EU AI Act penalties and fines: what non-compliance actually costs

Article 99 of the EU AI Act sets fines up to EUR 35 million or 7% of worldwide turnover. Here are the three tiers, who enforces, how SMB fines are scaled, and what triggers each.

By the aiactly editorial team

Article 99 of the EU AI Act sets the fine structure for non-compliance. The headline numbers are higher than the GDPR's, the structure is similar in shape, and the practical exposure depends on which provision you have breached. This article walks through each tier of fines, who applies them, how they scale for SMEs and start-ups, and what the cumulative exposure looks like in a realistic enforcement scenario.

Take the numbers as the ceiling, not the expectation. The Act requires penalties to be "effective, proportionate and dissuasive," and Member States are required to take a long list of mitigating and aggravating factors into account when setting an individual fine. The maximum is what makes headlines; the typical fine for a first-time, good-faith compliance failure will be lower. But the exposure is real and large enough to make compliance investment a much cheaper option than the alternative.

The three fine tiers

Article 99(3), (4) and (5) set three tiers of administrative fines. The structure follows the familiar two-number pattern: a fixed cap in euros, and a percentage of worldwide annual turnover, with the higher of the two applying (except for SMEs and start-ups — more on that below).

Tier 1: prohibited practices

Up to EUR 35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.

This tier applies to breaches of Article 5 (the prohibited AI practices: social scoring, untargeted facial-image scraping, certain biometric categorisation and emotion recognition, real-time remote biometric identification by law enforcement outside the narrow exceptions, etc. — see the prohibited practices article for the full list).

This is the highest percentage in the Act, and higher than the top tier of the GDPR or the DSA; among EU digital regulations only the DMA, which applies to a handful of designated gatekeepers, goes higher. Compare:

  • EU AI Act tier 1: 7% of turnover.
  • Digital Services Act (DSA): 6% of turnover.
  • Digital Markets Act (DMA): 10% of turnover for first breach, up to 20% for repeated.
  • GDPR top tier: 4% of turnover.

The choice to put prohibited practices at 7% rather than the GDPR's 4% reflects the legislative view that prohibited AI practices represent a categorical harm to fundamental rights that warrants stronger deterrence.

Tier 2: most other obligation breaches

Up to EUR 15 million or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher.

This is the workhorse tier. It applies to non-compliance with obligations of providers, deployers, importers, distributors, notified bodies, and authorised representatives across the rest of the Act, including:

  • Article 16 (provider obligations for high-risk AI systems): the full set of provider obligations including QMS, technical documentation, risk management, data governance, transparency to deployers, human oversight, accuracy and robustness, post-market monitoring, registration, CE marking.
  • Article 22 (authorised representative obligations).
  • Article 23 (importer obligations).
  • Article 24 (distributor obligations).
  • Article 26 (deployer obligations for high-risk AI systems).
  • Articles 31, 33 and 34 (notified body obligations).
  • Article 50 (transparency obligations: AI disclosure, deepfake labelling, generative AI output marking).

A failure to register a high-risk Annex III system in the EU database, or to keep technical documentation current, lands in this tier. So does deploying a high-risk AI system without the required human oversight measures.

Tier 3: supplying incorrect information

Up to EUR 7.5 million or 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

This tier applies to supplying incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request.

It is narrower than people sometimes assume. It does not cover bad documentation per se; it covers active misinformation supplied to a regulator. The penalty exists because regulators need accurate information to enforce the rest of the Act; deliberately misleading them is a separate harm.

The SME and start-up rule

Article 99(6) introduces a specific carve-out for SMEs (including start-ups). The standard rule is "whichever is higher" between the euro cap and the percentage of turnover. For SMEs and start-ups, the rule flips to "whichever is lower."

In practice:

  • A large enterprise with EUR 10 billion turnover that breaches Article 5: the maximum is the higher of EUR 35 million and 7% × EUR 10 billion = EUR 700 million, so EUR 700 million.
  • An SME with EUR 5 million turnover that breaches Article 5: max fine is the lower of EUR 35 million or 7% × 5 million = EUR 350,000.

This is a meaningful protection for smaller operators. The reasoning in the recitals: SMEs and start-ups are an explicit focus of the Act's innovation provisions (Article 57 establishes regulatory sandboxes with priority access for SMEs, Article 62 sets out SME-specific guidance and support measures, and Article 63 allows microenterprises a simplified quality management system), and the penalty regime should not crush them.

The definition of SME follows the standard Commission Recommendation 2003/361/EC: fewer than 250 staff, and either turnover not exceeding EUR 50 million or balance sheet total not exceeding EUR 43 million. Start-ups have their own working definition under various national laws; the Act does not redefine the term, deferring to national criteria.

Mitigating and aggravating factors

Article 99(7) requires that the fine actually imposed take into account a list of factors. These cut both ways — they can scale the fine down from the headline cap or up toward it within the legal maximum:

  • The nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI system and, where appropriate, the number of affected persons and the level of damage they suffered.
  • Whether other market surveillance authorities have already fined the same operator for the same infringement.
  • Whether other authorities have already fined the same operator under other Union or national law for the same act or omission (this is the hook for the stacking question discussed below).
  • The size, annual turnover and market share of the operator committing the infringement.
  • Any other aggravating or mitigating factor, such as financial benefits gained or losses avoided, directly or indirectly, through the infringement.
  • The degree of cooperation with the national competent authorities to remedy the infringement and mitigate its possible adverse effects.
  • The degree of responsibility of the operator, taking into account the technical and organisational measures it has implemented.
  • The manner in which the infringement became known to the authorities, in particular whether, and to what extent, the operator notified it itself.
  • The intentional or negligent character of the infringement.
  • Any action taken by the operator to mitigate the harm suffered by affected persons.

This list is similar in shape to GDPR Article 83(2). Practically it means: cooperation, self-reporting, demonstrable controls, and remediation all reduce the fine. Delay, obstruction, repeat behaviour and concealment all increase it. A breach that is reported by the provider to the market surveillance authority within days of detection, with a remediation plan attached, is fined materially less than the same breach surfaced through an investigation triggered by a complaint.

Who enforces

The enforcement architecture splits between national authorities and the European AI Office:

  • National market surveillance authorities in each Member State enforce the Act for AI systems generally. They run investigations, impose fines, and coordinate with other Member States via the AI Board.
  • For high-risk systems used in law enforcement, border management, migration and asylum, and the administration of justice and democratic processes (Annex III point 1 as used for law enforcement purposes, and points 6, 7 and 8), Member States must designate as market surveillance authority either their data protection supervisory authorities or another authority operating under equivalent safeguards (Article 74(8)).
  • The European AI Office at the Commission supervises GPAI providers directly. Penalties on GPAI providers (Article 101) are imposed by the Commission itself, separately from the national fines on other operators: up to EUR 15 million or 3% of worldwide annual turnover, whichever is higher, under the Commission's own procedure, with decisions reviewable by the Court of Justice. Article 101 applies from 2 August 2026, a year later than the rest of the penalty chapter.
  • Sectoral authorities retain their existing powers for AI systems in their sector (e.g. financial regulators for banking AI, medicines agencies for medical-device AI). The AI Act adds to but does not replace those regimes.

Member States must lay down rules on penalties and other enforcement measures and notify them to the Commission by 2 August 2025, the date the penalty chapter enters into application (Article 99(1) and (2)) and the same date by which national competent authorities must be designated (Article 70(2)). Each Member State also decides for itself to what extent administrative fines can be imposed on its own public authorities and bodies (Article 99(8)), so exposure for public-sector deployers varies by country.

How fines stack with other regulations

The EU AI Act's fines do not displace fines under other EU laws. A single incident that breaches the AI Act and the GDPR can attract fines under both, subject to two limits:

  • ne bis in idem: you cannot be punished twice for the same conduct in the same legal interest. The two regulations protect different legal interests (product safety and personal data respectively), so the principle does not generally prevent dual fines on the same set of facts.
  • The overall fine must be proportionate to the conduct and its gravity. Article 99(7) expressly requires the authority setting an AI Act fine to take into account fines already imposed by other authorities for the same act or omission, so regulators are expected to coordinate on cross-cutting cases rather than each fine as if the other did not exist.

Practically, the worst-case for a serious incident with personal-data and AI-system dimensions is a GDPR fine plus an AI Act fine plus potentially DSA or sectoral fines, all running in parallel. The bookkeeping for that exposure is one of the reasons compliance programmes increasingly integrate across regulations.

Similar layering applies with respect to:

  • Product safety regulations (machinery, medical devices, etc.) for Annex I-integrated high-risk systems — sectoral fines plus AI Act fines.
  • Anti-discrimination law for biased AI deployments in employment, credit, housing — national anti-discrimination remedies plus AI Act fines.
  • Consumer protection for transparency failures in B2C AI — Unfair Commercial Practices Directive plus AI Act Article 50 fines.

Realistic exposure scenarios

The headline numbers feel abstract. Three realistic scenarios to make them concrete:

Scenario 1: SME deploys recruitment AI without classification or documentation. 200-person company, EUR 30 million turnover. Deploys an off-the-shelf candidate-screening tool without realising it is high-risk under Annex III point 4 (employment and workers management). No human oversight assigned beyond "the manager reads the shortlist," no retention of the logs the system generates, workers' representatives and affected candidates never informed, no arrangement with the provider for instructions for use and documentation (all Article 26 deployer obligations). Worst-case exposure under Tier 2: because the company is an SME, the lower of EUR 15 million and 3% × EUR 30 million = EUR 900,000. Realistic first-time enforcement after cooperation and remediation: probably six-figure rather than seven-figure, but not negligible.

Scenario 2: large enterprise places a high-risk biometric system on the market without conformity assessment. EUR 5 billion turnover. No notified-body assessment, no CE marking, no EU database registration. Worst-case under Tier 2: the higher of EUR 15 million and 3% × EUR 5 billion = EUR 150 million.

Scenario 3: provider operates a system that falls within Article 5. EUR 500 million turnover. Worst-case under Tier 1: the higher of EUR 35 million and 7% × EUR 500 million = EUR 35 million. This is one where the regulator is most likely to push toward the cap, given the categorical nature of the prohibited practices.

In all three, the fine is one consequence. Loss of market access (Member States can order withdrawal of the AI system from the EU market), reputational damage, customer-contract breach exposure, and shareholder litigation in publicly listed companies often dwarf the regulatory fine itself.

How to reduce exposure

A short list of disproportionately effective actions, in rough priority order:

  1. Classification before deployment. The single biggest risk is having a high-risk system in production that you have not classified as such. Run the classification process per system, document the conclusion.
  2. Documentation in place when the obligation triggers. Technical documentation, risk management records, conformity assessment, EU database registration. The work is non-trivial but predictable; treat it as an engineering deliverable with a deadline.
  3. Working human-oversight measures. Not just a box-tick. The provider must design the system so that humans can effectively oversee it (Article 14); the deployer must assign that oversight to named people with the competence, training and authority to act (Article 26(2)). Tested escape valves and clear escalation paths.
  4. Self-reporting capability. Article 73 requires providers to report serious incidents to the market surveillance authority no later than 15 days after establishing the causal link, shortened to 10 days for a death and 2 days for a widespread infringement or an incident disrupting critical infrastructure. A working channel from engineering through legal to the market surveillance authority is the cheapest insurance you can buy.
  5. Documented cooperation posture. Multiple Article 99(7) factors reward cooperation. Build it into your incident-response playbook so it happens by default, not as an ad-hoc decision under pressure.

The Act's fine structure is designed to make non-compliance materially worse than the cost of doing the work. For a typical SMB, the cost of building a credible compliance programme — even one that uses a tool like aiactly to do the heavy lifting on classification and documentation — is well inside the cost of a single enforcement action. The arithmetic is unfavourable for taking the wait-and-see option.

Frequently asked questions

What's the maximum EU AI Act fine?
Up to EUR 35 million or 7% of worldwide annual turnover (whichever is higher) for breaches of the Article 5 prohibited practices. That's the top of three fine tiers and applies to the most serious breaches.
How are SMB fines different?
For SMEs (fewer than 250 staff, with turnover or balance sheet thresholds) and start-ups, fines apply at the lower of the two amounts in each tier, not the higher. So an Article 5 breach by an SME is capped at the lower of EUR 35 million or 7% of turnover, not the higher.
Who decides the fine?
Member State authorities for most provisions, applied through national procedures. The European AI Office handles GPAI provider penalties under Article 101 separately, with its own enforcement regime.
Are EU AI Act fines on top of GDPR fines?
Yes, they're separate regulations. A single incident can breach both, and both fines can apply, subject to ne bis in idem (no double punishment for the same conduct under the same legal interest). The EU AI Act explicitly preserves the GDPR's penalty regime.
