Does the June 2026 US executive order remove AI compliance requirements for US companies?

No. The executive order 'Promoting Advanced Artificial Intelligence Innovation and Security' (June 2, 2026) makes US federal AI policy deregulatory and voluntary, with no mandatory licensing, preclearance, or requirement to log, monitor, or audit deployed AI systems. It governs US federal policy only. It does not affect the EU AI Act, which applies to any company whose AI output is used in the European Union regardless of where the company is based.

Does the EU AI Act apply to US companies?

Yes, in many cases. Regulation (EU) 2024/1689, Article 2(1)(c), applies the Act to providers and deployers located in a third country 'where the output produced by the AI system is used in the Union.' A US company does not need an EU office, subsidiary, or data center to be in scope. It needs only to produce output (a score, recommendation, classification, generated document, or decision) that is used by people in the EU. High-risk obligations begin enforcing on August 2, 2026.

What does 'output used in the Union' mean under the EU AI Act?

It means the result an AI system produces reaches or is relied upon by a person in the EU, even if the system runs entirely outside the EU. Examples include a US-built hiring agent screening EU applicants, a credit model scoring EU customers, or a customer-facing assistant serving EU users. The trigger is functional and output-based, not tied to the location of the company, its servers, or its team.

What are the penalties under the EU AI Act?

For the most serious violations, the EU AI Act sets a penalty ceiling of up to 35 million euros or 7 percent of total worldwide annual turnover, whichever is higher. Lower tiers apply to other categories of violation. The high-risk system obligations carry enforcement from August 2, 2026.

If US AI policy is deregulatory, should US companies still prepare for the EU AI Act?

Yes. US federal policy and EU obligations are independent. A deregulatory posture in Washington does not reduce or delay any EU AI Act requirement, and it removes the domestic forcing function that would otherwise prompt teams to build audit-readiness. US companies with EU-facing AI output should plan compliance against the EU enforcement timeline, not US policy signals, focusing on record-keeping (Article 12), human oversight (Article 14), and post-market monitoring (Article 26).

← Back to Blog

eu-ai-actus-ai-policyextraterritorialai-governancecomplianceexecutive-order

The US Just Deregulated AI. Your EU AI Act Obligations Did Not Change.

Henrique Veiga Curi2026-06-036 min read

On June 2, 2026, the White House signed an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security." It is deregulatory by design. A lot of US founders will read it as permission to stop worrying about AI compliance.

They should not.

The order is real, and on its own terms it does what it says. But it governs US federal policy. It does not govern where your AI's output lands. For any US company whose AI system produces results that get used in the European Union, the binding obligation did not move an inch. If anything, the gap between the two regimes just got wider, and harder to see.

What the executive order actually does

The order's center of gravity is cybersecurity and voluntary industry collaboration, not prescriptive governance. It directs CISA, the Department of War, Treasury, and OMB to harden federal and critical-infrastructure systems against cyber threats, on 30 to 60 day timelines. It sets up a voluntary framework for developers of "covered frontier models" to engage the government before public release.

The line that matters most for compliance planning is this one:

> "Nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models."

Read the rest and the pattern holds. There is no federal requirement to log how a deployed AI system behaves. No mandate to monitor it in production. No transparency reporting. No audit trail for AI-driven decisions. The order leans deliberately away from the kind of domestic regime that would force US enterprises to prove how their AI operates.

If your compliance plan was "wait and see what Washington makes us do," the answer just came back. Nothing, for now.

Why that does not get US companies off the hook

The EU AI Act does not care what your home regulator requires. Its scope follows the output of the system, not the location of the company that built it.

Regulation (EU) 2024/1689, Article 2(1)(c), is explicit. The Act applies to:

> "providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union."

There is no US-company exemption. There is no clause that says a deregulatory posture at home reduces the obligation abroad. The trigger is functional: if a system you build produces results that are used by people in the EU, you are in scope, and the high-risk obligations begin enforcing on August 2, 2026. The penalty ceiling is up to 35 million euros or 7 percent of global annual turnover, whichever is higher.

"Used in the Union" is broader than most US teams assume. You do not need an EU office, an EU subsidiary, or an EU data center. You need an output: a score, a recommendation, a classification, a generated document, a decision, that reaches a person in the Union. A US company running a hiring agent, a credit model, or a customer-facing assistant that serves EU users is producing output used in the Union, whether or not anyone on the team has thought about it that way.

The two-regime picture for a US team in 2026

Set the two side by side and the real situation is not "deregulation, relax." It is two regimes pulling in opposite directions.

- At home: no mandate, no reminder, no forcing function. The federal posture actively discourages prescriptive AI governance.

- Abroad: a hard obligation that triggers on where your output is used, with a fixed enforcement date and turnover-scaled penalties.

Deregulation at home does not shrink your obligations abroad. It removes the one thing that was going to remind you they exist. That is the trap. When your own government signals that AI governance is optional, the internal pressure to build audit-readiness evaporates, exactly while the external deadline keeps approaching.

The teams that get caught in August will not be the ones who did not know the rules existed. They will be the ones who assumed their own government's silence meant they were covered.

What this means in practice

The deregulatory order does not change a single thing about what an EU-facing US company needs to be able to show. The EU AI Act still requires, for high-risk systems, automatic record-keeping of events over the system's lifetime (Article 12), human oversight that allows intervention (Article 14), and post-market monitoring of how the system behaves in production (Article 26). None of those obligations are satisfied by a deregulatory stance in Washington.

The practical move is to decouple your compliance planning from US policy signals entirely and anchor it on two questions that have nothing to do with any executive order:

Does any output my AI systems produce get used by someone in the EU? If yes, you are likely in scope regardless of where you sit.

If an EU auditor asked me to prove how a specific agent behaved on a specific date, could I produce that evidence today? For most teams, the honest answer is no, because observability data is not the same thing as compliance evidence.

That second gap is the one that does not close itself. Telemetry collection answers "what happened on the wire." An audit answers "prove this system met its obligations over its lifetime, and show me what you did when its behavior drifted." Those are different artifacts, and the deadline for the second one is not set in Washington.

Where MeshAI fits

MeshAI Labs builds the evidence layer that turns the telemetry your stack already collects into the artifacts an EU AI Act audit requires. We are OpenTelemetry-native and we sit downstream of your observability and GRC tooling, not in competition with it. The traces your APM already produces become inputs to an external-action inventory, a conformity-assessment bundle, and drift detection calibrated against a regulatory baseline.

US AI policy will keep swinging. The EU AI Act enforcement date will not. If your output reaches the Union, the question worth asking is not what Washington requires, but whether you could prove compliance today. If that is the conversation your team is having, it is the one we want to have too. Reach us at /contact.