The EU AI Act introduces a three-tier penalty system that rivals – and in some areas exceeds – the GDPR in severity. With fines reaching up to €35 million or 7% of global turnover, understanding the penalty structure is critical for every business that uses AI.
The Three-Tier Penalty System
The EU AI Act (Regulation (EU) 2024/1689) establishes three levels of fines based on the severity of the violation:
Tier 1: Prohibited AI Practices
Up to €35 million or 7% of global annual turnover
Applies to the use of banned AI systems such as social scoring, subliminal manipulation, or real-time biometric mass surveillance.
Tier 2: Core Obligation Violations
Up to €15 million or 3% of global annual turnover
Applies to violations of high-risk requirements, transparency obligations, and general-purpose AI rules.
Tier 3: False Information
Up to €7.5 million or 1.5% of global annual turnover
Applies to providing false or misleading information to supervisory authorities.
Note: The higher amount always applies – either the fixed sum or the percentage of turnover. For multinational corporations, the percentage can far exceed the fixed amount.
EU AI Act vs. GDPR: How Fines Compare
| Criterion | GDPR | EU AI Act |
|---|---|---|
| Maximum fine (fixed) | €20 million | €35 million |
| Maximum fine (% turnover) | 4% | 7% |
| SME-specific rules | Limited | Yes, explicitly provided |
| Warning before fine | Possible | Recommended as first measure |
Who Enforces the Fines?
Each EU member state must establish a national supervisory authority for the AI Act. These authorities have broad powers:
- Market surveillance: Proactive monitoring of AI systems on the market
- Audits: Right to inspect a company's AI documentation and processes
- Corrective orders: Requiring improvements or cessation of AI use
- Fines: Imposing financial penalties for violations
Special Rules for SMEs and Startups
The EU AI Act recognises that large fines can be existentially threatening for smaller businesses. Special provisions include:
| Company Size | Tier 1 Maximum | Tier 2 Maximum |
|---|---|---|
| Large enterprise (>250 employees) | €35M / 7% turnover | €15M / 3% turnover |
| SME (<250 employees) | Proportionally lower, but significant | Proportionally lower, but significant |
| Startup (<5 years, <€10M turnover) | Lower amount or % of turnover | Lower amount or % of turnover |
Warning: "Proportional" does not mean "negligible". Even for SMEs, fines can reach six figures – enough to threaten the survival of a business.
Factors That Influence the Fine Amount
Supervisory authorities consider several factors when determining penalties:
- Nature and severity: A missing transparency notice weighs less than deploying prohibited AI
- Intent or negligence: Deliberate violations are punished more harshly
- Corrective actions taken: Quick remediation can reduce penalties
- Cooperation: Working with authorities is viewed positively
- People affected: The more people impacted, the higher the fine
- Previous violations: Repeat offenders face stricter penalties
- Existing documentation: Demonstrated compliance efforts can be mitigating
Real-World Risk Scenarios
Scenario 1: Missing Chatbot Disclosure
A company operates an AI chatbot without any transparency notice. A customer files a complaint with the supervisory authority.
Likely outcome: Warning + order to add disclosure. If ignored: fine up to €15M / 3% turnover.
Scenario 2: Unaudited HR Screening Tool
A company uses AI-based CV screening without risk assessment, documentation, or human oversight.
Likely outcome: Fine up to €15M / 3% turnover + order to cease use until compliant.
Scenario 3: Customer Behaviour Scoring
A company rates customers based on their online behaviour to offer different prices – essentially social scoring.
Likely outcome: Fine up to €35M / 7% turnover + immediate cessation order.
How to Protect Your Business
The best insurance against fines is proactive compliance. Start early, document thoroughly, and review regularly. Our free compliance check shows you in 5 minutes:
- Which risk level applies to your AI systems
- Which specific obligations you must fulfil
- Where urgent action is needed
- A PDF document as initial compliance evidence