EU AI Act topic guide

EU AI Act penalties and fines: the three tiers explained

The EU AI Act has some of the largest administrative fines in EU regulation history. Penalties are graduated: the most serious breaches (prohibited practices) attract the highest fines, and smaller organisations benefit from a proportionality rule that caps fines at the lower of the percentage or the fixed amount. Penalties became enforceable from 2 August 2025.

Reviewed by the AI Act Navigator team · Last updated 9 June 2026

TL;DR

  • Three tiers: €35m/7% (prohibited practices) → €15m/3% (other obligations, incl. high-risk non-compliance) → €7.5m/1% (misleading information).
  • The fine is whichever is higher of the fixed amount and the percentage of global annual turnover - except for SMEs, where it is whichever is lower.
  • GPAI model providers can be fined by the AI Office up to €15m/3% under Article 101.
  • Penalties applicable from 2 August 2025.
Classify your AI systemObligations guide

Scope

What this covers

  • Tier 1 - Breach of Article 5 prohibited practices: up to €35,000,000 or 7% of total worldwide annual turnover (preceding financial year), whichever is higher.
  • Tier 2 - Non-compliance with other obligations (high-risk requirements, transparency obligations, deployer/importer/distributor duties, notified body obligations): up to €15,000,000 or 3% of worldwide annual turnover, whichever is higher.
  • Tier 3 - Supplying incorrect, incomplete or misleading information to national authorities or notified bodies: up to €7,500,000 or 1% of worldwide annual turnover, whichever is higher.
  • GPAI model providers (Article 101): the AI Office can impose fines of up to €15,000,000 or 3% of worldwide annual turnover for GPAI-specific violations.
  • EU institutions and bodies (Article 100): the European Data Protection Supervisor can fine - up to €1,500,000 for Article 5 violations, €750,000 for other violations.

SME and start-up proportionality (Article 99(6)): for SMEs (including start-ups), each fine is capped at the LOWER of the percentage threshold or the fixed amount - the reverse of the general rule, which takes the higher. National authorities must also consider proportionality and the specific circumstances.

Source: Regulation (EU) 2024/1689 (EUR-Lex)

Compliance challenges

Key compliance challenges

  • The "higher of" rule means a large company breaching a prohibition faces a minimum of the lower of €35m/7% - the headline fine exposure is the higher: so a €10bn-revenue company could face €700m.
  • The "misleading information" tier (€7.5m/1%) catches errors in conformity-assessment submissions and regulatory reporting, not just deliberate deception.
  • The AI Office has direct enforcement authority over GPAI model providers - national authorities do not have primary jurisdiction over GPAI Chapter V compliance.
  • Penalties apply from 2 August 2025, so GPAI and governance obligations are already subject to fines today.

The EU AI Act applies a risk-based approach: obligations scale with the level of risk posed. AI Act high-level summary

What to do

What to do

  1. Priority-rank your compliance risks: Article 5 prohibitions (in force since Feb 2025) carry the highest penalty exposure and should be addressed first.
  2. Ensure GPAI compliance is underway - GPAI Chapter V obligations are already enforceable (from 2 Aug 2025).
  3. For high-risk systems: build the Chapter III programme targeting the 2 August 2026 deadline (or the proposed 2 December 2027 if the Omnibus is adopted).
  4. Implement robust regulatory-reporting processes: errors in information to notified bodies or authorities attract the Tier 3 penalty.
  5. For SMEs: document your SME status to benefit from the proportionality cap; note you still have the same obligations, just a lower maximum fine.

For the full obligations breakdown, see the AI Act obligations guide, and for role-specific duties see the provider vs deployer guide.

FAQ

AI Act penalties: common questions

When did AI Act penalties become enforceable?
Penalties became applicable from 2 August 2025 - the same date as the GPAI and governance provisions. Note that Article 5 prohibitions have applied since 2 February 2025, but enforcement via Article 99 fines commenced from 2 August 2025.
Is a €35m fine a minimum or a maximum?
It is a maximum. In practice authorities must consider proportionality, severity, duration, the degree of responsibility, and whether the organisation cooperated. The Commission and national authorities cannot impose a fine above the ceiling, but there is no legal minimum below which they cannot go.
We are a start-up - how does the SME rule work?
For SMEs (including start-ups), each fine is capped at the lower of the percentage threshold or the fixed amount. So for a prohibited-practice breach, the fine ceiling is the lower of 7% of turnover or €35m - not the higher. This protects small companies where 7% of their turnover would be less than €35m.
Who enforces the AI Act?
National authorities designated by each EU Member State enforce the Act for AI systems within their jurisdiction. The AI Office (European Commission) has exclusive EU-level enforcement jurisdiction over GPAI model providers. The European Data Protection Supervisor enforces against EU institutions.
Can my company be fined under both the AI Act and GDPR?
Yes - the two regulations are independent. An AI system that violates both the AI Act's prohibited practices and GDPR's data-protection requirements can attract penalties under each. The AI Act does not create an immunity from GDPR fines, and vice versa. Coordination between the AI Office, national AI authorities and data-protection authorities is expected for overlapping cases.

Get AI Act-ready

Use the risk classifier to find your system's tier, then explore the obligations and checklist for your role.

Classify your AI system

This is guidance, not legal advice

This is guidance to help you understand how the EU AI Act applies to ai act penalties, not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified legal adviser.

Sources

  1. [1]Regulation (EU) 2024/1689 (EU AI Act) - EUR-Lexretrieved 9 Jun 2026
  2. [2]European Commission: AI regulatory frameworkretrieved 9 Jun 2026
  3. [3]AI Act Explorer: high-level summaryretrieved 9 Jun 2026
  4. [4]AI Act implementation timelineretrieved 9 Jun 2026
  5. [5]Council of the EU: Digital Omnibus provisional agreement, 7 May 2026retrieved 9 Jun 2026

The AI Act Brief

Subscribe to The AI Act Brief

We watch Brussels so you don't. Plain-English EU AI Act updates, free.

No spam. Unsubscribe anytime.

EU AI Act fines and penalties: €35m/7%, €15m/3%, €7.5m/1% explained | AI Act Navigator · AI Act Navigator