A lot of U.S. boards have been told the EU AI Act is a European problem. For most internationally active U.S. banks, and for a meaningful share of mid-size U.S. firms with any cross-border footprint, that framing is wrong in a specific and expensive way.
The Act, Regulation (EU) 2024/1689, applies extraterritorially. A non-EU firm is within scope for the relevant obligations if it places an AI system on the EU market or puts one into service there, or if the output its AI system produces is used in the EU (Art. 2), regardless of where the firm is incorporated and regardless of whether the firm has European staff. Most U.S. financial institutions with European customers, operations, or partners meet at least one of those triggers through at least one product line. The high-risk classifications in Annex III around creditworthiness assessment, life and health insurance risk assessment and pricing, employment, and access to essential services map directly onto common U.S. banking, insurance, and healthcare use cases.
The sharper operational point is that the Act forces a documentation discipline with no clean U.S. analogue yet. Auditors moving through a U.S. firm's EU-facing workflows are already asking for that documentation, and supervisors increasingly expect a written EU AI Act posture as a baseline. Most U.S. firms underestimate this until they meet it. Building the documentation set once and applying it to both the EU rulebook and the firm's U.S. governance obligations is the engagement Virtova exists to scope.
Engagements are led personally by Sultan Meghji. Sultan's tenure as inaugural Chief Innovation Officer of the U.S. FDIC included direct engagement with European supervisors and public bodies (the European Central Bank, the German Bundesbank, the United Kingdom Ministry of Defence, and EU institutions) on the cyber and AI agenda; the work has continued in advisory and boardroom settings since.
What this engagement looks like
A Virtova EU AI Act readiness engagement typically runs eight to twelve weeks. The standard scope covers five threads.
Inventory and classification. Each in-scope AI system is classified against the Act's categories: prohibited practices (Art. 5), high-risk (Annex III, or Annex I for AI embedded in products already covered by EU product-safety legislation), systems carrying transparency obligations (Art. 50), and minimal-risk; general-purpose AI models are inventoried separately, since their obligations run under a different chapter of the Act. The firm's role for each system also has to be pinned down, because the Act places most of the heavy obligations on providers and a distinct, lighter set on deployers (Art. 26), and a deployer that substantially modifies a system or markets it under its own name can become its provider (Art. 25). Classification is the rate-determining step; everything else flows from it. We expect, and clients sometimes resist, the finding that several systems they did not consider AI are in fact in scope.
Article-by-article gap analysis. For high-risk systems where the firm is the provider, the obligations span risk management (Art. 9), data and data governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy, robustness and cybersecurity (Art. 15), and quality management (Art. 17). Where the firm is a deployer of a vendor's high-risk system, the gap analysis runs instead against Art. 26: using the system per the provider's instructions, assigning competent human oversight, checking that input data is relevant and representative, retaining the logs the system generates, and informing affected workers and individuals. Output: a written gap list, prioritized by enforcement risk and business criticality.
Documentation build. Technical documentation is where most U.S. firms have the largest gap. We build the set the Act actually expects, following the contents Annex IV prescribes for the Art. 11 technical documentation, not a generic compliance memo, to a standard that an external auditor or competent authority will accept.
Governance integration. EU AI Act compliance is wired into the firm’s existing risk and AI governance program rather than built as a separate workstream. For firms with U.S. exposure, the same engagement also produces NIST AI RMF mapping so a single program serves both rulebooks.
Phase-in tracking. The Act phases in across 2024–2027 under Art. 113: entry into force on 1 August 2024, the prohibitions and AI-literacy duties from 2 February 2025, general-purpose AI model obligations from 2 August 2025, most Annex III high-risk obligations from 2 August 2026, and Annex I high-risk obligations from 2 August 2027. Different obligations land at different times. We build a tracker the firm carries past the engagement so deadlines do not arrive as surprises, and so any amendment to the timetable can be folded in without rebuilding the plan.
When the engagement is the wrong answer
EU AI Act readiness is the wrong scope when the organization has no plausible EU exposure: purely domestic U.S. firms with no European customers, partners, or operations and no foreseeable plan to acquire any. It is also the wrong scope when the gap is foundational AI governance rather than EU-specific obligations; in that case AI governance consulting is the right starting engagement, with EU readiness as a follow-on.
Where the Act overlaps with sector-specific EU regulation (DORA for financial services, MDR for medical devices, GDPR throughout), Virtova engagements scope the AI Act layer specifically and bring in named specialist counsel for the adjacent regimes when the engagement warrants it.
A note on enforcement
Enforcement of the Act is a national competent-authority responsibility, with EU-level coordination through the AI Office. Penalties are material (Art. 99): up to €35 million or 7% of worldwide annual turnover, whichever is higher, for prohibited practices; up to €15 million or 3% for breaches of most other obligations, including the high-risk requirements; and up to €7.5 million or 1% for supplying incorrect or misleading information to authorities. The first wave of enforcement decisions in 2026 has set expectations that competent authorities are taking documentation discipline seriously. Firms that have built the documentation report short conversations. Firms that have not report less short ones.
The pattern across early enforcement is also worth flagging for U.S. risk committees. The questions competent authorities are asking are largely documentation questions, not technical ones. Where the technical artifact is in place, the conversation moves quickly. Where it is not, and the firm cannot produce a coherent risk-management file or technical-documentation file at the article level, the conversation becomes a discovery exercise that a U.S. firm running on a different documentation culture is not built to handle.
Next step
Most engagements start with a 30-minute discovery call. Bring an honest read of the firm's EU exposure (customers, operations, partners, and where AI output flows) and we will tell you which classification work needs to happen first and what a focused engagement looks like.