The EU AI Act’s Extraterritorial Reach: Compliance Obligations for Indian Tech Companies Serving European Markets
Introduction
When the European Union’s AI Act entered into force in August 2024, becoming the world’s first comprehensive AI regulatory framework, its implications extended far beyond the Member States. Like the General Data Protection Regulation before it, the AI Act was designed with an expansive jurisdictional logic: if an AI system produces outputs that are used within the European Union, the entities responsible for that system are subject to its requirements, regardless of where those entities are incorporated, where their servers are located, or where their engineers work.
For Indian technology companies, this extraterritorial design is not a peripheral concern. India is home to one of the world’s largest concentrations of AI development talent, a thriving base of AI product companies serving global markets, and a software services sector whose clients include major European corporations deploying AI in regulated sectors. The AI Act’s compliance obligations, which carry penalties of up to 35 million euros or seven percent of global annual turnover for prohibited practice violations, demand serious attention from any Indian firm with European market exposure.
The challenge is compounded by novelty. Unlike the GDPR, which built on decades of European data protection jurisprudence and which Indian companies had years to study before its enforcement commenced, the AI Act introduces genuinely new regulatory categories, risk classification systems, and conformity assessment requirements that have no clear Indian analogue. The learning curve is steep, and the cost of misclassification is severe.
Legal Framework
The AI Act establishes a risk-based classification system with four tiers. Prohibited AI practices, in Article 5, include social scoring systems operated by public authorities, manipulation of human behaviour through subliminal techniques, real-time remote biometric identification in public spaces by law enforcement with narrow exceptions, and AI systems that exploit vulnerabilities of specific groups. High-risk AI systems, enumerated in Annex III, include AI used in biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice.
For high-risk AI systems, the Act mandates a comprehensive compliance framework including a quality management system covering the entire AI lifecycle, technical documentation demonstrating conformity with requirements, registration in a public EU database before deployment, conformity assessment, post-market monitoring, and incident reporting. The obligations attach to ‘providers’ of AI systems, defined as those who develop or have AI systems developed and place them on the Union market under their own name or trade mark.
Critically, Article 2(1) extends the Act’s territorial scope to providers established outside the Union when their systems are placed on the Union market or when the outputs of their systems are used within the Union. Article 25 extends obligations to ‘deployers’, including European companies that integrate Indian AI outputs into products or services. This creates a compliance obligation for Indian AI providers serving European deployers, even where the Indian provider has no European presence.
Judicial and Regulatory Developments
The AI Act’s enforcement machinery became operational in phases from 2024 through 2025. The European AI Office, housed within the European Commission, is responsible for overseeing general-purpose AI model providers and maintaining the public database of high-risk AI systems. Several Member States, led by Germany, France, and the Netherlands, have moved rapidly to designate their national competent authorities and issue provisional guidance on conformity assessment.
The German Federal Agency for Artificial Intelligence Oversight, established in early 2025, has already issued two advisory opinions confirming that a provider established in a third country whose AI system is integrated into a German-deployer’s product is a provider for purposes of the AI Act regardless of contractual arrangements allocating responsibility. The French CNIL has issued guidance requiring French importers of AI systems to obtain technical documentation from their non-EU providers before deployment in high-risk contexts.
No formal enforcement action targeting a third-country provider has yet been concluded, but the European AI Office has opened preliminary inquiries into several non-European foundation model providers in connection with their general-purpose AI obligations under Articles 51 through 55 of the Act. The outcome of these inquiries, expected in 2026, will significantly clarify the practical reach of extraterritorial obligations.
Contemporary Issues and Analysis
Indian IT service companies face the most immediate compliance exposure through their contracts with European clients. An Indian company contracted to develop, fine-tune, or maintain an AI system used by a European bank, insurer, or healthcare provider will almost certainly be engaged with a high-risk AI system as defined by Annex III. Many compliance obligations are already being inserted into Request for Proposal templates issued by European financial institutions.
For Indian AI product companies, a company building an AI-powered human resources management system sold to European employers faces automatic high-risk classification under Annex III, Category 4, and must establish a conformity assessment regime, register in the EU AI database, and maintain incident reporting capability. Preliminary estimates from compliance consultancies suggest that bringing a single high-risk AI product into EU AI Act conformity costs between 200,000 and 800,000 euros.
Indian foundation model developers face obligations under the general-purpose AI provisions even where their model is not itself deployed in a high-risk context. Models with systemic risk designation, applied to models trained on more than 10 to the power of 25 floating-point operations, must conduct model evaluations, provide technical documentation to downstream providers, and implement cybersecurity protections.
Comparative and International Perspective
The AI Act’s extraterritorial mechanism mirrors but amplifies the GDPR’s extra-territorial logic. Many Indian companies navigated GDPR compliance by appointing EU representatives, implementing data processing agreements, and obtaining Standard Contractual Clause approval. A similar representative obligation exists under Article 25 of the AI Act for non-EU providers, requiring designation of an EU-based representative before accessing the Union market with a high-risk AI system.
India has an opportunity to negotiate a bilateral arrangement with the EU that provides streamlined conformity assessment for Indian AI systems that are certified compliant with an Indian national AI standard. The GDPR adequacy decision sought by India has stalled, but an AI Act equivalency pathway would be commercially transformative.
Practical and Policy Implications
The compliance burden is asymmetrically distributed. Large Indian IT companies with dedicated compliance functions can absorb the AI Act compliance cost as a business investment. The disproportionate impact falls on mid-sized Indian AI product companies and early-stage startups that build AI tools serving European enterprise clients but lack the resources for full conformity assessment infrastructure.
The AI Act may function as a market access barrier regardless of technical merit. If conformity assessment requires third-party notified body certification, and if notified bodies for AI are concentrated in European jurisdictions with long backlogs and significant fees, Indian companies may be priced out of European deployment. The Medical Device Regulation experience in Europe created exactly this bottleneck, with non-European manufacturers facing years-long delays in notified body access.
Suggestions and Reforms
The Government of India should urgently pursue an AI Act equivalency dialogue with the European Commission, proposing a mutual recognition framework under which Indian AI systems certified compliant with a notified Indian AI safety standard are treated as meeting EU AI Act conformity requirements for high-risk categories. This requires, as a precondition, that India develop a credible national AI safety standard through a consultative process involving industry and civil society.
NASSCOM and the Software Technology Parks of India should establish a joint EU AI Act compliance resource centre providing documentation templates, notified body referral services, and legal analysis available to small and medium-sized Indian AI companies at subsidised cost.
Indian IT companies should proactively restructure their service contracts with European clients to include clear AI Act role delineation, specifying which party bears provider and deployer obligations respectively, with corresponding indemnity provisions. Legal teams should assess existing engagements for AI Act exposure and initiate remediation before the high-risk obligation enforcement deadlines in 2026.
Conclusion
The EU AI Act is not a distant European problem. It is a present commercial reality for any Indian technology company with European ambitions. Those who treat it as a compliance checkbox to be addressed at the last moment will find themselves disadvantaged relative to competitors who have built AI Act conformity into their development processes from the outset. India’s AI industry has the technical sophistication to meet these requirements. What is needed is strategic clarity, governmental support, and the institutional infrastructure to translate that capability into market access.