Last reviewed: May 2026

EU AI Act Fines and Penalties: The 2026 Enforcement Picture

The three penalty tiers at a glance

Article 99 of Regulation (EU) 2024/1689 — the AI Act — sets out the maximum administrative fines that national supervisory authorities can impose. Penalties are capped by both an absolute figure and a percentage of worldwide annual turnover, and the higher of the two applies to large organisations.

Tier   | Type of infringement                                                     | Maximum fine
Tier 1 | Prohibited AI practices (Article 5)                                      | €35M or 7% of global turnover
Tier 2 | Provider, deployer, importer, distributor or notified body obligations   | €15M or 3% of global turnover
Tier 3 | Incorrect, incomplete or misleading information to authorities           | €7.5M or 1% of global turnover

Tier 1: prohibited AI practices

Tier 1 fines apply only to the eight categories of AI prohibited under Article 5: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, predictive policing based purely on profiling, untargeted scraping of facial images for biometric databases, emotion recognition in workplaces and schools, biometric categorisation inferring sensitive attributes, and real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions). These prohibitions have been enforceable since 2 February 2025.

Tier 2: provider and deployer obligations

Tier 2 is the largest enforcement surface. It covers breaches of the obligations on providers, deployers, importers, distributors and notified bodies — including risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness and cybersecurity for high-risk systems, as well as the transparency obligations on limited-risk systems like chatbots and synthetic media. Most organisations selling or deploying AI in the EU will face Tier 2 risk, not Tier 1.

Tier 3: information offences

Tier 3 targets the integrity of the supervisory regime itself. Supplying authorities with information that is incorrect, incomplete or misleading — for example in EU database registrations, post-market monitoring submissions, or in response to a market surveillance request — can trigger fines of up to €7.5 million or 1% of turnover.

How fines are actually calculated

The headline figures are ceilings, not defaults. Article 99(7) lists the criteria a supervisory authority must weigh when setting a specific fine:

  • The nature, gravity and duration of the infringement and of its consequences.
  • Whether other authorities have already imposed administrative fines for the same conduct.
  • The size, annual turnover and market share of the operator.
  • Any aggravating or mitigating factor — including financial benefits gained, losses avoided, and the degree of cooperation with the authority.
  • The degree of responsibility of the operator, considering technical and organisational measures it implemented.
  • Whether the infringement was intentional or negligent.
  • Any action taken to mitigate damage suffered by affected persons.

SME and start-up caps

Article 99(6) requires authorities to take the size and market share of providers into account, with explicit consideration for SMEs and start-ups. For these organisations, the lower of the absolute and percentage caps applies, rather than the higher of the two. For a small start-up with €1M turnover, a Tier 1 cap is €70,000 (7% of turnover) rather than €35M.

Penalties for general-purpose AI model providers

Providers of general-purpose AI models (GPAI) face a separate penalty regime under Article 101. The European Commission, acting through the AI Office, can impose fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher, for infringements of Chapter V obligations — including failures to maintain technical documentation, supply downstream providers with required information, comply with EU copyright law, or carry out systemic risk evaluations for GPAI models with systemic risk.

Who enforces what?

Enforcement is a three-layer structure. National market surveillance authorities designated by each Member State enforce most provider and deployer obligations on AI systems. The European AI Office inside the European Commission supervises providers of general-purpose AI models. The European Artificial Intelligence Board coordinates between national authorities and issues guidance to ensure consistent enforcement across the EU.

What enforcement looks like in 2026

National authorities have signalled three early enforcement priorities for 2026: prohibited practices (especially workplace emotion recognition and untargeted facial scraping), transparency obligations for limited-risk systems (clear "this is AI" disclosures), and the integrity of EU database registration entries for high-risk systems. Full enforcement of Annex III high-risk obligations accelerates from 2 August 2026, with the GPAI regime fully applicable to existing models from 2 August 2027.

Recovering fines from non-EU providers

The Act applies extraterritorially. Non-EU providers of high-risk systems must designate an authorised representative established in the Union under Article 22, and that representative carries co-responsibility for compliance and is the practical addressee for enforcement. Distributors and deployers in the EU also share enforcement exposure when a non-EU provider cannot be reached. See our companion piece on how the EU AI Act applies to US companies.
