Find your AI risk
Blog / Explainer
Explainer

The EU AI Act and Australian Businesses

The deadline for compliance with the EU AI Act is fast approaching. Now is the time for Australian businesses to get prepared.

The EU AI Act and Australian Businesses

A European client emails and asks you to confirm your AI use complies with the EU AI Act.

You’re in Australia. No office in Europe, no European staff, and because of that you may be thinking that European law can’t reach you.

But it can.

The EU AI Act is not a toothless tiger that Australian businesses can simply ignore.

It is a real legal framework with real, business-ending consequences for non-compliance.

Think of it as the AI equivalent of the GDPR, but with sharper teeth.

The EU has a proven track record of enforcing its digital laws globally, and this Act carries maximum penalties of up to €35 million or 7% of global annual turnover, whichever is higher.

For many Australian businesses, a single penalty of that scale is a business death sentence.

This guide sets out to show whether the EU AI Act reaches your Australian business – and why it may matter even sooner than the legal deadline suggests.

I’ll cover two situations, because the Act treats them very differently:

While the obligations carry more weight for second situation, don’t think you’re off the hook because you’re only using AI, not selling it.

The EU AI Act isn’t bound by geography. It’s bound by who your AI affects.

Most people may assume European law only applies to European companies.

This one doesn’t work that way.

If your AI system’s output is used in the EU – a tool that ranks EU job applicants, a model that scores EU customers, a service EU users interact with – you can be in scope even with no European presence at all.

According to the Act, the Regulation applies to providers placing AI systems on the market or into service in the Union, irrespective of whether those providers are established in the Union or in a third country.

This mirrors GDPR, which caught plenty of Australian businesses the same way.

Telling regulators: “But we’re not in Europe” was not a credible defence then either.

First, work out which one you are: deployer or provider

This is the distinction that determines everything else:

A deployer uses an AI system – You bought it, or you subscribed to it, and you use it in your work. Your obligations are real but manageable – transparency, human oversight, using the tool as intended.

A provider builds an AI system and puts it on the market – Your obligations are substantially more detailed: involving risk management, data governance, technical documentation, logging, conformity assessment.

Here’s the trap, which seems to have caught a few startup founders I’ve spoken to:

You can become a provider without building a model.

If you plug into an API like OpenAI or Anthropic, or use an open-source model, you might assume you’re just a user.

But if you fine-tune it, materially alter its output, put your own name on it, or apply it to a specific high-stakes domain – such as HR, fintech, education – you may be legally classified as the provider of that system.

You absorb the liability, even though you’re not nearly on the scale of an OpenAI or Anthropic and you didn’t train a thing.

If you’re a startup using an AI model’s API anywhere in your product and selling it, by far the safest option is to assume you’re a provider until a lawyer tells you otherwise.

Does the Act apply to you? A quick and rough self-check

Give the following four questions some thought and answer honestly:

More “yes” than “no” means you’re likely affected by the act, or close enough that you can’t assume otherwise.

You should also note that this simply rough guidance and should not be taken as legal advice.

But it may give you an indication as to whether you need to assess your exposure in more detail (and if you’re reading this – you probably should).

What is defined as high risk AI?

The EU AI Act flags specific use cases where AI decisions directly impact a person’s life, career, or bank account.

If your business or product does any of the following, you are almost certainly operating in the high-risk zone:

Note that this catches deployers too, not just builders.

An Australian firm using an AI tool to screen job applicants in the EU is in the high-risk zone, even though someone else built the tool.

If you checked any of those boxes, now is the time to stop wondering. The deadlines for high-risk rules are approaching.

Book a chat with a technology lawyer sooner rather than later.

A small upfront outlay now beats a drawn-out legal process and company-destroying fine in a couple of years.

Two deadlines

So far, I’ve spoken mostly about the legal ramifications but if you’re operating in the EU in any capacity, you’re not just running against the regulatory deadline.

There are also commercial considerations to take into account.

The customer deadline is the one that will probably hit your business first.

Even if you’re happy to live in denial and betting on the probability that an EU regulator may never question you, you should still be prepared when your EU customers do.

What “getting ready” actually looks like

While you don’t need to become an EU compliance expert, you do need to have answers ready for the following questions when they come:

At the very least, compiling your AI register is a low investment way to get a head-start on meeting regulatory requirements which only requires a spreadsheet or Notion file.

Starting your AI register

At its most simple, an AI register documents the lifecycle of your AI use. It should show:

Why DIY compliance is a risk

Starting an AI register in a spreadsheet is a great first step. But don’t rely on DIY compliance to protect your business.

Considering the stakes and the size of the penalties, if you have users, data, or clients in the Eurozone, book a chat with a specialised technology lawyer sooner rather than later.

Here’s why.

If you build AI into a product: assume you’re high risk until you’re sure you’re not

If you’re a startup or software companies shipping AI-enabled product, the safest option is to assume you’re high risk until you can definitively prove that you’re not.

The EU AI Act works on a sliding scale of risk, and the boundaries can be blurry. If you don’t know exactly what risk level your AI represents, don’t cross your fingers and assume you’re safe.

The safest rule of thumb: treat your system as high risk from day one.

It is vastly easier – and cheaper – to build documentation, data tracking, and guardrails into your product now, rather than trying to reverse-engineer compliance later when an auditor knocks on your door.

It also has added benefits. It helps future-proof your business if you decide to scale with AI in the coming years, and it encourages good habits around AI hygiene.  

What assuming high risk looks like in practice

Five simple habits to build into your development workflow:

Why it’s worth getting ready now, regardless of your legal standing

Whether or not the EU AI Act legally binds your Australian business depends on specifics only you can check.

But the question underneath isn’t just legal. It’s commercial.

Your EU customers are deciding, right now, whether you’re a supplier who has their AI use handled safely, or one who carries too much risk to deal with.

It’s happening in Europe, and signs indicate it will be happening in Australia very soon too.

Being prepared means knowing what AI you use, who owns it, and being able to show proof when a customer or an auditor asks.

That’s worth having whether the law reaches you or not.

Further reading

Not sure what your team is already using?

A few quick questions. No sign-up, no scanning. See where your AI risk actually is.

Find your AI risk
Paul Bardell
Written by
Paul Bardell · Founder, Certrak

Paul Bardell is the founder of Certrak, which gives Australian businesses one clear record of their AI use. He writes plain-language guidance for people who never signed up to be responsible for AI.