The EU AI Act Already Applies to Australian Businesses. Most Don't Know It Yet.

We sat down with Archie Swinyard, founder of ArchAI, to work through what the divergence between Europe and Australia actually means for the businesses caught between the two. What follows is less a compliance checklist than a way of thinking about the next three years.

The part that catches people off guard

The European Union's AI Act does not stop at Europe's borders. Its general-purpose AI obligations took effect on 2 August 2025, and a separate AI-literacy duty has applied to providers and deployers since February 2025. The broader high-risk obligations were originally scheduled for 2 August 2026. In May 2026 the Council and Parliament reached a provisional agreement to push those dates back, a change we come to shortly. The agreement still has to be formally adopted, which means the prudent move is to prepare against the obligations as written rather than to bet on the timing.

The detail most Australian businesses miss is reach. If your AI system's output is used in the EU, or your product is placed on the EU market, you are within scope. Where you are headquartered makes no difference. A Brisbane SaaS company with European users is as exposed as a firm in Frankfurt.

Archie's first piece of advice is the one businesses most often skip.

“The first thing I would tell companies is to not assume that AI vendors like OpenAI or Anthropic own all the compliance burden,” he says. “Being based in Australia doesn't automatically put you outside its scope.”

The Act defines distinct roles across the AI chain: providers, deployers, importers, distributors, product manufacturers and authorised representatives. Depending on how you use AI, you may sit in more than one. Working out where your organisation actually sits is step one, and in Archie's experience most organisations have not done it.

What just changed in Brussels

On 7 May 2026, the Council and the European Parliament reached a provisional agreement to simplify and streamline the rules. Two parts matter for businesses planning ahead. First, the co-legislators added a new prohibition, banning AI practices that generate non-consensual sexual and intimate content or child sexual abuse material. Second, the agreement sets a fixed timeline for the delayed high-risk rules: the new application dates would be 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.

It is tempting to read a delay as a reprieve. That reading is exactly the trap. The deadline moved; the obligations did not. The extra time is only an advantage for the businesses that use it to get ready, and because the agreement still needs formal adoption, building to the published standard remains the safe default.

The lesson hiding in 2018

Archie's reference point is not another piece of AI commentary. It is GDPR.

“The organisations that got ahead were the ones that used the transition period to understand their obligations, map what was happening inside their business, and put governance frameworks in place before they were required,” he says. “I think the same lesson applies to the EU AI Act.”

The businesses that struggled with GDPR were the ones that waited for regulators to clarify every detail before moving. The ones that thrived treated the transition window as the work, not the warning.

Translated to AI, the groundwork is concrete. Understand which AI systems you are actually using. Identify where you sit in the operator chain. Work out which use cases might trigger additional obligations or be classified as high risk. Then build the governance processes around them.

“Where I see companies getting it wrong,” Archie notes, “is assuming the Act only applies to European businesses or major AI developers, or treating compliance as something that can be solved with a policy document alone.”

Australia is moving fast. That is the problem.

Here is the tension we keep returning to. Europe has a binding, risk-based framework. Australia has taken a voluntary, principles-based path, with mandatory guardrails for high-risk AI still working through consultation. Meanwhile, Australian businesses are adopting AI at a remarkable rate, often without the governance scaffolding their European counterparts are being forced to build.

Archie sees the light-touch approach as a genuine double-edged sword.

“On one side, it acts as a major advantage, especially for SMEs,” he says. “Without the heavy financial and operational burden of immediate regulation, Australian businesses have a unique environment to experiment and deploy AI tools at speed.”

He points to Microsoft's Global AI Diffusion data for Q1 2026, which he reads as placing Australia ahead of both the United States and heavily regulated European economies such as Germany on AI adoption across the working-age population. Fast movers, in other words, are moving fast precisely because nothing is slowing them down.

“But that's where the other side of the sword cuts,” he says. “Because Australia's compliance landscape is mostly voluntary, this rapid rollout means companies are accumulating significant governance debt.”

Advantage, disadvantage, or delay?

Archie's answer is unambiguous. It is a delay.

“Ongoing government consultations make it clear that mandatory guardrails for high-risk AI are coming,” he says. “I expect any future Australian framework to be influenced by many of the same governance principles we see in the EU AI Act, particularly around risk management, accountability and transparency.”

The consequence is a wall that an Australian business cannot see until it hits it.

“When an Australian SME tries to scale internationally or secure global investment, they are going to hit a regulatory brick wall if they have ignored AI governance frameworks entirely,” he says.

The businesses that understand this are not treating the voluntary window as a permanent pass.

“They are leveraging the lighter touch to grow and innovate fast today, but they are voluntarily aligning their internal frameworks with global standards like the EU Act,” Archie says. “That way, they get the best of both worlds. Maximum growth right now, and total futureproofing for tomorrow.”

Why governance is becoming part of the build itself

The most far-reaching part of our conversation was about something subtler than any single deadline. Over the next three to five years, Archie expects the lines between AI governance, traditional compliance, and software development to collapse into each other.

“We are completely moving away from the era where AI governance is just an isolated, box-ticking exercise run by a legal team at the very end of a project,” he says. “Compliance is embedding itself directly into how software gets built from day one.”

He grounds this in the text of the law. Article 4 of the EU AI Act requires organisations to maintain a level of AI literacy for staff building or deploying these systems.

“The reality is that developers are making daily engineering choices around model selection, prompt engineering, or fine-tuning that carry direct legal and reputational consequences,” Archie says. “You simply cannot separate the code from the compliance anymore, and AI literacy is the only bridge between those two worlds.”

His prescription is a dual one, depending on which side of the build you sit.

If you are building AI, your developers need enough regulatory knowledge to understand the legal boundaries of their technical choices, so they can automate practices like bias testing directly into the deployment pipeline.

If you are deploying AI, you cannot assume the vendor carries all the responsibility. Your legal and risk teams need enough technical literacy to investigate vendors, set meaningful guardrails, and monitor for problems like model drift over time.

The throughline

Strip away the deadlines and what remains is a single idea, and it is the reason this organisation exists.

Responsible AI is not a document you file once the build is finished. It is something you embed from the first day of a project, and something you can prove you have embedded. That is the difference between a policy on paper and governance in practice. It is also, increasingly, the difference between a business that can scale across borders and one that cannot.

If you use AI in your organisation and you have not yet mapped where you sit in the operator chain, what systems you are actually running, and what controls you genuinely have in place, that is the groundwork to begin now. Not when the law arrives. Before it does.

With thanks to Archie Swinyard, founder of ArchAI, for the conversation. Responsible AI Australia offers certification across three tiers, Commit, Embed and Govern, along with governance frameworks, policy development, risk and compliance audits, and impact assessments aligned with the Australian AI Ethics Principles. If you would like to understand where your organisation sits and what futureproofing looks like in practice, book a free discovery call.

Frequently asked questions