EU AI Act Fines and Penalties - The Three Tiers
EU AI Act fines come in three tiers under Article 99: up to 35 million euros or 7 percent of worldwide annual turnover (whichever is higher) for prohibited practices, up to 15 million euros or 3 percent for breaking most other obligations, and up to 7.5 million euros or 1 percent for feeding authorities incorrect, incomplete, or misleading information. Here is what lands you in each bucket.
The penalty table
| Tier | Ceiling | What triggers it |
|---|---|---|
| 1 | 35M euros or 7% of turnover | Article 5 prohibited practices: social scoring, manipulative techniques, untargeted facial-image scraping |
| 2 | 15M euros or 3% | Non-compliance with the operational obligations: the high-risk duties (Articles 9 to 15, 16, 26), Article 50 transparency, and related requirements |
| 3 | 7.5M euros or 1% | Incorrect, incomplete, or misleading information to notified bodies or authorities |
For SMEs and startups the same tiers apply, but capped at whichever of the two amounts is lower. Member states set the procedures and can add penalties of their own; the EU AI Office handles fines for general-purpose model providers separately under Article 101.
The detail people miss
Tier 3 is the quiet one. You can do the engineering work and still get fined for the paperwork around it, because answering a regulator's request sloppily is its own violation. That is a strong argument for keeping classification reasoning, documentation, and an audit trail in one place rather than across inboxes. It is also why every document AI Comply HQ generates is versioned and timestamped.
When is this enforceable?
The penalties chapter applies from 2 August 2025, with each obligation becoming finable as it becomes applicable: the prohibitions and the GPAI duties are finable already, and the high-risk and Article 50 obligations become finable from 2 August 2026 under the current text.
What should you do about it?
Two things this quarter. Classify every system, because tier determines exposure. Then close the gap on whichever obligation list applies. The compliance checklist walks the triage, and the free risk check does the first step for you.
FAQ
Are fines the only risk?
No. Market-surveillance authorities can order systems withdrawn or recalled, which for a software business can hurt more than the fine.
This page is informational content, not legal advice. Talk to a qualified lawyer about your specific situation.