EU AI Act fines and penalties: how much can you be fined

EU AI Act fines and penalties: how much can you be fined

The EU AI Act introduces some of the largest potential fines in technology regulation, exceeding GDPR penalties in the most serious cases. For startups and growth-stage companies, even the mid-tier penalties can be existential. Understanding the fine structure is not just a legal exercise, it is a product and business risk calculation every CTO should have done before the August 2026 deadlines arrive.

What the EU AI Act requires

Article 99 sets out three tiers of administrative penalties. The highest tier applies to violations of the prohibited practices in Article 5 (unacceptable-risk AI): fines of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. The middle tier applies to non-compliance with most other obligations in the Act, including Annex III high-risk requirements (Articles 9 to 17), GPAI model obligations (Articles 51 to 56), and transparency requirements (Article 50): fines of up to EUR 15 million or 3% of total worldwide annual turnover. The lowest tier applies to supplying incorrect, incomplete, or misleading information to national competent authorities: fines up to EUR 7.5 million or 1% of turnover. For SMEs and startups, Article 99(6) gives national authorities discretion to apply proportionate penalties, but this is discretionary, not guaranteed.

What this means for your business

For a startup generating EUR 5 million in annual revenue, a 3% fine is EUR 150,000. For a scale-up at EUR 50 million revenue, it is EUR 1.5 million. These figures assume the minimum percentage threshold, and national authorities can go higher within the statutory caps. Beyond fines, Article 88 empowers authorities to order withdrawal of a non-compliant AI system from the EU market, which for a SaaS business that sells to European customers is effectively a forced shutdown. Reputational damage from public enforcement actions is an additional compounding risk. GPAI model providers face the EUR 15M or 3% tier from August 2, 2026, making this the most immediate enforcement exposure for AI-native startups.

Steps to get compliant

1. Map your highest-risk exposure first: if your product includes any system that could be classified as prohibited under Article 5 (biometric categorisation, social scoring, real-time remote biometric identification in public spaces), remove or redesign it immediately. 2. Address GPAI and Article 50 obligations before August 2, 2026, as this is the first enforcement window for the EUR 15M or 3% tier. 3. Build documented evidence of your compliance efforts: Article 99 penalties are assessed partly on whether the company took reasonable steps to comply, and regulators consistently treat documented good-faith efforts as a mitigating factor. 4. Register your point of contact with your national market surveillance authority well before enforcement begins, as first contact with regulators should not be in response to an investigation.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener
EU AI Act fines and penalties: how much can you be fined | ActComply