
EU AI Act Fines & Penalties 2026: The Complete Breakdown

Last updated June 2026 · 8 min read

Quick Answer

EU AI Act fines run on four tiers under Article 99. The maximum is €35 million or 7% of global annual turnover (whichever is higher) for prohibited AI practices; €15 million or 3% for high-risk and general-purpose AI obligations; and €7.5 million or 1% for supplying incorrect information to authorities. For SMEs and start-ups, the lower of the two figures applies. Penalties for prohibited practices have been enforceable since August 2025; the full high-risk regime applies from August 2026.

The Four Penalty Tiers at a Glance

The EU AI Act's penalty regime lives in Article 99 (for operators) and Article 101 (for providers of general-purpose AI models). Unlike GDPR's two-tier structure, the AI Act has a distinct hierarchy that maps the size of the fine to the seriousness of the obligation breached. The headline figures are deliberately larger than GDPR's — the EU wanted the ceiling for banned AI to exceed any other digital regulation in force.

  • Tier 1 — Prohibited practices (Article 5): up to €35 million or 7% of total worldwide annual turnover, whichever is higher.
  • Tier 2 — Most other obligations: up to €15 million or 3% of global annual turnover. This covers the bulk of high-risk system duties for providers, deployers, importers, distributors, and authorised representatives, and most general-purpose AI model obligations.
  • Tier 3 — Incorrect information: up to €7.5 million or 1% of global annual turnover for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.
  • SME safeguard: for small and medium enterprises and start-ups, each ceiling is the lower of the percentage figure or the euro figure.

Tier 1: The €35 Million Band — Prohibited AI

The top band exists for one category only: the eight prohibited practices in Article 5. These are AI uses the EU considers fundamentally incompatible with its values — subliminal or manipulative techniques that distort behaviour and cause harm, exploitation of vulnerabilities due to age or disability, social scoring by or on behalf of public authorities, individual criminal-risk prediction based solely on profiling, untargeted scraping of facial images to build recognition databases, emotion inference in workplaces and schools, certain biometric categorisation inferring sensitive attributes, and most real-time remote biometric identification in public spaces for law enforcement.

Because these bans took effect on 2 August 2025, this is the one tier where enforcement is already live. Any organisation operating an AI system in the EU should treat an Article 5 screen as urgent — a single prohibited deployment can attract the maximum fine regardless of intent.

Tier 2: The €15 Million Band — High-Risk and GPAI

This is where most organisations face exposure. The €15 million / 3% band covers failures across the high-risk obligation set: not establishing a risk management system, missing or inadequate Annex IV technical documentation, no conformity assessment or CE marking, failure to register the system in the EU database, inadequate human oversight, poor data governance, or failing to report serious incidents. For deployers, it covers using a high-risk system outside its intended purpose or ignoring the instructions for use.

General-purpose AI model providers sit in a parallel regime under Article 101, with the European AI Office able to impose fines up to €15 million or 3% of global turnover for breaches such as missing training-data summaries, absent copyright policies, or non-cooperation with the Office.

Tier 3: The €7.5 Million Band — Misleading Information

The lowest band targets a specific behaviour: giving regulators bad information. If you supply incorrect, incomplete, or misleading information to a notified body or a national competent authority in response to a request, that is itself a fineable offence at up to €7.5 million or 1% of turnover. The lesson is operational: build accurate, retrievable documentation, because the act of answering a regulator badly is independently punishable.

How Regulators Actually Set the Number

The euro and percentage figures are ceilings, not the fine itself. Article 99(7) lists the factors a national authority must weigh when deciding the actual amount: the nature, gravity, and duration of the infringement and its consequences; whether other authorities have already fined the same conduct; the size, annual turnover, and market share of the operator; whether the breach was intentional or negligent; any action taken to mitigate harm; the degree of cooperation; how the authority learned of the breach; and whether the operator is a first-time or repeat offender. In practice, an early, well-documented, cooperative response materially reduces exposure.

How the SME Cap Changes the Math

For large enterprises the rule is “whichever is higher”, so the percentage usually bites. For SMEs and start-ups the rule flips to “whichever is lower”, which almost always means the fixed euro figure for a small company and the percentage for a tiny one. This proportionality safeguard means a five-person start-up will not be wiped out by a turnover percentage, but the fixed ceilings remain large enough to be a genuine deterrent.

How to Reduce Your Exposure

The cheapest fine is the one you never trigger. Start with a classification exercise — map every AI system you build or use to the four risk tiers — so you know which band you sit in. Screen aggressively for Article 5 prohibited practices first, because that tier is both the most expensive and already enforceable. For high-risk systems, get the documentation and risk-management system in place well before August 2026; these take months. And keep your records accurate and retrievable so a regulator request never turns into a Tier 3 information offence.

GeraCompliance's free risk classifier tells you which tier each system falls into in minutes, and our document templates cover the risk-management system, Annex IV file, and conformity records you need to stay out of the penalty bands.

Frequently Asked Questions

What is the maximum fine under the EU AI Act?

The maximum fine is €35 million or 7% of the offender's total worldwide annual turnover for the preceding financial year, whichever is higher. This top tier applies only to violations of Article 5 — the use or placing on the market of prohibited AI practices such as social scoring or untargeted facial-image scraping.

How are EU AI Act fines calculated?

Fines are capped at the higher of a fixed euro amount or a percentage of global annual turnover. Within those caps, national market surveillance authorities set the actual figure considering the nature and gravity of the infringement, its duration, whether it was intentional or negligent, the size and market share of the operator, any previous infringements, and the degree of cooperation with authorities. For SMEs and start-ups, the lower of the two ceilings applies.

When do EU AI Act fines become enforceable?

Penalties for prohibited practices (Article 5) have been enforceable since 2 August 2025. Penalties for GPAI model obligations also apply from 2 August 2025. The full penalty regime for high-risk AI system obligations applies from 2 August 2026, aligned with when those obligations take effect.

Is there a lower fine cap for small businesses?

Yes. For SMEs, including start-ups, each fine is capped at whichever of the percentage-of-turnover figure or the fixed-euro figure is lower — the opposite of the "whichever is higher" rule applied to large enterprises. This is an explicit proportionality safeguard in Article 99(6).

Can you be fined for giving regulators incorrect information?

Yes. Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request is a distinct infringement, punishable by up to €7.5 million or 1% of global annual turnover, whichever is higher (or the lower figure for SMEs).

Who enforces EU AI Act fines?

Each EU member state designates one or more national market surveillance authorities responsible for enforcement and penalties within its territory. For general-purpose AI models, the European AI Office (within the European Commission) has direct supervisory and fining powers, with a separate penalty ceiling of €15 million or 3% of global turnover.
