EU AI Act Penalties and Fines: What Enforcement Looks Like

The EU AI Act carries some of the largest administrative fines in any EU technology regulation. From August 2, 2026, national market surveillance authorities have full enforcement power. Here is how the penalty structure works and what enforcement will look like in practice.

Better Societies · Updated June 2026 · 7-minute read

The penalty tiers at a glance

| Violation Type | Maximum Fine | Alternative Cap |
|---|---|---|
| Prohibited AI practices (Article 5) | €35,000,000 | 7% of global annual turnover (whichever is higher) |
| Most other violations (GPAI, high-risk, transparency) | €15,000,000 | 3% of global annual turnover (whichever is higher) |
| Providing incorrect or incomplete information to authorities | €7,500,000 | 1.5% of global annual turnover (whichever is higher) |
| SME and startup reduced caps | For SMEs: the lower of the absolute amount or the turnover percentage applies. Some reduction for first-time violations. | |

The turnover cap matters more than the absolute figure for larger companies. A company with €500 million global revenue faces potential fines of €35 million (prohibited AI) or €15 million (other violations); at that revenue the 7% and 3% turnover percentages come to the same amounts as the absolute figures. But a company with €1 billion revenue faces €70 million or €30 million respectively. The penalty scales with size.

Who enforces the EU AI Act

National market surveillance authorities (MSAs)

Each EU member state designates a national market surveillance authority responsible for AI Act enforcement. Germany has the Bundesnetzagentur; France has CNIL and ANSSI in coordination; the Netherlands designates its ACM. These authorities can conduct investigations, request documentation, issue orders to withdraw products from market, and impose fines.

The EU AI Office

The EU AI Office, established within the European Commission, has direct enforcement authority over GPAI model providers. It can investigate GPAI providers, require access to model documentation, conduct evaluations, and impose fines independent of national MSAs. This creates a dual-track enforcement structure for GPAI developers.

The European Data Protection Authorities

National DPAs have enforcement authority when AI Act violations also constitute GDPR violations, for example where biometric data processing in high-risk AI systems breaches data protection requirements. The overlap between AI Act and GDPR creates compounding penalty exposure in some scenarios.

When does enforcement start

Article 5 prohibited AI practices: enforcement started February 2, 2026. Any company still operating a prohibited system after that date is already in violation.

GPAI obligations, Article 50 transparency, Article 49 registration, and the general enforcement framework: August 2, 2026.

Annex III high-risk system obligations: expected December 2, 2027, pending the Digital Omnibus deferral. Planning should begin now; enforcement authority exists from August 2026, but the obligation date may shift.

How enforcement will work in practice

Complaints and self-reporting

Enforcement will be triggered by complaints from individuals, competitors, NGOs, and civil society organizations. The AI Act allows any natural person to submit a complaint to a national MSA. Whistleblower protections for employees reporting AI Act violations are established under the Act.

Serious incidents (harm to health, safety, or fundamental rights caused by an AI system) must be reported by providers and deployers to national MSAs. Self-reporting creates an enforcement record and will be a factor in how authorities assess violations.

Market surveillance investigations

National MSAs can initiate investigations without a complaint. They can require providers to supply technical documentation, conduct audits, access premises, and test systems. Refusal to cooperate is itself a violation carrying fines up to €7.5 million or 1.5% of turnover.

For GPAI models, the EU AI Office can access models directly for evaluation and may commission third-party testing organizations to assess systemic risk.

Cross-border coordination

When an AI system is placed on the market in multiple member states, the lead MSA is typically the country where the provider is established. For companies established outside the EU, the lead authority is the country where the EU representative is appointed. Cross-border cases are coordinated through the AI Board.

Illustrative penalty scenarios

Example: Fintech with €50M revenue, non-compliant AI credit scoring

A fintech with €50 million global revenue is found to have placed a high-risk credit scoring AI on the EU market without completing technical documentation or conformity assessment. The maximum fine is €15 million: the higher of the two caps applies, and for this company max(€15M, 3% × €50M = €1.5M) = €15M. The authority would likely impose a fraction of the maximum for a first-time violation with cooperation, but the exposure is real. Market withdrawal orders would also apply, meaning the product must be pulled from EU market use.

Example: GPAI developer with 10M EU users

A GPAI developer places a model on the EU market in August 2026 without completing technical documentation, publishing a summary of training data sources, or implementing a copyright policy. The EU AI Office opens an investigation. The developer cooperates but documentation is incomplete. The Office imposes a fine of €5 million and requires a 90-day remediation plan. The developer must also notify all downstream deployers of the gap in its compliance documentation.

Example: SaaS company with AI chatbot, no Article 50 disclosure

A B2B SaaS company operates an AI chatbot that identifies itself as "Jamie from Support" without disclosing it is an AI. A customer files a complaint with the national MSA after discovering the interaction was AI-generated. The MSA issues a corrective order requiring immediate disclosure implementation and a fine of €200,000, noting the violation was clear and the company had time to comply. In this scenario the company's size (€8M revenue) kept the fine proportionate, but the reputational disclosure is itself a significant business impact.

Mitigating factors in AI Act enforcement

The regulation does not prescribe a fixed formula for determining fines within the maximum. Enforcement guidance from the AI Board and initial decisions from member state MSAs will establish precedent, but mitigating factors typically include:

Aggravating factors include continued violation after notification, harm to vulnerable groups or persons, financial benefit derived from the violation, and obstruction of investigation.

The insurance question

EU AI Act fines are administrative penalties and are generally not insurable under standard liability policies. Cyber liability and technology errors and omissions policies do not typically cover regulatory fines. Companies in high-exposure categories should consult their legal counsel and insurers about whether emerging AI compliance insurance products offer relevant coverage.
