ARTICLE
10 July 2026

Compliance And Enforcement In Global AI Regulation: EU AI Act Risks And International Regulatory Challenges

FL
Foley & Lardner

Contributor

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
The EU AI Act establishes the world's first comprehensive AI regulation, classifying systems by risk and imposing strict compliance obligations on manufacturers developing or deploying AI in European markets. With penalties reaching up to 7% of global revenue and fragmented regulations across the U.S., China, and other jurisdictions, manufacturers face immediate contractual and governance challenges. How should multinational manufacturers navigate conflicting AI compliance requirements while managing vendor
Worldwide Strategy
Vanessa L. Miller’s articles from Foley & Lardner are most popular:
  • in United States
Foley & Lardner are most popular:
  • within Wealth Management topic(s)

Key Takeaways:

  • The EU AI Act is the world’s first comprehensive AI regulation. It classifies AI systems by risk level and imposes compliance obligations on companies that develop or deploy AI. Although anticipated legislative changes would extend key deadlines to late 2027 and 2028, foundational requirements are already in force. Manufacturers should use the additional time to build compliance infrastructure now.
  • Global AI regulation is fragmented and evolving rapidly. The EU mandates conformity assessments with penalties up to 7% of global revenue. The U.S. relies primarily on voluntary frameworks. China imposes algorithm registration and content labeling rules. No single compliance approach satisfies all regimes simultaneously.
  • Regulatory compliance for AI is a contractual and governance priority, not merely a technology problem. Vendor agreements and internal oversight structures must be designed to satisfy the most demanding applicable regime.

Governments worldwide are moving to regulate artificial intelligence (AI), and manufacturers are directly affected. The EU AI Act, which entered into force in August 2024, establishes binding obligations on companies that develop or deploy AI systems in European markets. The United States, China, and other major economies are advancing their own approaches, often with conflicting requirements. For manufacturers operating across borders, the practical consequences are immediate: the same AI system may be classified differently in each jurisdiction, triggering different compliance obligations and enforcement risks.

1. Compliance Obligations under the EU AI Act for High-Risk Systems

The EU AI Act classifies AI systems into four risk tiers: unacceptable (prohibited), high-risk (strictly regulated), limited risk (transparency obligations), and minimal risk (no specific obligations). For manufacturers, the high-risk classification triggers significant compliance requirements. AI used as a safety component in machinery, AI integrated into products requiring CE marking, and AI in critical infrastructure typically qualify as high-risk.

Importantly, most industrial AI applications, including production optimization, anomaly detection, and predictive maintenance, fall into the minimal-risk category if they do not perform direct safety functions and a human remains the final decision-maker. This “human-in-the-loop” distinction is one of the most important factors determining a manufacturer’s regulatory burden under the EU framework.

The Act also distinguishes between Providers (developers of AI) and Deployers (companies using AI from vendors). Providers must implement risk management systems, maintain technical documentation, and conduct conformity assessments. Deployers, which includes most manufacturers purchasing AI software, must ensure the AI is used as intended, maintain qualified oversight personnel, and monitor operations. Manufacturers should contractually require vendors to provide conformity documentation. See our prior article regarding other tips and strategies for manufacturers negotiating AI vendor contracts.

A May 2026 legislative agreement (the Digital Omnibus) proposes to extend key compliance deadlines: high-risk standalone systems to December 2027, and AI embedded in regulated products to August 2028. For machinery manufacturers specifically, the agreement proposes to exempt the EU Machinery Regulation from direct AI Act applicability; AI requirements will instead be layered into existing machinery safety rules. However, AI literacy requirements and prohibited practices have been in force since February 2025 and remain in effect.

2. Navigating Global AI Regulations for Manufacturing and Supply Chain

Beyond the EU, manufacturers face a fragmented global landscape. The United States has no comprehensive federal AI law. The current administration favors a pro-innovation approach and has sought to preempt state-level AI regulations, but 48 state laws currently create a patchwork of obligations. The National Institute for Standards and Technology (NIST) AI Risk Management Framework (AI RMF) remains the primary voluntary governance standard for U.S. companies.

China takes a different approach: mandatory AI content labeling, national security standards, and sector-specific rules affecting automotive supply chains. The UK pursues a lighter-touch, sector-based approach without comprehensive legislation.

For multinational manufacturers, ISO/IEC 42001, the first international standard for AI management systems, provides a useful operational framework that can bridge divergent national requirements. The NIST AI RMF serves as a complementary technical resource. These voluntary frameworks help structure internal governance and vendor management, though they do not eliminate the obligation to comply with each jurisdiction’s specific rules.

3. Enforcement Trends and Penalties in International AI Regulation

The EU AI Act’s penalties exceed the General Data Protection Regulation’s already significant 4% maximum. Violations of prohibited practices face fines of €35 million or 7% of global annual turnover (whichever is higher) under the EU AI Act. Other high-risk violations carry penalties of €15 million or 3% of turnover. For a manufacturer with €10 billion in annual revenue, a single prohibited-practice violation could mean up to a €700 million fine.

In the U.S., enforcement operates through existing regulatory powers: the FTC may pursue unfair or deceptive AI practices, while state laws create additional liability channels. China’s enforcement leverages cybersecurity and data security laws with consequences including fines, service suspension, or even criminal referral.

For manufacturers, a single AI vendor failure could trigger regulatory exposure in multiple jurisdictions simultaneously. Technology may explain why a decision was made, but it will not excuse the consequences.

4. Managing Compliance Risks in Manufacturing and Supply Chain AI Applications

Manufacturers should take the following steps to address compliance risks:

  1. Conduct an AI inventory. Map every AI system by purpose, data access, autonomy level, and applicable jurisdictions.
  2. Demand vendor compliance documentation. Require technical documentation, conformity declarations, and contractual representations about risk classification from AI vendors.
  3. Design governance for the most demanding regime. If you operate in the EU, build to EU AI Act standards. Use ISO/IEC 42001 as an operational framework. See our prior article for additional information regarding building a scalable AI Governance Program.
  4. Negotiate contracts that allocate regulatory risk. AI vendor agreements should address conformity assessment obligations, documentation maintenance, incident reporting, and indemnification for regulatory penalties.
  5. Build human oversight into system design. The human-in-the-loop distinction is the most important factor determining whether manufacturing AI falls into high-risk or minimal-risk categories under the EU framework. Design processes that preserve meaningful human authority over safety-critical decisions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More