Partly in force since 2 February 2025Full enforcement: 4 months away
EU AI Act Fines: How Much Does Non-Compliance Actually Cost?
The EU AI Act has four fine tiers and three enforcement dates. The numbers are large — up to €35 million or 7% of global revenue, whichever is higher — but what you owe depends on which tier your violation falls into, your company size, and a list of ten mitigating and aggravating factors regulators consider before setting a final amount.
Fines are not theoretical
Article 5 enforcement started on 2 February 2025 — more than a year before the main 2026 deadline. GPAI model obligations have applied since August 2025. If your AI system touches any prohibited practice or GPAI classification, you are already within enforcement scope. The August 2026 deadline is not when the rules start — it is when the last group of systems comes into scope.
What fine tier applies to your system?
Regumatrix identifies your risk tier, maps your system to the correct Article 99 paragraph, and names your maximum fine exposure — based on exactly what your system does, not a generic guess.
Each tier maps to a different set of violations. A single company could face multiple tiers simultaneously if it has both prohibited AI and high-risk AI compliance gaps.
Tier 1 — Prohibited AI
€35,000,000or 7% of global annual turnover(whichever is higher)
In force since February 2025
Using, building, or selling any of the 8 AI practices banned under Article 5. This includes social scoring, real-time facial recognition in public by police without authorisation, emotion detection at work, and subliminal manipulation.
An HR platform with social scoring logic
Emotion recognition deployed in a school or workplace
A facial scraping tool that builds biometric databases
These fines are already active. There is no future enforcement date for Article 5.
€15,000,000or 3% of global annual turnover(whichever is higher)
4 months away
Failing to meet your obligations as a provider, deployer, authorised representative, importer, distributor, or notified body — for AI systems that fall into the high-risk category under Annex III.
No risk management system in place before launch (Art 16)
Deploying a high-risk AI without logging or human oversight (Art 26)
Missing technical documentation required before a conformity assessment
Full enforcement for most high-risk AI systems starts 2 August 2026.
€15,000,000or 3% of global annual turnover(whichever is higher)
In force since August 2025
Violations by providers of general-purpose AI models (GPAI) — models like GPT-4, Claude, or Gemini class — issued directly by the European Commission, not national authorities.
Failing to comply with a Commission information request under Art 91
Not cooperating with a Commission evaluation under Art 92
Refusing to implement corrective measures ordered under Art 93
GPAI fines are issued by the European Commission, not member state authorities. They apply regardless of where the GPAI provider is based.
The SME cap rule works differently than you expect
Under Art. 99(6) , SMEs and start-ups are fined the lower of the percentage cap or the flat euro amount. This is the opposite of the standard rule (where you pay whichever is higher).
Large company — €600M turnover
7% = €42M → but the ceiling is €35M (flat amount is lower)
Max fine: €35,000,000
SME — €5M turnover
7% = €350K → lower than €35M flat, so SME pays the percentage
Max fine: €350,000
PROPOSAL — not yet enacted lawCOM(2025) 836 · Art 1 pt29
The Digital Omnibus proposal would extend this cap to SMCs (small mid-cap enterprises) — companies with fewer than 500 employees that are not SMEs. Under current law, only SMEs and start-ups receive the inverse cap. If COM(2025) 836 is enacted, Art 99(6) would explicitly read “SMCs and SMEs, including start-ups.”
10 factors that change the final amount
The tier sets the ceiling. Regulators set the actual fine based on these factors from Art. 99(7).
Self-reported the violation
Reduces fine
Cooperated fully with authorities
Reduces fine
Took immediate corrective action
Reduces fine
No financial benefit from the violation
Reduces fine
Negligent rather than intentional
Reduces fine
Intentional violation
Increases fine
Financial gain from the violation
Increases fine
Large number of affected people
Increases fine
Previous violations of EU law
Increases fine
Refused to cooperate with investigation
Increases fine
PROPOSAL — not yet enacted lawCOM(2025) 836
What the Digital Omnibus proposal changes for penalties
COM(2025) 836 — the Digital Omnibus on AI — is a legislative proposal published in March 2025. It has not been enacted. If it becomes law, two things change for Article 99 enforcement:
SMC fine cap extended (Art 1 pt29). The inverse cap currently in Art 99(6) — which protects SMEs and start-ups from disproportionate flat-euro fines — would be extended to SMCs (small mid-cap enterprises): companies with fewer than 500 employees that fall outside the SME definition. This is a significant protection for growth-stage companies.
AI Office direct enforcement powers (Art 1 pt25). Under 836, the AI Office (a body within the European Commission) would gain exclusive competence to supervise and enforce Art 99 fines against two types of AI system: (1) AI systems built on a GPAI model where the same company is both GPAI provider and AI system provider; and (2) AI systems embedded in Very Large Online Platforms (VLOPs) or Very Large Online Search Engines (VLOSEs). If 836 is enacted, those actors would face enforcement from the Commission — not national authorities — via a new implementing act under Art 75(1a).
Plan compliance for current law. Monitor 836 progress at EUR-Lex — COM(2025) 836 final.
Not sure which tier your system falls into?
Most teams don't know their fine exposure because they haven't classified their AI system against Annex III. Without that classification, you don't know whether you're in Tier 1, Tier 2, or outside scope entirely. If any of these apply to your company, you need a precise answer before August 2026:
Your AI makes or influences decisions that affect people (employment, credit, education)
Your AI uses facial recognition, biometrics, or emotional signals
You sell AI tools to EU businesses or users
You are a non-EU company with EU customers
Your AI is built on top of a GPAI model like GPT-4 or Claude
For most AI systems, fines are issued by national market surveillance authorities — the competent authority designated by each EU member state. Germany, France, Spain and other countries each appoint their own authority. For general-purpose AI models (GPAI), fines are issued directly by the European Commission under Article 101. For EU institutions using AI, fines are issued by the European Data Protection Supervisor under Article 100.
Does the 7% fine apply to the entire company or just the AI product revenue?▾
The fine is calculated on total worldwide annual turnover of the undertaking — meaning the entire company group, not just the revenue from the non-compliant AI product. If a division of a €10 billion company builds a prohibited AI system, the 7% fine ceiling is €700 million — not just a percentage of that division's revenue.
Can my company be fined before August 2026?▾
Yes — for two categories. Article 5 prohibited AI (Tier 1) has been enforceable since 2 February 2025. Article 5 violations carry the highest fine tier: €35M or 7%. Additionally, GPAI model obligations under Article 53 have applied since 2 August 2025, and the Commission can already issue GPAI fines under Article 101. Fines for high-risk AI violations (Tier 2) become enforceable from 2 August 2026.
Does the SME fine cap mean smaller companies pay less?▾
Yes, but not in the way you might expect. Under Article 99(6), for SMEs and start-ups, each fine is capped at whichever is lower — the percentage of turnover OR the flat euro amount. For a small company with €5M annual turnover, 7% is €350,000 — which is lower than €35M, so the fine ceiling is €350,000. For a company with €600M annual turnover, 7% is €42M — which is higher than €35M, so the ceiling is €35M. The flat amount protects large companies; the percentage protects small ones.
Can you be fined even if no one was harmed?▾
Yes. EU AI Act fines are not compensation for damages — they are administrative penalties for regulatory non-compliance. Article 99(7) lists factors affecting fine size, and harm to affected persons is only one of ten. Intentional violation, financial benefit gained, and failure to cooperate with authorities are equally relevant factors. A company that deploys a prohibited AI system, harms no one, and self-reports still faces a potential fine — though cooperation and lack of harm are mitigating factors.
Know your exact fine exposure before a regulator does the maths for you
The fine tiers on this page are ceilings. Where you land within that ceiling depends on your specific system, your Annex classification, your role (provider or deployer), and the mitigating factors you can document.
Describe your AI system in plain language. Regumatrix returns your risk tier, the Annex III domain (or GPAI classification), the Article 99 paragraph that applies to you, and the list of obligations you need to meet before enforcement begins. Eight sections, Article citations, about 30 seconds.
