Back to Blog
Compliance

EU AI Act Fines and Penalties: What's at Stake

January 5, 20264 min read

EU AI Act Fines and Penalties: What's at Stake

The EU AI Act introduces a three-tier fine structure tied to the severity of the violation. With the main enforcement date of August 2, 2026 now less than two months away, understanding what you are exposed to is the first step to prioritising your compliance work.

The Three Fine Tiers

Tier 1: Prohibited AI Practices — Up to €35M or 7% of Global Turnover

The highest fines apply to violations of Article 5 — the outright prohibitions. These include:

  • Deploying AI systems that manipulate people through subliminal techniques
  • Exploiting vulnerabilities of specific groups (children, elderly, people with disabilities)
  • Social scoring by public authorities
  • Real-time remote biometric identification in publicly accessible spaces (with narrow exceptions)
  • AI systems that infer sensitive attributes (race, political opinion, religion) from biometric data
  • Predictive policing based solely on profiling
  • Emotion recognition in workplaces and educational institutions
  • If your product does any of these things, the fine ceiling is €35 million or 7% of global annual turnover, whichever is higher. For a company with €100M revenue, that is €7 million.

    Tier 2: High-Risk AI Violations — Up to €15M or 3% of Global Turnover

    Missing the requirements for high-risk AI systems (Articles 9–15) triggers Tier 2 fines. The most commonly violated requirements are:

  • Article 9 — No risk management system
  • Article 10 — Inadequate data governance
  • Article 11 + Annex IV — Missing or incomplete technical documentation
  • Article 12 — No audit logging
  • Article 13 — No transparency notice to users
  • Article 14 — No human oversight mechanism
  • For a company with €10M revenue, the maximum Tier 2 fine is €300,000 — but the documentation and remediation cost of an enforcement action will likely exceed the fine itself.

    Tier 3: Incorrect Information — Up to €7.5M or 1% of Global Turnover

    The lowest tier applies to providing incorrect, incomplete, or misleading information to notified bodies or national competent authorities. This includes misrepresenting your AI system's risk level, claiming conformity assessments have been completed when they have not, or providing false data about your system's capabilities.

    ---

    Who Can Fine You

    Each EU member state must designate a national competent authority (NCA) responsible for AI Act enforcement. At EU level, the European AI Office coordinates enforcement and has direct supervisory powers over general-purpose AI models.

    In Germany, the responsible authority is expected to be a designated body under the existing Federal Network Agency framework. France has indicated the CNIL will have a role. In practice, enforcement will start with larger, higher-risk systems — but smaller companies that fall under Annex III categories are not exempt.

    ---

    Beyond the Fine: What Enforcement Actually Looks Like

    Fines are the end of an enforcement process, not the beginning. Before a fine is issued, national competent authorities can:

    Order an audit. You will be given a deadline to produce your Annex IV documentation, risk management records, and audit logs. If you cannot produce them, that is a violation in itself.

    Issue a corrective action order. You may be ordered to modify or restrict your AI system pending compliance.

    Order market withdrawal. Non-compliant AI systems can be ordered off the EU market. For a product central to your revenue, this is far more damaging than the fine.

    Publish findings. Enforcement decisions are typically made public. The reputational damage — particularly in B2B markets where your customers need to trust your compliance posture — can outlast the fine.

    ---

    The SME Consideration

    The EU AI Act includes provisions for SMEs and startups. Member states must provide them with regulatory sandboxes and simplified compliance pathways. However, reduced administrative burden does not mean exemption. If your product falls under Annex III, the substantive requirements (documentation, oversight, logging) still apply regardless of company size.

    ---

    What to Prioritise

    If you are deciding where to spend your compliance effort in the next 60 days, the answer is:

    1. Determine if your AI system is high-risk — if it is not, most of the detailed requirements do not apply

    2. If it is high-risk, produce Annex IV documentation — this is the document every enforcement action starts with

    3. Add a human oversight mechanism — Article 14 is the most commonly cited gap

    4. Enable audit logging — without logs, you cannot demonstrate compliance even if you were compliant

    Check your risk level for free →