Credits: Conjur
There is a reassuring interpretation of Regulation (EU) 2024/1689 — the AI Act [1] — circulating among Brazilian technology companies and their lawyers: “the standard is European, the authority is European, the fine is European; none of this affects me here”. The premise is not wrong. The conclusion drawn from it is.
It is true that the administrative fine under the AI Act will hardly be enforced against a company based in Brazil, without an establishment or representative in the Union. But whoever stops the reasoning at this point misses what actually transfers risk to the Brazilian supplier: not the public sanction, but the contractual obligation that the European contractor passes down the chain. The AI Act does not need to reach the Brazilian company directly. It only needs to reach its European client.
Why doesn’t the fine actually arrive?
The sanctions regime of the AI Act is set out in Article 99. It does not create a self-executing fine of global scope: it stipulates that Member States establish the rules for penalties and other enforcement measures applicable to infringements committed by operators, ensuring that they are effective, proportionate and dissuasive. The ceilings are known — up to €35 million or 7% of global annual turnover for prohibited practices; up to €15 million or 3% for breach of operator obligations; up to €7.5 million or 1.5% for providing incorrect information. But the design is for decentralized national enforcement: each Member State designates an authority, initiates proceedings and applies the sanction according to its domestic law.
Herein lies the practical limitation, and it does not stem from the absence of a rule, but from the rule that exists. A fine imposed by an administrative authority of a Member State is, under Brazilian law, a foreign decision. And, according to Article 105, I, “i”, of the Constitution, and Article 961 of the Code of Civil Procedure, no foreign decision—including a non-judicial act that, under Brazilian law, has an equivalent nature—produces effects in the national territory without prior homologation by the Superior Court of Justice. The institute theoretically allows for the homologation of foreign administrative and extrajudicial acts; the problem, for a European regulatory sanction, is surviving the preliminary review process.
There are two filters that this fine hardly passes through. The first is the sieve of public order and sovereignty (article 963, V, of the CPC; article 17 of the Lindb). In private international law, the principle prevails that a State does not lend its jurisdictional structure to execute the sanctioning claim of another—the coercive collection, in Brazil, of a penalty of a public and punitive nature imposed by a foreign authority encounters structured resistance precisely on this point. The second is subsidiary: insofar as the credit is treated as being of a fiscal or tax nature, article 961, § 4, of the CPC conditions the homologation for enforcement purposes on the existence of a treaty or promise of reciprocity. And, in the absence of a treaty or reciprocity between Brazil and the European Union that covers the enforcement of administrative sanctions of this nature, there is no basis for executive homologation.
A clarification, to avoid undue generalization: Brazil maintains bilateral agreements for legal cooperation with Member States of the Union—Spain, France, and Italy among them. However, these instruments operate in civil and commercial matters; they are not suitable for the execution of a State’s punitive administrative sanction, which remains subject to public policy scrutiny. The distinction lies in the nature of the act, not in the existence of cooperation. And this is not an accidental gap: the multilateral instruments for the recognition of foreign decisions in civil and commercial matters—such as the 2019 Hague Convention, to which the European Union has acceded [2] —specifically limit their scope to exclude administrative and fiscal matters. The type of treaty that exists does not cover regulatory sanctions by definition, not by omission. Even so, Brazil is not even a party to this convention.
There is also the underlying discussion about the extraterritorial reach of the rule. Article 2(1)(a) subjects suppliers placing systems on the Union market to the AI Act “regardless of whether they are established or located in the Union or in a third country”. Article 2(1)(c) goes further and covers suppliers and implementers located in a third country “when the result produced by the AI system is used in the Union”. This is a theory of expansive jurisdiction — and it is precisely this expansion that operators outside the Union have been contesting in principle, using the same type of sovereign objection that has already been raised against the scope of the GDPR. Being within the theoretical scope of the rule does not equate to being under its practical execution.
However, there is a limit that needs to be stated clearly—and it is this that opens up the second half of the problem. All this protection is procedural and territorial: it applies against the direct execution, in Brazil, of a European sanction. It disappears the moment the Brazilian company has assets, an establishment, or a representative in the Union. Assets reachable on European soil are executed there, by the local authority, without going through the Superior Court of Justice (STJ) and without a preliminary hearing. The protection, therefore, safeguards the purely domestic operation—not the company that has already established a foothold in Europe.
So far, therefore, the reassuring interpretation holds up, but only in part. The error lies not in the diagnosis of the fine. It lies in believing that the fine is the only risk factor—and in ignoring that the very act of entering the European supply chain is what dissolves territorial protection.
What arrives is the clause.
The AI Act was designed with the understanding that high-risk AI systems are rarely built by a single actor. There are those who provide the model, those who provide the data, those who provide the components, and those who integrate everything into a final product. To distribute responsibility along this chain, the Regulation does not rely solely on public sanction—it imposes a contract.
Article 25(4) is explicit: the supplier of a high-risk AI system and the third party supplying systems, tools, services, components or processes used or integrated into that system must, by means of a written agreement , specify the information, capabilities, technical access and other assistance necessary for the supplier of the high-risk system to comply with the obligations of the Regulation. It is not optional. It is a regulatory obligation to contract — and to contract by transferring substantive compliance duties to those upstream in the chain.
Article 25(1)(a), in turn, expressly recognizes the logic of contractual allocation of responsibility. When dealing with situations where a distributor, importer or implementer becomes considered a supplier, the provision makes an exception for “contractual arrangements that stipulate that obligations are allocated in another way”. In other words, the regulation not only admits it: it relies on the contract as an instrument for organizing responsibility.
Connect the two ends. The European contractor — a high-risk provider or implementer established in the Union — is genuinely exposed to the fine under Article 99. It has an address in the Union, competent authority over it, and reachable assets. Its rational defense is simple: to shield itself contractually, transferring to the supplier the technical and documentary obligations on which its own compliance depends . This is exactly the behavior that Article 25(4) makes mandatory and Article 25(1)(a) validates.
The result is straightforward. The Brazilian company that supplies a component, model, or service integrated into a high-risk European AI system does not receive a fine. It receives a contract. And the contract contains, translated into enforceable clauses, the obligations of the AI Act that the European client must fulfill: technical documentation, traceability, cooperation in conformity assessment, incident response, and access to information. Failure to comply with these clauses does not generate European regulatory sanctions against the Brazilian supplier—it generates contractual liability, enforceable in the jurisdiction and under the law chosen by the contract. And this jurisdiction and this law will almost always be European.
A distinction that Brazilian lawyers need to make.
There is a subtlety that changes the risk analysis on a case-by-case basis. Being covered by the scope of Article 2(1)(c) — as a supplier or implementer whose output is used in the Union — is not the same as being the component supplier subject to the written agreement of Article 25(4).
The Brazilian supplier acting as a provider of a high-risk AI system placed on the European market theoretically faces the supplier regime: designation of an authorized representative in the Union, technical documentation, conformity assessment. The figure of the authorized representative, provided for in Article 2(1)(f), exists precisely to give the European authority an interlocutor with an address in the Union — and, once designated, this representative becomes the missing point of exposure. However, a supplier that only supplies a component or service integrated into another actor’s system normally does not fall under the supplier regime: it falls under the contractual chain of Article 25(4). For most Brazilian technology companies — which supply parts, not the entire high-risk system under their own name — the relevant exposure is contractual, not directly regulatory.
This distinction is what separates panic from a correct interpretation. The risk is not a European fine falling from the sky onto a software house in Rio Grande do Sul. The risk is a supply contract that, without the supplier having read the AI Act , already includes obligations from the AI Act as a condition for maintaining the business—and whose breach authorizes termination, withholding of payment, and compensation under foreign law.
What to do with this
The practical consequence is less regulatory than commercial, and that’s where the Brazilian lawyer adds value. Some key areas:
First, reverse contractual due diligence . Before signing a supply contract with a European client operating in AI, it is necessary to map which obligations of the AI Act the contract is transferring—and whether the supplier has the technical and documentary capacity to fulfill them. A cooperation clause in conformity assessment is not boilerplate; it is an enforceable obligation.
Second, jurisdiction and applicable law. Since the exposure is contractual, the decisive point of negotiation is where and under what law these obligations will be enforced. Accepting European jurisdiction and law without pricing in the embedded compliance costs is to assume an uncompensated risk.
Third, allocation and limitation of liability. If the European client is passing on liability to shield themselves from the fine, the supplier must, symmetrically, limit their exposure to the contract value and avoid liability for regulatory sanctions that are, in origin, the client’s own responsibility.
One necessary caveat, because the text is in motion: the proposal known as Digital Omnibus on AI [3] is being processed in the Union , aimed at simplifying the implementation of the AI Act . Changes in the value chain discipline are not ruled out. In addition, the application of the Regulation is phased — the rules on high-risk systems in Article 6(1) and corresponding obligations have an application milestone in August 2027. Any contractual strategy built today should be revisited as the regulatory framework settles.
Conclusion
The question the Brazilian company is asking — “will the European fine affect me?” — is the wrong question, or at least an incomplete one. The honest answer is: probably not, at least not in a directly enforceable way. But the AI governance required by the AI Act is already arriving in Brazil through a channel that bypasses foreign authorities and transnational enforcement: the supply contract.
Those who treat the AI Act as an exclusively European concern discover the obligation too late—in the clause they’ve already signed. Those who understand that the regulation extends to contracts, and not just penalties, negotiate exposure before accepting it. AI compliance has ceased to be a distant regulatory issue and has become a commercial prerequisite for accessing the European supply chain. And commercial prerequisites are understood, negotiated, and priced—not ignored.
[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 establishing harmonised rules on artificial intelligence (Artificial Intelligence Act). EUR-Lex, CELEX 32024R1689; published in the Official Journal of the European Union. Provisions cited in this article: arts. 2, 25 and 99.
[2] Convention on the Recognition and Enforcement of Foreign Judgments in Civil and Commercial Matters (The Hague, 2019). The European Union acceded to it by means of Council Decision (EU) 2022/1206 of 12 July 2022 (OJ L 187, 14.7.2022). Brazil is not a party to the convention. Due to its focus on civil and commercial matters, the instrument excludes administrative and tax matters from its scope.
[3] Final proposal COM(2025) 836, procedure 2025/0359 (COD), concerning the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI), with processing registered until July 2026.
- Joana Faccini Salaverry is a lawyer (OAB-RS), a certified data protection officer and lead auditor in ISO standards for privacy management and artificial intelligence, founder of Infolock Data Protection Consulting, and a specialist in data governance and AI in the Brazilian and European regulatory contexts.