The three questions that determine your regulatory exposure
Most founders know that data protection law applies if they process personal data. Fewer founders have mapped their AI features against the EU AI Act risk categories. Almost no founders have thought through how their customers' sector-specific regulatory obligations flow down to them as an AI vendor. All three matter.
Where your users are determines which data protection laws apply. GDPR applies to processing personal data of EU residents. The UK GDPR applies to UK residents. Australia's Privacy Act applies to personal data of Australians processed by organisations with Australian turnover above $3M, and to all organisations that process health data. If you have users in any of these jurisdictions, the relevant data protection law applies to your product.
What your AI does determines whether you are in EU AI Act scope and at what risk level. Annex III lists the high-risk categories: biometric identification, critical infrastructure, education, employment, essential services (credit, insurance, social benefits), law enforcement, migration, and justice. If your AI is used by customers in any of these categories, you may be a provider of high-risk AI with obligations under the EU AI Act even if you did not think of your product as "high-risk AI."
How sector regulation cascades to you
This is the piece most founders miss. If you sell to financial services companies, their AI governance obligations — set by APRA, the FCA, MAS, or the Fed — flow down to you through procurement requirements. An APRA-regulated bank buying your AI product will ask you for documentation that their prudential supervisor expects them to hold about the AI systems they use. If you cannot provide that documentation, you lose the deal. Understanding what your customers' regulators require from their AI vendors gives you a significant competitive advantage in enterprise sales to regulated sectors.
