EU AI Act Fines and Enforcement: What's at Stake

AI Comply HQ Team

Let us be blunt about what this is. The EU AI Act is not a set of friendly guidelines you can get to next quarter. It is a regulation with binding legal force across all 27 EU member states, and it carries a penalty regime that rivals the GDPR's and in some places goes further. Treat compliance as optional and you are betting the company on it. The fines reach 35 million EUR or 7% of annual worldwide turnover, whichever is higher.

Here is what we will walk you through: the full penalty structure, how enforcement actually works on the ground, and the concrete moves you can make to shrink your exposure before the August 2, 2026 deadline lands.

The Three-Tier Penalty Structure

Article 99 sets out a graduated penalty framework. The fine you face scales with how serious the violation is, and the Act sorts those violations into three tiers.

Tier 1: Prohibited Practice Violations, Up to 35 Million EUR or 7% of Turnover

The harshest penalties hit organisations that build or deploy AI systems crossing the Article 5 prohibitions. These cover:

  • Social scoring systems
  • Subliminal manipulation techniques
  • Systems that exploit vulnerabilities of specific groups
  • Untargeted facial image scraping for building biometric databases
  • Emotion recognition in workplaces and educational institutions
  • Biometric categorisation based on sensitive attributes
  • Predictive policing based solely on profiling
  • Real-time remote biometric identification in public spaces (outside narrow exceptions)

The maximum fine for prohibited practice violations is 35 million EUR or 7% of the preceding financial year's total worldwide annual turnover, whichever amount is higher.

Put real numbers on it. A company pulling 500 million EUR in annual revenue is looking at a maximum fine of 35 million EUR. Push revenue to 1 billion EUR and the ceiling rises with it, to 70 million EUR, since the turnover percentage now beats the fixed amount. For the largest technology companies, the ones clearing 100 billion EUR, the theoretical maximum runs into the billions.

Tier 2: High-Risk System Non-Compliance, Up to 15 Million EUR or 3% of Turnover

The second tier catches violations of the operator obligations for high-risk AI systems (Article 99(4)). For a provider, that means non-compliance with the Article 16 duties, which pull in the Section 2 requirements:

  • Risk management (Article 9)
  • Data governance (Article 10)
  • Technical documentation and record-keeping (Articles 11 and 12)
  • Transparency and instructions for use (Article 13)
  • Human oversight (Article 14)
  • Accuracy, robustness, and cybersecurity (Article 15)
  • Conformity assessment (Article 43)
  • Registration in the EU database (Article 49; the database itself is established under Article 71)
  • Post-market monitoring (Article 72)

The same tier also covers the obligations of deployers (Article 26), importers, distributors and authorised representatives, and the Article 50 transparency obligations (disclosing chatbots, labelling synthetic and deepfake content). You do not have to be the provider of a high-risk system to land here.

The maximum fine is 15 million EUR or 3% of total worldwide annual turnover, whichever is higher.

For most organisations, this is where the broadest exposure sits. Every gap in your high-risk system compliance programme is a potential violation: missing documentation, thin human oversight, weak data governance. They all count.

Tier 3: Information Violations, Up to 7.5 Million EUR or 1.5% of Turnover

The third tier is about what you tell the regulators. It covers supplying incorrect, incomplete, or misleading information to national competent authorities and notified bodies, including:

  • Providing false information during a conformity assessment
  • Failing to supply requested documentation during a market surveillance investigation
  • Providing misleading information in the EU database registration
  • Failing to report serious incidents as required

The maximum fine is 7.5 million EUR or 1.5% of total worldwide annual turnover, whichever is higher.

The amounts are lower than the first two tiers, but do not relax. This category is quietly dangerous because any interaction with regulators can trigger it. That incomplete documentation you filed away as a minor gap? It becomes a tier 3 violation the moment you hand it to an authority.

SME and Startup Provisions

The Act does account for size. Article 99(6) recognises that the standard fine ceilings could be existentially disproportionate for smaller organisations. For SMEs, including startups:

  • Each fine ceiling described above becomes the lower of the two amounts (the fixed amount or the turnover percentage) rather than the higher
  • When setting the actual amount, authorities must take the operator's size, annual turnover and market share into account, alongside the gravity and duration of the infringement, any corrective action taken, and whether the breach was intentional or negligent (Article 99(7))
  • The Act repeatedly directs Member States and the Commission to keep compliance burdens proportionate for SMEs (Article 62)

That is meaningful protection. It does not erase the risk. For a startup with 2 million EUR in revenue, the tier 3 ceiling drops from 7.5 million EUR to 30,000 EUR (1.5% of turnover), but the ceiling is only the fine. The other consequences described below, a withdrawal order or a public corrective measure, do not scale down with company size.

How Enforcement Will Work

National Competent Authorities

Each EU member state must designate one or more national competent authorities to oversee AI Act enforcement within their jurisdiction (Article 70). These authorities are responsible for:

  • Market surveillance: Monitoring AI systems placed on the market or put into service
  • Complaints handling: Receiving and investigating complaints from individuals and organisations
  • Inspections: Conducting audits and inspections of AI system providers and deployers
  • Corrective actions: Ordering organisations to bring AI systems into compliance, withdraw them from the market, or recall them
  • Imposing fines: Setting and collecting administrative penalties

Several member states have already designated or started building out their national authorities. If you operate across multiple EU markets, plan to engage with the authority in every member state where your systems are deployed. There is no single front desk.

The European AI Office

The European AI Office, established within the European Commission, serves as the central coordinating body for AI Act enforcement. Its responsibilities include:

  • Supervising general-purpose AI (GPAI) models and their providers (the AI Office is the primary enforcement authority for GPAI)
  • Coordinating enforcement actions across member states
  • Developing codes of practice, guidelines, and implementing regulations
  • Managing the EU database of high-risk AI systems
  • Supporting national authorities with technical expertise

The Commission, acting through the AI Office, holds direct enforcement powers over GPAI model violations and can impose fines of up to 15 million EUR or 3% of global turnover on GPAI providers (Article 101). Note the timing: the GPAI obligations themselves apply from August 2, 2025, but Article 101 is carved out of that date and the Commission's fining power only applies from August 2, 2026.

The European Artificial Intelligence Board

The European Artificial Intelligence Board advises and assists the Commission and member states in consistent application of the AI Act. The Board does not impose fines itself, but it shapes how everyone else does, by:

  • Harmonising enforcement approaches across member states
  • Issuing opinions and recommendations on classification questions
  • Contributing to the development of standards and benchmarks

Enforcement Timeline

Enforcement does not switch on all at once. It is staggered, so different obligations come into force at different moments:

  • February 2, 2025: Prohibited practices (Article 5) and the AI literacy duty (Article 4) apply. The Article 99 penalty provisions themselves apply from August 2, 2025, so a prohibited system running today is a violation that national authorities can already fine.
  • August 2, 2025: GPAI model obligations (Chapter V) apply to providers of general-purpose AI models. The national penalty regime (Chapter XII, except Article 101) applies from this date.
  • August 2, 2026: Full high-risk AI system obligations for the Annex III use cases and the Article 50 transparency obligations apply, the broadest set of requirements in the Act. The Commission's power to fine GPAI providers (Article 101) also applies from this date.
  • August 2, 2027: High-risk AI systems that are safety components of products covered by the Annex I Union harmonisation legislation (Article 6(1)).

Read that first entry again. The prohibited practices provisions are already in force. If your organisation is still running a prohibited AI system, you are not facing a future risk: you are already exposed to tier 1 penalties.

Beyond Fines: The Full Spectrum of Consequences

Fines get all the headlines. They are not the only enforcement mechanism, and for some businesses they are not even the worst one. Non-compliance opens you up to a stack of additional consequences.

Market Withdrawal and Recall

National competent authorities can order providers to withdraw non-compliant AI systems from the EU market or recall systems already deployed. For organisations whose AI systems are central to their products or services, a withdrawal order can be more damaging than a fine.

Injunctive Relief

Authorities can order organisations to cease deploying or making available non-compliant AI systems. This can shut down business operations that depend on those systems.

Reputational Damage

The EU database of high-risk AI systems is publicly accessible. Non-compliance actions, including fines and corrective measures, will become matters of public record. In regulated industries (finance, healthcare, critical infrastructure), a compliance failure can trigger customer attrition, loss of partnerships, and difficulty attracting investment.

Contractual and Liability Exposure

Non-compliance with the AI Act can create exposure under existing contract law and product liability frameworks. Clients, partners, and affected individuals may pursue private claims on top of the regulatory penalties.

Board and Officer Liability

While the AI Act primarily targets organisations rather than individuals, member state implementing measures and existing national laws on corporate governance may create personal liability for directors and officers who knowingly permit non-compliance.

How to Minimise Your Exposure

1. Start With a Risk Classification

You cannot quantify your exposure without knowing which of your AI systems are high-risk. Conduct a thorough risk assessment as described in our risk assessment guide.

2. Prioritise Prohibited Practice Screening

Tier 1 is where the ceiling sits highest (35 million EUR / 7% of turnover), so prohibited practice violations carry the most exposure per system. Screen every AI system in your inventory against the Article 5 prohibitions, and do it now.

3. Document Everything

Documentation failures are uniquely dangerous. They turn a system that might be compliant into one that is demonstrably not. You cannot prove compliance without the paperwork, and regulators will not take your word for it.

4. Implement a Compliance Management System

Ad-hoc compliance efforts are fragile. Establish a systematic compliance management programme that includes:

  • A central AI system register
  • Assigned compliance owners for each system
  • Defined review and re-assessment schedules
  • Incident reporting procedures
  • Documentation templates and standards
  • Training programmes for staff involved in AI system development and deployment

5. Get a Legal Opinion on Boundary Cases

If a system sits near a classification boundary (for example, a recruitment tool that you argue is not high-risk under the Article 6(3) derogation because it performs only a narrow procedural or preparatory task), get a formal legal opinion and record the reasoning: Article 6(4) requires you to document that assessment before placing the system on the market, and to produce it on request. The cost of legal advice is trivial compared to the cost of a wrong classification that is later challenged by a regulator.

6. Build Compliance Into Development

Retrofitting compliance onto an existing system is expensive and often inadequate. Integrate compliance requirements into your AI development lifecycle from the beginning: privacy by design, documentation by design, human oversight by design.

The Cost of Inaction

Run the maths yourself. A mid-size technology company with 200 million EUR in annual revenue that fails the high-risk AI system requirements faces a maximum fine of 15 million EUR: 3% of turnover would only be 6 million EUR, so the fixed amount is the higher of the two and sets the ceiling. A full compliance programme (risk assessment, documentation, process changes, training) usually costs a fraction of that.

The question is not whether you can afford to comply. It is whether you can afford not to.

Assess Your Compliance Today

We built AI Comply HQ to make all of this manageable instead of frightening. Our platform automates the same compliance workflow this article walks through:

  • Risk classification: determine your penalty exposure by identifying which of your AI systems are high-risk
  • Gap analysis: see exactly where you fall short of requirements, and what that exposure means
  • Action planning: get prioritised steps to close compliance gaps before the August 2, 2026 deadline
  • Audit-ready reporting: generate documentation that demonstrates your compliance efforts to regulators

It guides you through a structured compliance interview in plain language, one question at a time. No legal background required.

Start your free 7-day trial and quantify your compliance exposure today.

The August 2, 2026 deadline is not moving. The prohibition provisions are already in force. Start today, and let us help you find out exactly where you stand.

Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.
