The EU AI Act applies to Australian businesses only when they place AI systems on the EU market or when their AI system's output is used in the EU. For most Australian SMBs serving Australian customers, there is no direct obligation. The Act still matters locally: Australia's proposed mandatory guardrails for high-risk AI follow the same risk-based logic, and the Act's core practices - human oversight, documentation, transparency - are becoming the default expectation in B2B contracts.
Does the EU AI Act apply to Australian businesses?
Only in two situations: you supply an AI system or AI-enabled product into the EU market, or the output of your AI system is used inside the EU. An Australian firm using AI internally to serve Australian customers is not directly regulated by the Act.
The Act is extraterritorial in the same way the GDPR is. It catches providers and deployers outside Europe when their systems or outputs reach the EU. Concrete examples of Australian exposure:
- An Australian SaaS product with EU customers that includes AI features - you are likely a provider placing a system on the EU market.
- An Australian recruiter screening candidates for EU-based roles with an AI ranking tool - the output is used in the EU, and hiring is a high-risk category under the Act.
- An Australian manufacturer exporting products with embedded AI into the EU - covered through the product rules.
If none of that describes your business, the Act imposes nothing on you directly. The reason to keep reading is that its structure is shaping what Australian regulation and Australian enterprise procurement now ask for.
What does the EU AI Act actually regulate?
The Act sorts AI uses into risk tiers. A short list of practices is banned outright. High-risk uses - hiring, credit, essential services, law enforcement - carry heavy obligations: risk management, documentation, human oversight and conformity assessment. Limited-risk uses carry transparency duties, such as telling people they are talking to a chatbot. Most everyday business uses are minimal risk and largely untouched.
The tiers, from heaviest to lightest:
- Prohibited - social scoring, manipulative techniques that cause harm, untargeted scraping of facial images, and most real-time remote biometric identification in public spaces.
- High risk - AI used in employment decisions, credit scoring, education assessment, critical infrastructure, medical devices and similar. These need documented risk management, quality data governance, logging, human oversight and registration.
- Limited risk - transparency obligations. Chatbots have to disclose they are AI; synthetic media has to be labelled.
- Minimal risk - the bulk of business AI: drafting, summarising, internal search, spam filtering. No new obligations.
Separately, providers of general-purpose AI models - the companies behind Claude, ChatGPT and Gemini - carry their own documentation, copyright and safety obligations. Those duties sit with the model providers, not with the businesses using the models.
Key dates and penalties
The Act entered into force on 1 August 2024. Prohibitions applied from 2 February 2025, general-purpose AI model obligations from 2 August 2025, and most high-risk obligations from 2 August 2026, with some embedded-product rules running into 2027. Maximum penalties reach EUR 35 million or 7% of global turnover for prohibited practices.
The phase-in matters because obligations land in waves. At the time of writing the prohibitions and general-purpose model duties are live, and the main high-risk regime is the next wave. Penalties are tiered: up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, and up to EUR 15 million or 3% for most other breaches.
For an Australian business with EU exposure, the practical move is to map each AI use case against the risk tiers and check the dates that apply to it - the obligations differ sharply between a chatbot and a CV screener.
What is Australia doing instead?
Australia has no AI-specific statute at the time of writing. The federal government published a Voluntary AI Safety Standard in September 2024 with ten guardrails, and has consulted on making similar guardrails mandatory for high-risk AI. Existing law already applies to AI use: the Privacy Act, Australian Consumer Law and anti-discrimination legislation do not stop applying because a model made the decision.
The Voluntary AI Safety Standard's guardrails will look familiar if you have read the EU tiers: accountability processes, risk management, data governance, testing, human oversight, transparency with users, contestability, supply chain transparency, record keeping and stakeholder engagement.
The direction of travel is clear even though the legislative timing is not: risk-based rules, heavier duties where AI touches consequential decisions about people, and an expectation that someone in the business can explain what the AI did. Australian businesses that build those habits now are not betting on a particular bill passing - they are aligning with where every comparable jurisdiction has landed.
What should an Australian SMB actually do now?
Five moves cover most of it: keep an inventory of where AI is used in the business, keep a human approving consequential outputs, document what data each workflow touches, use AI tools on business or API tiers where your data is not used for training, and map any EU-facing use cases against the Act's risk tiers.
None of this requires a compliance team. An inventory is a page. An approval gate is a workflow rule. A data map is part of scoping any decent automation build - it is how we run security and data handling on every Horizon AI workflow: defined data paths, human approval on client-facing and regulated outputs, and an audit trail of every AI action.
If you are unsure whether a planned AI use would count as high risk - here or in Europe - that is a scoping question, not a legal panic. It is the kind of thing a short AI consulting engagement settles before any build starts.