Unorma

EU AI Act

EU AI Act Fines: What They Are and How to Actually Avoid Them

The EU AI Act's three-tier penalty structure explained in detail, with real enforcement mechanics, aggravating and mitigating factors, and a practical playbook for avoiding exposure.

Jasper Claes
Jasper Claes

June 10, 2026 · 16 min read

EU AI Act

"Up to €35M or 7% of global turnover" is the headline figure everyone quotes about the EU AI Act, but it obscures how fines are actually calculated, who decides the amount within that ceiling, and — critically — that the formula works differently for SMEs than for large enterprises. Here's the real mechanics under Article 99, and a practical playbook for staying out of scope entirely.

TL;DR

  • Article 99 sets three penalty tiers: up to €35M/7% for prohibited practices, €15M/3% for high-risk and other obligations, and €7.5M/1% for supplying incorrect information to authorities.
  • For large companies, the fine is whichever amount is higher between the fixed figure and the percentage of global annual turnover. For SMEs, including startups, it's whichever is lower.
  • Regulators must weigh aggravating and mitigating factors: intent vs. negligence, cooperation with authorities, mitigation actions taken, and financial benefit gained from the infringement.
  • Fines are enforced by national market surveillance authorities, with the EU AI Office handling general-purpose AI model obligations specifically.
  • The real cost of non-compliance usually exceeds the fine itself — lost enterprise contracts, forced remediation, and reputational damage compound the direct penalty.

The Three-Tier Penalty Structure

Tier 1€35M / 7%Tier 2€15M / 3%Tier 3€7.5M / 1%Prohibited AI practicesHigh-risk & other obligationsIncorrect info to authorities
Three penalty tiers under Article 99 — the percentage is of global annual turnover, whichever amount is higher for large companies.
TierViolationMaximum penalty
1Prohibited AI practices (Article 5)€35M or 7% of global annual turnover, whichever is higher
2High-risk system obligations and most other requirements€15M or 3% of global annual turnover, whichever is higher
3Supplying incorrect, incomplete or misleading information to authorities€7.5M or 1% of global annual turnover, whichever is higher

How Fines Are Actually Calculated

The turnover figure is the company’s global annual turnover for the preceding financial year — not EU-only revenue. For large companies, the penalty is whichever is higher between the fixed euro amount and the percentage — meaning very large companies can face fines well above the headline €35M figure once 7% of global turnover is calculated.

The SME Exception Almost Nobody Mentions

For SMEs, including startups, Article 99 flips the formula: the fine is whichever amount is lower between the fixed figure and the percentage, not higher. A small company with €2M in annual turnover facing a Tier 1 violation would face up to 7% of that turnover (€140,000) — not the €35M ceiling designed for large enterprises.

Large companyMax(€35M, 7% of turnover)→ whichever is HIGHERBigger exposureSME / startupMin(€35M, 7% of turnover)→ whichever is LOWERProportionate exposure
The same Tier 1 violation, calculated for a large company vs. an SME — 'whichever is higher' flips to 'whichever is lower' for SMEs.

The law explicitly requires penalties to be “effective, proportionate and dissuasive,” while taking into account the interests of SMEs, including their economic viability — this SME provision is how that principle is implemented in the actual fine calculation.

Who Can Actually Be Fined

RoleExposure
ProvidersFull exposure across all three tiers for their own compliance failures
DeployersExposure primarily for deployer-specific obligations (oversight, monitoring, incident reporting)
Importers & distributorsExposure for failing to verify a system's compliance before placing it on the EU market
Authorized representativesExposure for failing their designated compliance duties on behalf of a non-EU provider

Aggravating and Mitigating Factors Regulators Must Weigh

  • The nature, gravity and duration of the infringement and its consequences
  • Whether the infringement was intentional or negligent
  • Actions taken to mitigate the damage suffered
  • The degree of responsibility, considering technical and organizational measures implemented
  • The degree of cooperation with competent authorities
  • Any previous infringements by the same operator
  • Financial benefits gained or losses avoided from the infringement

Who Actually Enforces This

Most enforcement runs through national market surveillance authorities in each EU member state, who investigate complaints and conduct their own monitoring. The EU AI Office handles enforcement specifically for general-purpose AI model obligations at the EU level, given that GPAI providers often operate across multiple member states simultaneously.

The Real Cost Beyond the Fine Itself

For most companies, the direct fine is not the largest cost of a compliance failure. Losing enterprise customers who require compliance attestations, being forced into expedited remediation under regulatory scrutiny, and the reputational damage of a public enforcement action typically outweigh the penalty amount — especially for the SME tier, where fines are proportionate but customer and reputational consequences are not.

A Practical Playbook for Avoiding Exposure

  1. Classify every AI system correctly — misclassifying a high-risk system as limited or minimal risk is one of the most common paths to Tier 2 exposure.
  2. Never claim the Article 6(3) high-risk carve-out without a documented assessment — an undocumented claim is treated as a compliance gap, not a valid exemption.
  3. Respond to regulator information requests accurately and promptly — Tier 3 exposure comes specifically from incorrect or misleading information, which is often avoidable with a clear internal process for authority requests.
  4. Document mitigating actions as you take them — cooperation and mitigation are explicit factors regulators must weigh, so a paper trail matters if an investigation happens.
  5. If you're an SME, confirm your turnover classification is accurate and documented — it directly determines which fine formula applies to you.

How This Interacts With the Digital Omnibus Delay

The penalty structure under Article 99 is separate from the high-risk deadline delay currently working through EU institutions. Even if high-risk deadlines move to December 2027 as proposed, the fine structure itself isn't what's being delayed — only the date obligations become enforceable. See EU AI Act Deadlines in 2026 and 2027 for the full status of that delay.

Where Unorma Fits

Reduce misclassification risk

Unorma’s AI inventory includes EU AI Act risk classification with a documented rationale for every system, and gap analysis flags exactly where obligations aren't yet met — the two most common paths to exposure. See the complete EU AI Act high-risk systems checklist for the underlying obligations.

Primary Sources

Frequently asked questions

What's the maximum fine under the EU AI Act?

€35 million or 7% of global annual turnover, whichever is higher for large companies, for violations involving prohibited AI practices — the most serious tier.

Do SMEs face the same fines as large enterprises?

No. For SMEs, including startups, Article 99 caps fines at whichever is lower between the fixed amount and the percentage of turnover, rather than whichever is higher — resulting in proportionately smaller exposure.

Is turnover calculated based on EU revenue or global revenue?

Global annual turnover for the preceding financial year, not just EU-derived revenue — this is a common misconception that underestimates real exposure for global companies.

Can a company be fined for cooperating honestly with an investigation?

No — cooperation with authorities is an explicit mitigating factor under Article 99, weighed in the operator's favor when regulators determine the actual fine within the applicable ceiling.

Who enforces EU AI Act penalties?

Primarily national market surveillance authorities in each EU member state, with the EU AI Office handling enforcement for general-purpose AI model obligations at the EU level.

Is the fine the biggest cost of EU AI Act non-compliance?

Often not — lost enterprise contracts requiring compliance attestations, forced remediation under scrutiny, and reputational damage frequently exceed the direct financial penalty, especially for SMEs facing proportionately smaller fines.

Does the proposed Digital Omnibus delay affect the fine amounts themselves?

No — the delay under discussion affects when high-risk obligations become enforceable, not the Article 99 penalty structure itself, which remains as described here regardless of the deadline's final date.

About the author

Jasper Claes
Jasper Claes

Compliance Manager & AI Governance Consultant

Compliance Manager and consultant specializing in AI governance for high-scale technology companies operating in regulated markets.

View full profile