In May 2023, Ireland’s Data Protection Commission fined Meta EUR 1.2 billion. Not for hacking. Not for data theft. For transferring personal data to the United States without a valid legal basis under GDPR Chapter V. A paperwork failure — the most expensive one in regulatory history.
The EU AI Act penalty structure under Regulation (EU) 2024/1689 follows the same logic. Everyone fixates on the headline number: EUR 35 million or 7% of global turnover for prohibited AI practices. But most organizations will never deploy a banned AI system. They will fail on documentation. They will miss conformity assessments. They will lack risk management records. These are Tier 2 violations — EUR 15 million or 3% of turnover — and they are what regulators will actually fine you for.
This article explains the EU AI Act penalties not by quoting maximum numbers, but by predicting which fines will actually be issued, to whom, and when.
What Are the Three Penalty Tiers?
Art. 99 of the EU AI Act creates three tiers. The table takes 30 seconds to read. Everything after it is the analysis that matters.
| Tier | Maximum Fine | % of Global Turnover | Triggers |
|---|---|---|---|
| 1 — Highest | EUR 35 million | 7% | Art. 5 prohibited practices, Art. 10 data governance violations |
| 2 — Main | EUR 15 million | 3% | All other AI Act obligations: high-risk requirements (Arts. 6-49), GPAI obligations (Ch. V) |
| 3 — Lowest | EUR 7.5 million | 1% | Supplying incorrect information to notified bodies or authorities |
The “whichever is higher” clause makes the percentage the real number for any company with significant revenue. A company earning EUR 5 billion in global turnover faces EUR 350 million at Tier 1 (7%), not EUR 35 million. The fixed amount only matters for small companies.
Which Violations Will Regulators Enforce First?
This is the question nobody is answering well. The AI Act is new. No fines have been issued yet. But GDPR gives us eight years of enforcement data from the same regulators, in the same legal system, with a similar penalty structure. EUR 5.8 billion in total GDPR fines across 2,245 enforcement actions from 2018 to 2025 (BuiltInEu/Statista) show a clear pattern.
GDPR enforcement followed three phases:
- Years 1-2 (2018-2020): Warnings, guidance, and small fines for transparency failures. Average fine under EUR 100K. Regulators were building capacity.
- Years 3-5 (2021-2023): Large fines for systematic, high-profile violations. Meta EUR 1.2B, Amazon EUR 746M, WhatsApp EUR 225M. All for process failures, not malice.
- Years 5+ (2024-2026): Sector-specific campaigns targeting ad tech, AI training data, and automated decision-making. Italy fined OpenAI EUR 15 million.
The AI Act will follow the same arc. Here is a prediction, specific enough to be wrong:
| Period | What Gets Enforced | Penalty Tier |
|---|---|---|
| 2025-2026 | Art. 5 monitoring. Guidance published. Warnings issued. No large fines. | Tier 1 (but not yet) |
| H2 2026-2027 | First Tier 2 fines: missing documentation, no conformity assessment after Aug 2026 deadline | Tier 2 |
| 2027-2028 | Escalation for repeat offenders and willful non-compliance | Tier 1 + 2 |
| 2028+ | GPAI enforcement matures. First fines against foundation model providers. | Tier 2 |
Why paperwork violations come first, not prohibited practices: Regulators enforce what they can prove. Technical documentation either exists or it doesn’t. A conformity assessment was either completed or it wasn’t. These are binary checks. Proving that an AI system uses “subliminal techniques beyond conscious awareness” (Art. 5(1)(a)) requires expert analysis, contested evidence, and legal argument. Documentation gaps require an auditor and a checklist.
The enforcement risk ranking, from most likely to least:
| Rank | Violation | Article | Why It’s Early | Tier |
|---|---|---|---|---|
| 1 | Missing technical documentation | Art. 11 | Binary: exists or doesn’t. First thing auditors check. | 2 |
| 2 | No conformity assessment | Art. 43 | Mandatory for all high-risk. Aug 2026 deadline creates a clear enforcement trigger. | 2 |
| 3 | Failure to register in EU database | Art. 49 | Public database. Non-compliance is visible to anyone. | 2 |
| 4 | No risk management system | Art. 9 | Process requirement. Auditable against Art. 9(2) criteria. | 2 |
| 5 | Transparency failures | Art. 13 | Visible to end users. Generates complaints to authorities. | 2 |
| 6 | Prohibited practice deployment | Art. 5 | Highest penalty but hardest to prove. Requires intent analysis. | 1 |
How Are Fines Actually Calculated?
Art. 99(3) lists ten criteria that national authorities must consider. Listing them is not useful. Showing how they combine is.
Scenario A: Mid-Size MedTech (EUR 200M Turnover)
A radiology AI provider deploys its system in German hospitals without completing a conformity assessment under Art. 43. A competitor completes its assessment and reports the gap to the market surveillance authority.
- Base calculation: Tier 2. EUR 15M or 3% of EUR 200M = EUR 6M. The percentage wins.
- Aggravating factors: The company knew about the obligation. A direct competitor demonstrated it was achievable. The system processed patient data for 14 months without assessment.
- Mitigating factors: Cooperated fully with the investigation. Began the assessment immediately after the inquiry. No patient harm documented.
- Realistic fine estimate: EUR 2-4M. This is roughly 1-2% of turnover — consistent with mid-range GDPR fines for process violations.
Scenario B: Big Tech (EUR 50B Turnover)
A technology company deploys emotion recognition in its video interview platform across the EU. HR departments at 200+ companies use it to assess candidates. Art. 5(1)(f) prohibits emotion recognition in workplaces.
- Base calculation: Tier 1. EUR 35M or 7% of EUR 50B = EUR 3.5B. The percentage wins, dramatically.
- Aggravating factors: Intentional deployment. Full awareness of the prohibition. Thousands of affected job candidates. Revenue generated from the prohibited feature.
- Mitigating factors: Difficult to construct one. The prohibition is clear and was enforceable since February 2025.
- Realistic fine estimate: EUR 500M-1B. For reference, Meta’s GDPR fine of EUR 1.2B was approximately 2.4% of annual revenue. A 1-2% range for a clear AI Act Tier 1 violation is plausible.
These scenarios are hypothetical. The fine ranges are estimates based on GDPR precedent, not legal advice. But they show something the raw penalty tables cannot: the gap between maximum fines and likely fines is enormous, and it depends on how you respond to the violation as much as the violation itself.
What Do SMEs and Startups Actually Face?
Art. 99(5) says penalties for SMEs and startups must be “effective, proportionate and dissuasive” while considering their “economic viability.” In practice, fines are capped at the lower of the fixed amount or the percentage.
| Company Size | Revenue | Tier 2 Fine (3%) | Tier 1 Fine (7%) |
|---|---|---|---|
| Early-stage startup | EUR 500K | EUR 15K | EUR 35K |
| Growth-stage startup | EUR 5M | EUR 150K | EUR 350K |
| Scale-up | EUR 50M | EUR 1.5M | EUR 3.5M |
| Mid-size enterprise | EUR 500M | EUR 15M (cap) | EUR 35M (cap) |
| Large enterprise | EUR 5B | EUR 150M | EUR 350M |
A 10-person AI startup earning EUR 2M in revenue faces a maximum Tier 2 fine of EUR 60K — not EUR 15 million. A Tier 1 violation caps at EUR 140K. These numbers are survivable. The penalty structure is progressive by design.
This is not widely reported. Most media coverage quotes the EUR 35 million headline without noting the proportionality mechanism. The Commission designed the AI Act to avoid crushing small innovators with fines calibrated for Meta and Google.
Public bodies face a different regime entirely. Member States define penalties for their own government entities. Art. 99(7) permits but does not require financial penalties for public institutions. Some Member States will fine their own agencies. Most will not.
Why Your Country of Establishment Matters
GDPR enforcement proved that national regulators vary wildly in appetite and capacity. The same will happen under the AI Act.
| Member State | DPA/Authority | GDPR Track Record | AI Act Signal |
|---|---|---|---|
| Ireland | DPC | Slow but massive fines (Meta EUR 1.2B, WhatsApp EUR 225M). Hosts most big tech HQs. | Likely primary enforcer for US tech companies deploying AI in EU |
| France | CNIL | Aggressive, early enforcement. EUR 150M Google fine in 2022 for cookie consent. | Already issuing AI-specific guidance on training data. Probable early AI Act enforcer. |
| Italy | Garante | Proactive on AI: banned ChatGPT (2023), fined Clearview EUR 20M (2022), fined OpenAI EUR 15M (2024). | Most likely to issue first AI Act fine. Already treating GDPR as proxy for AI enforcement. |
| Germany | 16 state DPAs | Decentralized, inconsistent. Strong on employment and healthcare data. | Enforcement will vary by state. Large companies face uncertainty about which authority acts. |
| Spain | AEPD | Published first EU guidance on agentic AI (2025). Moderate fine levels. | Signaling interest in AI governance. Watch for sector-specific enforcement. |
A company headquartered in Ireland faces a different enforcement reality than one in Italy. Ireland’s DPC took four years to fine Meta. Italy’s Garante fined Clearview within months of the complaint. This gap will persist under the AI Act.
The One Insight Most Analyses Miss
The AI Act borrowed GDPR’s penalty structure but added a critical difference. Under GDPR, the highest tier (4% of turnover) required proving violation of core principles — lawfulness, fairness, transparency. These are broad, interpretive concepts. Every GDPR enforcement case involves argument about what “fairness” means in context.
Under the AI Act, Tier 1 (7% of turnover) targets specific, enumerated prohibited practices. Art. 5(1)(a) through (h) define eight concrete categories. The question is not “was this fair?” but “did you deploy a social scoring system — yes or no?” This is structurally easier to prove.
The implication: Tier 1 AI Act fines will arrive faster than Tier 1 GDPR fines did. GDPR’s highest-tier fines took five years to materialize at scale. The AI Act’s prohibited practices are binary and already enforceable. If a national authority finds a clear Art. 5 violation, the enforcement path is shorter than anything GDPR required.
Where to Allocate Your First EUR 100K of Compliance Budget
Compliance costs money. Spending it in the wrong order wastes it. This is a priority framework based on penalty exposure.
| Priority | Action | Estimated Cost | Penalty Avoided |
|---|---|---|---|
| 1 | AI system inventory and classification | EUR 15-25K | Prerequisite for everything else |
| 2 | Art. 5 prohibited practices audit | EUR 10-20K | Tier 1: up to 7% of turnover |
| 3 | Technical documentation for high-risk systems | EUR 20-40K | Tier 2: up to 3% of turnover |
| 4 | Conformity assessment preparation | EUR 15-30K | Tier 2: Aug 2026 deadline |
| 5 | Legal review of grey-zone systems | EUR 10-20K | Prevents classification errors |
These are directional figures for a mid-size organization with 3-5 AI systems. A 50-person fintech will spend at the lower end. A multinational insurer with 20+ AI tools will spend multiples. The priority order holds regardless of scale: you cannot assess conformity on systems you haven’t inventoried, and you cannot deprioritize prohibited practices when Tier 1 fines are already enforceable.
If your total AI compliance budget is under EUR 50K, start with items 1 and 2. The inventory tells you what you have. The Art. 5 audit tells you if any of it is illegal. Everything else can wait until August 2026. Those two steps cannot.
This content is for informational purposes only and does not constitute legal advice. Fine estimates are based on GDPR enforcement precedent and the author’s interpretation of Art. 99. Organizations should consult qualified legal counsel for compliance decisions. Reg Intel is not a law firm and does not provide legal services.
Last verified: 8 April 2026
Sources
Official Sources
- European Union, Regulation (EU) 2024/1689 (EU AI Act), Art. 99 — Penalties. EUR-Lex. Last accessed 8 April 2026.
- European Union, Regulation (EU) 2024/1689, Art. 5 — Prohibited AI Practices. Full text. Last accessed 8 April 2026.
- European Parliament Think Tank, “Enforcement of the AI Act,” 18 March 2026. EP Think Tank. Last accessed 8 April 2026.
- European Commission, “Guidelines on Prohibited Artificial Intelligence Practices,” 4 February 2025. Digital Strategy. Last accessed 8 April 2026.
Analysis & Commentary
- BuiltInEu, “GDPR Fines & Enforcement Data (2018-2025) — 16 Sources Analyzed.” BuiltInEu. Last accessed 8 April 2026.
- Matproof, “EU AI Act Fines and Penalties: What Non-Compliance Will Cost You,” 22 March 2026. Matproof. Last accessed 8 April 2026.
- ClearAct, “EU AI Act Fines Explained for SMEs,” 1 March 2026. ClearAct. Last accessed 8 April 2026.
Data Sources
- GDPR total enforcement: EUR 5.8 billion across 2,245+ actions, 2018-2025. Source: BuiltInEu analysis of CMS, Enforcementtracker.com, and national DPA records.
- Meta EUR 1.2 billion fine: Ireland DPC, May 2023. For GDPR Chapter V data transfer violations.
- Clearview AI EUR 20 million fine: Italy Garante, March 2022. For biometric data scraping.
- OpenAI EUR 15 million fine: Italy Garante, December 2024. For GDPR violations related to ChatGPT.
- Amazon EUR 746 million fine: Luxembourg CNPD, July 2021. For targeted advertising without consent.
Compare: EU vs UK
For the comprehensive comparison across twelve dimensions — structural divergence, risk classification, the 19 UK regulators vs the EU AI Office, enforcement penalties, the Data (Use and Access) Act 2025, AISI vs the EU AI Office, and a five-step dual-market compliance baseline — see EU vs UK AI Regulation: Precaution vs Innovation Compared (2026).
Singapore Wave 2 — Deep Dives + EU Comparison
Compare: EU vs China
For the global keystone comparison across twelve dimensions — algorithm filing vs conformity assessment, content moderation conflicts, asymmetric extraterritoriality, enforcement philosophy, and a five-step dual-market compliance baseline — see EU vs China AI Regulation: Two Systems, Two Philosophies (2026).
Compare: EU vs South Korea
For the global keystone comparison across twelve dimensions — high-impact vs high-risk classification, mandatory vs voluntary conformity, KRW 30M vs €35M penalties, Korea’s innovation chapter, and a five-step dual-market compliance baseline — see EU vs South Korea AI Act: High-Impact vs High-Risk Compared (2026).