Updated May 2026 to reflect the enforcement timeline changes agreed by EU lawmakers on 7 May 2026.
The EU AI Act entered into force in August 2024. Businesses headquartered outside the European Union often assume that it does not apply to them. For many Singapore SMEs, that assumption is wrong, but the urgency of the compliance timeline has shifted materially since this article was first published.
This article explains what the EU AI Act requires, which Singapore businesses it is likely to apply to, where the enforcement deadlines now stand, and what the practical implications are for a small or mid-market company that does not have a dedicated legal team to interpret European regulation.
What the EU AI Act is
The EU AI Act is the first comprehensive legal framework for AI anywhere in the world. It entered into force on 1 August 2024, but its obligations apply in phases across several years rather than all at once. It classifies AI systems by risk level and imposes obligations on both providers (organisations that build AI systems) and deployers (organisations that use AI systems in their operations).
The risk classification system has four tiers. Unacceptable-risk AI is prohibited outright. High-risk AI, which includes AI used in employment decisions, credit assessment, healthcare, critical infrastructure, and educational assessment, faces the most demanding requirements. Limited-risk AI requires transparency disclosures. Minimal-risk AI has no specific obligations.
Most Singapore SMEs using off-the-shelf AI tools are deployers, not providers. Deployers of high-risk AI systems have their own set of obligations that are distinct from the provider obligations.
Where enforcement actually stands
The enforcement timeline has changed significantly. On 7 May 2026, EU lawmakers reached political agreement on the Digital AI Omnibus, which defers the compliance deadlines for high-risk AI systems. The agreement is still subject to formal adoption, but the direction is clear.
Under the revised timeline:
- Prohibited AI practices have been enforceable since February 2025. Social scoring, subliminal manipulation, and real-time biometric surveillance in public spaces are already banned.
- General-purpose AI model obligations have applied since August 2025.
- Annex III high-risk AI systems (including employment, recruitment, credit, and educational AI) now have a compliance deadline of 2 December 2027, a 16-month postponement from the original August 2026 date.
- Annex I systems (AI embedded in regulated products such as medical devices and machinery) face a deadline of 2 August 2028.
For most Singapore SMEs, the Annex III deadline is the relevant one. If you use AI in hiring, performance assessment, credit evaluation, or educational contexts and that activity touches EU users, December 2027 is now your working deadline.
The delay is real, but it does not change the underlying obligations. It provides time to build compliance properly, not a reason to defer the assessment of whether you are in scope.
The extraterritorial question
The EU AI Act applies to AI systems that are placed on the market in the EU, put into service in the EU, or whose outputs are used in the EU. It also applies to providers and deployers located outside the EU when their AI system’s output is used within the EU.
This is the extraterritorial provision that catches Singapore businesses by surprise.
If you are a Singapore-based company that:
- Has customers or users in the EU whose interactions involve AI systems
- Operates through a subsidiary, partner, or distribution arrangement in an EU country
- Provides services to EU businesses that use your AI systems in their operations
- Has employees or contractors in the EU who use your AI systems in their work
…then the EU AI Act may apply to some or all of your AI deployments.
The question is not where your company is headquartered. The question is where the output of your AI systems is used.
What Singapore SMEs most need to check
For SMEs, the most practical starting points are:
Do any of your AI systems fall into the high-risk category? The Act’s Annex III lists the high-risk AI use cases specifically. Employment and HR AI is on the list. Credit and insurance AI is on the list. If you use AI to screen job applications, assess credit risk, or make educational assessments, and any of that activity touches the EU, you have high-risk AI obligations to prepare for.
What AI tools from vendors are you using, and what obligations do they place on you as a deployer? Many enterprise software tools now have AI features embedded. If those tools are used in EU-touching activities, you as the deployer may have residual obligations even when the AI is provided by a third party.
What does your vendor contract say about EU AI Act compliance? Many vendor contracts have been updated since the Act came into force. Some shift compliance obligations to the deployer. Understanding what your contracts say matters.
The overlap with Singapore’s own frameworks
One genuinely useful feature of the EU AI Act’s risk framework is that it aligns reasonably well with IMDA’s risk-tiering approach. High-risk categories in the EU framework overlap substantially with the high-risk use cases IMDA’s framework addresses.
This means that if you build genuine compliance with the IMDA Model AI Governance Framework, you are partway to EU AI Act compliance for the requirements that apply to your Singapore operations. The gap is in the specific procedural requirements the EU Act adds on top of the IMDA framework’s principles.
For a Singapore SME, the pragmatic approach is to build a governance baseline against the IMDA Framework first, then map that baseline against EU AI Act requirements for any EU-touching activity. This avoids duplicating effort while ensuring both sets of obligations are addressed.
What to do if you are uncertain
If you are uncertain whether the EU AI Act applies to your business, the first step is mapping your AI systems against the risk categories in Annex III of the Act. This does not require a lawyer. It requires an honest assessment of what your AI systems do and whether any of that activity involves EU users, customers, or operations.
If any of your systems are in the high-risk category, or if you have significant EU exposure, a professional governance assessment is worth the investment before the December 2027 deadline. The penalties under the EU AI Act are structured in three tiers:
- Prohibited AI violations: up to €35 million or 7% of global annual turnover, whichever is higher.
- High-risk and other obligation violations (including deployer obligations): up to €15 million or 3% of global annual turnover, whichever is higher.
- Providing misleading information to authorities: up to €7.5 million or 1% of global annual turnover.
For SMEs specifically, fines are calculated as the lower of the fixed euro amount or the revenue percentage. That is a meaningful distinction: for a smaller business, the percentage cap typically results in a lower fine than the fixed euro ceiling. Large enterprises face the higher of the two figures.
For most Singapore SMEs, the more common situation is a modest amount of EU exposure and genuine uncertainty about which obligations apply. The extended timeline makes it possible to resolve that uncertainty properly. The right time to do the assessment is now, not in late 2027 when compliance deadlines are approaching and advisory capacity will be stretched.
Arjen Hendrikse advises Singapore and Southeast Asia businesses on AI governance, including EU AI Act implications for companies with EU exposure.