The EU AI Act is the first comprehensive AI regulation from a major economic bloc. It classifies AI systems by risk, bans some uses outright, and imposes heavy obligations on "high risk" deployments. Most US marketers saw the headlines and moved on, assuming none of it applied to them. That assumption is wrong in three ways, and getting it wrong is increasingly expensive.
Note: this post is not legal advice. Talk to a real lawyer before making compliance decisions. What follows is the operational pattern we're seeing across client work.
Reason 1: the Brussels effect
When a large, wealthy market sets a regulatory standard, global companies usually comply everywhere rather than run two versions of their product. GDPR was the textbook example — US companies that had no EU users still ended up building GDPR-compliant workflows because their vendors did.
The same thing is happening with the AI Act. Your CRM, your marketing platforms, your email tools, and your advertising partners — all of them are building AI Act compliance into their product. Which means your defaults are quietly changing without any action on your part.
Reason 2: if you sell to any customer in the EU, you're covered
This is the part most US companies miss. The AI Act applies based on where the affected users are, not where your company is incorporated. If you run a US SaaS company that has a handful of EU customers and your onboarding flow uses AI scoring to decide who gets free-tier access — congratulations, you're operating a covered AI system under EU law.
"A handful of EU customers" covers a lot of US companies. Check your user list before concluding you're exempt.
Reason 3: US state laws are already following the pattern
California, New York, Colorado, Illinois, and Texas have all introduced or passed AI-related legislation that maps closely onto the AI Act's risk framework. The terminology differs. The structure is converging. Companies that build for the EU standard are mostly getting the US state compliance work for free. Companies that haven't are doing it piecemeal.
What marketing teams actually need to do
The operational asks for a marketing team are narrower than they sound:
- Inventory your AI systems. Every tool, every vendor, every internal script. What data do they use? What decisions do they make?
- Classify by risk tier. Most marketing AI is low or minimal risk. A few categories (credit scoring, employment ads, housing ads) are high risk and trigger heavy obligations.
- Document meaningful human oversight. For any system that makes automated decisions affecting users — lead routing, content filtering, pricing — there must be a clear human-in-the-loop.
- Build a transparency register. Users have the right to know when they're interacting with AI and what data is being used. Your consent flows should reflect this.
- Keep logs. For the systems that matter, log inputs, outputs, and decisions with enough fidelity to answer questions three years later.
The tools where you're most exposed
In our audits, the highest-risk tools tend to be the ones marketers think about least:
- AI lead scoring and routing systems
- Automated content moderation and comment filtering
- Dynamic pricing engines
- AI-written outbound email at scale
- Chatbots that don't clearly identify as AI
None of these are banned. All of them require documentation, oversight, and honest user disclosure you may not currently have.
The companies that got GDPR right in 2018 spent the next six years winning deals against companies that didn't. The AI Act cycle is playing out the same way.
This isn't an argument for panic. It's an argument for catching up now, while the grace periods are still open and the penalties are still theoretical.
Want this working inside your own stack?
NetWebMedia builds AI marketing systems for US brands — from autonomous agents to full AEO-ready content engines. Book a free 30-minute strategy call and we'll map out the highest-ROI next step for your team.
Book a Free Strategy Call →