EU AI Act Compliance

EU AI Act Fines & Penalties: What You Could Owe in 2026

Q: Is the EU AI Act fine 6% or 7% of turnover?

Seven percent. The adopted text (Regulation 2024/1689, Article 99(3)) sets the prohibited-practice tier at the higher of EUR 35 million or 7% of worldwide annual turnover. A 6% figure still circulates in some summaries — it does not match the adopted Regulation text.

Q: Does the fine apply to revenue or turnover?

Turnover, not revenue. The regulation text (Article 99) uses "total worldwide annual turnover for the preceding financial year." In EU competition law this is interpreted as gross revenue across all business activities — not net revenue or profit. For groups, turnover consolidates across the undertaking.

Q: Are the fines different for small businesses and startups?

Yes. Under Article 99(6) the SME cap inverts the ordinary rule: each fine is the lower of the percentage or the absolute amount, not the higher. For a startup with EUR 2 million in turnover, an operator-obligation fine is capped at 3% of turnover (EUR 60 000), not EUR 15 million.

The EU AI Act sets three tiers of administrative fines. The top tier is EUR 35 million or 7% of worldwide annual turnover, whichever is higher. This guide walks through who is exposed to which tier, how the SME cap works, and how enforcement actually begins.

The three fine tiers at a glance

Violation	Max fine	% of worldwide turnover
Prohibited practices (Art. 5)	EUR 35 million	7% (higher applies)
Operator / notified-body obligations (Arts. 16, 22, 23, 24, 26, 50, 31, 33, 34)	EUR 15 million	3% (higher applies)
Incorrect / misleading information to authorities	EUR 7.5 million	1% (higher applies)

Fines apply from August 2, 2026 for most obligations — the date the EU AI Act becomes generally applicable. See Timeline below.

1. Top tier: EUR 35 million / 7% for prohibited practices

Article 99(3) sets the highest fine tier. It applies only to AI systems that fall under Article 5 — practices the EU AI Act deems unacceptably harmful to fundamental rights, and therefore banned outright.

What Article 5 prohibits

Subliminal, manipulative, or deceptive techniques causing significant harm
Exploitation of vulnerabilities (age, disability, socio-economic situation)
Social scoring leading to detrimental treatment
Real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions)

Full list: Art. 5(1)(a)–(h). Interpretive reading of each category typically requires counsel because of vague spans like "significant harm".

The fine formula

For an undertaking (a company), the penalty is the higher of:

EUR 35 million, or
7% of total worldwide annual turnover for the preceding financial year

Worldwide turnover, not EU turnover. A non-EU company placing a prohibited system on the EU market is exposed to its global revenue base.

2. Mid tier: EUR 15 million / 3% for operator obligations

Article 99(4) covers the operator obligations that fall outside Art. 5 — the bulk of the EU AI Act's compliance surface. This is the tier most companies will be exposed to.

Which obligations this covers

Provider obligations (Art. 16) — the full provider duty stack
Authorised-representative obligations (Art. 22)
Importer and distributor obligations (Arts. 23, 24)
Deployer obligations (Art. 26) — including the six-month log-retention rule under Art. 26(6)
Transparency obligations to end users (Art. 50)
Notified-body obligations (Arts. 31, 33, 34)

The fine formula

For an undertaking, the penalty is the higher of:

EUR 15 million, or
3% of total worldwide annual turnover

If you use OpenAI, Anthropic, or another third-party AI provider in your product, your exposure most often lands in this tier — as a deployer under Art. 26 and for transparency duties under Art. 50. See the full deployer obligations guide.

3. Lower tier: EUR 7.5 million / 1% for supplying incorrect information

Article 99(5) creates a distinct fine for supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in response to a request. This is not a substantive AI-Act violation — it is a separate duty of candour with regulators.

The fine formula

For an undertaking, the penalty is the higher of:

EUR 7.5 million, or
1% of total worldwide annual turnover

4. The SME cap — the one rule that favours startups

For SMEs (including startups), Article 99(6) inverts the ordinary rule: each fine is capped at the lower of the percentage or the absolute amount — not the higher.

What changes for SMEs

Tier	Ordinary rule	SME rule
Art. 5 prohibited	Higher of 35M / 7%	Lower of 35M / 7%
Operator obligations	Higher of 15M / 3%	Lower of 15M / 3%
Incorrect information	Higher of 7.5M / 1%	Lower of 7.5M / 1%

For a startup with EUR 2 million in annual turnover, an operator-obligation fine is capped at 3% of turnover (EUR 60 000), not EUR 15 million. This is the single most important rule for SaaS founders reading this page to understand.

5. When fines start — and when they won't

The fine articles (Art. 99) apply from August 2, 2026, the date the EU AI Act becomes generally applicable. Before that date, the corresponding substantive obligations (prohibited practices, transparency, operator duties) are either already in force (prohibited practices and AI literacy have applied since February 2, 2025) or are building up to the August 2026 date. Enforcement is paced to match.

Known date pressures

Article 5 (prohibited practices) and Article 4 (AI literacy) — applied since February 2, 2025. Fines under Art. 99(3) for Art. 5 breaches attach once Art. 99 itself applies in August 2026.
Annex I legacy regulated products have a later ramp (August 2, 2027).
A Commission proposal (COM(2025) 836, the "Digital Omnibus on AI") would move Annex III high-risk obligations six months later, to December 2, 2027. Not yet adopted. Plan for the current dates; track the proposal.

6. Who enforces and how fines actually get issued

Fines are not assessed by a single EU body. Each Member State designates one or more national competent authorities to supervise AI Act compliance within its borders. The Commission's AI Office coordinates cross-border cases and handles general-purpose AI (GPAI) provider enforcement directly.

Typical triggers

A market-surveillance authority opens a proactive inspection of a high-risk AI system
A complaint from an end user, workers' representative, or affected person reaches a national authority
A notified body flags an issue during conformity assessment
A serious incident is reported under the notification rules
Press coverage or civil-society reporting surfaces a likely Art. 5 breach

Authorities are required to give companies an opportunity to be heard before issuing a fine, and the decision itself is subject to judicial review. Expect proceedings to take months, not weeks. That is long enough to fix documented issues — but not long enough to start from scratch if the August 2026 deadline arrives without any compliance work done.

7. How to stay out of the fine zone

This Week

Know which tier you are exposed to

Run our free scanner to classify your AI system by role and risk level. Most SaaS deployers land in Tier 2 (operator obligations), not Tier 1 (prohibited practices).

Scan your AI stack →

This Month

Confirm you are not in Tier 1

Cross-check your use cases against the Art. 5 prohibited-practice list. Most B2B SaaS products are not prohibited — but "emotion recognition in the workplace" and "social scoring" are catch-all spans that need legal review at the edges.

Use the decision tree →

Before August 2, 2026

Document your operator-obligation compliance

For each obligation (deployer log retention, transparency notices, risk classification, provider documentation), have a written record of how you meet it. This is what authorities ask for first and what Art. 99(5) penalises if supplied incorrectly.

DPIA template →

Frequently asked questions

What is the maximum fine under the EU AI Act?

The highest tier is EUR 35 million or 7% of total worldwide annual turnover, whichever is higher — reserved for non-compliance with the Art. 5 prohibited-practice list. Most violations fall under lower tiers: EUR 15 million / 3% for operator obligations and EUR 7.5 million / 1% for supplying incorrect information to authorities.

What percentage of global turnover can the EU AI Act fine?

Up to 7% of total worldwide annual turnover for prohibited practices under Art. 5. For operator-obligation violations the cap is 3% of worldwide turnover, and for supplying incorrect information to authorities it is 1%. The percentage is measured against the preceding financial year.

Is the EU AI Act fine 6% or 7% of turnover?

Seven percent. The adopted text (Regulation 2024/1689, Art. 99(3)) sets the prohibited-practice tier at the higher of EUR 35 million or 7% of worldwide annual turnover. A 6% figure still circulates in some summaries — it does not match the adopted Regulation text.

What are the EU AI Act fines for high-risk AI systems?

High-risk AI system obligations fall under the operator-obligations tier: EUR 15 million or 3% of worldwide turnover, whichever is higher. This covers provider duties under Art. 16 (risk management, documentation, logs, conformity assessment, registration), deployer duties under Art. 26, and the transparency duties under Art. 50. Art. 5 prohibitions are a separate, higher tier.

Does the fine apply to revenue or turnover?

Turnover, not revenue. The regulation text (Art. 99) uses "total worldwide annual turnover for the preceding financial year." In EU competition law this is interpreted as gross revenue across all business activities — not net revenue or profit. For groups, turnover consolidates across the undertaking.

Are the fines different for small businesses and startups?

Yes. Under Art. 99(6) the SME cap inverts the ordinary rule: each fine is the lower of the percentage or the absolute amount, not the higher. For a startup with EUR 2 million in turnover, an operator-obligation fine is capped at 3% of turnover (EUR 60 000), not EUR 15 million. See the SME cap section above for the full comparison.

When do EU AI Act fines start being issued?

From August 2, 2026 — the date the EU AI Act becomes generally applicable — the fine provisions in Art. 99 are in force. Prohibited practices (Art. 5) and AI literacy (Art. 4) have applied since February 2, 2025, but their associated Art. 99 fine tiers attach once Art. 99 itself applies. Some high-risk ramps are later (Annex I legacy: August 2, 2027).

Who enforces the EU AI Act fines?

National competent authorities designated by each Member State supervise AI Act compliance within their borders. The Commission's AI Office handles general-purpose AI provider enforcement directly and coordinates cross-border cases. Companies are given a hearing before a fine is issued, and the decision is subject to judicial review.

Related Guides

This guide explains the fine structure in the EU AI Act (Regulation 2024/1689, Art. 99). It is not legal advice. Apportionment of a fine in a specific case depends on factors listed in Art. 99(7) — nature and gravity of the infringement, whether fines have already been applied by other authorities, size of the operator, and the operator's degree of cooperation. Consult qualified counsel for formal exposure assessment.