monitoring, and EU database registration that high-risk obligations require.
A Houston medical device manufacturer ships an AI-enabled diagnostic tool to a hospital in Milan. The AI is a safety component. Annex I obligations apply. The Omnibus pushes Annex I to August 2, 2028. The manufacturer has the time to align the AI conformity assessment with the existing CE-marking process for the medical device, rather than running parallel compliance regimes.
A Texas C&I manufacturer has zero EU sales and no EU users. The AI Act does not apply. But the company should still pay attention because (a) the EU framework is the template U.S. states are starting to follow, and (b) the practices it requires (inventory, classification, technical documentation, post-market monitoring) are exactly what NIST AI RMF, ISO 42001, and any future federal U.S. AI regime will also require. Building EU-grade documentation is overkill for U.S. operators today and table stakes by 2027.
The Omnibus does not move the prohibited-practices list, the AI literacy obligation, or the GPAI obligations. Those were already in force in 2025 and they remain in force.
Several categories of AI use are flatly prohibited in the EU: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, certain real-time biometric identification in public spaces by law enforcement, and certain emotion-recognition uses in workplaces and schools. The new Omnibus prohibition on AI-generated CSAM and non-consensual intimate imagery joins this list with a December 2, 2026 deadline.
Providers and deployers must take measures to ensure a sufficient level of AI literacy among staff and any other persons dealing with AI systems on their behalf. This is not a heavy obligation but it is a real one. Document the training your team has received.
Providers of General Purpose AI models (the foundation models that power generative AI assistants and other broadly capable systems) must comply with technical documentation, training data summary disclosures, downstream provider information, and certain risk-mitigation requirements. A two-year grace period applies to GPAI models that were already on the market on August 2, 2025. Most U.S. operators are deployers of GPAI rather than providers, but if you fine-tune or substantially modify a GPAI model, you may inherit provider obligations.
If you run a U.S. industry association whose members export to the EU, sell software to EU customers, or have EU operations, your audience needs the current picture. Most legal commentary your members are reading is from before May 7, 2026. The new dates, the new prohibitions, and what U.S. companies actually have to do in 2026 versus 2027 versus 2028 is a useful 30-minute talk for an executive audience.
That is a more current and more practical talk than what most AI-regulation speakers are delivering this year. If you are programming an upcoming event, here is the speaking page. Back to the practical guidance.
Primary sources: the European Commission’s AI Act page (digital-strategy.ec.europa.eu) and the implementation timeline tracker maintained by the Future of Life Institute.
The next sections cover the formal regulatory framing for general counsel, compliance officers, and AI governance professionals. Skip ahead if you do not need it.
The AI Act establishes four risk tiers: unacceptable risk (prohibited under Article 5); high risk (Annex III standalone uses and Annex I AI components in regulated products; the heaviest compliance regime); limited risk (transparency obligations, including the watermarking and AI-interaction disclosure requirements); and minimal risk (no specific obligations). General Purpose AI models are regulated as a separate category, with additional rules for systemic-risk GPAI.
Annex III covers eight domains: biometric identification and categorization, critical infrastructure management, education and vocational training, employment and worker management, access to essential services (credit scoring, insurance), law enforcement, migration and border control, administration of justice and democratic processes. The Omnibus extends compliance to December 2, 2027.
Annex I covers AI safety components in products subject to existing EU sectoral safety law (machinery, medical devices, toys, marine equipment, civil aviation, motor vehicles, agricultural vehicles, recreational craft, lifts). The Omnibus shifts to sectoral primacy with an equivalence clause and pushes compliance to August 2, 2028.
Fines are tiered. Most serious violations (prohibited practices): up to EUR 35 million or 7 percent of total worldwide annual turnover, whichever is higher. Non-compliance with high-risk system obligations: up to EUR 15 million or 3 percent of global turnover. Provision of incorrect, incomplete, or misleading information to authorities: up to EUR 7.5 million or 1 percent of global turnover. SMEs and startups face proportionally lower caps.
National competent authorities in each member state enforce most of the AI Act for systems placed in their jurisdiction. The European AI Office (within the Commission) has direct enforcement authority over GPAI models. The European Artificial Intelligence Board coordinates among national authorities and provides guidance.
The EU AI Act is one of four anchor standards that capital-intensive and regulated-industry operators are tracking in 2026: NIST AI RMF (federal U.S. voluntary), ISO 42001 (international management standard, certifiable), the EU AI Act (statute, where applicable), and a growing patchwork of U.S. state laws including TRAIGA in Texas and Colorado’s AI Act. The four overlap. None substitutes for any other.
For the broader four-standard treatment, see the 2026 AI Governance Framework implementation guide. For the federal U.S. piece specifically, see the NIST AI RMF implementation guide. For the Texas state-law picture, see TRAIGA: What Texas Businesses Actually Have to Do.
The companion question most operators are not yet asking: how AI engines describe your company is also a governance surface. AI governance and AI visibility are a two-layer control system, and the visibility layer becomes evidence in the same regulatory inquiries.
Most U.S. legal commentary on the EU AI Act is six months out of date. The May 2026 Omnibus deal changed the operative dates and added a new prohibition. U.S. boards and association audiences need the current picture, told plainly, with examples from their industry and a clear map of what to do this year versus 2027 versus 2028.
That is the talk I deliver. Houston-based, working with U.S. companies that have EU exposure across C&I, medical, and energy. Plain English. Real industry examples. Honest about what the law actually requires now, what is coming, and what just got pushed back.
Matt Bertram is the founder of EWR Digital (Houston), president of ModalPoint (an AI governance advisory holding the DIG framework), an IAPP member and AIGP candidate (cert track approximately July 2026, see published thought leadership and institutional affiliations), a member of the NIST AI Safety Institute Consortium (Cyber AI Profile and Zero Trust Communities of Interest), a Goldman Sachs 10,000 Small Businesses graduate (Houston Cohort, April 2026), and the moderator of record on the Ericsson Enterprise Wireless AI panel at the Offshore Technology Conference 2026 with co-panelists from Bechtel and Rockwell Automation. Texas A&M, Class of 2006.
This guide describes the EU AI Act as enacted in 2024, with the May 7, 2026 Digital Omnibus provisional agreement reflected. The Omnibus must be formally adopted before August 2, 2026 to take legal effect; until then, the original AI Act deadlines technically remain in force. Statutory and regulatory text is the controlling authority; nothing on this page is legal advice. Consult qualified EU counsel for any specific compliance question.
EU AI Act Article 12 (automated logging) and Article 26(5) (human oversight by persons with the necessary authority) require a runtime discipline most U.S. companies have not yet built. For the framework, see Decision Integrity as the Article 12 substrate.
Matthew brings this to mainstage keynotes and closed-door board briefings.