EU AI Act Penalties & Fines: The 2026 Guide to the Tiers
The EU AI Act (Regulation (EU) 2024/1689) is not a voluntary code of practice — it carries some of the heaviest penalties in EU law. For the most serious breaches, fines reach up to €35 million or 7% of total worldwide annual turnover, whichever is higher. That ceiling sits above even the GDPR's headline figure.
This guide breaks down the three penalty tiers under Article 99, explains who can actually be fined, how fines scale with company turnover, and why the Act builds in proportionate caps for SMEs and start-ups. If you want to see where your systems sit before worrying about fines, start with our free risk checker.
The three penalty tiers under Article 99
The AI Act sorts infringements into three bands, each with its own maximum. For each band the fine is the higher of a fixed euro amount or a percentage of the company's total worldwide annual turnover for the preceding financial year.
| Tier | What it covers | Maximum fine |
|---|---|---|
| Most severe | Breaching the prohibited AI practices in Article 5 | €35M or 7% of worldwide annual turnover |
| General | Breaching most other obligations — provider, deployer, importer, distributor and notified-body duties | €15M or 3% of worldwide annual turnover |
| Information | Supplying incorrect, incomplete or misleading information to authorities or notified bodies | €7.5M or 1% of worldwide annual turnover |
The key mechanic is whichever is higher: for a large multinational the percentage usually bites hardest, while for a smaller company the fixed amount is the binding figure.
Who can be fined
Liability is not limited to the companies that build AI. The Act's obligations — and therefore its penalties — reach across the whole value chain:
- Providers — organisations that develop an AI system or general-purpose AI model, or have one developed, and place it on the market under their own name.
- Deployers — organisations using an AI system under their authority in a professional context.
- Importers and distributors — those bringing third-country systems into the EU or making them available.
- Product manufacturers placing AI-enabled products on the market under their own brand.
Because the Act is extraterritorial, a provider or deployer based outside the EU can be fined where its AI system's output is used in the Union. Being headquartered abroad is not a shield.
How fines scale with turnover
The percentage ceilings are deliberately tied to total worldwide annual turnover, not EU-only or AI-related revenue. This makes the maximum exposure proportionate to the size of the organisation.
A worked illustration of the top (Article 5) tier:
- A company with €100M turnover faces up to €35M — here the fixed €35M amount is higher than 7% (€7M), so €35M applies.
- A company with €2bn turnover faces up to €140M — here 7% exceeds the €35M floor, so the percentage applies.
When setting the actual fine, authorities must weigh factors such as the nature and gravity of the infringement, its duration, whether it was intentional or negligent, and any action taken to mitigate harm. The tier maximum is a ceiling, not an automatic amount.
Proportionate caps for SMEs and start-ups
The Act recognises that a flat percentage could wipe out a young company. For SMEs, including start-ups, each fine is capped at the lower of the two figures — the percentage or the fixed amount — rather than the higher.
So where a large enterprise breaching Article 5 faces the higher of €35M or 7%, an SME faces the lower of the two. For a small firm with modest turnover, that means the percentage figure typically governs and the multi-million euro fixed ceilings do not apply in full.
This is a genuine structural concession, but it is not an exemption: the obligations themselves remain identical regardless of company size.
Enforcement: who issues the fines
The AI Act sets the ceilings, but Member States are responsible for laying down the specific penalty regimes and designating the national competent authorities that enforce them. Penalties must be effective, proportionate and dissuasive.
For EU institutions, bodies and agencies, the European Data Protection Supervisor (EDPS) has the power to impose fines. This means enforcement is decentralised — the exact procedures and any national ceilings can vary between countries — but the maximum tiers in Article 99 are common across the Union.
The cost of non-compliance vs compliance
Weighing the two sides makes the business case clear:
- Non-compliance carries not only the headline fines but also market withdrawal orders, reputational damage, loss of customer trust, and potential civil claims where an AI system causes harm.
- Compliance is a structured, one-off-then-maintained investment: mapping your AI systems to risk categories, building technical documentation, implementing risk management, and training staff on AI literacy.
The cheapest path is to know where you stand early. Map your systems against the risk tiers with our complete guide, then confirm your exposure with the free risk checker.
Frequently asked questions
What is the maximum fine under the EU AI Act?
The highest tier is up to €35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. It applies to breaches of the Article 5 prohibited AI practices.
Are the AI Act fines higher than GDPR fines?
At the top tier, yes. The GDPR's maximum is €20 million or 4% of worldwide turnover, whereas the AI Act's most severe tier reaches €35 million or 7%. The two regimes can apply to the same organisation simultaneously.
Do small companies face the full fines?
No. For SMEs and start-ups, each fine is capped at the lower of the percentage or the fixed amount, rather than the higher — a proportionate cap. The underlying obligations, however, still apply in full.
Who enforces the EU AI Act penalties?
Member States set their own penalty regimes and designate national competent authorities to enforce them. For EU institutions and bodies, the European Data Protection Supervisor can impose fines.
Free, no sign-up. Deterministic — not a chatbot.