Most US mid-market executives have heard of the EU AI Act. Very few have read it, and almost none have assessed what it means for their specific operations. For healthcare and financial-services firms — where AI is already touching diagnoses, eligibility, credit, and claims — that gap is worth closing now.
Here is what we tell clients: if you have EU customers, EU employees, or EU data, the EU AI Act applies to you. Full stop. Its extraterritorial reach is as broad as GDPR, and the compliance clock is already running.
The part that matters most is the risk-tiered framework. The Act sorts AI systems into four levels — unacceptable, high, limited, and minimal — and obligations scale accordingly. High-risk uses include employment decisions, credit scoring, biometric identification, critical-infrastructure management, and certain health and education contexts. If you use AI for any of these and you have EU exposure, you are in scope for the most demanding requirements.
The good news: a governance framework built to EU AI Act standards will satisfy most other regulatory requirements you face — HIPAA-adjacent expectations, financial-services oversight, state AI laws. It is a high bar, but a complete one. The bad news: most US firms are not on track to meet it.
The number that matters
August 2, 2026 — the enforcement date for obligations covering high-risk AI systems. That is closer than most teams realize, and the documentation, conformity assessment, and technical standards work required before then is substantial.
A quick exposure assessment
- Do you have customers, employees, or operational data subject to EU jurisdiction?
- Are you using AI for any high-risk use case in Annex III — employment, credit, biometrics, critical infrastructure, education?
- Do you have a named person responsible for EU AI Act compliance?
If the answers are yes, yes, and no, you have a gap that needs attention now.
How LANStatus helps
Compliance work is where our professional services and our deep healthcare and financial-services experience meet. We help you inventory your AI systems, classify them by risk tier, assign clear ownership, and assemble the documentation a regulator would actually ask for — so “we were getting to it” never becomes the answer you give after the fact.
If an EU regulator asked you to produce documentation of your AI systems’ conformity tomorrow, what would you hand them?
Not sure where your AI systems fall on the risk tiers? LANStatus can run an exposure assessment for you.
A version of this article first appeared in The CAIO Brief.