EU AI Act: Yes, it’s Critical in the US

Artificial IntelligenceEmpowered by AIAI in Education
Written By Janet Johnson

The European Union’s Artificial Intelligence Act is no longer just a European story.

It’s a sweeping global regulation that’s already shaping how AI is built, marketed, and used internationally.

If you’re a US company deploying AI—whether in edtech, healthcare, finance, or any sector that operates, sells to, or influences anyone in the EU—the EU AI Act lands in your court.

Even if you’re not building foundational AI models from scratch (hello OpenAI, Anthropic, Google, Meta and more…) , compliance is essential if your offerings integrate, adapt, or rely on AI in ways that touch EU users or data. The AI Act’s “extraterritorial effect” means you can face real enforcement - including steep fines and market exclusion - even without any European office or staff.

Its risk-based rules set global expectations and are likely to be mirrored by regulators across the US and beyond (it’s happened many times before, e.g. GDPR).

Proactively aligning with the AI Act’s “deployer and downstream provider” requirements isn’t just compliance. It’s how you show your product’s users, schools, and policymakers you’re credible, future-ready, and trustworthy in a world demanding more ethical, transparent AI.

Understanding Your Role

Organizations that build on top of, fine-tune, or distribute existing AI models (yes, without developing the core models themselves) typically fall into the “downstream provider” or “deployer” categories under the EU AI Act.

Who is a Downstream Provider or Deployer?

  • Downstream Provider: Integrates third-party general-purpose AI (GPAI) models into their own products or services and may fine-tune or modify these models for market use under their own name.

  • Deployer: Uses AI systems for their own organizational or business processes (such as an edtech platform using a licensed AI model for personalized learning suggestions OR a service provider to schools, like a back office provider).

Key Obligations for Deployers and Downstream Providers

The AI Act’s main focus for downstream organizations is ensuring the responsible use of AI—especially when models are sourced from others. Your obligations depend on whether you modify/fine-tune the models (“downstream provider”), simply deploy them as part of your offering (“deployer”), or both:

1. Follow Provider Instructions and Documentation

You must use the AI system in line with the instructions, technical documentation, and limitations provided by the original model provider. This is non-negotiable—failure to adhere can shift greater liability right onto you. Even the AI literacy among your teams must showcase a confirmed, technical understanding of how AI works, proportionate to the level of technical knowledge required for every employees’ role. Including:

  • Practical understanding - for deployers, an understanding of how to make the most of AI Systems including, for example how to construct an effective prompt for a generative AI System.

  • Ethical understanding - an understanding of the ethical implications of AI, along with (combined with the technical understanding pillar) the shortfalls and limitations of AI Systems.

2. High-Risk System Responsibilities

If you deploy or integrate AI in contexts the law deems “high-risk” (such as student assessment or recruitment tools), you have enhanced responsibilities to:

  • Maintain logs and records of system use (for a minimum of six months).

  • Conduct regular data protection and risk assessments.

  • Inform individuals they’re interacting with an AI system and, if required, that automated decisions may impact them.

  • Monitor the system’s operation for risks to health, safety, or fundamental rights—and suspend use and notify both the provider and authorities if serious issues arise.

3. Input Data Control

If you supply or control the data used by the AI system (like uploading your own learning datasets), you are responsible for ensuring its quality, relevance, and representativeness for the system’s intended use.

4. Cooperation & Transparency

  • You must cooperate with EU regulators and the original provider.

  • If you make substantial modifications or “white-label” the system, you may become subject to a provider’s full obligations.

  • Make sure any synthetic or AI-generated content (like images or text) is properly labeled as such when presented to users.

5. Accessibility & Non-Discrimination

AI systems used in sectors covered by EU accessibility directives (including EdTech) must meet relevant accessibility standards and should be monitored to prevent discrimination or bias (ibid).

When Does a “Downstream Provider” Become a “Provider” Under the Act?

If you substantially fine-tune or modify a foundation model—for example, by retraining it with significant new resources or releasing it under your own branding—EU law may reclassify you as the “provider,” with far greater documentation, risk, and transparency obligations. In most EdTech use cases, simply integrating or lightly customizing a third-party model does not trigger this, but significant changes for general-purpose uses might.

Where the GPAI Code of Practice Fits In

For deployers and downstream providers, the GPAI Code of Practice mainly matters as an excellent foundational governance framework you should expect from model creators. It ensures you get the necessary documentation, transparency, and information to meet your own AI Act obligations—and signals which upstream partners are reliable. The onus of direct Code compliance falls on original model providers, unless you cross the threshold into more substantive modification.

The EU’s approach is fast becoming the international benchmark for responsible AI. By putting deployer and downstream provider responsibilities at the foundation layer of your compliance strategy, you don’t just avoid penalties—you gain trust, resilience, and alignment with the next era of digital regulation.

Go forth and productize. Let us train your employees on AI literacy properly, based on technical, practical and ethical understanding. These foundational elements from the EU AI Act and GPAI Code of Practice will serve you well wherever you do business in the world.

Resources from AIGG on your AI Journey

Is your organization ready to navigate the complexities of AI and build trust with confidence?

At AIGG, we understand that adopting AI isn’t just about the technology—it’s about doing so responsibly, ethically, and with a focus on protecting privacy while building trust. We’ve been through business transformations before, and we’re here to guide you every step of the way.

Whether you’re an edtech organization, school district, government agency, other nonprofit or business, our team of expert guides—including attorneys, anthropologists, data scientists, and business leaders—can help you craft programs and practices that align with your goals and values. We’ll also equip you with the knowledge and tools to build your team’s literacy, your responsible practices, TOS review playbooks, guidelines, and guardrails as you leverage AI in your products and services.

Don’t leave your AI journey to chance.

Connect with us today for your free AI Tools Adoption Checklist, Legal and Operational Issues List, and HR Handbook policy. Or, schedule a bespoke workshop to ensure your organization makes AI work safely and advantageously for you.

Your next step is simple—reach out and start your journey towards safe, strategic AI adoption and deployment with AIGG.

Let’s invite AI in on our own terms.

Janet Johnson

Founding member, technologist, humanist who’s passionate about helping people understand and leverage technology for the greater good. What a great time to be alive!

Previous

Building trust and resilience on a GPAI Code foundation
Next

“HIPAA doesn’t apply to public schools.” That statement is technically correct, and dangerously misleading.