💰 TL;DR — Read This First:
- EU AI Act fines operate on a three-tier penalty structure, with maximum fines ranging from €7.5 million to €35 million (or 1%–7% of global annual turnover, whichever is higher).
- The turnover-based calculation mirrors GDPR enforcement — meaning large companies face proportionally enormous exposure while the law scales for SMEs.
- Beyond direct fines, the real cost of non-compliance includes market exclusion, product withdrawal orders, and reputational damage that can define a company’s trajectory for years.
The headline numbers — €35 million, 7% of global turnover — are the ones that make board members sit up straight. But in my experience, boards that focus exclusively on the maximum fine miss the more important picture: the probability-adjusted cost of non-compliance, and the range of enforcement tools regulators have beyond fines.
This post breaks down the EU AI Act’s penalty structure in detail, explains how fines are actually calculated, examines how regulators are likely to approach enforcement in 2026, and quantifies the non-fine costs that may ultimately be more damaging than any financial penalty.
For the strategic governance framework that protects against these risks, see our AI Governance Framework pillar guide. For the operational compliance programme that drives readiness, read the 6-Month Readiness Checklist.
The Three-Tier Fine Structure Under Article 99
The EU AI Act’s penalty framework is established in Article 99 and operates as a three-tier system calibrated to the severity of the infringement.
| Tier | Violation Type | Maximum Fine (Absolute) | Maximum Fine (% Turnover) | SME Cap |
|---|---|---|---|---|
| Tier 1 — Highest | Article 5 prohibited practices | €35,000,000 | 7% global annual turnover | Lower of the two figures |
| Tier 2 — Significant | Non-compliance with high-risk AI obligations (Articles 8–15, 25, 26, 72) | €15,000,000 | 3% global annual turnover | Lower of the two figures |
| Tier 3 — Moderate | Supplying incorrect, incomplete, or misleading information to authorities | €7,500,000 | 1% global annual turnover | Lower of the two figures |
The key structural feature is the “whichever is higher” rule for all thresholds above SME level. For a company with €200 million in global annual turnover, the Tier 1 ceiling is not €35 million — it’s €14 million (7%). For a company with €1 billion in turnover, it’s €70 million. The absolute figure is only the floor for large enterprises.
The official penalty provisions are set out in Chapter X of the EU AI Act, available on EUR-Lex. The European AI Office’s enforcement approach guidance is available through the European Commission’s AI policy hub.
How Fines Are Actually Calculated
The regulation sets maximum fines — it does not mandate those maximums in every case. Article 99(6) requires national market surveillance authorities to consider several factors when determining the actual fine amount.
Factors That Increase the Fine
- Duration and frequency of the infringement
- Intentional or negligent nature of the infringement (deliberate violations attract higher fines)
- Number of affected persons and the severity of harm caused to them
- Systemic or widespread nature of the violation
- Prior infringements — repeat offenders face substantially higher penalties
- Failure to cooperate with enforcement authorities during investigation
Factors That Reduce the Fine
- Proactive notification of the infringement to authorities before detection
- Immediate remediation of the infringement when identified
- Active cooperation with the investigating authority
- Good-faith compliance effort — evidence of a structured compliance programme, even if incomplete
- Financial situation of the operator — particularly for SMEs
This is the most important practical point in the entire fine structure: documented compliance effort is a formal mitigating factor. A company with a complete risk management system, a Technical File that was 80% complete, and evidence of active internal compliance work is in a categorically different enforcement position from one that has done nothing. This is exactly why building a compliance programme matters even when the deadline hasn’t passed.
The Non-Fine Costs: What the Headlines Miss
Direct fines are the most visible consequence of non-compliance. In many cases, they won’t be the most damaging.
Market Access Withdrawal
Under Article 79, national market surveillance authorities can order the withdrawal of a non-compliant high-risk AI system from the market or restrict its use. For a SaaS company whose primary product is an AI system — particularly one serving EU enterprise customers — a market withdrawal order is an existential event that no fine could match in its operational impact.
Product Recall and Remediation Costs
Beyond the formal withdrawal mechanism, a regulatory finding of non-compliance typically triggers customer notifications, contract renegotiations, and product re-engineering. Industry parallels from GDPR enforcement suggest these operational costs frequently exceed the formal fine by a factor of three to five.
Civil Liability
The EU AI Act creates private rights of action for individuals harmed by prohibited or non-compliant AI systems. Article 4 of the EU AI Liability Directive (currently in final stages of the legislative process) proposes a disclosure obligation that would make it significantly easier for affected individuals to establish causation in civil claims. For companies deploying AI in employment or credit decisions, class action exposure is not theoretical.
Reputational and Commercial Damage
The EU AI database under Article 71 is public. A finding of non-compliance — or a market withdrawal order — becomes part of your company’s public regulatory record. Enterprise procurement teams in regulated industries (finance, healthcare, insurance) are increasingly conducting AI vendor due diligence as a standard procurement step. Read our post on AI vendor due diligence in 2026 to understand what buyers are now checking.
The GDPR Comparison: What History Tells Us
The enforcement trajectory of GDPR provides the most useful reference point for understanding how AI Act enforcement is likely to develop.
| Enforcement Dimension | GDPR (2018–2024) | AI Act (2025–2026 projection) |
|---|---|---|
| Initial enforcement focus | Large companies, high-profile cases | Prohibited practices, GPAI models |
| Year-1 fines issued | Relatively modest; mostly small operators | Expected to focus on clear, provable violations |
| Year-3 fines issued | €1.2B+ total; significant corporate targets | High-risk AI non-compliance expected |
| Enforcement resource | Understaffed initially; grew significantly | European AI Office better resourced from day one |
| Documentation requirement | Records of processing activities | Far more extensive (full Technical File) |
The critical lesson from GDPR: enforcement ramped up faster than most companies expected. The businesses that had compliant programmes in place before enforcement intensified were not just legally protected — they were commercially advantaged, because their competitors were scrambling to remediate while they were closing deals with compliance-conscious enterprise buyers.
Calculating Your Organisation’s Maximum Exposure
Run this calculation for your organisation:
- Take your global annual turnover (last financial year)
- For prohibited practice violations: multiply by 7% and compare to €35M — the higher figure is your ceiling
- For high-risk AI violations: multiply by 3% and compare to €15M — the higher figure is your ceiling
- For misleading authorities: multiply by 1% and compare to €7.5M
- For concurrent violations across multiple systems: each violation has its own ceiling and fines can be cumulative
For a €50M turnover SaaS company with a non-compliant high-risk AI system, maximum fine exposure is €1.5M (3% of €50M, which is below the €15M absolute cap). Still significant. For a €2B turnover company, that ceiling is €60M.
Now compare that to the cost of a structured compliance programme. For most organisations, the math is clear — and that calculation is exactly the kind of business case our AI Governance Framework guide is designed to help you build for your board.
Frequently Asked Questions
Does the EU AI Act have a whistleblower mechanism that could trigger investigations?
Yes. Article 83 requires member states to establish accessible reporting mechanisms for individuals to report suspected violations, including protections for whistleblowers. This significantly increases the likelihood that internal compliance failures — especially in consumer-facing AI applications — will be brought to enforcement authorities’ attention without waiting for a formal market surveillance inspection.
Are there fines specifically for failing to maintain technical documentation?
Yes. Failure to maintain the Technical File required by Article 11, or failure to provide it to national authorities on request, falls under the Tier 2 violation category (non-compliance with high-risk AI obligations). This carries a maximum fine of €15M or 3% of global annual turnover. For most companies, documentation non-compliance is the most likely enforcement trigger — it’s auditable, it’s objective, and it’s easy for regulators to verify.
What’s the statute of limitations on AI Act violations?
Article 101 establishes a five-year limitation period for violations, with the clock starting from the date the violation was committed (or for continuous violations, the date it ceased). Market surveillance authorities therefore have a substantial window to investigate and pursue enforcement action after a violation occurs.
Do fines apply to individual employees or only to the company?
The EU AI Act primarily targets the “operator” (provider or deployer) as an entity, not individual employees. However, national implementation laws may create individual liability for senior executives in some member states — mirroring the approach taken in some EU data protection law implementations. Companies should check the specific national AI Act implementation laws in their jurisdiction.
Can we negotiate a lower fine if we cooperate with investigators?
Cooperation is a formal mitigating factor under Article 99(6). Companies that proactively disclose violations, provide full documentation, and actively assist investigators have consistently received reduced fines in GDPR enforcement — a strong precedent for AI Act enforcement. However, “cooperation” must be genuine and substantive, not a delay tactic.
Who enforces the EU AI Act fines — national regulators or the EU directly?
Both, depending on the type of violation. For most non-compliance by AI providers and deployers, national market surveillance authorities in each EU member state are the primary enforcers. For GPAI model providers — particularly systemic risk models — the European AI Office has direct enforcement authority. For prohibited practices, both national authorities and the European AI Office can act.

Jasper Claes is a Compliance Manager and consultant specializing in AI governance for high-scale technology companies operating in regulated markets. He advises product and legal teams on implementing practical compliance frameworks aligned with evolving regulations such as the EU AI Act. Through his writing, Jasper focuses on translating complex regulatory requirements into clear, actionable guidance for teams building and deploying AI systems.
