What are the maximum fines under the EU AI Act?

The EU AI Act has three fine tiers: (1) Up to €35 million or 7% of global annual turnover for prohibited AI practices (Article 5 violations — emotion inference in the workplace, social scoring, real-time biometric surveillance); (2) Up to €15 million or 3% of global annual turnover for non-compliance with high-risk AI obligations (Articles 6–49); (3) Up to €7.5 million or 1.5% of global annual turnover for providing incorrect or misleading information to authorities. The higher of the fixed amount or percentage applies. SMEs and startups benefit from halved maximum fines.

When do EU AI Act fines start applying?

The prohibition on banned AI practices (Article 5) has applied since 2 February 2025. High-risk AI deployer and provider obligations apply from 2 August 2026. Enforcement by national supervisory authorities is expected to ramp up through 2026–2027. The Digital Omnibus proposal would defer some provider obligations to December 2027, but deployer obligations and Article 5 prohibitions are unaffected.

Can fines be reduced for SMEs and startups under the EU AI Act?

Yes. Article 99(6) of the EU AI Act provides that for SMEs and startups, the maximum administrative fine is half of the standard tier maximum. So the Article 5 maximum becomes €17.5M or 3.5%, the high-risk maximum becomes €7.5M or 1.5%, and the misleading information maximum becomes €3.75M or 0.75%. Proportionality and cooperation with authorities also reduce effective fines in practice.

How are EU AI Act fines calculated — fixed amount or percentage?

The EU AI Act uses whichever is higher: the fixed euro amount or the percentage of global annual turnover. For a large company with €1 billion revenue, 7% equals €70 million — exceeding the €35M fixed cap, so the fine is capped at €70M. For a small company with €5 million revenue, 7% equals €350,000 — well below €35M, so the fixed cap is the binding limit. This calculator works out both numbers and shows which applies to you.

EU AI Act Fine Calculator — What Is Your Maximum Fine Exposure?

How EU AI Act fines are calculated

The EU AI Act uses a two-number system for every fine tier. Regulators take whichever is higher: a fixed euro amount or a percentage of global annual turnover. This means large companies always pay more than small ones for the same violation — but the percentage system also protects genuinely small businesses.

The three fine tiers

Article 5 violations (banned practices): Up to €35 million or 7% of global annual turnover — whichever is higher. These include emotion inference in workplaces, social scoring, real-time biometric surveillance in public spaces, and manipulation of vulnerable persons. These prohibitions have applied since 2 February 2025.
High-risk AI non-compliance (Articles 6–49): Up to €15 million or 3% of global annual turnover. This covers failing to meet obligations as a provider (documentation, conformity assessment) or deployer (disclosure, human oversight, log retention). Applies from 2 August 2026.
Misleading authorities (Article 101): Up to €7.5 million or 1.5% of global annual turnover. For providing incorrect, incomplete, or misleading information to national supervisory authorities during investigations.

SME and startup protection

Article 99(6) of the EU AI Act halves the maximum fine for SMEs and startups (under 250 employees and under €50M turnover). This is not a discretionary reduction — it is a statutory cap. A qualifying startup's Article 5 maximum is €17.5M or 3.5% of turnover, not €35M or 7%.

Mitigating factors that reduce actual fines

The maximum is a ceiling, not the expected fine. National supervisory authorities must take proportionality into account and consider:

Nature, gravity, and duration of the infringement
Whether the organisation cooperated with the authority
Degree of responsibility and technical/financial capacity
Steps taken to mitigate harm after discovering a violation
Whether the organisation notified the authority voluntarily

In practice, first-time violations by organisations that cooperate and remediate promptly are likely to attract fines well below the statutory maximum. The maximum signals severity — it does not predict average enforcement.

When does enforcement start?

Article 5 prohibited practices have been enforceable since 2 February 2025. If your organisation uses emotion inference AI or social scoring, that risk is live now — there is no August 2026 grace period for banned practices.

High-risk AI deployer obligations (disclosure, human oversight, log retention, AI literacy) apply from 2 August 2026. The Digital Omnibus proposal (currently under European Parliament review) would defer some provider obligations to December 2027, but deployer obligations remain at August 2026.

National market surveillance authorities must be designated by August 2025. Enforcement activity is expected to build through 2026 and 2027 as authorities operationalise their remits.

Frequently asked questions

Can regulators fine both the provider and the deployer for the same AI system?

Yes. The EU AI Act places separate obligations on providers (the companies that develop and place AI systems on the market) and deployers (the organisations that use those systems in a professional context). Both can be fined independently for failures in their respective obligations. If a provider fails to provide adequate documentation and a deployer fails to disclose to candidates, both are liable — the same AI system can generate two separate enforcement actions.

Is "global annual turnover" my EU revenue or total worldwide revenue?

Total worldwide revenue. The EU AI Act's fine calculation uses global annual turnover — not just EU-based revenue. This is the same approach used in GDPR enforcement and EU competition law. For a US company with €500M worldwide revenue and €50M EU revenue, the 7% calculation is based on €500M (yielding €35M), not €50M (which would yield €3.5M).

How do EU AI Act fines compare to GDPR fines?

The structures are similar but the amounts differ. GDPR's maximum is €20M or 4% of global annual turnover. The EU AI Act's Article 5 maximum is €35M or 7% — higher than GDPR for the most serious violations. In practice, average GDPR fines have been far below maximums. EU AI Act enforcement is expected to follow a similar pattern: maximums are reserved for egregious, uncooperative, or repeat violations. However, unlike GDPR which requires a data breach to trigger investigation, the EU AI Act's prohibited practices can be investigated proactively.

Can fines be combined with GDPR fines for the same incident?

Yes. A single AI system processing personal data could trigger both GDPR obligations (as a data controller) and EU AI Act obligations (as a deployer of high-risk AI). Regulators can issue separate fines under each regulation. However, EU supervisory authorities are required to cooperate — the data protection authority (which handles GDPR) and the AI supervisory authority (the market surveillance body) must coordinate where both regulations apply. Double-fining for the exact same conduct is constrained by proportionality, but separate violations under each regulation can generate separate penalties.

EU AI Act Fine Calculator

Your Maximum Fine Exposure

Immediate legal review required

Fine calculation breakdown

Get your personalised compliance roadmap