
EU AI Act Penalties and Enforcement

GuruSup

The EU AI Act backs its requirements with fines that rival GDPR penalties. The maximum is 35 million euros or 7% of worldwide annual turnover, whichever is higher. That is not a typo. The flat amount governs until annual turnover passes 500 million euros, where 7% equals 35 million; above that the percentage takes over. For a company with 10 billion in revenue, the ceiling is 700 million euros.

Understanding the penalty structure matters because it shapes how you prioritize compliance work. Not all violations cost the same.

Three Tiers of Fines

Tier 1: Prohibited AI practices — up to 35M or 7%

The heaviest fines apply to deploying AI systems that the Act bans outright. Social scoring, unauthorized real-time biometric surveillance, subliminal manipulation, and the other prohibited practices trigger this tier.

The prohibitions themselves (Article 5) have applied since February 2, 2025, and the penalty provisions in Chapter XII apply from August 2, 2025. If you are still running a banned system, you are already exposed. See the complete list of prohibited AI.

Tier 2: High-risk non-compliance — up to 15M or 3%

Violations of the high-risk system requirements fall here: missing documentation, inadequate risk management, no conformity assessment, insufficient human oversight, or failing data governance obligations.

This covers the operator obligations in Chapter III (high-risk systems, Articles 6 through 49) and the transparency obligations in Article 50. If you have a high-risk system and have not completed the steps in our compliance checklist, this is your exposure.

Tier 3: Incorrect information — up to 7.5M or 1%

This tier covers supplying incorrect, incomplete, or misleading information to national competent authorities or notified bodies in reply to a request. That includes false declarations of conformity, incorrect registration data, and failure to cooperate with investigations.

How Fines Are Calculated

The regulation lists factors that authorities must consider when determining the specific amount:

  • Nature, gravity, and duration of the infringement.
  • Whether the violation was intentional or negligent.
  • Actions taken to mitigate harm to affected persons.
  • The size and market share of the infringing entity.
  • Previous infringements by the same operator.
  • Degree of cooperation with the authority.
  • How the authority learned about the infringement (self-reported vs discovered).

SMEs and startups get a lower cap. The Act states that fines for small enterprises should account for their economic viability, and for SMEs (including startups) each tier's maximum is the lower of the flat amount and the turnover percentage rather than the higher. But "lower" does not mean "waived": a 35 million euro fine is still the ceiling for a Tier 1 violation by a startup with less than 500 million in turnover only in theory, since 7% of its actual turnover will be the binding figure, and that figure can still be fatal to the business.

Who Enforces It

National competent authorities

Each EU member state designates at least one national authority for market surveillance and enforcement. These bodies handle complaints, conduct investigations, and impose fines within their jurisdiction.

The European AI Office

Established within the European Commission, the AI Office has direct enforcement power over providers of general-purpose AI models (think foundation models like GPT-4.5 or Claude 4.6). For these models, the AI Office can impose fines of up to 15 million euros or 3% of global turnover, whichever is higher. The obligations on general-purpose AI providers apply from August 2, 2025, but the Commission's power to fine them under Article 101 applies only from August 2, 2026.

National data protection authorities

When AI Act violations overlap with GDPR breaches, data protection authorities may be involved. This dual enforcement risk is real. See our AI Act vs GDPR comparison for the overlap points.

Enforcement Timeline

Penalties phase in with the rest of the Act:

  • February 2025: Prohibited AI practices (Article 5) apply, along with the general provisions and AI literacy obligations.
  • August 2025: The penalty provisions (Chapter XII) apply, so fines for prohibited practices become enforceable; general-purpose AI model obligations apply and the AI Office begins supervising them, although the Article 101 fines for GPAI providers do not yet.
  • August 2026: Full enforcement of high-risk requirements and all remaining provisions, including Article 101 fines for general-purpose AI providers.
  • August 2027: Enforcement extends to high-risk AI in Annex I products (Article 6(1)).

For the complete schedule, see our EU AI Act timeline.

Beyond Fines: Other Consequences

Financial penalties are not the only enforcement tool:

  • Market withdrawal: Authorities can order non-compliant AI systems removed from the EU market.
  • Public naming: Enforcement actions can be published, creating reputational damage.
  • Injunctions: Courts can prohibit specific AI deployments pending compliance.
  • Contractual impact: Enterprise customers are increasingly requiring AI Act compliance in procurement. Non-compliance locks you out of deals.

How to Minimize Exposure

Start with the risk classification to know where your systems stand. Complete the compliance checklist for each high-risk system. For customer support AI, make sure transparency disclosures are in place.

The organizations that document their compliance efforts as they go will be in the strongest position if enforcement comes. The Act's own fine factors reward cooperation, mitigation, and self-reporting, and regulators generally look more favorably on companies that made genuine efforts, even imperfect ones, than on those that ignored the regulation entirely.
