EU AI Act penalties and fines explained
- Penalties are tiered: up to 35M euro / 7% (prohibited), 15M / 3% (most obligations), 7.5M / 1% (false information).
- For larger firms the fine is the higher of the sum or percentage; SMEs benefit from the lower cap.
- Authorities can also order corrective measures or withdrawal from the EU market, not just fines.
- The evidence that prevents penalties is the same evidence that builds buyer trust.
- Current as of June 2026. This is general information, not legal advice.
The three penalty tiers
The Act's fines are structured in three main tiers:
- Up to 35 million euro or 7 percent of global annual turnover for breaching the prohibitions on unacceptable-risk AI practices. This is the most serious tier.
- Up to 15 million euro or 3 percent of global annual turnover for breaching most other obligations, including the requirements on high-risk systems, for providers and deployers.
- Up to 7.5 million euro or 1 percent of global annual turnover for supplying incorrect, incomplete, or misleading information to authorities.
For larger companies, the fine in each case is the higher of the fixed sum or the percentage.
How SMEs and startups are treated
The Act applies the penalties proportionately to smaller organisations. For SMEs and startups, the fine is generally the lower of the fixed amount or the percentage, rather than the higher. This softens the impact, but it does not remove it, and even the lowest tier can be material for an early-stage company.
Beyond fines
Penalties are not the only enforcement tool. Authorities and the AI Office can request information, require access to systems, order corrective measures, and in some cases require a system to be withdrawn from the EU market. For many organisations, the operational disruption of a withdrawal or a forced remediation can matter as much as a fine.
When penalties apply
The penalties framework took effect alongside the phased obligations, with rules for penalties to be laid down by Member States from 2 August 2025. The fines attach to the obligations as they come into force, so prohibited-practice and GPAI breaches are already exposed, while high-risk penalties track the high-risk obligations as they apply.
The constructive way to read this
Fines make the headlines, but the more useful framing is that the Act rewards organisations that can demonstrate good governance. The same evidence that protects you from penalties (a clear inventory, documented risk decisions, and current records) is exactly what enterprise buyers and partners increasingly ask to see. Building that evidence is both a shield against penalties and an enabler of trust and sales.
Key terms
- Article 99: The EU AI Act article that sets the penalty framework and tiered fines for breaches.
- Unacceptable-risk practices: The prohibited AI uses, breaches of which attract the highest tier of fine.
- Proportionate cap: The lower of the fixed amount or percentage applied to SMEs and startups, instead of the higher.
- AI Office: The European Commission body overseeing implementation and enforcement of the AI Act.
- Corrective measures: Remedial steps an authority can require, including withdrawal of a system from the EU market.