Does the EU AI Act Apply to Indian Companies?
1. The Scenario
A Bengaluru-based HR-tech startup spends eighteen months building an AI résumé-screening tool. Business is healthy, the team is lean, and nobody on the founding bench has opened a European statute. Then a mid-sized German logistics firm signs up as a customer — and three weeks later, its procurement team sends a questionnaire asking the startup to confirm its “Annex III risk classification” and whether it has a “conformity assessment” on file.
The founders assume it’s a misunderstanding — the company is incorporated in India, its servers sit in Mumbai, its investors are all domestic. Surely European law has nothing to do with them.
It does. And the gap between “we’re an Indian company” and “EU law doesn’t apply to us” is exactly where founders, compliance officers, and even experienced lawyers get into trouble.
2. Quick Answer
Yes — the EU AI Act can apply to Indian companies. The Regulation’s scope provision covers any provider or deployer whose AI system is placed on the EU market, put into service in the EU, or whose output is used in the EU — regardless of where the company is incorporated (Regulation (EU) 2024/1689, Art. 2). Incorporation location is irrelevant; what matters is whether the AI system, or its output, touches the EU market or EU users.
Overview
- Applies to Indian companies whose AI touches EU customers, users, or output — incorporation location doesn’t matter.
- Market access and use trigger scope, not where your servers or office sit.
- Transparency duties and GPAI enforcement stay on schedule for 2026; high-risk deadlines are the part moving.
- High-risk (Annex III/I) timelines are shifting later under the pending Digital Omnibus — but only those, not the whole Act.
- Indian IT majors are already signing on early via the EU’s AI Pact (see Section 8).
3. Does This Apply to You?
| Reader | Should you keep reading? |
| Startup founder | Yes — scope analysis should happen before your first EU customer, not after |
| Business / SaaS company | Yes, especially if any feature touches EU users or EU output |
| Developer / engineering lead | Yes — classification decisions usually start with what the product actually does |
| In-house or law firm lawyer | Yes — this is now a live drafting and advisory issue with a moving deadline |
| Researcher | Yes — the 2026 Digital Omnibus is a useful live case study in regulatory sequencing |
| University / research lab | Yes, if any AI tool is deployed, licensed, or commercialised |
| Student | Yes — this is one of the clearest examples of market-based (rather than territorial) jurisdiction in current law |
| Government / public-sector contractor | Yes, if your systems reach EU public bodies or EU residents |
| Enterprise leader | Yes — group-wide AI inventories are now a governance expectation, not a nice-to-have |
4. Why This Matters
Business impact. A growing share of Indian SaaS, HR-tech, edtech, and health-tech revenue comes from EU customers. Losing a deal over an unanswered compliance questionnaire is now a real risk, not a hypothetical one.
Legal impact. The Act’s obligations sit on top of, not instead of, Indian law. A company can be fully DPDP-compliant and still be out of step with EU AI rules.
Compliance impact. Obligations differ by role — provider, deployer, importer, distributor — and by risk tier. Getting the classification wrong cascades into every later decision.
Financial impact. Non-compliant GPAI obligations can draw penalties of €15 million or 3% of global turnover, whichever is higher, once enforcement activates. Annex III high-risk exposure is comparable once its (now-deferred) deadline arrives.
Reputational impact. EU enterprise buyers increasingly treat AI Act readiness as a procurement gate. Failing to answer basic scope questions signals immaturity, even to non-EU-regulated customers.
Practical Insight: Treat the EU AI Act the way you’d treat GDPR exposure a decade ago — as a procurement and contracting issue long before it becomes an enforcement issue.
5. Understanding the Problem
The confusion is understandable. Most founders default to thinking about regulation territorially: if the company is incorporated in India, Indian law governs. The EU AI Act doesn’t work that way. Its scope provision is drafted around market access and use, not incorporation (Regulation (EU) 2024/1689, Art. 2). A company can be entirely Indian on paper and still fall within scope if its product is marketed into the EU, embedded in an EU customer’s workflow, or used by people physically in the EU.
A second misconception: only “big tech” needs to worry. Obligations are risk-based, not size-based — a five-person startup offering an Annex III use case (e.g., recruitment scoring) faces the same classification questions as a multinational (Regulation (EU) 2024/1689, Art. 6 and Annex III).
A third, newer source of confusion has emerged in 2026 itself: the EU’s own high-risk timeline has just moved. By late June 2026, the European Parliament had approved the Digital Omnibus on AI, deferring standalone Annex III high-risk obligations from 2 August 2026 to 2 December 2027, and Annex I (embedded) high-risk obligations from 2 August 2027 to 2 August 2028. Formal Council adoption and Official Journal publication are expected imminently. Until that publication, the original 2024 timeline remains legally binding — though most law firms are already advising clients to plan against the new dates. The delay does not touch Article 50 transparency duties, the Article 51–55 GPAI rules (already in force since August 2025), or the Article 5 prohibitions — so neither “nothing changes” nor “everything is delayed” is correct.
Practical Insight: The Omnibus buys time on the highest-cost obligations (conformity assessment, technical documentation, registration). It buys almost no time on disclosure and labelling obligations, which remain live in 2026.
Implementation Timeline at a Glance
2024 ── AI Act adopted (Regulation (EU) 2024/1689)
↓
2025 ── GPAI provider obligations begin (Aug)
↓
2026 ── Transparency obligations (Art. 50, Aug) + GPAI enforcement starts (Aug)
↓
2027 ── Annex III high-risk obligations (Dec, pending Omnibus adoption — was Aug 2026)
↓
2028 ── Annex I high-risk obligations (Aug, pending Omnibus adoption — was Aug 2027)
Important: Only the 2027/2028 high-risk dates above are subject to the pending Omnibus change. The 2025 and 2026 milestones are unaffected and already binding.
Can I legally sell my AI product in Europe from India?
Yes — there is no rule barring Indian companies from selling AI products into the EU. What changes is the compliance burden, not the legal right to sell. Once your product is placed on the EU market or used by EU customers, you take on the same scope, classification, and disclosure obligations as an EU-based provider (Regulation (EU) 2024/1689, Art. 2). Selling is legal; selling without meeting the applicable obligations is the risk.

6. Step-by-Step Practical Solution
- 1. Map every AI product and use case, not just the company. A company can have nine India-only features and one EU-facing feature; only the latter matters. Build a register of each AI system, its users, markets, data sources, and deployment channels.
- 2. Check whether each system touches the EU market, EU use, or EU output. The Act’s scope covers placing on the market, putting into service, and use in the Union — including where only the output reaches the EU (Regulation (EU) 2024/1689, Art. 2). Document the reasoning; “we assumed we were out of scope” won’t survive a customer audit.
- 3. Classify the risk category, and re-check the date attached to it. The framework recognises unacceptable-risk, high-risk, transparency-risk, and minimal-risk systems (Regulation (EU) 2024/1689, Arts. 5–6, 50). With the high-risk timeline now split into two dates, classification has to answer both what tier a system is in and which deadline applies to that tier.
- 4. Identify your role: provider, deployer, importer, or distributor. Many Indian businesses are simultaneously providers of their own product and deployers of third-party foundation models. Contracts should specify who owns documentation, disclosure, oversight, and incident reporting.
- 5. Prioritise the obligations that are not affected by the delay. Article 50 transparency duties — disclosing AI interaction and labelling certain AI-generated content — stay scheduled for 2 August 2026 (watermarking gets a grace period to 2 December 2026). GPAI documentation, copyright, and systemic-risk obligations under Articles 53 and 55 have applied since 2 August 2025, with enforcement powers activating 2 August 2026. None of this moved.
- 6. Align with Indian privacy law in parallel, not instead. EU AI Act analysis runs alongside, not in place of, obligations under India’s DPDP Act, 2023 and DPDP Rules, 2025 — which themselves apply extraterritorially to entities serving people in India.
Practical Insight: Build a single compliance calendar with both regimes on it. Treating the EU AI Act and India’s DPDP framework as separate projects is the single most common cause of duplicated (and contradictory) governance work.
7. Official Legal Analysis
The foundational text is Regulation (EU) 2024/1689, adopted on 13 June 2024, published in the Official Journal on 12 July 2024, and in force since 1 August 2024. Its purpose is to improve the internal market while promoting trustworthy AI and protecting health, safety, and fundamental rights (Regulation (EU) 2024/1689, Art. 1).
Scope (Art. 2) — the provision that matters most here. It extends to providers placing AI systems on the EU market or putting them into service in the EU regardless of where the provider is established, and separately to providers and deployers in a third country where the system’s output is used in the EU. Incorporation in India does not exclude a company from this provision.
Prohibited practices (Art. 5). A short list of practices is banned outright, including manipulative or exploitative systems. The Digital Omnibus adds a new prohibition on AI-generated non-consensual intimate imagery and CSAM, applicable from 2 December 2026 once formally adopted.
High-risk classification (Art. 6, Annex III). Systems used in employment, education, essential services, and law enforcement are presumptively high-risk, facing requirements on risk management, data governance, documentation, logging, and human oversight (Regulation (EU) 2024/1689, Arts. 8–15). The Annex III application date is set to move to 2 December 2027 under the pending Omnibus amendments.
Transparency (Art. 50). Chatbot and content-generation providers must disclose AI interaction and label specified AI-generated content — scheduled for 2 August 2026, essentially unaffected by the Omnibus. See the European Commission’s regulatory framework overview for the full transparency rule text.
General-purpose AI (Arts. 51–55). GPAI provider obligations — documentation, copyright policy, systemic-risk management — have applied since 2 August 2025, with enforcement powers activating 2 August 2026. Providers can demonstrate compliance via the General-Purpose AI Code of Practice.
Application timeline (Art. 113) is the master clock provision the Omnibus directly amends for the high-risk categories above.
Practical Insight: When a client or counterparty asks “is your system high-risk,” the honest 2026 answer has two parts: the classification (which doesn’t change) and the deadline (which currently does).
8. Real-World Examples
The EU AI Pact and Indian IT majors. The European Commission’s voluntary AI Pact invites companies to commit early to AI Act principles ahead of legal deadlines, including AI governance strategies and high-risk mapping. More than 230 companies had signed by early 2026, across IT, telecoms, healthcare, banking, and aerospace. Indian IT majors Tata Consultancy Services, Infosys, and Wipro were reported among the signatories alongside Google, Microsoft, and Amazon — concrete evidence that large Indian services firms already treat EU AI Act readiness as a client-facing credential.
The GPAI Code of Practice signatory list. Because many Indian products run on third-party foundation models, the model provider’s compliance posture matters downstream. The Commission’s voluntary GPAI Code of Practice — the main route to demonstrating Article 53/55 compliance — has been signed by major model providers, with a “Safety and Security” chapter for the most capable systemic-risk models. A product built on a signatory’s model inherits a more documented, auditable supply chain than one built on a non-signatory’s — worth raising in any AI vendor due-diligence conversation.
Did You Know? Anthropic, Google, Microsoft, OpenAI, and xAI are all among the signatories of the EU’s voluntary GPAI Code of Practice — meaning an Indian product built on any of these providers’ models already sits on a more documented, audit-ready foundation.
Quick-scenario snapshot — where this typically bites:
- Indian SaaS company: an analytics dashboard sold to an EU retailer needs to check whether its scoring features fall under Annex III before signing the contract.
- AI hiring platform: resume-ranking or candidate-scoring tools used by an EU employer are a classic Annex III high-risk use case.
- Healthcare AI startup: diagnostic-support or triage tools reaching EU clinicians face high-risk duties on top of any medical-device rules that already apply.
- University research lab: a research prototype stays largely exempt — until it’s licensed, deployed, or commercialised with EU partners.
- Generative AI application: a chatbot or content generator serving EU users hits Article 50 transparency duties regardless of whether anything else about it is high-risk.

The lesson: EU AI Act readiness is already a visible market signal in vendor selection and procurement, well ahead of most substantive enforcement.
9. Common Mistakes
- Assuming incorporation in India is, by itself, a complete defence.
- Treating the Digital Omnibus delay as a reason to stop all AI Act work in 2026.
- Confusing the AI Act with GDPR, or assuming DPDP Act compliance covers both.
- Classifying a feature as “low risk” without documenting the analysis.
- Ignoring Article 50 transparency duties because “the big deadline moved.”
- Skipping product-level scope analysis in favour of an entity-level assumption.
- Leaving vendor and model-provider due diligence out of the compliance plan.
- Failing to revisit classification when a product or its EU customer base changes.
10. Myth vs Fact
| Myth | Fact |
| “Indian companies are outside the EU AI Act.” | The Act’s scope turns on market access and use, not incorporation (Regulation (EU) 2024/1689, Art. 2). |
| “Only large enterprises need to worry.” | Obligations are risk-based, not size-based (Regulation (EU) 2024/1689, Art. 6). |
| “The Digital Omnibus delayed the whole Act.” | It delays Annex III and Annex I high-risk deadlines specifically — see the Council’s press release. Article 50 transparency duties and GPAI obligations under Articles 51–55 are largely unaffected. |
| “GDPR and the EU AI Act are the same law.” | They are separate frameworks dealing with different things — data protection versus AI system governance — that frequently overlap in practice. |
| “If we’re not ‘high-risk,’ we have nothing to do in 2026.” | Transparency and disclosure duties can apply regardless of risk tier, and GPAI enforcement begins 2 August 2026. |
11. Practical Compliance Checklist
- [ ] Build a product-level inventory of every AI system, not a company-level summary.
- [ ] Flag which systems have EU users, EU customers, or EU-bound output.
- [ ] Classify each system’s risk tier and document the reasoning.
- [ ] Note which deadline applies to each tier under the post-Omnibus timeline.
- [ ] Identify your role (provider/deployer/importer/distributor) for each system.
- [ ] Add or update user-facing AI disclosures ahead of the August 2026 transparency deadline.
- [ ] Confirm watermarking/labelling plans for any generative feature shipping into the EU.
- [ ] Ask AI model vendors whether they are GPAI Code of Practice signatories.
- [ ] Cross-check the same inventory against DPDP Act and DPDP Rules obligations.
- [ ] Update vendor and customer contracts to allocate compliance responsibilities.
- [ ] Set a recurring review date tied to Official Journal publication of the Digital Omnibus.
Estimated compliance effort by company type:
| Company Type | Recommended Immediate Action |
| Startup | Conduct an initial AI inventory and EU-touchpoint scan |
| SME | Risk classification, documentation, and disclosure rollout |
| Enterprise | Establish a standing AI governance program with a named owner |

12. Comparison Table
| Framework | Nature | Status as of mid-2026 | Relevance to Indian companies |
| EU AI Act (Regulation (EU) 2024/1689) | Binding | High-risk deadlines under amendment (Digital Omnibus); transparency and GPAI rules proceeding on original schedule | Mandatory if EU market, use, or output is involved |
| GDPR (Regulation (EU) 2016/679) | Binding | Stable; separate Digital Omnibus track proposes its own amendments, still in early stages | Applies wherever EU personal data is processed |
| India’s DPDP Act, 2023 & DPDP Rules, 2025 | Binding | Phased implementation; substantive obligations due mid-2027 | Domestic baseline, also extraterritorial to entities serving Indian users |
| NIST AI RMF 1.0 | Voluntary | Stable | Useful internal governance scaffold; not a substitute for EU law |
| ISO/IEC 42001:2023 | Voluntary standard | Stable | Formal AI management-system certification option |
| OECD AI Principles | Soft-law | Stable | High-level policy reference point |
| UNESCO Recommendation on the Ethics of AI (2021) | Soft-law | Stable | Global ethics baseline, useful for public-sector and research framing |
What each one actually regulates, at a glance:
EU AI Act → AI system risk & governance
GDPR → Personal data protection
DPDP Act (India) → Indian personal data protection
NIST AI RMF → Voluntary risk-management practice
ISO/IEC 42001 → AI management-system certification
13. Key Takeaways
- The EU AI Act’s scope is market-and-use-based, not incorporation-based — Indian companies aren’t automatically excluded.
- 2026 is a split year: high-risk deadlines are moving later (to Dec 2027/Aug 2028 once formally adopted), but transparency and GPAI obligations are not.
- Compliance work should start at the product level — one AI feature can bring an India-only business into scope.
- EU AI Act readiness is already a procurement signal among EU buyers, independent of when enforcement begins.
- DPDP Act and EU AI Act compliance are parallel, not interchangeable, obligations.
14. What Should You Do Next?
Startup founder. Run a focused scope-and-risk audit this quarter. Identify any EU-facing feature, document your classification reasoning, and assign one internal owner for AI compliance — even if that’s you.
Business / SaaS leadership. Stand up a cross-functional AI governance policy spanning legal, product, engineering, and privacy. Build contract language allocating documentation and disclosure responsibilities clearly.
Lawyer (in-house or firm). Prepare a scope opinion per product line, track the Omnibus through formal adoption, and keep a dated record of which obligations are confirmed versus pending.
Researcher. Use 2026 as a live case study in regulatory sequencing, comparing the Act’s phased timeline against NIST, OECD, and UNESCO’s more static frameworks.
Student. Study the Act as an example of effects-based (rather than territorial) jurisdiction, alongside similar extraterritorial language in GDPR and India’s DPDP Act.
Enterprise leadership. Treat AI system inventories as a standing governance item — classification and deadlines are both moving targets in 2026.
15. Frequently Asked Questions
1. Does the EU AI Act apply to Indian companies?
Yes, if the company’s AI system is placed on the EU market, put into service in the EU, or its output is used in the EU (Regulation (EU) 2024/1689, Art. 2).
2. Do we need an EU office or EU entity for the Act to apply?
No. Scope depends on market access and use, not on where the company is incorporated or where it has offices.
3. Has the Digital Omnibus actually changed the law yet?
Parliament approved the agreed text in mid-June 2026 and Council adoption is imminent, but the amendments take legal effect only on Official Journal publication. Until then, the original 2024 timeline is binding.
4. What’s the biggest deadline Indian companies should track in 2026?
2 August 2026 — for Article 50 transparency duties and the start of GPAI enforcement, both untouched by the Omnibus delay.
5. Are startups exempt from the EU AI Act?
No blanket exemption exists. SMEs (and, under the Omnibus, small mid-caps) get some relaxations on documentation and penalties, but the underlying obligations still apply.
6. Is the EU AI Act the same as GDPR?
No. GDPR governs personal data; the AI Act governs AI system risk, transparency, and governance. They overlap but are legally distinct.
7. Does the Act cover generative AI tools?
Yes — via Article 50 transparency rules and the Article 51–55 GPAI obligations, including the voluntary Code of Practice most major model providers have signed.
8. What if we only have a handful of EU users?
Scope turns on factual use and output, not a minimum user count.
9. Do we need to label AI-generated content?
Yes, for content within Article 50’s scope, with disclosure and watermarking obligations centred on 2 August and 2 December 2026.
10. How does this interact with India’s DPDP Act?
They’re separate, parallel obligations — DPDP-compliant doesn’t mean EU-AI-Act-compliant, and vice versa.
16. Conclusion
For an Indian company, the real question was never “is the EU AI Act European?” It’s whether the business has an EU touchpoint — a customer, a user, an output — that brings it into scope. If yes, 2026 doesn’t let anyone off the hook; it just changes which obligations are urgent right now. Transparency duties and GPAI enforcement are arriving roughly on schedule. High-risk obligations have more runway than a year ago, but that runway exists to be used, not ignored. The companies that come out ahead will treat this as a live, moving compliance calendar rather than a one-time legal memo.
17. Call to Action
“Does the EU AI Act Apply to Indian Companies?” article sits within AspirixWriters’ AI Regulatory Framework hub, alongside guides on GDPR, NIST AI RMF, and AI governance for startups. A natural next read: a dedicated walkthrough of India’s DPDP timeline, or a side-by-side of the EU AI Act, NIST AI RMF, and ISO/IEC 42001 for teams building one internal governance framework.
Related Reading
- AI Regulatory Framework Hub
- EU AI Act 2026: A Clear, Researcher‑Friendly Guide
- GDPR Compliance Basics
- India’s DPDP Act, 2023: What It Covers
- NIST AI RMF Explained
- ISO/IEC 42001 Certification Guide
Written by
Dr. Rekha Khandelwal Legal Researcher | AI Governance Writer | Author | Assistant Professor (Law) Founder – AspirixWriters
About the Author
Dr. Rekha Khandelwal is a legal researcher, educator, author, and AI governance writer specializing in AI regulation, digital law, cyber law, legal research, and emerging technology governance. Through AspirixWriters, she publishes practical, research-backed guides that simplify complex legal and regulatory frameworks for businesses, professionals, researchers, and students.
Author’s Note
This article is intended for educational and informational purposes only. It is based on official legal and regulatory sources available at the time of writing and should not be considered legal advice. The Digital Omnibus on AI discussed in this article had been approved by the European Parliament but was awaiting formal Council adoption and Official Journal publication at the time of writing; readers should verify its final, binding text before relying on the revised dates. Readers should consult legal professionals for advice relating to their specific circumstances.
Review Information
Last Reviewed: June 2026 Next Review: Within 6 months, or immediately upon Official Journal publication of the Digital Omnibus on AI — whichever comes first.
Official References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, OJ L, 2024/1689, 12.7.2024. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- European Commission, “Regulatory framework on AI” (AI Act overview, scope, timeline, and transparency rules). https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- EU AI Act Service Desk, “Timeline for the Implementation of the EU AI Act.” https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
- European Commission, “Artificial Intelligence: Council and Parliament agree to simplify and streamline rules” (Digital Omnibus on AI, provisional agreement, 7 May 2026). https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- European Parliament, “Digital Omnibus on AI” [EU Legislation in Progress briefing]. https://epthinktank.eu/2026/02/12/digital-omnibus-on-ai-eu-legislation-in-progress/
- European Commission, “The General-Purpose AI Code of Practice.” https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
- European Commission, “Guidelines for providers of general-purpose AI models.” https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers
- European Commission, “The AI Pact.” https://digital-strategy.ec.europa.eu/en/policies/ai-pact
- European Commission, “Over a hundred companies sign EU AI Pact pledges to drive trustworthy and safe AI development.” https://digital-strategy.ec.europa.eu/en/news/over-hundred-companies-sign-eu-ai-pact-pledges-drive-trustworthy-and-safe-ai-development
- Global Consultants Review, “100 IT Firms, Including TCS, Infosys, Wipro Have Signed Euro’s First AI Legal Framework.” https://www.globalconsultantsreview.com/news/100-it-firms-including-tcs-infosys-wipro-have-signed-euro-s-first-ai-legal-framework-nwid-5055.html
- Ministry of Electronics and Information Technology (MeitY), Government of India, “DPDP Rules, 2025 Notified” (press note). https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc20251117695301.pdf
- Shardul Amarchand Mangaldas & Co., “Enforcement of the DPDP Act and notification of the DPDP rules.” https://www.amsshardul.com/insight/enforcement-of-the-dpdp-act-and-notification-of-the-dpdp-rules/
- NIST, “AI Risk Management Framework (AI RMF 1.0).” https://www.nist.gov/itl/ai-risk-management-framework
- OECD, “AI Principles.” https://www.oecd.org/en/topics/sub-issues/ai-principles.html
- UNESCO, “Recommendation on the Ethics of Artificial Intelligence” (adopted November 2021). https://www.unesco.org/en/artificial-intelligence/recommendation-ethics
- Regulation (EU) 2016/679 (General Data Protection Regulation) — European Commission overview. https://commission.europa.eu/law/law-topic/data-protection_en
- Digital Personal Data Protection Act, 2023, Government of India (Ministry of Electronics and Information Technology).
