The maximum fine for violating the EU AI Act's prohibited practices is €35 million or 7% of your total worldwide annual turnover — whichever is higher.

Not European revenue. Not AI revenue. Your entire global turnover. For a company doing €800 million, that's €56 million. For €10 billion — that's €700 million. From a single violation.

The three-tier structure

Tier 1 — Prohibited practices

Up to €35 million or 7% of global turnover. The nine banned uses. This is the "what were you thinking" tier.

Tier 2 — Non-compliance with core requirements

Up to €15 million or 3% of global turnover. High-risk obligations, transparency rules, deployer duties. This is the tier that matters day-to-day for most companies — the high-risk requirements involve dozens of obligations and falling short on any lands you here.

Tier 3 — Incorrect information

Up to €7.5 million or 1% of global turnover. The "don't lie on the paperwork" tier. One percent still hurts.

The maths people get wrong

The "whichever is higher" clause is the part people miss. A startup doing €2 million violates a prohibited practice. 7% of €2 million is €140,000 — but the fixed €35 million figure is higher, so that sets the maximum. That's nearly eighteen times their entire revenue. In practice, regulators would likely scale it proportionately, but the legal maximum is staggering.

What regulators actually consider

The nature and duration of the violation. Whether you took corrective action before they came knocking. Whether you cooperated. Whether you had previous infringements. And critically — whether you had a compliance programme in place at all.

That last point matters more than people realise. The mere existence of a documented compliance effort — evidence that you tried — can meaningfully reduce the penalty. The worst position is having done nothing, because it signals either ignorance or indifference.

Will they actually enforce this?

Yes. The same regulatory apparatus that has issued billions in GDPR fines is being extended to AI. National competent authorities are being designated. The European AI Office is operational. The first wave will likely target prohibited practices — they're the clearest violations and make the best deterrent examples.

The penalty structure tells you the EU's priorities: banned practices (7%), operational requirements (3%), administrative honesty (1%). Your compliance effort should mirror that hierarchy.