Enforcement Guide

EU AI Act Fines and Penalties: The Complete Guide for 2026

The EU AI Act creates three tiers of financial penalty, from €7.5 million up to €35 million — or 1.5% to 7% of a company's global annual turnover if that is higher. Here is exactly what each tier covers, what triggers it, and how to reduce your exposure.

9 min read·Last updated June 2026

Fine Structure at a Glance

€35M / 7%
Prohibited practices (Article 99(3))
€15M / 3%
High-risk & GPAI violations (Article 99(4))
€7.5M / 1.5%
False information to authorities (Article 99(5))

The "or X% of global annual turnover" rule means the fine is whichever is higher — designed to ensure fines are proportionate for large multinationals, not a relief for them.

The Three-Tier Fine Structure (Article 99)

Tier 1Article 99(3)

Prohibited Practices

Up to €35,000,000
or 7% of global annual turnover

What triggers this:

  • Operating AI systems that perform real-time biometric identification in publicly accessible spaces (without a law-enforcement exemption)
  • Using AI to manipulate people through subliminal techniques or exploit psychological vulnerabilities
  • Deploying social scoring systems that assess individuals and restrict their access to services or resources
  • Using AI that predicts criminal behaviour based solely on individual profiling
  • Using emotion recognition at work or in educational settings
  • Building biometric categorisation systems based on protected characteristics (race, religion, political views, sexuality)

These practices were banned from 2 February 2025. If your business does any of the above today, fines at this tier are already possible.

Tier 2Article 99(4) & Article 101

High-Risk & GPAI Obligations

Up to €15,000,000
or 3% of global annual turnover

What triggers this:

  • Failing to comply with high-risk AI system obligations (technical documentation, risk management, logging, human oversight)
  • Not registering a high-risk AI system in the EU AI database before it is placed on the market
  • Failing to conduct a conformity assessment for a high-risk AI system
  • General-purpose AI model providers failing to meet transparency, copyright, or risk-evaluation obligations
  • Not cooperating with market surveillance authorities during an investigation
  • Deployers of high-risk AI failing to conduct a fundamental rights impact assessment where required

The August 2, 2026 deadline is the main enforcement trigger for high-risk AI obligations. After that date, non-compliant high-risk systems risk fines at this tier.

Tier 3Article 99(5)

Incorrect or Misleading Information

Up to €7,500,000
or 1.5% of global annual turnover

What triggers this:

  • Providing incorrect, incomplete, or misleading information to supervisory authorities or notified bodies
  • Failing to respond to requests for information from a market surveillance authority
  • Not maintaining required records or documentation
  • Obstructing audits or inspections by national competent authorities

This tier most often catches companies during investigations — not for the original non-compliance, but for how they respond to it.

Is There an SMB Exemption?

There is no blanket exemption for SMBs — but the Act does require that fines be proportionate to the size of the company. Article 99(6) explicitly states that for SMEs and start-ups, authorities must take into account economic capacity when setting fines. In practice this means an SMB will not face the same fine as a multinational for an equivalent breach — but the obligations are the same.

The percentage-of-turnover rule (7% / 3% / 1.5%) is designed to scale with company size. For a company with €2M annual turnover, the practical cap on even the most serious violation is €140,000 — still significant, but not €35M. For an SMB, the binding limit will almost always be the percentage, not the nominal cap.

Micro-enterprises (fewer than 10 employees and under €2M in revenue) receive additional leniency in enforcement guidance, but must still comply with all substantive obligations.

How Authorities Decide the Amount

The figures above are maximum fines. In practice, supervisory authorities apply a structured assessment under Article 99(2) before deciding any penalty. These are the factors that directly influence whether you receive the maximum or a meaningfully lower amount.

1

Nature, gravity, and duration

How severe was the violation? How long did it continue? Was it intentional or negligent?

2

Market size and impact

How many people were affected, and how significantly?

3

Company size

SMBs and micro-enterprises may receive reduced fines. For natural persons, fines must be proportionate to their economic capacity.

4

Cooperation with authorities

Companies that cooperate proactively during investigations — including self-reporting — typically receive meaningfully lower fines.

5

Prior violations

Repeat offenders or companies with prior sanctions in the same area face higher fines.

6

Voluntary remediation

Stopping the violation quickly and implementing corrective measures demonstrates good faith.

7

Technical and organisational measures already in place

Evidence of an existing compliance programme — even an imperfect one — weighs in your favour.

Practical implication: A company that detects a compliance gap, corrects it promptly, and cooperates with authorities is in a materially better position than one that ignores it. Most enforcement regimes (GDPR is the clearest precedent) treat proactive remediation as a significant mitigating factor.

Common SMB Risk Scenarios

Most SMBs will not build high-risk AI systems from scratch — but many already use AI tools that create compliance exposure. These are the most common situations.

Using AI in hiring or HR decisions

High (Tier 2)

AI tools used to screen CVs, rank candidates, or assess employees fall under Annex III high-risk. You must comply with all high-risk obligations — or avoid these tools entirely.

AI chatbots that do not identify as AI

Medium (Tier 2)

Article 50 requires all AI systems interacting directly with people to clearly disclose that they are AI. Failing to do so is a Tier 2 breach.

Emotion detection in workplace tools

Critical (Tier 1)

Any AI that detects or infers emotions in workplaces is prohibited outright under Article 5(1)(f). This includes 'productivity sentiment' tools and engagement analysis platforms.

Building on an LLM API without proper transparency

Medium (Tier 2)

If you build a product on top of an LLM API and deploy it to EU users, you are a deployer. Article 50 transparency obligations apply, and for some use cases high-risk obligations too.

No Article 4 AI literacy programme

Lower (Tier 2)

Article 4 has been in force since February 2025. Fines for this alone are unlikely before enforcement ramps up, but it aggravates any investigation into other non-compliance.

When Does Enforcement Start?

2 Feb 2025Prohibited practices (Article 5) — fully enforceable now

Fines at Tier 1 can be issued today for prohibited practices. These obligations have been live for over a year.

2 Aug 2025GPAI model obligations — active

General-purpose AI model providers (those releasing models like LLMs) must comply. Article 101 fines apply.

2 Aug 2026High-risk AI system obligations (Annex III) — 54 days away

The main deadline for most SMBs. High-risk AI in employment, education, credit, healthcare, and other Annex III domains must be compliant by this date. Tier 2 fines active from this point.

2 Aug 2027Annex I high-risk AI products (embedded in machinery, medical devices, etc.)

An additional year for AI embedded in regulated physical products.

2 Dec 2030Legacy high-risk systems deployed before Aug 2026 must be brought into compliance

Systems already in use before August 2026 have until 2030 — but new deployments after August 2026 do not.

How Will Enforcement Compare to GDPR?

GDPR is the closest precedent. Key observations from six years of GDPR enforcement:

The largest fines went to large tech companies. Most SMB fines were in the low tens of thousands, not the headline maximum.
Enforcement began slowly — the first major GDPR fine came 18 months after GDPR went live. The EU AI Act will likely follow a similar ramp-up.
The biggest risks for SMBs came from complaints (a customer reports your AI system to the DPA equivalent) and sector audits, not random inspections.
Companies with a documented compliance programme — even imperfect — received more lenient treatment than those with nothing at all.
The pattern is: authorities go after the worst-offending large actors first, set examples, then work down. SMBs who fix obvious issues in Year 1 typically face far less scrutiny.

FAQ

Can an SMB outside the EU be fined?

Yes. The EU AI Act applies to any provider or deployer whose AI systems affect EU residents, regardless of where the company is based — the same jurisdictional logic as GDPR. Enforcement against non-EU companies is harder in practice, but legally the obligation exists.

Is there a minimum fine? Can I receive zero?

There is no statutory minimum. Article 99 only specifies maximums and requires proportionality. Authorities can and do issue warnings, require remediation without fines, or issue nominal fines for minor or first-time violations — especially where there's been no harm and genuine remediation.

Which national authority will enforce this in my country?

Each EU member state must designate a national competent authority (NCA) by August 2, 2025. Some states are using their existing data protection authorities; others are creating new bodies. Check your country's regulatory authority for confirmation. Cross-border enforcement follows the 'leading authority' model familiar from GDPR.

What about companies that are currently mid-implementation?

The Act has no formal safe harbour for mid-implementation companies. However, being able to demonstrate that a compliance programme is active and progressing is a material mitigating factor — it shifts the narrative from "ignoring the law" to "working towards compliance." Document your progress.

Do the fines apply per violation or per company?

Fines are typically assessed per company per investigation, not per individual violation — the same approach GDPR enforcement has taken. One investigation may result in one fine covering multiple issues, or separate fines for distinct violations. The binding cap in all cases is the percentage-of-turnover rule.

5 Steps to Reduce Your Fine Risk Today

1

Audit your AI tool stack

List every AI system your business uses, operates, or deploys. Include AI features embedded in third-party SaaS. Flag any that touch employment, education, credit, or healthcare decisions.

2

Eliminate prohibited practices immediately

Prohibited AI (Article 5) has been enforceable since February 2025. If you use emotion detection at work or any form of social scoring, stop now.

3

Add AI disclosure to customer-facing products

If your product uses a chatbot or any AI that speaks to users, it must clearly identify as AI. This is a Tier 2 obligation and one of the simplest to fix — add a disclosure message at the start of interactions.

4

Implement Article 4 AI literacy

Document that your staff have received AI literacy training. A short written briefing + acknowledgement is a reasonable minimum. This costs almost nothing and substantially reduces your risk profile in any enforcement investigation.

5

Classify your AI systems before August 2

Use the free risk classifier below to identify whether any of your AI systems are high-risk under Annex III. If they are, you have until August 2, 2026 to comply — or to change your tooling.

Find Out If Your AI Systems Are at Risk

Our free classifier tells you whether your AI systems fall into a high-risk category — and exactly what obligations apply — in under 5 minutes.

Start Free Risk Assessment

Related Guides

High-Risk AI Systems: The Full Annex III List

Which AI systems require full compliance before August 2, 2026.

SMB Compliance Checklist (August 2026)

Step-by-step: from prohibited-practices check to AI literacy.

ChatGPT, Copilot & LLMs: Your Obligations

Using AI tools? What you're responsible for as a deployer.

HomeHigh-Risk Systems Guide