Compliance and Enforcement in Global AI Regulation: EU AI Act Risks and International Regulatory Challenges
Key Takeaways:
- The EU AI Act is the world’s first comprehensive AI regulation. It classifies AI systems by risk level and imposes compliance obligations on companies that develop or deploy AI. Although anticipated legislative changes would extend key deadlines to late 2027 and 2028, foundational requirements are already in force. Manufacturers should use the additional time to build compliance infrastructure now.
- Global AI regulation is fragmented and evolving rapidly. The EU mandates conformity assessments with penalties up to 7% of global revenue. The U.S. relies primarily on voluntary frameworks. China imposes algorithm registration and content labeling rules. No single compliance approach satisfies all regimes simultaneously.
- Regulatory compliance for AI is a contractual and governance priority, not merely a technology problem. Vendor agreements and internal oversight structures must be designed to satisfy the most demanding applicable regime.
Governments worldwide are moving to regulate artificial intelligence (AI), and manufacturers are directly affected. The EU AI Act, which entered into force in August 2024, establishes binding obligations on companies that develop or deploy AI systems in European markets. The United States, China, and other major economies are advancing their own approaches, often with conflicting requirements. For manufacturers operating across borders, the practical consequences are immediate: the same AI system may be classified differently in each jurisdiction, triggering different compliance obligations and enforcement risks.
1. Compliance Obligations under the EU AI Act for High-Risk Systems
The EU AI Act classifies AI systems into four risk tiers: unacceptable (prohibited), high-risk (strictly regulated), limited risk (transparency obligations), and minimal risk (no specific obligations). For manufacturers, the high-risk classification triggers significant compliance requirements. AI used as a safety component in machinery, AI integrated into products requiring CE marking, and AI in critical infrastructure typically qualify as high-risk.
Importantly, most industrial AI applications, including production optimization, anomaly detection, and predictive maintenance, fall into the minimal-risk category if they do not perform direct safety functions and a human remains the final decision-maker. This “human-in-the-loop” distinction is one of the most important factors determining a manufacturer’s regulatory burden under the EU framework.
The Act also distinguishes between Providers (developers of AI) and Deployers (companies using AI from vendors). Providers must implement risk management systems, maintain technical documentation, and conduct conformity assessments. Deployers, which includes most manufacturers purchasing AI software, must ensure the AI is used as intended, maintain qualified oversight personnel, and monitor operations. Manufacturers should contractually require vendors to provide conformity documentation. See our prior article regarding other tips and strategies for manufacturers negotiating AI vendor contracts.
A May 2026 legislative agreement (the Digital Omnibus) proposes to extend key compliance deadlines: high-risk standalone systems to December 2027, and AI embedded in regulated products to August 2028. For machinery manufacturers specifically, the agreement proposes to exempt the EU Machinery Regulation from direct AI Act applicability; AI requirements will instead be layered into existing machinery safety rules. However, AI literacy requirements and prohibited practices have been in force since February 2025 and remain in effect.
2. Navigating Global AI Regulations for Manufacturing and Supply Chain
Beyond the EU, manufacturers face a fragmented global landscape. The United States has no comprehensive federal AI law. The current administration favors a pro-innovation approach and has sought to preempt state-level AI regulations, but 48 state laws currently create a patchwork of obligations. The National Institute for Standards and Technology (NIST) AI Risk Management Framework (AI RMF) remains the primary voluntary governance standard for U.S. companies.
China takes a different approach: mandatory AI content labeling, national security standards, and sector-specific rules affecting automotive supply chains. The UK pursues a lighter-touch, sector-based approach without comprehensive legislation.
For multinational manufacturers, ISO/IEC 42001, the first international standard for AI management systems, provides a useful operational framework that can bridge divergent national requirements. The NIST AI RMF serves as a complementary technical resource. These voluntary frameworks help structure internal governance and vendor management, though they do not eliminate the obligation to comply with each jurisdiction’s specific rules.
3. Enforcement Trends and Penalties in International AI Regulation
The EU AI Act’s penalties exceed the General Data Protection Regulation’s already significant 4% maximum. Violations of prohibited practices face fines of €35 million or 7% of global annual turnover (whichever is higher) under the EU AI Act. Other high-risk violations carry penalties of €15 million or 3% of turnover. For a manufacturer with €10 billion in annual revenue, a single prohibited-practice violation could mean up to a €700 million fine.
In the U.S., enforcement operates through existing regulatory powers: the FTC may pursue unfair or deceptive AI practices, while state laws create additional liability channels. China’s enforcement leverages cybersecurity and data security laws with consequences including fines, service suspension, or even criminal referral.
For manufacturers, a single AI vendor failure could trigger regulatory exposure in multiple jurisdictions simultaneously. Technology may explain why a decision was made, but it will not excuse the consequences.
4. Managing Compliance Risks in Manufacturing and Supply Chain AI Applications
Manufacturers should take the following steps to address compliance risks:
- Conduct an AI inventory. Map every AI system by purpose, data access, autonomy level, and applicable jurisdictions.
- Demand vendor compliance documentation. Require technical documentation, conformity declarations, and contractual representations about risk classification from AI vendors.
- Design governance for the most demanding regime. If you operate in the EU, build to EU AI Act standards. Use ISO/IEC 42001 as an operational framework. See our prior article for additional information regarding building a scalable AI Governance Program.
- Negotiate contracts that allocate regulatory risk. AI vendor agreements should address conformity assessment obligations, documentation maintenance, incident reporting, and indemnification for regulatory penalties.
- Build human oversight into system design. The human-in-the-loop distinction is the most important factor determining whether manufacturing AI falls into high-risk or minimal-risk categories under the EU framework. Design processes that preserve meaningful human authority over safety-critical decisions.
Foley & Lardner’s Manufacturing, Supply Chain, and Artificial Intelligence teams regularly advise manufacturers navigating the intersection of AI technology and global regulatory compliance. For more information, please contact the authors or your Foley relationship partner.