AI Act Territorial Scope

The scope section of the AI Act includes specific provisions on territorial applicability and which providers are subject to the regulation regardless of their location, warranting a dedicated topic.

territorial scope geographic scope EU applicability extraterritorial application market access EU market third country providers

Overview

Legal Framework

Article 2 AI Act defines its territorial scope, which is modeled on the GDPR's approach. The regulation applies to: (1) providers placing AI systems on the EU market or putting them into service there, irrespective of their place of establishment; (2) deployers of AI systems located within the EU; and (3) providers and deployers located outside the EU where the output produced by the AI system is used in the EU.

Practical Application

The extraterritorial application to non-EU providers is a cornerstone of the Act. The provision targeting "output used in the Union" creates a broad jurisdictional hook. While no AI Act-specific case law exists yet, the CJEU's interpretation of similar language in the GDPR is highly instructive. In Google v CNIL and Wirtschaftsakademie, the Court established that the activities of an establishment in a Member State can render the non-EU entity subject to EU law when those activities are inextricably linked to the data processing or service in question. This jurisprudence suggests that having a sales office, marketing team, or other establishment in the EU that promotes or supports an AI system will likely trigger the AI Act's application to the entire provider organization.

Key Considerations

  • Map Global AI Deployments: Non-EU providers must assess whether any AI system output—such as a credit score, content moderation decision, or generated text—is utilized to make decisions affecting individuals in the EU, as this alone subjects them to the regulation.
  • Scrutinize EU Establishment Links: The activities of any EU-based subsidiary, branch, or representative office related to an AI system (e.g., sales, marketing, customer support) may establish a jurisdictional nexus for the entire corporate group under the established GDPR case law.
Newest Relevant

Case Law (3)

Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)

Google - Global De-linking

Territorial scope of EU data protection law: The present case falls within the territorial scope of GDPR because “it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inte

Sep 24, 2019 CJEU

UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH

Wirtschaftsakademie

Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo

Jun 5, 2018 CJEU

GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)

Google Spain

Concept of ‘establishment’: An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in a EU Member State. It is not require that the processing be carried out by the establishment itself. The processing of personal data by the not-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in

May 13, 2014 CJEU

Guidance (12)

VERSIEGESCHIEDENIS

binding corporate rules voor verwerkingsverantwoordelijken

Nov 21, 2025 EDPB

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Guidelines on the territorial scope of the GDPR

Nov 21, 2025 EDPB

Guidelines 02/2024 on Article 48 GDPR

Article 48 GDPR provides that: ' Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...

Nov 21, 2025 EDPB

Version history

Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Nov 21, 2025 EDPB

Guidelines 01/2022 on data subject rights - Right of access

Guidelines on data subject rights - Right of access

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

Nov 21, 2025 EDPB

Guidelines 9/2022 on personal data breach notification under GDPR

Guidelines on personal data breach notification under GDPR

Nov 21, 2025 EDPB

Version history

Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...

Nov 21, 2025 EDPB

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Guidelines on the concepts of controller and processor in the GDPR

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...

Nov 21, 2025 EDPB

Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679

Guidelines on codes of conduct and monitoring bodies

Nov 21, 2025 EDPB

Richtsnoeren 3/2018 over het territoriale toepassingsgebied van de AVG (artikel 3)

guidelines territoriaal toepassingsgebied AVG

Nov 21, 2025 EDPB

Translations proofread by EDPB Members. This language version has not yet been proofread.

van de tekst in de afbeeldingen in de bijlage

Nov 21, 2025 EDPB

Versiegeschiedenis

guidelines wisselwerking toepassing artikel 3 en hoofdstuk V AVG

De AVG bevat geen juridische definitie van het begrip 'doorgifte van persoonsgegevens aan een derde land of aan een internationale organisatie'. Daarom verstrekt de EDPB deze richtsnoeren om te verduidelijken op welke scenario's de voorschriften van hoofdstuk V volgens hem moeten worden toegepast en heeft hij daartoe drie cumulatieve criteria vastgesteld waaraan een verwerkingsactiviteit moet voldoen om als een doorgifte te worden aangemerkt: - 1) Een verwerkingsverantwoord...

Nov 21, 2025 EDPB

News (3)

Article 40 GDPR

(3) Controllers and Processors not Subject to the Territorial Scope of the GDPR The focus on a particular sector is supposed to allow for a cost effective way to achieve data protection compliance by taking into account all the specific characteristics of processing carried out in that sector - with particular emphasis on the needs of micro, small and medium enterprises.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version

Jan 5, 2026 GDPRhub

Greek SA fines Clearview AI for EUR 20M

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

Oct 20, 2022 IAPP

AEPD publishes GDPR Risk Assessment

> GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

Oct 11, 2022 AEPD