EU AI Act
EU AI Act Fines: What They Are and How to Actually Avoid Them
The EU AI Act's three-tier penalty structure explained in detail, with real enforcement mechanics, aggravating and mitigating factors, and a practical playbook for avoiding exposure.
June 10, 2026 · 16 min read
EU AI Act
"Up to €35M or 7% of global turnover" is the headline figure everyone quotes about the EU AI Act, but it obscures how fines are actually calculated, who decides the amount within that ceiling, and — critically — that the formula works differently for SMEs than for large enterprises. Here's the real mechanics under Article 99, and a practical playbook for staying out of scope entirely.
TL;DR
- Article 99 sets three penalty tiers: up to €35M/7% for prohibited practices, €15M/3% for high-risk and other obligations, and €7.5M/1% for supplying incorrect information to authorities.
- For large companies, the fine is whichever amount is higher between the fixed figure and the percentage of global annual turnover. For SMEs, including startups, it's whichever is lower.
- Regulators must weigh aggravating and mitigating factors: intent vs. negligence, cooperation with authorities, mitigation actions taken, and financial benefit gained from the infringement.
- Fines are enforced by national market surveillance authorities, with the EU AI Office handling general-purpose AI model obligations specifically.
- The real cost of non-compliance usually exceeds the fine itself — lost enterprise contracts, forced remediation, and reputational damage compound the direct penalty.
The Three-Tier Penalty Structure
| Tier | Violation | Maximum penalty |
|---|---|---|
| 1 | Prohibited AI practices (Article 5) | €35M or 7% of global annual turnover, whichever is higher |
| 2 | High-risk system obligations and most other requirements | €15M or 3% of global annual turnover, whichever is higher |
| 3 | Supplying incorrect, incomplete or misleading information to authorities | €7.5M or 1% of global annual turnover, whichever is higher |
How Fines Are Actually Calculated
The turnover figure is the company’s global annual turnover for the preceding financial year — not EU-only revenue. For large companies, the penalty is whichever is higher between the fixed euro amount and the percentage — meaning very large companies can face fines well above the headline €35M figure once 7% of global turnover is calculated.
The SME Exception Almost Nobody Mentions
For SMEs, including startups, Article 99 flips the formula: the fine is whichever amount is lower between the fixed figure and the percentage, not higher. A small company with €2M in annual turnover facing a Tier 1 violation would face up to 7% of that turnover (€140,000) — not the €35M ceiling designed for large enterprises.
The law explicitly requires penalties to be “effective, proportionate and dissuasive,” while taking into account the interests of SMEs, including their economic viability — this SME provision is how that principle is implemented in the actual fine calculation.
Who Can Actually Be Fined
| Role | Exposure |
|---|---|
| Providers | Full exposure across all three tiers for their own compliance failures |
| Deployers | Exposure primarily for deployer-specific obligations (oversight, monitoring, incident reporting) |
| Importers & distributors | Exposure for failing to verify a system's compliance before placing it on the EU market |
| Authorized representatives | Exposure for failing their designated compliance duties on behalf of a non-EU provider |
Aggravating and Mitigating Factors Regulators Must Weigh
- The nature, gravity and duration of the infringement and its consequences
- Whether the infringement was intentional or negligent
- Actions taken to mitigate the damage suffered
- The degree of responsibility, considering technical and organizational measures implemented
- The degree of cooperation with competent authorities
- Any previous infringements by the same operator
- Financial benefits gained or losses avoided from the infringement
Who Actually Enforces This
Most enforcement runs through national market surveillance authorities in each EU member state, who investigate complaints and conduct their own monitoring. The EU AI Office handles enforcement specifically for general-purpose AI model obligations at the EU level, given that GPAI providers often operate across multiple member states simultaneously.
The Real Cost Beyond the Fine Itself
For most companies, the direct fine is not the largest cost of a compliance failure. Losing enterprise customers who require compliance attestations, being forced into expedited remediation under regulatory scrutiny, and the reputational damage of a public enforcement action typically outweigh the penalty amount — especially for the SME tier, where fines are proportionate but customer and reputational consequences are not.
A Practical Playbook for Avoiding Exposure
- Classify every AI system correctly — misclassifying a high-risk system as limited or minimal risk is one of the most common paths to Tier 2 exposure.
- Never claim the Article 6(3) high-risk carve-out without a documented assessment — an undocumented claim is treated as a compliance gap, not a valid exemption.
- Respond to regulator information requests accurately and promptly — Tier 3 exposure comes specifically from incorrect or misleading information, which is often avoidable with a clear internal process for authority requests.
- Document mitigating actions as you take them — cooperation and mitigation are explicit factors regulators must weigh, so a paper trail matters if an investigation happens.
- If you're an SME, confirm your turnover classification is accurate and documented — it directly determines which fine formula applies to you.
How This Interacts With the Digital Omnibus Delay
The penalty structure under Article 99 is separate from the high-risk deadline delay currently working through EU institutions. Even if high-risk deadlines move to December 2027 as proposed, the fine structure itself isn't what's being delayed — only the date obligations become enforceable. See EU AI Act Deadlines in 2026 and 2027 for the full status of that delay.
Where Unorma Fits
Reduce misclassification risk
Primary Sources
- EUR-Lex — Regulation (EU) 2024/1689, Article 99
- European Commission — Regulatory framework for AI
Frequently asked questions
What's the maximum fine under the EU AI Act?
€35 million or 7% of global annual turnover, whichever is higher for large companies, for violations involving prohibited AI practices — the most serious tier.
Do SMEs face the same fines as large enterprises?
No. For SMEs, including startups, Article 99 caps fines at whichever is lower between the fixed amount and the percentage of turnover, rather than whichever is higher — resulting in proportionately smaller exposure.
Is turnover calculated based on EU revenue or global revenue?
Global annual turnover for the preceding financial year, not just EU-derived revenue — this is a common misconception that underestimates real exposure for global companies.
Can a company be fined for cooperating honestly with an investigation?
No — cooperation with authorities is an explicit mitigating factor under Article 99, weighed in the operator's favor when regulators determine the actual fine within the applicable ceiling.
Who enforces EU AI Act penalties?
Primarily national market surveillance authorities in each EU member state, with the EU AI Office handling enforcement for general-purpose AI model obligations at the EU level.
Is the fine the biggest cost of EU AI Act non-compliance?
Often not — lost enterprise contracts requiring compliance attestations, forced remediation under scrutiny, and reputational damage frequently exceed the direct financial penalty, especially for SMEs facing proportionately smaller fines.
Does the proposed Digital Omnibus delay affect the fine amounts themselves?
No — the delay under discussion affects when high-risk obligations become enforceable, not the Article 99 penalty structure itself, which remains as described here regardless of the deadline's final date.
Key terms in this article
About the author

Compliance Manager & AI Governance Consultant
Compliance Manager and consultant specializing in AI governance for high-scale technology companies operating in regulated markets.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.