The EU AI Act is in force. For businesses headquartered outside the European Union, this often prompts the assumption that it does not apply to them. For many Singapore SMEs, that assumption is wrong.
This article explains what the EU AI Act requires, which Singapore businesses it is likely to apply to, and what the practical compliance implications are for a small or mid-market company that does not have a dedicated legal team to interpret European regulation.
What the EU AI Act is
The EU AI Act is the first comprehensive legal framework for AI anywhere in the world. It came into force in August 2024, with different provisions applying at different dates through 2026 and 2027. It classifies AI systems by risk level and imposes obligations on both providers (organisations that build AI systems) and deployers (organisations that use AI systems in their operations).
The risk classification system has four tiers. Unacceptable-risk AI is prohibited outright. High-risk AI, which includes AI used in employment decisions, credit assessment, healthcare, critical infrastructure, and educational assessment, faces the most demanding requirements. Limited-risk AI requires transparency disclosures. Minimal-risk AI has no specific obligations.
Most Singapore SMEs using off-the-shelf AI tools are deployers, not providers. Deployers of high-risk AI systems have their own set of obligations that are distinct from the provider obligations.
The extraterritorial question
The EU AI Act applies to AI systems that are placed on the market in the EU, put into service in the EU, or whose outputs are used in the EU. It also applies to providers and deployers located outside the EU when their AI system’s output is used within the EU.
This is the extraterritorial provision that catches Singapore businesses by surprise.
If you are a Singapore-based company that:
- Has customers or users in the EU whose interactions involve AI systems
- Operates through a subsidiary, partner, or distribution arrangement in an EU country
- Provides services to EU businesses that use your AI systems in their operations
- Has employees or contractors in the EU who use your AI systems in their work
…then the EU AI Act may apply to some or all of your AI deployments.
The question is not where your company is headquartered. The question is where the output of your AI systems is used.
What Singapore SMEs most need to check
For SMEs, the most practical starting points are:
Do any of your AI systems fall into the high-risk category? The Act’s Annex III lists the high-risk AI use cases specifically. Employment and HR AI is on the list. Credit and insurance AI is on the list. If you use AI to screen job applications, assess credit risk, or make educational assessments, and any of that activity touches the EU, you have high-risk AI obligations.
What AI tools from vendors are you using, and what obligations do they place on you as a deployer? Many enterprise software tools now have AI features embedded. If those tools are used in EU-touching activities, you as the deployer may have residual obligations even when the AI is provided by a third party.
What does your vendor contract say about EU AI Act compliance? Many vendor contracts have been updated since the Act came into force. Some shift compliance obligations to the deployer. Understanding what your contracts say matters.
The overlap with Singapore’s own frameworks
One genuinely useful feature of the EU AI Act’s risk framework is that it aligns reasonably well with IMDA’s risk-tiering approach. High-risk categories in the EU framework overlap substantially with the high-risk use cases IMDA’s framework addresses.
This means that if you build genuine compliance with the IMDA Model AI Governance Framework, you are partway to EU AI Act compliance for the requirements that apply to your Singapore operations. The gap is in the specific procedural requirements the EU Act adds on top of the IMDA framework’s principles.
For a Singapore SME, the pragmatic approach is to build a governance baseline against the IMDA Framework first, then map that baseline against EU AI Act requirements for any EU-touching activity. This avoids duplicating effort while ensuring both sets of obligations are addressed.
What to do if you are uncertain
If you are uncertain whether the EU AI Act applies to your business, the first step is mapping your AI systems against the risk categories in Annex III of the Act. This does not require a lawyer. It requires an honest assessment of what your AI systems do and whether any of that activity involves EU users, customers, or operations.
If any of your systems are in the high-risk category, or if you have significant EU exposure, getting a professional governance assessment is worth the investment. The penalties under the EU AI Act for non-compliance are material: up to 3% of global annual turnover for deployer violations, and up to 15 million euros or 3% of turnover for the most serious breaches.
For most Singapore SMEs, the more common situation is a modest amount of EU exposure and uncertainty about which obligations apply. Resolving that uncertainty with a structured assessment is significantly cheaper than discovering a compliance gap after a regulatory inquiry.
Arjen Hendrikse advises Singapore and Southeast Asia businesses on AI governance, including EU AI Act implications for companies with EU exposure. If you are uncertain about your obligations, the AI Governance Review is a practical first step.