EU AI Act Fines Explained: Up to €35M or 7% of Revenue

The largest EU AI Act fines reach €35 million or 7% of global annual turnover, whichever is higher. That makes the AI Act’s maximum penalty nearly double the GDPR ceiling and roughly on par with the biggest antitrust sanctions the Commission has ever issued.

As of May 2026, no AI Act fine has been imposed anywhere. Not by a single Member State, not by the AI Office, not by the European Data Protection Supervisor. The penalty chapter has been in force since August 2025. If that sounds like a grace period, recall how GDPR enforcement started: two quiet years, then a sustained wave that produced over €4 billion in cumulative fines. The AI Act’s penalty chapter was modelled on GDPR Article 83 deliberately.

If your organisation uses, develops, or distributes AI systems in the EU, the penalty structure is not theoretical. It determines how much risk you carry for every month you delay compliance. Use the AI Act Fines Calculator to see your specific exposure by company size and violation type.

Five tiers of EU AI Act fines

The AI Act organises penalties into distinct bands based on the severity of the violation and who is being sanctioned. This is not a sliding scale. It is a hard classification: what you did wrong determines which band applies.

Tier 1: Prohibited AI practices. Up to €35 million or 7% of worldwide annual turnover per Article 99(3), whichever is higher. This covers the categories banned outright under Article 5: social scoring by governments, real-time remote biometric identification in public spaces (with narrow exceptions), manipulation of vulnerable groups, subliminal AI causing significant harm, exploitation of specific group vulnerabilities, and emotion recognition in workplaces and schools. If you deploy a system that falls into these categories, this is the band that applies. The turnover calculation uses the preceding financial year, consolidated at group level. These prohibitions have been legally binding since 2 February 2025.

Tier 2: Operator obligation breaches. Up to €15 million or 3% of global turnover per Article 99(4). This applies to providers of high-risk AI systems (Annex III) who fail to meet the requirements in Articles 8 through 15. That includes obligations around risk management systems, data governance, technical documentation, human oversight, accuracy, and cybersecurity. Deployers of high-risk systems who violate their obligations under Article 26 also fall here, along with authorised representatives (Article 22), importers (Article 23), distributors (Article 24), notified bodies (Articles 31, 33, 34), and transparency obligations under Article 50.

Tier 3: Incorrect or misleading information. Up to €7.5 million or 1% of global turnover per Article 99(5). This is for supplying incorrect, incomplete, or misleading information to national authorities or notified bodies during conformity assessments or market surveillance. Lying to your regulator, in other words. The EU has decided that dishonesty deserves its own penalty category. A refreshingly specific legislative priority. One note: several competing analyses incorrectly cite 1.5% for this tier. The Official Journal text reads 1%.

General-purpose AI model providers face a separate enforcement track entirely under Article 101. The European Commission, not national authorities, has exclusive power to impose fines up to €15 million or 3% of worldwide turnover. This covers Chapter V infringements, failures to comply with documentation requests (Article 91), non-compliance with measures (Article 93), and blocking Commission access for model evaluations (Article 92). The Court of Justice holds unlimited jurisdiction over these decisions. This enforcement power activates on 2 August 2026.

EU institutions, bodies, and agencies fall under EDPS enforcement per Article 100, with a ceiling of €1.5 million for prohibited-practice violations and €750,000 for other AI Act infringements.

Tier       Violation type                          Fixed ceiling   % of turnover   Enforced by
1          Prohibited AI practices (Art. 5)        €35M            7%              National MSAs
2          Operator obligation breaches            €15M            3%              National MSAs
3          Misleading information to authorities   €7.5M           1%              National MSAs
GPAI       Model provider breaches (Ch. V)         €15M            3%              European Commission
EU bodies  Any AI Act infringement                 €1.5M           n/a             EDPS

One more common error in circulating analyses: some legacy sources cite €40 million / 7% for prohibited practices. That was the European Parliament’s June 2023 trilogue position, not the final regulation.

How fines are calculated in practice

National market surveillance authorities decide the actual amount, not the Commission. The Regulation sets maximum ceilings. Each Member State’s enforcement body has discretion within those ceilings.

Article 99(7) lists the factors authorities must consider: the nature, gravity, and duration of the infringement. Whether the organisation cooperated. Whether they took corrective action. Whether they have prior violations. The size and market share of the company. Any gains obtained from the infringement. These criteria mirror GDPR’s approach under Article 83, which means EU regulators already have a decade of practice applying them. The Commission has not published dedicated penalty-calculation methodology guidance. Expect authorities to develop their approach by analogy with existing GDPR jurisprudence.

The “whichever is higher” formula matters enormously. For a startup with €2 million in revenue, 7% is €140,000; the €35 million figure does not apply to it because, as an SME, it pays the lower of the two amounts under Article 99(6) (see the next section). For a company with €500 million in turnover, 7% is €35 million, so the two figures converge. For a company with €10 billion in turnover, 7% means €700 million. No cap.

One detail that compliance teams keep overlooking: the turnover calculation is group-level, not entity-level. A subsidiary deploying prohibited AI exposes the entire parent company’s global revenue to the percentage calculation.

SMEs and startups get a different formula

The AI Act flips the calculation for small and medium-sized enterprises, including startups. For normal companies, the fine is “whichever is higher” between the fixed euro amount and the turnover percentage. Article 99(6) reverses this for SMEs: the fine is “whichever is lower.”

In practice, this means the percentage almost always wins. An SME with €2 million in revenue facing a Tier 1 violation pays up to 7% of turnover (€140,000), not the €35 million flat amount. The fixed euro ceiling that terrifies large corporations becomes irrelevant. For Tier 2, the same SME faces up to €60,000 (3% of €2 million) instead of €15 million. The SME definition follows Commission Recommendation 2003/361/EC: fewer than 250 employees with annual turnover of €50 million or less, or a balance sheet total of €43 million or less.

The Digital Omnibus on AI, which reached political agreement on 7 May 2026 but still awaits formal adoption, extends most SME concessions (including the inverse cap) to “small mid-cap” companies. This new category widens the protective regime considerably.

This is not immunity. An SME deploying a prohibited AI system will still face enforcement. €140,000 can be existential for a seed-stage startup. And the obligation to cease the practice and the reputational damage remain identical regardless of company size.

For most SMEs, though, the headline fine number is the wrong thing to worry about. The real financial exposure is compliance cost. An independent study by CEPS, commissioned for the European Commission’s 2021 Impact Assessment, estimated that building a new quality management system for high-risk AI costs between €193,000 and €330,000, with €71,400 in annual maintenance. For a company with €5 million turnover, the maximum Tier 1 fine is €350,000. The compliance cost to avoid that fine is roughly the same amount. That arithmetic is why cost-efficient compliance architecture matters more than fine avoidance. Run your numbers through the AI Act Fines Calculator to see how the inverse cap applies to your turnover bracket.


When enforcement actually starts

The prohibited practices ban under Article 5 took effect on 2 February 2025. The penalty chapter (Chapter XII) became applicable on 2 August 2025. Fines for Article 5 violations can be imposed now in Member States that have designated their enforcement authorities and enacted national penalty legislation.

The Digital Omnibus on AI reached political agreement on 7 May 2026 and is expected to be formally adopted before 2 August 2026. Subject to that adoption, Annex III high-risk system obligations shift to 2 December 2027, and embedded-product high-risk obligations to 2 August 2028. The Article 99 fine ceilings, Article 5 prohibitions, and GPAI obligations are unaffected by the Omnibus.

The Commission’s enforcement powers over general-purpose AI model providers under Article 101 activate on 2 August 2026. From that date, the AI Office can request documentation, conduct evaluations, demand access to models, and impose fines.

National enforcement readiness varies sharply. Each Member State must designate at least one market surveillance authority under Article 70. As of March 2026, only eight single points of contact out of 27 had been notified to the Commission, per the European Parliament Research Service. The 2 August 2025 deadline for these designations was widely missed.

Finland moved fastest: national enforcement powers entered into force on 1 January 2026, making it the first Member State with full AI Act enforcement capacity. Spain’s AESIA has been operational since June 2024, though full sanctioning powers await the national AI Law still in legislative passage. Germany’s Federal Cabinet adopted the government draft of its AI Market Surveillance Act (KI-MIG) on 10 February 2026, designating the Bundesnetzagentur as central authority. France split responsibilities between the DGCCRF as single point of contact and the CNIL for specific Article 5 prohibitions. Italy designated the ACN and AgID under Law No. 132/2025 (in force 10 October 2025), with implementing decrees pending. Italy also introduced a separate criminal offence for unlawful dissemination of AI-generated content (deepfakes), carrying imprisonment of 1 to 5 years. No prosecutions have been reported. Ireland is establishing a National AI Office under its Regulation of Artificial Intelligence Bill 2026, spreading oversight across approximately 15 sectoral authorities.

No AI Act fine has been imposed yet. The Future of Privacy Forum confirmed in February 2026 that no enforcement action related to prohibited AI practices had been announced. The EDPS separately confirmed in March 2026 that its mapping exercise identified no prohibited AI practices in use by EU institutions. National DPAs in Italy and Spain have continued GDPR-based actions against AI systems (ChatGPT, Clearview AI, biometric tools), but these are GDPR enforcement, not AI Act penalties. The distinction matters.

For the full AI Act phased timeline alongside other major EU regulation deadlines, check the EU compliance deadline tracker.

Logical Next Steps

Stop treating the AI Act penalty structure as a distant risk. The prohibited practices ban is already enforceable. High-risk obligations arrive in December 2027 under the Digital Omnibus, or August 2026 if the Omnibus is not formally adopted in time.

Map your AI systems against Annex III. Every AI system your organisation uses, deploys, or provides needs to be classified. If any system falls into the high-risk categories, you are in scope for Tier 2 fines once the deadline passes. Use the AI Act Fines Calculator to model your financial exposure per system.

Audit for prohibited practices immediately. Article 5 violations carry the highest fines and are enforceable now. Emotion recognition in the workplace, AI-driven social scoring, manipulative dark patterns targeting vulnerable users. If any of your systems touch these categories, remediation is urgent.

Document everything. Tier 3 fines exist because regulators expect accurate information during oversight. Incomplete technical documentation, misleading conformity declarations, or gaps in your risk management records create standalone liability. Even if the underlying AI system is compliant, poor documentation can trigger penalties of up to €7.5 million.

Set group-level governance. The parent company’s global turnover is the calculation base. If AI compliance decisions are being made at the subsidiary level without group visibility, the financial exposure is invisible to the people who carry it.

Budget for compliance infrastructure. The CEPS independent study estimated €193,000 to €330,000 to stand up a high-risk quality management system from scratch, plus €71,400 annually. For SMEs, this may exceed the maximum fine under the inverse cap. That does not make compliance optional. It makes getting the architecture right the first time essential.
