The EU AI Act provides for administrative fines of up to EUR 35 million or 7% of a company's total worldwide annual turnover - whichever is higher. That is a level of sanctions comparable to the GDPR, and at the top tier even stricter.
In this guide we explain exactly which penalties the regulation provides for, what they are imposed for, who they apply to, who imposes them in practice and - most importantly - how to prepare so you can avoid them.
The three penalty tiers in the AI Act
Article 99 of the AI Act sets out three basic tiers of administrative fines:
- Up to EUR 35 million or 7% of turnover - for engaging in the prohibited practices of Article 5 (e.g. manipulative subliminal techniques, social scoring, prohibited emotion recognition in the workplace and education, untargeted scraping of facial images for recognition databases);
- Up to EUR 15 million or 3% of turnover - for breaching the regulation's other obligations, including the obligations of providers and deployers of high-risk systems, transparency obligations, and the obligations of importers and distributors;
- Up to EUR 7.5 million or 1% of turnover - for supplying incorrect, incomplete or misleading information to authorities.
In all cases, the higher amount applies. An exception is made for SMEs, including start-ups - for them, the lower of the two possible amounts applies. That is real relief, but not an exemption: for a small company, even the lower tier can mean a fine that threatens liquidity.
A separate regime applies to providers of general-purpose AI models (GPAI): the European Commission can impose fines of up to EUR 15 million or 3% of turnover (Article 101).
What can an „ordinary" company realistically be fined for?
Most organisations do not build their own AI models - they use off-the-shelf tools. Does that mean the fines do not apply to them? No. The AI Act also places obligations on deployers of AI, and breaching those obligations falls within the tier of up to EUR 15 million or 3% of turnover. We wrote about this in Does the AI Act only apply to tech companies?
The most practical risk areas for companies using AI are:
- unknowingly engaging in a prohibited practice - e.g. a tool analysing employees' emotions, or scoring based on data unrelated to the purpose;
- using a high-risk system without meeting deployer obligations (Article 26) - e.g. AI in recruitment, credit scoring, education;
- lack of transparency (Article 50) - not labelling AI-generated content where required, chatbots that do not disclose that the user is talking to AI;
- lack of AI literacy (Article 4) - the obligation to ensure AI competence has applied since 2 February 2025; it carries no separate fine amount of its own, but neglecting it weighs against the company in every incident and every inspection.
Who imposes the fines and since when?
The penalty provisions have applied since 2 August 2025, but enforcing them requires a national supervision system. Poland's Act on artificial intelligence systems - designating the supervisory authority and procedures - has gone through the government legislative process and reached parliament; we covered it in our article on Poland's AI bill in parliament.
The key date is 2 August 2026 - from that day the regulation applies in full and organisations must be able to demonstrate compliance. We explain exactly what changes that day in The EU AI Act and 2 August 2026.
It is worth remembering that a financial penalty is only part of the risk. The supervisory authority can also, among other things, order a system to be withdrawn from use. Then there are reputational costs, lost tenders and clients' compliance questions - increasingly common in B2B contracts.
What determines the size of the fine?
The AI Act requires penalties to be effective, proportionate and dissuasive. When setting them, authorities take into account, among other things: the nature, gravity and duration of the infringement, its effects, the number of people affected, intent or negligence, actions taken to mitigate harm, previous infringements and - crucially - the degree of cooperation with the authority and whether the organisation had preventive measures in place.
That last criterion matters enormously in practice. A company that has an AI system register, an AI usage policy, trained employees and evidence of those actions is in a completely different position from a company that can show nothing. Even if an incident occurs, documented diligence directly affects the size of the penalty.
How to prepare: 5 steps before an inspection
1. Inventory your AI - build a register of tools and systems, including shadow AI.
2. Check prohibited practices and high-risk systems - go through Article 5 and Annex III; establish whether any use case requires special measures.
3. Introduce rules and train employees - an AI policy + AI literacy training with an exam and certificate (Article 4).
4. Collect evidence - acknowledgements, certificates, decisions, reviews. These decide the company's position in any conversation with the authority.
5. Test your readiness - like an auditor would: step by step, area by area. We describe how in An EU AI Act compliance audit step by step.
How does AI TrustCERT help?
The AI TrustCERT platform covers exactly the areas that determine the size of a potential fine: an AI system register, policies and acknowledgements, certified training and a readiness report with due-diligence evidence - up and running in 1-7 days. You will find the full overview of obligations, deadlines and sanctions on our EU AI Act compliance page.
Want to know which penalty tiers apply to your organisation at all? Take the free AI Ready Check - 3 minutes, no commitment.
Summary
The AI Act's penalties are high by design: up to EUR 35 million or 7% of turnover for prohibited practices, up to EUR 15 million or 3% for breaching obligations, up to EUR 7.5 million or 1% for misleading authorities - with a softer mechanism for SMEs.
But the most important message is different: the size of the fine depends on what the organisation did before something went wrong. A register, rules, training and evidence are not the cost of bureaucracy - they are an insurance policy that works exactly when it is needed.
Sources
- Regulation (EU) 2024/1689 (AI Act) - Article 99 (administrative fines), Article 101 (fines for GPAI providers), Article 5 (prohibited practices), Article 26 (deployer obligations), Article 50 (transparency), Article 113 (application dates): eur-lex.europa.eu
- European Commission - AI regulatory framework and application timeline: digital-strategy.ec.europa.eu
- Government bill on artificial intelligence systems (legislative process in the Polish Sejm): sejm.gov.pl