EU AI Act penalties and enforcement: what is at stake — 2026-06-23

TL;DR — The EU AI Act imposes administrative fines of up to €30 million or 6% of annual global turnover (whichever is higher) for violations of prohibited AI practices, and up to €15 million or 3% of turnover for high-risk system breaches. Fines scale by violation severity and infringer size. Member state authorities enforce through investigations and corrective orders.


What are the maximum penalties under the EU AI Act?

The EU AI Act establishes a tiered fine structure. The highest category—violations of prohibitions on certain AI practices (Article 5)—carries administrative fines up to €30 million or 6% of annual global turnover, whichever is higher. Infringements of high-risk AI system requirements (Articles 6–15) incur fines up to €15 million or 3% of global turnover. Lower-tier violations attract proportionate penalties. Fines apply to both providers and deployers of non-compliant systems.

Who enforces the EU AI Act and how?

Member state authorities designated as national AI offices conduct investigations, issue corrective orders, and impose fines. The European Commission oversees compliance for high-risk systems and coordinates enforcement. Enforcement begins with inspections, document requests, and technical assessments. Authorities may order suspension of non-compliant AI systems, require remediation, or escalate to formal penalty proceedings. Procedures respect proportionality and the right to be heard.

When do penalties take effect?

Enforcement timelines depend on the AI Act's phased implementation. Prohibitions on unlawful practices take effect immediately upon entry into force. High-risk system rules apply after a transition period. Fines are imposed only after the relevant obligations are in force. Organizations have time to audit and remediate, but delay does not shield non-compliance once deadlines pass.

What factors determine fine amounts?

The EU AI Act directs authorities to consider:

  • Nature and gravity of the violation
  • Duration of non-compliance
  • Intentionality (deliberate vs. negligent)
  • Systemic impact and scale of harm
  • Organization size (SMEs receive proportionate treatment)
  • Cooperation with authorities
  • History of prior violations

No single violation triggers a fixed fine; each case is assessed individually within statutory caps.


Frequently asked questions

Can small or medium enterprises (SMEs) face the same fines as large companies?

No. The EU AI Act requires authorities to apply fines proportionately. SMEs benefit from reduced caps and consideration of financial impact. A 6% fine is calculated on actual turnover, meaning smaller organizations pay proportionally less.

Are there penalties for failure to comply with a corrective order?

Yes. The EU AI Act allows authorities to impose periodic fines if organizations refuse or delay implementation of required remediation. Non-compliance compounds liability.

Does the EU AI Act impose criminal penalties?

The EU AI Act itself establishes administrative fines only. Member states may implement complementary criminal sanctions for egregious conduct (e.g., harm to safety), but these are not part of the AI Act framework.

Can individuals (not just organizations) be penalized?

The EU AI Act primarily targets organizations. Individual liability (for officers, researchers, or developers) depends on national law implementing the Act and may apply in cases of fraud or recklessness.

Is there a statute of limitations for enforcement?

The EU AI Act does not specify a limitation period; enforcement timelines are governed by general EU administrative law and member state procedures. Investigations may commence years after a violation occurs.


Sources

[1] Regulation (EU) 2024/1689 — EU AI Act


This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.