EU AI Act: What It Means for Caribbean Businesses
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. Most provisions apply from August 2026, with prohibited AI practices already applicable from February 2025. Caribbean businesses that assume this regulation is a European problem are taking a risk they may not have priced accurately. The Act's extraterritorial scope is broad. If your organisation uses AI systems from EU-based vendors, sells products or services to EU customers, or has EU-based employees, compliance obligations may already apply to you.
The Extraterritorial Reach That Caribbean Organisations Are Underestimating
The EU AI Act follows the same extraterritorial logic as the GDPR. Article 2 of the Act specifies that it applies to providers of AI systems placed on the EU market and to deployers of AI systems who are established in the EU or whose AI system outputs affect persons in the EU. That last clause is the one Caribbean organisations need to read carefully.
A Jamaican financial services company that uses a US-built AI credit scoring tool, where that tool was trained on EU data or is also deployed in the EU by its vendor, may be operating an AI system whose outputs affect EU persons. A Barbadian hospitality group with European booking customers, using AI-powered pricing optimisation from a Dutch vendor, may qualify as a deployer under the Act's definition. A Trinidad-based insurance company that uses an AI claims processing system sold by a French insurtech operates within a supply chain that is clearly subject to the Act.
The practical implication is this: Caribbean organisations cannot assume the Act does not apply simply because they are not incorporated in Europe. The question is whether any element of the AI system's lifecycle, from development to deployment to output, touches the EU market or EU persons.
How the EU AI Act Classifies AI Systems
The Act uses a four-tier risk classification system. Understanding which tier your AI tools fall into determines what your obligations are.
Prohibited AI practices are banned outright from 2 February 2025. These include AI systems that use subliminal techniques to manipulate behaviour below conscious awareness, AI that exploits vulnerabilities of specific groups based on age, disability, or social situation, biometric categorisation systems that infer race, political opinion, or religion from physical characteristics, and AI social scoring by public authorities. These prohibitions apply regardless of where the deployer is based, if the system operates on EU persons.
High-risk AI systems carry the heaviest compliance burden. The Act defines high-risk systems across eight categories: biometric identification and categorisation, management of critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (including credit scoring), law enforcement, migration and border control, and administration of justice. For Caribbean financial services organisations, the credit scoring and fraud detection categories are directly relevant. High-risk systems must meet requirements for data governance, technical documentation, transparency, human oversight, accuracy, resilience, and cybersecurity before they can be placed on the EU market.
Limited-risk AI systems face transparency obligations only. Chatbots and AI-generated content must be disclosed as AI to users. For Caribbean businesses using AI customer service tools, this transparency requirement applies when those tools interact with EU customers.
Minimal-risk AI systems (spam filters, AI-enabled video games, and most productivity tools) face no mandatory requirements under the Act, though voluntary codes of practice may apply.
What This Means for Caribbean Financial Services
Caribbean financial institutions are the highest-exposure category. Credit scoring, loan decisioning, fraud detection, and anti-money laundering tools all fall within the Act's high-risk category under Annex III, Section 5, which covers AI systems intended to evaluate creditworthiness or establish credit scores. If a Caribbean bank deploys such a system and any element of that deployment touches the EU, either through the vendor, the data, or the customer, the full suite of high-risk requirements may apply.
The most consequential requirements for Caribbean banks and credit unions are the data governance provisions under Article 10 and the transparency and human oversight requirements under Articles 13 and 14. Article 10 requires that training, validation, and test datasets for high-risk AI systems be subject to appropriate data governance practices, including examination for biases. Article 13 requires that high-risk systems be designed to allow deployers to understand what the system does and how it performs. Article 14 requires human oversight measures that allow persons to understand, monitor, and, where necessary, correct AI outputs.
These requirements are consistent with what good risk management practice already demands. The difference is that under the EU AI Act, failure to meet them carries penalties. For providers, fines can reach 30 million euros or 6% of global annual turnover, whichever is higher, for prohibited practices. For other violations, the ceiling is 15 million euros or 3% of turnover. For deployers who are not the system's original provider, obligations are lower but still enforceable.
Vendor Management as the Primary Compliance Mechanism for Caribbean Businesses
Most Caribbean organisations are deployers rather than providers. They buy AI systems from vendors rather than building their own. This distinction matters for compliance. Under the Act, providers (those who develop and market AI systems) carry the heavier burden of technical documentation, conformity assessment, and CE marking. Deployers carry obligations around appropriate use, human oversight, monitoring, and transparency to users.
For Caribbean businesses in the deployer category, the practical compliance path runs through vendor management. The Act creates obligations that flow through the supply chain. Providers must give deployers all information necessary for deployers to meet their obligations. Caribbean organisations should therefore:
Request EU AI Act conformity documentation from all EU-based AI vendors. This includes technical documentation under Annex IV, information about the AI system's intended purpose, performance metrics, known limitations, and data governance practices.
Ask each EU AI vendor whether their product is classified as high-risk under Annex III. If yes, request evidence of conformity assessment and registration in the EU database of high-risk AI systems.
Review vendor contracts for AI Act compliance clauses. EU vendors selling to Caribbean clients should be updating their standard contracts to include provisions on cooperation for compliance, notification of material changes to the AI system, and allocation of liability for Act violations.
Caribbean organisations that do not update their vendor management processes before August 2026 will be operating blind on a compliance obligation that is already in the calendar.
The Compliance Timeline Caribbean Organisations Should Be Working To
The Act's phased implementation gives Caribbean organisations time, but not unlimited time. Prohibited AI practices became applicable on 2 February 2025. GPAI (general purpose AI) model obligations apply from 2 August 2025. High-risk AI system obligations under the main body of the Act apply from 2 August 2026. High-risk AI systems in Annex I (existing product safety regulation) have until 2 August 2027.
A Caribbean organisation with EU exposure should be working to a three-phase programme:
Phase 1 (now to August 2025) means completing an AI inventory and identifying all systems with potential EU Act relevance, contacting EU vendors to request conformity documentation, and confirming no prohibited AI practices are in use.
Phase 2 (August 2025 to February 2026) means completing risk classification of all AI tools against the Annex III high-risk categories, reviewing and updating vendor contracts, and establishing human oversight processes for any high-risk applications.
Phase 3 (February to August 2026) means completing any remaining conformity steps for high-risk applications and ensuring monitoring and documentation systems are operational before the full obligations activate.
Frequently Asked Questions
Does the EU AI Act apply to businesses based in Jamaica or Trinidad and Tobago?
It can. The EU AI Act applies to organisations that place AI systems on the EU market, use AI systems to serve EU customers, or whose AI system outputs affect persons in the EU. Caribbean businesses with EU vendor relationships, EU customers, or EU-based employees in any AI-related role should conduct an exposure assessment to determine whether Act obligations apply to them. The safe assumption is to treat EU-sourced AI tools as carrying Act-related obligations until a formal assessment says otherwise.
What are prohibited AI practices under the EU AI Act and do any apply to the Caribbean?
Prohibited AI practices include: AI using subliminal manipulation techniques, AI exploiting vulnerabilities of protected groups, biometric categorisation systems that infer sensitive characteristics, and government AI social scoring. These prohibitions have been in effect since 2 February 2025 and apply globally to any AI system operating on EU persons. Caribbean organisations using any system that could fit these descriptions, particularly AI tools from EU vendors deployed in customer-facing contexts, should confirm with their vendor that the tool does not constitute a prohibited practice.
What is a high-risk AI system under the EU AI Act?
The Act defines high-risk AI systems across eight categories listed in Annex III. The categories most relevant to Caribbean businesses are: AI used in credit scoring and creditworthiness assessment, AI used in recruitment or employment decisions, AI used for fraud detection in financial services, and AI used in essential public services. Any Caribbean financial institution using AI-assisted credit decisioning, loan processing, or fraud flagging should assume their tool falls in the high-risk category and assess accordingly.
What documentation should Caribbean businesses request from EU AI vendors?
Caribbean businesses using EU-based AI vendors should request: confirmation of the AI system's risk classification under Annex III; technical documentation as required under Annex IV (for high-risk systems); evidence of conformity assessment or self-assessment; EU database registration number for high-risk systems; information about known limitations and performance metrics; and the vendor's process for notifying clients of material changes to the AI model. Vendors that cannot provide this documentation are a compliance risk.
What are the penalties under the EU AI Act for non-compliance?
Fines for violating prohibited AI practices can reach 35 million euros or 7% of global annual turnover. For other violations of the Act, fines reach 15 million euros or 3% of global annual turnover. For providing incorrect or misleading information to authorities, the ceiling is 7.5 million euros or 1% of turnover. These penalties apply to organisations subject to the Act's jurisdiction, which can include non-EU deployers when their systems affect EU persons.
How does the EU AI Act relate to GDPR for Caribbean businesses?
The EU AI Act and GDPR overlap significantly for AI systems that process personal data. Most high-risk AI systems will process personal data and will therefore be subject to both frameworks simultaneously. The two frameworks are designed to complement rather than conflict, but they impose distinct obligations. GDPR governs the lawfulness, fairness, and transparency of personal data processing. The EU AI Act governs the design, development, deployment, and oversight of AI systems. Caribbean organisations with GDPR obligations (typically those handling EU residents' personal data) should treat EU AI Act compliance as a parallel exercise, not a replacement.
Is there a Caribbean equivalent of the EU AI Act?
No Caribbean government has yet enacted standalone AI-specific legislation. The CARICOM Secretariat and the Caribbean Telecommunications Union have published policy roadmaps signalling intent, but enacted law remains absent as of early 2025. This means Caribbean organisations cannot look to domestic AI law for compliance benchmarks. The most practical approach is to adopt the NIST AI Risk Management Framework as a structural baseline, comply with existing domestic data protection and consumer protection law, and apply EU AI Act standards where EU exposure exists.
When do EU AI Act obligations apply to high-risk AI systems?
High-risk AI system obligations under the main body of the EU AI Act apply from 2 August 2026. Prohibited AI practices have applied since 2 February 2025. General purpose AI model obligations apply from 2 August 2025. High-risk systems covered by existing EU product safety legislation have until 2 August 2027. Caribbean organisations with EU exposure should be running their compliance preparation now, not in 2026, to avoid compressed timelines and inadequate vendor negotiations.
Compliance Is Not Optional for Businesses With EU Exposure
Caribbean organisations have a window before the full obligations of the EU AI Act activate. That window is being used inconsistently. Some regional financial institutions are already requesting EU AI Act documentation from their vendors. Many are not. The difference will show in 2026, when the high-risk system requirements come into force and organisations that have not prepared will face a choice between rapid remediation, renegotiating vendor contracts under time pressure, and accepting exposure on a regulation that affects their European business relationships.
The EU AI Act is not the last regulation of its kind. The UK AI regulation consultation is ongoing. Several US states have enacted or proposed AI-specific rules. Caribbean organisations that treat the EU AI Act as a one-time compliance task will find themselves running the same process again within three years. The more durable investment is building an AI governance programme that can absorb new regulatory requirements as they arrive, rather than responding to each one from scratch.