Quick answer

The EU AI Act establishes three penalty tiers: up to EUR 35 million or 7% of global turnover for prohibited practices, up to EUR 15 million or 3% for most other violations, and up to EUR 7.5 million or 1% for supplying incorrect information. SMEs and startups benefit from proportionate caps.

Updated June 2026 · MmowW AI Compliance

EU AI Act Penalties: Fines Up to EUR 35 Million Explained

Three-Tier Penalty Structure

The EU AI Act (Regulation 2024/1689) establishes a graduated system of administrative fines under Article 99, designed to ensure that penalties are effective, proportionate, and dissuasive. The regulation creates three distinct tiers of penalties, each corresponding to different categories of non-compliance. This structure mirrors the approach taken by the GDPR but with significantly higher maximum amounts for the most serious violations.

The highest tier, reserved for violations of Article 5 (prohibited AI practices), carries fines of up to EUR 35 million or, if the offender is an undertaking, up to 7 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher. This tier reflects the severity with which the EU legislature views practices such as social scoring, prohibited biometric identification, subliminal manipulation, and exploitation of vulnerabilities.

The second tier applies to violations of most other substantive provisions of the regulation. This includes non-compliance with the requirements for high-risk AI systems (Articles 9 through 15), obligations of providers (Articles 16 through 22), obligations of deployers (Article 26), obligations regarding general-purpose AI models (Articles 51 through 56), and obligations of notified bodies (Articles 31 through 39). The maximum fine for this tier is EUR 15 million or 3 percent of total worldwide annual turnover, whichever is higher.

The third tier covers the supply of incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request. The maximum fine for this category is EUR 7.5 million or 1 percent of total worldwide annual turnover, whichever is higher.

Calculating the Fine Amount

Article 99(4) sets out the factors that national competent authorities must consider when deciding whether to impose an administrative fine and when determining its amount. These factors include the nature, gravity, and duration of the infringement, taking into account the purpose of the AI system, the number of affected persons, and the level of damage suffered by them.

Authorities must also consider whether other administrative fines have already been applied to the same operator by other competent authorities for the same infringement, the size, annual turnover, and market share of the operator, any previous infringements by the same operator, the degree of cooperation with the competent authority, and any action taken to mitigate the damage suffered by affected persons.

The intentional or negligent character of the infringement is relevant. Deliberate violations will generally attract higher fines than those resulting from negligence. The authority must also consider any other aggravating or mitigating factor applicable to the circumstances of the case, including any relevant financial benefits gained or losses avoided, directly or indirectly, from the infringement.

Proportionate Treatment for SMEs and Startups

The EU AI Act includes specific provisions to ensure that penalties do not disproportionately burden smaller organisations. Article 99(6) provides that when administrative fines are imposed on SMEs, including startups, the fines shall take into account their economic viability. The percentage-based calculation (7 percent, 3 percent, or 1 percent of turnover) already provides some proportionality, as smaller companies will have lower absolute fine amounts.

Additionally, the regulation recognises that a EUR 35 million fine would be disproportionate for a small enterprise. For such an enterprise, the lower of the two figures (fixed amount versus percentage of turnover) applies where the percentage calculation yields the lower number. For a company with EUR 10 million in annual revenue, a 7 percent fine would be EUR 700,000 rather than EUR 35 million.

Member states may also establish specific rules on the extent to which administrative fines may be imposed on public authorities and bodies established in that member state. This recognises that public sector organisations operate under different financial constraints and accountability mechanisms.

Enforcement Authorities and Mechanisms

Enforcement of the EU AI Act is shared between national competent authorities and the European AI Office. Each member state must designate one or more national competent authorities and one national market surveillance authority. These authorities are responsible for supervising the application and implementation of the regulation within their territory.

The European AI Office, established within the European Commission, has a specific supervisory role regarding general-purpose AI (GPAI) models. Under Article 88, the AI Office has the power to investigate GPAI model providers, request information, conduct evaluations, and ultimately request the Commission to impose fines for non-compliance with GPAI obligations.

For GPAI models, the fines are calculated differently. Under Article 101, the Commission may impose fines of up to 3 percent of annual worldwide turnover or EUR 15 million, whichever is higher, for non-compliance with GPAI obligations. For supplying incorrect or misleading information, fines of up to 1 percent of turnover or EUR 7.5 million apply.

Article 85 establishes a right for natural and legal persons to lodge a complaint with the relevant market surveillance authority if they consider that there has been a violation of the regulation. The authority must inform the complainant of the progress and outcome of the complaint within a reasonable period.

Comparison with GDPR Penalties

The EU AI Act penalty framework is deliberately modelled on the GDPR but with notable differences. The GDPR establishes two tiers: up to EUR 20 million or 4 percent of worldwide annual turnover for the most serious violations, and up to EUR 10 million or 2 percent of turnover for other violations.

The EU AI Act exceeds the GDPR on both tiers. The maximum of EUR 35 million or 7 percent of turnover for prohibited practices is 75 percent higher than the GDPR upper tier in absolute terms and nearly double in percentage terms. This reflects the EU legislature's assessment that the most dangerous AI practices can cause harm at a scale and speed that exceeds even the worst data protection violations.

| Violation Category | EU AI Act | GDPR |
|---|---|---|
| Most serious violations | EUR 35M / 7% turnover | EUR 20M / 4% turnover |
| Other violations | EUR 15M / 3% turnover | EUR 10M / 2% turnover |
| Incorrect information | EUR 7.5M / 1% turnover | Covered under general tier |

One important similarity is that both regulations calculate fines based on the total worldwide annual turnover of the undertaking, not just EU revenue. This prevents companies from minimising their exposure by restructuring their European operations. The definition of undertaking follows competition law principles, meaning that the turnover of the entire corporate group may be considered.

Under the GDPR, national data protection authorities have already demonstrated a willingness to impose substantial fines. Since the GDPR took effect in 2018, cumulative fines have exceeded EUR 4 billion, with individual penalties reaching hundreds of millions of euros. The EU AI Act is likely to follow a similar enforcement trajectory as national authorities build capacity and experience.

When Penalties Take Effect and How to Prepare

The penalty provisions apply in accordance with the phased timeline of the regulation. Fines for violations of Article 5 (prohibited practices) have been enforceable since February 2, 2025. Fines for violations of GPAI obligations will be enforceable from August 2, 2025. Fines for violations of high-risk AI system requirements and most other provisions will be enforceable from August 2, 2026.

Organisations should implement compliance programmes well before the relevant deadlines. A documented compliance effort, even if imperfect, is likely to be treated as a mitigating factor in any enforcement action. Conversely, a complete absence of compliance measures may be treated as an aggravating factor.

Key preparedness steps include establishing an AI system inventory, classifying systems by risk category, conducting gap analyses against applicable requirements, implementing documented compliance processes, training staff on their obligations, and establishing internal reporting and incident response procedures. Organisations should also consider appointing a dedicated AI compliance function, similar to the data protection officer role established under the GDPR.

Engaging with industry associations, standardisation bodies, and regulatory sandboxes established under Article 57 can also help organisations develop proportionate and effective compliance strategies while reducing regulatory risk.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.