EU AI Act vs. US AI Policy: Key Differences Every Multinational Business Must Understand

Here’s the conversation I keep seeing in boardrooms and compliance meetings in early 2026: “We’ve sorted out our EU AI Act compliance program. Are we done?”

The short answer is no. Not if you operate in the United States too.

The EU and US are running two completely different experiments in AI governance right now — different in philosophy, different in legal structure, different in enforcement mechanisms, and different in what they actually require from your compliance team. What satisfies Brussels won’t necessarily satisfy Denver, Sacramento, or Chicago. And what’s fine in Texas might get you a €15 million fine in Frankfurt.

This isn’t just a legal technicality. For any business deploying AI across both markets, this divergence creates a real operational challenge: how do you build a compliance program that works for both without building two entirely separate programs?

“The EU AI Act establishes a comprehensive, binding framework. The United States, by contrast, has no equivalent federal law. The result is a transatlantic compliance asymmetry that multinational businesses are only beginning to navigate.”

— Baker Botts LLP, U.S. Artificial Intelligence Law Update, January 2026

This guide breaks down that asymmetry in practical terms. I’ll cover the structural differences between the EU and US approaches, walk through the key state-level laws that matter in 2026, identify where the two frameworks genuinely overlap (there’s more than you’d think), explain where they fundamentally diverge, and give you a framework for building a dual-market compliance architecture.

This article is part of our EU AI Act Compliance Guide cluster. If you haven’t yet classified your AI systems under the EU AI Act, start with our EU AI Act Classification Guide. For documentation requirements, see our Annex IV Documentation Guide.

Let’s start with the most important thing to understand: the fundamental difference in what kind of regulation each jurisdiction has actually created.

The Structural Difference: One Binding Law vs. a Patchwork

Before comparing specific requirements, you need to understand the deeper structural difference between these two regulatory environments. It’s not just that the EU has stricter rules — it’s that the EU and US have fundamentally different conceptions of what AI governance should look like and who should be doing it.

The EU Approach: Binding, Comprehensive, Centralized

The EU AI Act^[1] is a single, directly applicable regulation that applies uniformly across all 27 EU member states. When it says high-risk AI systems must have an Annex IV technical dossier, that requirement applies whether you’re deploying in Germany, Spain, or Estonia. When it sets a fine of up to €15 million for non-compliance, that figure is the same in every jurisdiction.

This centralization has enormous practical value for multinational companies. One compliance program covers 450 million consumers across a single regulatory framework. The EU AI Act also has a well-defined scope, clear categorization logic, and — unlike US approaches — mandatory obligations that don’t require interpretation of case-by-case agency enforcement postures.

The tradeoff is rigidity and specificity. The EU AI Act is a detailed technical regulation with concrete documentation requirements, conformity assessment procedures, and registration obligations. Complying with it is not cheap, not fast, and not optional if you’re serving EU markets.

The US Approach: Fragmented, Innovation-First, State-Led

The United States has no comprehensive federal AI law.^[2] Full stop. What exists at the federal level in 2026 is a combination of executive orders (which guide federal agencies but don’t directly regulate private companies), enforcement actions by existing agencies applying pre-AI laws to AI use cases, and voluntary standards frameworks.

On January 20, 2025, President Trump revoked Biden’s Executive Order 14110 on AI safety and replaced it with EO 14179, “Removing Barriers to American Leadership in Artificial Intelligence.”^[3] The current administration’s posture is explicit: innovation-first, minimal regulation, deregulatory wherever possible.

Into this federal vacuum, states moved aggressively. Colorado, California, Illinois, Texas, New York City, and a growing number of other jurisdictions have enacted or are enforcing AI-specific laws covering specific use cases, demographics, and sectors. The result, as the December 2025 federal executive order itself acknowledged, is a “patchwork of 50 different regulatory regimes”^[4] — a compliance environment that is simultaneously less demanding than the EU AI Act and, in some respects, more operationally complex because of its fragmentation.

The Federal Preemption Battle: What’s Actually Happening

On December 11, 2025, President Trump signed an executive order titled “Ensuring a National Policy Framework for Artificial Intelligence,”^[4] directing federal agencies to challenge state AI laws deemed inconsistent with the administration’s innovation-first policy. The order established an AI Litigation Task Force within the Department of Justice, directed the Secretary of Commerce to evaluate and publish a list of “onerous” state AI laws by March 11, 2026, and authorized conditioning federal grant funding on states’ compliance with federal AI policy.

Here’s what this executive order does not do: it does not actually repeal or invalidate any state AI law. Executive orders cannot override state laws — that requires either an act of Congress or a successful court ruling on preemption grounds.^[5]

The practical implication is significant: all existing state AI laws remain enforceable today, and your company must continue to comply with them regardless of federal executive action. The Colorado AI Act delayed its own effective date from February 1, 2026 to June 30, 2026 through a separate state legislative process — not because of federal pressure.^[6] Legal challenges to state AI laws will take years to resolve, and the outcome is far from certain.

The Senate’s 99–1 vote to strip a proposed 10-year moratorium on state AI law enforcement from the “One Big Beautiful Bill” budget reconciliation package tells you something important about the political durability of state AI regulation.^[7] For compliance planning purposes, assume state AI laws will continue to be enforceable for the foreseeable future.

The US State-Level Landscape: What Actually Applies in 2026

For a multinational business operating across US markets, the practical compliance question isn’t about federal policy — it’s about which state laws already apply and what they require. Here’s the landscape as of March 2026.

Colorado AI Act (SB 24-205): The Closest US Equivalent to the EU AI Act

Colorado’s AI Act is the most structurally significant state AI law in the US right now — not because it’s the most widely applicable, but because it’s the only US law that attempts something close to the EU AI Act’s comprehensive, risk-based governance framework.

Signed into law on May 17, 2024 and now effective June 30, 2026 (delayed from February 1, 2026),^[6] Colorado’s Act applies to businesses that develop or deploy “high-risk AI systems” affecting Colorado residents. The law’s primary objective is protecting consumers from algorithmic discrimination — unlawful differential treatment or disparate impact based on protected characteristics including race, color, age, disability, religion, sex, and veteran status.

Under the Act, developers of high-risk AI systems must: use reasonable care to prevent known or foreseeable algorithmic discrimination risks; provide deployers with documentation necessary to conduct impact assessments; publish publicly available statements about their high-risk systems; and report discovered algorithmic discrimination to the Colorado Attorney General within 90 days.^[8]

Deployers must implement a risk management policy and program; complete annual impact assessments; notify consumers when a high-risk AI system makes a consequential decision about them; provide consumers the right to appeal adverse decisions via human review where technically feasible; and disclose discovered algorithmic discrimination to the Attorney General within 90 days.^[8]

Enforcement sits exclusively with the Colorado Attorney General — no private right of action. Maximum penalty: $20,000 per violation, counted separately for each affected consumer or transaction.^[9] An AI system that discriminates against 100 consumers could therefore generate up to $2 million in penalties.

Amendment activity is already underway. The 2026 Colorado regular legislative session has seen multiple bills introduced seeking to modify SB 24-205’s scope and requirements — a pattern common with first-generation AI laws as implementation realities emerge.^[8b] Watch for potential narrowing of the “high-risk” definition, expansion of exemptions for specific sectors, and possible shifts in the developer/deployer responsibility balance.

California: Multiple Targeted Laws, No Single Framework

California has taken a markedly different approach from both Colorado and the EU: rather than a single comprehensive AI law, California has enacted multiple targeted statutes addressing specific AI use cases and sectors. As of early 2026, several California AI laws are in effect.

California’s primary frontier AI law is SB 53 (signed September 29, 2025, effective January 1, 2026),^[10c] which replaced the more ambitious (and vetoed) SB 1047. SB 53 requires developers of covered frontier AI models to implement safety and security protocols, publish plain-language summaries of their safety frameworks, and update them annually. It targets large-scale foundation model developers — not application-level deployers.

California also enacted AB 2013, which requires developers of generative AI systems — specifically those capable of generating text, images, audio, or video — trained on data containing personal information to publish documentation about the training data used.^[10] This applies narrowly to generative AI, not all AI systems. Additionally, SB 942 (California AI Transparency Act) requires AI systems with more than one million monthly users to provide AI detection tools, and several separate laws address AI specifically in employment decisions. These laws have different scope definitions, covered entities, and compliance requirements — multiplying the compliance burden for California-facing businesses.

Illinois, Texas, and Other Key State Laws

Several other states have enacted targeted AI laws relevant to specific sectors in 2026.

Illinois amended its Human Rights Act (HB 3773, effective January 1, 2026) to prohibit employer use of AI that discriminates against protected classes.^[10] This applies to any employer using AI in hiring, promotion, or termination decisions affecting Illinois residents. Unlike Colorado’s law, Illinois’ amendment doesn’t require specific documentation or impact assessments — it prohibits discriminatory outcomes and creates civil rights liability for AI-driven discrimination.

Texas enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA, HB 149), signed by Governor Greg Abbott on June 22, 2025 and effective January 1, 2026.^[10b] TRAIGA is notably the most business-friendly of the major state AI laws — significantly scaled back from an original draft modeled on the EU AI Act and Colorado’s Act. The final law focuses primarily on prohibiting specific harmful practices (social scoring, intentional discrimination, behavioral manipulation) using an intent-based liability standard rather than imposing affirmative documentation or impact assessment obligations on private companies. Private sector obligations are limited: companies must not intentionally develop or deploy AI for prohibited purposes, and benefit from safe harbor protection if they follow a recognized risk management framework such as NIST AI RMF. Government agencies face stronger disclosure and oversight requirements under the law.

New York City Local Law 144, which has been in effect since July 2023, requires employers and employment agencies using automated employment decision tools to conduct annual bias audits and notify candidates when such tools are used.^[11] This is one of the more mature AI laws in the US, and its enforcement has provided useful precedent for how AI-specific regulations function in practice.

Federal Laws That Do Apply to AI (Even Without a Federal AI Act)

The absence of a federal AI-specific law doesn’t mean the federal government has no role in AI governance. Several existing federal laws are actively being applied to AI systems by their respective enforcement agencies.

The FTC Act (Section 5) prohibits unfair or deceptive acts and practices — the FTC has applied this to AI systems that generate false or misleading outputs and to discriminatory AI in consumer-facing contexts. The Equal Employment Opportunity laws (Title VII, ADA, ADEA) apply to AI-driven hiring and employment decisions — the EEOC has issued guidance making clear that AI tools used in employment are subject to existing anti-discrimination law regardless of whether a human makes the final decision. The Fair Housing Act and Equal Credit Opportunity Act apply to AI used in housing and credit decisions. HIPAA applies to AI systems processing protected health information.^[12]

This means that even for businesses operating only in US markets where no state AI law applies, AI-driven decisions in regulated domains carry federal enforcement risk under existing law. The compliance question is not simply “is there a state AI law here?” but also “does this AI application touch a regulated domain where existing federal law applies?”

EU AI Act vs. US AI Regulation: Side-by-Side Comparison

Let’s put the frameworks directly next to each other. Given the fragmentation on the US side, I’ve structured these comparisons at three levels: EU AI Act vs. the overall US landscape, and EU AI Act vs. Colorado’s Act specifically (as the most directly comparable US law).

Master Comparison Table: 12 Key Dimensions

Dimension	EU AI Act	US Federal Level	Key US State (Colorado)
Legal type	Binding regulation — directly enforceable law	No comprehensive federal AI law; EOs guide agencies only	Binding state statute
Geographic scope	All 27 EU member states — 450M+ consumers	Nationwide (where applicable law applies)	Colorado residents only
Extraterritorial reach	Yes — applies to non-EU companies serving EU users	Varies by agency/law	Applies to businesses “doing business in Colorado”
Core framework	Risk-based tiers: prohibited / high-risk / limited / minimal	Sector-specific agency enforcement under existing law	Risk-based: high-risk AI in consequential decisions
Prohibited AI	Yes — 8 specific prohibited practices (Article 5)	No explicit prohibited AI categories	No explicit prohibited AI categories
Documentation required	Extensive — Annex IV technical dossier, IFU, logs, DoC	No mandatory documentation framework	Impact assessments, risk management documentation, developer disclosures
Bias/discrimination focus	Part of data governance and performance requirements	Existing civil rights law applied to AI outcomes	Primary focus — “reasonable care” standard for algorithmic discrimination
Human oversight	Mandatory for all high-risk AI — Article 14	Not mandated by federal law; encouraged in voluntary frameworks	Consumer right to appeal adverse decisions via human review (where technically feasible)
Maximum financial penalty	€35M or 7% global turnover (prohibited AI); €15M or 3% (high-risk non-compliance)	Varies — FTC can seek significant penalties under Section 5	$20,000 per violation / per affected consumer
Private right of action	No direct private right; AI Liability Directive under development	Yes, under civil rights laws (Title VII, FHA, ECOA)	No — enforcement exclusively by Colorado AG
Conformity assessment	Required before market placement for high-risk AI	Not required	Annual impact assessments required for deployers
GPAI/foundation model rules	Yes — specific GPAI category with systemic risk obligations	Voluntary — NIST AI RMF, OSTP guidance only	No specific foundation model rules

The 12-dimension table above shows the landscape at the macro level. But for practical compliance planning, the most important comparison isn’t EU AI Act vs. “US” (which doesn’t exist as a unified thing) — it’s EU AI Act vs. the specific US law most similar in structure and ambition. That’s Colorado’s AI Act. Here’s where those two frameworks are closest, and where they diverge most sharply.

EU AI Act vs. Colorado AI Act: Detailed Comparison

Colorado’s AI Act is the best US comparator to the EU AI Act, and examining their differences shows exactly where a multinational compliance program needs to do different things for each market.

Element	EU AI Act	Colorado AI Act (SB 24-205)
Modeled on	Risk-based governance framework; GDPR precedent	Partly modeled on EU AI Act, but narrower scope
Primary objective	Safety, transparency, and accountability across all high-risk AI	Preventing algorithmic discrimination in consequential decisions
High-risk definition	8 specific Annex III sectors + Annex I regulated products	AI systems used in “consequential decisions” (employment, housing, healthcare, education, credit, insurance)
Developer obligations	Annex IV technical dossier, IFU, conformity assessment, registration	Reasonable care, documentation to deployers, public statements, 90-day discrimination reporting
Deployer obligations	Deploy within intended purpose, human oversight, logs, monitoring	Risk management policy, annual impact assessment, consumer notification, appeal rights
Bias testing required	Yes — performance disaggregated by demographic in Annex IV	Yes — algorithmic discrimination assessment required
Consumer rights	Right to explanation, human oversight; AI Liability Directive pending	Right to notice, right to appeal adverse decisions via human review
Conformity assessment	Formal — self-assessment or notified body, CE marking	Annual impact assessment — not a formal conformity assessment
Maximum penalty	€35M / 7% turnover (prohibited); €15M / 3% (high-risk non-compliance)	$20,000 per violation / per consumer (no cap)
Private lawsuits	No direct private right under the Act	No private right of action — AG enforcement only
Safe harbor	No explicit safe harbor; conformity assessment creates rebuttable presumption	Rebuttable presumption of compliance if using a recognized risk management framework (e.g., NIST AI RMF)
Effective for US companies	Applies to any US company with EU-facing AI systems	Applies to businesses “doing business in Colorado” with Colorado residents

Where the Frameworks Overlap: The Compliance Dividend

Here’s the good news for multinational compliance teams: investing in EU AI Act compliance doesn’t just cover Europe. A meaningful proportion of that work directly satisfies or substantially advances US compliance obligations too.

Six Areas Where EU Compliance Helps You in the US

1. Bias and algorithmic discrimination testing. The EU AI Act’s requirement for disaggregated performance metrics across demographic subgroups in Annex IV (Section 4) directly addresses what Colorado’s Act calls “reasonable care to prevent algorithmic discrimination.” If you’ve done the demographic performance analysis required for EU compliance, you have the substance of what Colorado needs — though Colorado’s impact assessment format requires specific documentation structures that differ from Annex IV.

2. Risk management systems. The EU AI Act’s Article 9 risk management system, documented in Annex IV Section 5, covers substantially the same ground as Colorado’s required risk management policy and program. Companies complying with Article 9 are well-positioned to satisfy Colorado’s risk management obligations with relatively minor adaptations.

3. Human oversight design. EU AI Act Article 14 requires technical features enabling human oversight, intervention, and override. Colorado’s Act requires deployers to provide consumers the right to appeal adverse decisions via human review where technically feasible. Designing your AI workflows to satisfy Article 14 creates the technical foundation for satisfying Colorado’s human review obligation as well.

4. Documentation culture and litigation defense. The disciplined documentation culture required by Annex IV — version control, living documentation, update triggers, bias assessment records — is exactly what US state laws, federal agency enforcement actions, and civil litigation all benefit from. But the value is even more specific than that.

If you face an FTC enforcement inquiry about AI-driven deception, your Annex IV technical dossier demonstrates you had a documented risk management system and conducted genuine bias testing. If you face an employment discrimination class action over an AI-driven hiring tool, your documented demographic performance disaggregation and human oversight records are your primary defense. If you face a Colorado AG investigation, your impact assessment draws directly from your Annex IV data governance and performance sections. In US enforcement contexts — regulatory and litigation alike — documentation that was built proactively for EU compliance carries significantly more credibility than documentation assembled reactively after an issue surfaces.

5. Transparency and disclosure capabilities. EU AI Act requirements for Instructions for Use and consumer-facing transparency create the technical and process infrastructure for meeting various state-level disclosure requirements — California’s SB 53 transparency obligations, Colorado’s consumer notification requirements, and New York City’s bias audit disclosure rules.

6. Incident monitoring and 90-day reporting infrastructure. The post-market monitoring plan required under EU AI Act Article 72 creates an incident detection and reporting system that directly supports US reporting obligations. This is more than a documentation exercise — it requires building actual monitoring infrastructure: data flows from deployer environments, performance threshold alerts, incident intake processes, and escalation paths.

That same infrastructure supports Colorado’s 90-day algorithmic discrimination reporting obligation, which requires you to report to the Attorney General within 90 days of discovering discriminatory AI behavior. It also positions you for the FTC’s increasing expectation that AI companies have internal incident response programs. Companies without this infrastructure — which many smaller US companies currently lack — face a real vulnerability when AI incidents occur. EU AI Act compliance requirements essentially force you to build it.

NIST AI RMF: The Bridge Between Both Markets

The NIST AI Risk Management Framework (AI RMF 1.0, January 2023)^[13] is the closest thing the US has to a unified AI governance standard — and it serves as an important bridge between EU and US compliance programs.

Why does this matter? Colorado’s AI Act includes a specific safe harbor provision: a rebuttable presumption of compliance exists for developers and deployers that are in compliance with a nationally or internationally recognized risk management framework designated by the Act or the Attorney General.^[8] NIST AI RMF is widely expected to qualify as such a framework. Building your compliance program around NIST AI RMF therefore creates potential safe harbor protection under Colorado law.

Additionally, NIST AI RMF aligns meaningfully with EU AI Act requirements. Both emphasize risk identification and mitigation throughout the AI lifecycle, transparency and documentation, governance structures with clear accountability, and performance monitoring. Companies that align their compliance programs with NIST AI RMF create a foundation that maps well to both EU AI Act Annex IV requirements and US state law compliance.

Where the Frameworks Diverge: The Compliance Gaps You Must Close

The compliance dividend is real — but so are the gaps. There are four areas where EU AI Act compliance genuinely does not transfer to US compliance requirements, and where US obligations create entirely different — sometimes more operationally complex — compliance challenges.

Prohibited AI: No US Equivalent to Article 5

The EU AI Act bans eight specific categories of AI practices outright under Article 5^[1] — including real-time biometric surveillance in public spaces, social scoring by public authorities, and AI exploiting psychological vulnerabilities. These prohibitions apply regardless of how beneficial or commercially valuable the AI might be in other contexts.

The US has no equivalent federal prohibition list. Real-time facial recognition in public spaces, for instance, is not federally prohibited in the US, though a small number of cities (San Francisco, Boston) have banned its use by government entities. Social scoring systems face no federal prohibition. AI that uses psychological profiling for commercial targeting operates in a regulatory space governed by existing consumer protection law — which prohibits deceptive practices but doesn’t categorically ban entire AI modalities.

This divergence creates a specific compliance planning requirement: if you’ve built AI capabilities that comply with US law but would violate EU AI Act Article 5 prohibitions, you need separate product versions or deployment restrictions for EU markets. This is not simply a policy difference — it’s a binary legal line that separates what you can and cannot deploy in the EU, regardless of US acceptability.

Documentation: Annex IV Has No US Counterpart

The EU AI Act’s Annex IV technical dossier requirement — 10 structured sections, 10-year retention, formal Declaration of Conformity, EU database registration — has no direct equivalent in any US law or regulation currently in force. What US law does require for specific sectors is different in both structure and purpose.

Colorado requires impact assessments and risk management documentation, but the format, depth, and legal function of those documents differ significantly from Annex IV. California requires training data documentation under AB 2013, but only for generative AI systems with a narrower scope. Federal agency enforcement actions can require document production in litigation, but there’s no proactive mandatory dossier requirement.

The practical implication: EU AI Act documentation obligations create a documentation burden that has no US analog. Conversely, US compliance in some sectors requires documentation types — particularly employment discrimination audit records, fair lending analysis documentation, and HIPAA-related AI records — that don’t directly map to Annex IV structure.

A dual-market documentation program therefore needs to maintain both the Annex IV dossier for EU compliance and a separate set of sector-specific documentation records for US regulatory and litigation purposes. These can be linked and cross-referenced, but they can’t simply substitute for each other.

Enforcement: Hard Law vs. Soft Pressure and Civil Litigation

EU AI Act enforcement is administrative — national competent authorities investigate, issue findings, and impose fines within a defined regulatory framework. The penalties are large, the framework is clear, and the enforcement process is structured.

US AI enforcement in 2026 operates through three very different mechanisms, each with distinct dynamics. First, state attorney general enforcement under state AI laws (Colorado, California) — structured but limited in penalty scale. Second, federal agency enforcement under existing law (FTC, EEOC, CFPB, HHS) — more powerful but subject to enforcement priority shifts with changing administrations. Third, and often most impactful for US companies, private civil litigation under employment discrimination laws, fair housing laws, and consumer protection statutes — where private plaintiffs can sue directly and class actions can create massive exposure.

The implication for compliance strategy is different for each enforcement mechanism. EU AI Act compliance primarily protects against regulatory fines from defined authorities. US compliance must simultaneously manage regulatory risk, agency enforcement risk, and private litigation risk — three overlapping but distinct threat profiles that require different mitigation approaches.

GPAI and Foundation Models: No US Equivalent

The EU AI Act’s General Purpose AI (GPAI) category^[1] — with its specific documentation, copyright compliance, and systemic risk assessment obligations for large foundation models — has no direct US equivalent. US federal policy on foundation models in 2026 is limited to voluntary guidelines. No state AI law specifically addresses GPAI model developers in the same way.

For companies developing or deploying large language models and other foundation models, GPAI compliance is an entirely EU-specific obligation that creates no offsetting compliance benefit in the US market. The red-teaming, incident reporting, and energy consumption reporting required for systemic-risk GPAI models under the EU AI Act are EU-only requirements.

Where the Compliance Burden Falls: Provider vs. Deployer

This is the divergence that most directly affects how you structure your compliance organization — and it’s the one that gets least attention in comparison articles.

Under the EU AI Act, the heaviest compliance obligations rest with providers — the organizations that develop, train, or place AI systems on the EU market. The Annex IV technical dossier, conformity assessment, CE marking, EU database registration, Instructions for Use — all of these are primary provider obligations. Deployers carry lighter obligations: use the system within its intended purpose, maintain human oversight, keep logs, monitor for issues. The compliance budget and the compliance program leadership therefore sits primarily with AI product teams and the organizations building the AI.

US state law flips this balance in important ways. Colorado’s Act places deployer obligations at its center — annual impact assessments, consumer notifications, appeal rights, 90-day discrimination reporting — rather than developer obligations. Many US businesses that are purely deployers of third-party AI (using Salesforce AI, Microsoft Copilot, or other vendor-built systems in their operations) find that US law creates significant obligations for them even when they didn’t build the AI. Illinois’ Human Rights Act amendment imposes employer liability for discriminatory AI outcomes regardless of whether the employer or a third-party vendor built the tool.

This structural difference has real organizational implications. Your EU AI Act compliance lead might sit in the product or engineering organization because the heaviest obligations are on the builder side. Your US compliance lead might need to sit in HR, legal, or operations because the heaviest obligations are on the deployer/employer side. Building a compliance program that treats both markets through a single organizational lens can create ownership gaps in one or both jurisdictions.

Building a Dual-Market AI Compliance Strategy

The question I hear most often from multinational compliance teams is some version of: “Can we build one compliance program that covers both, or do we need two separate programs?” The honest answer: neither, exactly. You need one program architecture with two implementation layers.

Start with the EU AI Act as Your Baseline

If your AI systems touch both EU and US markets, start by building your compliance program to satisfy EU AI Act requirements. Here’s why this is the right direction even for US-headquartered companies: EU requirements are more comprehensive, more prescriptive, and more demanding than anything currently required in the US. Building to EU standards gives you a compliance program with documented risk management, bias testing, technical documentation, and governance infrastructure that substantially exceeds what US law requires. You won’t need to rebuild it when US requirements evolve — and they will evolve.

This is a strategic posture that pays dividends over time. State AI laws in California, Colorado, and elsewhere are clearly trending toward more comprehensive requirements. Federal law, if it ever materializes in a Biden-style framework, will likely look more like the EU than the current executive order approach. Building to EU standards today means you’re ahead of the curve for US regulation, not just compliant with it.

Layer US-Specific Requirements on Top

Once your EU AI Act baseline program is established, add the US-specific requirements that aren’t covered by EU compliance. There are five main additions for most multinationals.

Impact assessments for Colorado and California. Colorado’s annual impact assessment requirement for deployers has a specific structure and disclosure format that differs from Annex IV documentation. Create a templated impact assessment process that meets Colorado’s requirements and can be adapted for California’s specific laws — but link it to your Annex IV documentation to avoid duplication of effort.

Consumer notification workflows. Colorado requires specific consumer notifications when high-risk AI makes a consequential decision, with explicit language about the AI’s role and appeal rights. California has similar but distinct disclosure requirements. Build consumer notification workflows that satisfy both states’ specific language and timing requirements, layered on top of your EU-standard transparency infrastructure.

Civil rights compliance documentation. US civil rights law (Title VII, ADA, FHA, ECOA) creates litigation exposure that EU AI Act compliance doesn’t address. Maintain adverse impact analyses and disparate impact testing documentation specifically formatted for employment and lending compliance — these differ from Annex IV bias documentation in legally important ways.

Attorney General disclosure readiness. Both Colorado and California require disclosure to state AGs within 90 days of discovering algorithmic discrimination. Build an internal escalation process that automatically triggers AG disclosure preparation when your monitoring systems identify potential algorithmic discrimination — connecting your EU AI Act monitoring infrastructure to your US disclosure obligations.

Private litigation defense records. Unlike the EU, the US creates significant private litigation exposure for AI-driven discrimination. Maintain litigation-ready documentation of your bias testing methodology, results, and remediation actions — separately from your Annex IV technical documentation, structured for US discovery rules and admissibility standards.

The State Law Tracker Your Team Needs

The US state AI law landscape is changing faster than any compliance team can track manually. As of March 2026, the following states have active AI laws or upcoming effective dates that multinational companies should monitor:

State / Jurisdiction	Law / Requirement	Effective Date	Primary Focus	Key Compliance Action
Colorado	SB 24-205 (Colorado AI Act)	June 30, 2026	Algorithmic discrimination in consequential decisions	Impact assessments, risk management policy, consumer notification, 90-day AG disclosure
California	SB 53 (frontier AI) + AB 2013 (generative AI data) + SB 942 (AI transparency) + employment AI laws	January 1, 2026 (various)	Frontier model safety protocols; generative AI training data disclosure; AI detection tools	Safety and security protocols for frontier model developers; training data documentation for generative AI; AI detection tools for large-scale systems
Illinois	HB 3773 (Human Rights Act amendment)	January 1, 2026	AI discrimination in employment	Audit employment AI for disparate impact; no specific documentation format required
Texas	TRAIGA (HB 149) — Texas Responsible AI Governance Act	January 1, 2026	Prohibited AI practices (intent-based); government agency AI transparency	Assess whether AI systems could be used for prohibited purposes; minimal private sector affirmative obligations; safe harbor via NIST AI RMF alignment
New York City	Local Law 144	July 5, 2023 (in force)	Automated employment decision tools	Annual independent bias audits; candidate notification; public summary
Federal (FTC)	FTC Act Section 5 + policy statement expected March 11, 2026	Ongoing + March 2026	Deceptive/unfair AI practices	Monitor FTC policy statement on AI; ensure outputs aren’t deceptive

Assign someone on your compliance team to monitor two specific developments in the near term: the Commerce Department evaluation of state AI laws (due March 11, 2026) and the FTC policy statement on AI (also due March 11, 2026). Both will clarify the federal-state dynamic and potentially shift compliance priorities.

Case Study: One Company’s Dual-Market Compliance Approach

Frequently Asked Questions: EU AI Act vs. US AI Regulation

These come up in almost every dual-market compliance discussion I’m part of. I’ve answered each as directly as the genuinely complex situation allows.

Does the EU AI Act apply to US companies?

Yes — and this is one of the most common compliance misconceptions I see. The EU AI Act applies to any company, regardless of its country of incorporation, if its AI systems are placed on the EU market or used by individuals in EU member states.^[1] This follows the same extraterritorial logic as GDPR. If you have European customers whose lives are affected by your AI systems — even if your company is headquartered in San Francisco and your servers are in Virginia — you are in scope.

The implication is that “we’re a US company” is not a compliance defense under the EU AI Act. Your EU market exposure determines your EU AI Act obligations, not your corporate address.

Is there a US equivalent of the EU AI Act?

No — and the gap is significant. As of March 2026, the United States has no comprehensive federal AI law equivalent to the EU AI Act.^[2] Colorado’s AI Act (SB 24-205) is the closest approximation at state level — risk-based, covers both developers and deployers, targets high-risk AI in consequential decisions — but it applies only to Colorado residents and focuses narrowly on algorithmic discrimination rather than the EU AI Act’s broader safety and governance framework.

The Senate’s 99–1 vote against a proposed 10-year moratorium on state AI laws suggests that state-level regulation will continue to fill this federal void. Don’t expect a comprehensive federal AI law in the near term — plan your compliance architecture around the current patchwork reality.

What is the biggest compliance difference between the EU AI Act and US AI regulation?

Legal structure — the difference between binding law and advisory guidance. The EU AI Act is a directly applicable regulation with mandatory requirements, defined penalties, and a centralized enforcement structure covering 27 countries. US AI governance at the federal level consists primarily of executive orders (which don’t directly regulate private companies), voluntary frameworks, and existing agency enforcement under pre-AI laws.

This means EU compliance is a defined target you can build a program toward. US “compliance” at the federal level is more about managing relationships with enforcement agencies, anticipating enforcement priorities, and maintaining documentation that supports litigation defense — a meaningfully different compliance posture.

Do I need to comply with both the EU AI Act and US state AI laws?

Potentially yes, and they run in parallel. If your AI system affects EU residents, EU AI Act compliance is required. If it affects Colorado residents in high-risk AI contexts, Colorado AI Act compliance is required. If it affects Illinois employees, Illinois Human Rights Act compliance is required. None of these obligations satisfies any of the others — they apply simultaneously based on the geographic location of the affected individuals, not your company’s location.

The good news: there is meaningful substantive overlap, particularly between EU AI Act requirements and Colorado’s Act, that allows a single underlying compliance program to satisfy multiple frameworks with different documentation formats on top.

How does the Colorado AI Act compare to the EU AI Act?

Similar philosophy, narrower scope, lighter obligations, smaller penalties. Both use a risk-based approach targeting AI that makes consequential decisions about individuals. Both require developer and deployer obligations. Both focus heavily on bias prevention and transparency. The differences: Colorado focuses specifically on algorithmic discrimination (not a full safety framework), applies only to Colorado residents, doesn’t require formal conformity assessment or a technical dossier of EU depth, and carries maximum penalties of $20,000 per violation versus EU fines up to €35 million.^[9]

Colorado also provides a safe harbor for companies following recognized risk management frameworks like NIST AI RMF — the EU AI Act has no equivalent blanket safe harbor.

Can the Trump administration’s executive orders eliminate state AI laws?

Not directly and not immediately. Executive orders cannot override state laws — that requires an act of Congress or a successful court ruling on preemption grounds. The December 2025 executive order establishes mechanisms to challenge state laws (the DOJ AI Litigation Task Force) and conditions on federal funding, but these must work through legal processes that will take years to resolve, with uncertain outcomes.^[5]

Until those legal challenges succeed — which is far from guaranteed — existing state AI laws remain fully enforceable. Companies must continue complying with all effective state AI requirements. Plan for the current patchwork reality, not the possible preempted future.

Next Steps for Multinational Teams

If You’re Just Starting Your Compliance Program

Begin with a market mapping exercise. For each AI system you deploy, identify every jurisdiction where affected individuals are located — not where your company is headquartered, not where your servers are, but where the people your AI touches are. That map determines your compliance obligations.

If you have EU-facing AI, EU AI Act compliance is your highest-priority obligation and your best starting point. Build your core AI governance program to EU standards, then assess what additional requirements apply in each US state where you operate. This sequencing maximizes the compliance dividend from each investment.

If You Already Have EU AI Act Compliance Underway

Audit your existing compliance work against the US state laws relevant to your business. Start with Colorado, California, and Illinois — the three states with the most comprehensive current AI requirements. For each state law that applies, identify what additional documentation, process, or disclosure work is needed beyond your EU compliance program. In most cases, this is incremental work on top of a solid foundation, not a new program from scratch.

Key Dates to Keep on Your Radar

The transatlantic divergence in AI regulation is not going to resolve itself quickly. For the foreseeable future, multinational businesses deploying AI will need to maintain dual compliance architectures — one anchored in the EU’s binding, comprehensive framework and one navigating the US patchwork of state laws, agency enforcement, and litigation risk.

The companies that handle this well aren’t building two programs. They’re building one governance foundation — ideally NIST AI RMF-aligned — and layering jurisdiction-specific requirements efficiently on top. The upfront investment is real. But the alternative — reactive compliance sprints as enforcement actions materialize — is significantly more expensive.

For the complete EU AI Act compliance requirements, deadlines, and documentation program guidance, return to our EU AI Act Compliance Pillar Guide.

Next in this cluster series: Colorado AI Act 2026: What It Means for US Companies and the Path to Federal AI Regulation — a deep dive into SB 24-205 compliance requirements and what Colorado’s law signals about where US federal regulation is heading.

Two other topics directly connected to dual-market compliance: if your organization is concerned about unauthorized AI tool use creating unmonitored compliance exposure in both the EU and US markets simultaneously, see our Shadow AI compliance guide. And if your deployment falls within Article 27’s FRIA obligation or Colorado’s annual impact assessment requirement, our AI Impact Assessment guide covers both with a dual-market template design.