
EU AI Act Fines 2026: What Does a Violation Cost?

Article 99 of the EU AI Act sets out three fine tiers: up to EUR 35M or 7% of worldwide annual turnover for prohibited AI practices, up to EUR 15M or 3% for breaches of the high-risk and transparency obligations, and up to EUR 7.5M or 1% for incorrect or misleading information supplied to authorities. Here is the complete table, with worked examples for SMEs.

EU AI Act fines: what is this actually about?

The EU AI Act (Regulation (EU) 2024/1689 of 13 June 2024) is the world's first comprehensive statutory regulation of artificial intelligence. Article 99 sets out the sanction regime for operators: three fine tiers scaled to the type and severity of the breach (fines on providers of general-purpose AI models are a separate matter, imposed by the European Commission under Art. 101). Each tier states an absolute amount in EUR and a percentage of total worldwide annual turnover for the preceding financial year. For an undertaking that is not an SME, the higher of the two values is the ceiling; for SMEs and start-ups, Art. 99(6) makes the lower value the ceiling. According to the European Commission (EU AI Act overview, 2024), the penalty levels were deliberately set above the GDPR level to create a stronger incentive to comply.

The three fine tiers explained (Art. 99 EU AI Act)

Tier 1: prohibited AI practices (Art. 5) — up to EUR 35M or 7%

The highest sanction tier applies to breaches of the prohibitions in Art. 5 of the EU AI Act. These bans have applied since 2 February 2025 and cover practices deemed incompatible with fundamental rights, among them subliminal or manipulative techniques, exploitation of vulnerabilities due to age, disability or social or economic situation, social scoring, emotion recognition in the workplace and in education institutions (outside medical and safety uses), biometric categorisation that infers race, political opinions, religion or sexual orientation, and real-time remote biometric identification in publicly accessible spaces for law enforcement, which is permitted only under narrow exceptions. Under Art. 99(3) of the EU AI Act, the fine can reach EUR 35,000,000 or, for undertakings, 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Read the "whichever is higher" wording carefully, because it is easy to invert. For a large retailer with EUR 600M in turnover, 7% x EUR 600M = EUR 42M exceeds the absolute amount, so the ceiling is EUR 42M, not EUR 35M. For a company with EUR 25M in turnover that does not qualify as an SME, 7% x EUR 25M = EUR 1.75M is below EUR 35M, so the ceiling is the absolute amount of EUR 35M. Only where the company is an SME or start-up does Art. 99(6) reverse the rule and make the lower value, EUR 1.75M, the ceiling (see the SME special rule below). The Heinrich-Böll-Stiftung (EU AI Act analysis, 2024) notes that this sanction logic is explicitly designed to deter even large enterprises.

Tier 2: high-risk obligations and general requirements — up to EUR 15M or 3%

The middle tier applies to breaches of the obligations of providers (Art. 16), authorised representatives (Art. 22), importers (Art. 23), distributors (Art. 24) and deployers (Art. 26) of high-risk AI systems, of the obligations of notified bodies, and of the transparency obligations in Art. 50. Under Art. 99(4) of the EU AI Act, the fine here can reach EUR 15,000,000 or 3% of worldwide annual turnover, again whichever is higher (for SMEs: whichever is lower). This is the tier most directly relevant to the majority of SMEs. Note the split of duties: the risk-management system (Art. 9) and the technical documentation (Art. 11) are provider obligations, while a company that merely uses a high-risk system in HR, lending or education is a deployer and is sanctioned for its own duties under Art. 26, such as using the system according to the instructions, ensuring human oversight and retaining the automatically generated logs. A deployer that substantially modifies a system or puts it into service under its own name becomes a provider (Art. 25).

According to the Bitkom EU AI Act sanctions guide, 2024, missing risk-management systems, incomplete technical documentation and unmet transparency duties are the most common compliance gaps in German SMEs — all of them sanctioned under Tier 2.

Tier 3: incorrect or misleading information to authorities (up to EUR 7.5M or 1%)

The lowest, but by no means negligible, tier covers incorrect, incomplete or misleading information supplied to notified bodies or to the national competent authorities in reply to a request, for instance during a conformity assessment or a market surveillance investigation. Under Art. 99(5) of the EU AI Act, the fine can reach EUR 7,500,000 or 1% of worldwide annual turnover, again the higher value for undertakings that are not SMEs. Note that the adopted text says 1%, not the 1.5% sometimes quoted from pre-publication drafts. Example: submitting incomplete or deliberately misleading documents in response to an official request about a deployed high-risk AI system falls into this tier.

The two-value design serves two purposes. For large undertakings, the "whichever is higher" rule means the absolute amount is a floor rather than a cap: a company whose 7% exceeds EUR 35M cannot limit its exposure by pointing to the fixed sum. For SMEs and start-ups, Art. 99(6) turns this into "whichever is lower", so that a small company is not exposed to an absolute amount far beyond what its turnover would justify.

Key figures

  • EUR 35M: maximum fine for prohibited practices, Art. 99(3) EU AI Act (Source: Regulation (EU) 2024/1689, 2024)
  • 7%: of total worldwide annual turnover, Art. 99(3) (Source: Regulation (EU) 2024/1689, 2024)
  • 4%: GDPR comparison, Art. 83(5) GDPR (Source: Regulation (EU) 2016/679, 2016)
  • 10: sanction-setting factors, Art. 99(7)(a) to (j) (Source: Regulation (EU) 2024/1689, 2024)

What counts as "global annual turnover"? Group consolidation and ownership ties

The question of what exactly "total worldwide annual turnover" means within Art. 99 of the EU AI Act carries significant practical weight — especially for companies that are part of a corporate group or that maintain subsidiaries. The European Commission (EU AI Act FAQ, 2024) has published initial guidance on this.

The basic rule: the decisive figure is the consolidated total turnover of the entire economic undertaking in the preceding financial year. In practice this means that for a subsidiary forming part of a larger group, it is not just that subsidiary's own turnover that counts, but the consolidated group turnover of the whole group. This follows the group-level practice established in European competition and data-protection law (compare GDPR Art. 83 and competition law under Art. 101/102 TFEU).

For SMEs with group ties: SME status is assessed under the EU SME definition (Commission Recommendation 2003/361/EC). A company that is 25% or more owned by another enterprise is no longer autonomous: between 25% and 50% it is a partner enterprise and must add the other enterprise's headcount and turnover in proportion to the holding; above 50% it is a linked enterprise and must add them in full. A subsidiary of a large group therefore usually fails the SME thresholds (fewer than 250 staff and turnover of at most EUR 50M or a balance sheet of at most EUR 43M), loses the benefit of Art. 99(6), and is assessed on the consolidated group turnover rather than its own. This can raise the maximum possible sanction substantially.

On the question of net versus gross turnover: the EU AI Act refers to "total turnover" without an explicit clarification. By analogy with GDPR interpretive practice, and according to the BMWK position paper on EU AI Act implementation, 2024, the basis for calculation is likely to be net turnover before tax (excluding VAT) — in line with the commercial-law definition of net turnover. The national supervisory authority and ultimately the Court of Justice of the EU will make the final determination.

Practical note for SMEs: if your company is part of a corporate group, you should calculate the maximum sanction amounts on the basis of consolidated group turnover — not your own standalone turnover. That can change your true exposure considerably.

Non-compliance with Art. 5 shall be subject to administrative fines of up to EUR 35,000,000 or, if the offender is an undertaking, up to 7% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
European Parliament and Council of the European Union, Regulation (EU) 2024/1689 (EU AI Act), Art. 99(3), EUR-Lex / Official Journal of the European Union, 2024

Sanction-setting factors: when more, when less? (Art. 99(7))

Art. 99(7) of the EU AI Act lists ten factors, (a) to (j), that the national authority must take into account when deciding whether to impose a fine and at what level: the nature, gravity and duration of the infringement and its consequences; fines already imposed by other authorities for the same infringement or the same conduct; the size, turnover and market share of the operator; any other aggravating or mitigating circumstance, such as financial benefit gained; the degree of cooperation with the authority; the degree of responsibility, taking into account the technical and organisational measures in place; the manner in which the infringement became known, in particular whether the operator notified it; whether it was intentional or negligent; and any action taken to mitigate the harm. These factors can both increase and reduce a fine and create a margin of assessment to be exercised in the interest of proportionality. According to the Bitkom EU AI Act sanctions guide, 2024, authorities in practice will respond particularly favourably to cooperation and self-disclosure.

Factors that increase the fine

  • Severity and duration of the breach: the longer a prohibited system is operated and the more far-reaching the breach, the higher the fine. An AI emotion-recognition system run for years without being switched off is sanctioned more harshly than short-term use that was stopped immediately after a warning.
  • Intent or gross negligence: anyone who knowingly breaches the prohibitions or systematically ignores the compliance requirements should expect the upper end of the fine range. Proven intent is the strongest aggravating factor.
  • The company's market share: a company with a large market share causes more harm when it breaches the rules — the authority may treat this as an aggravating factor.
  • Repeat breaches: not named as a separate factor, but "any other aggravating or mitigating factor" (Art. 99(7)(e)) covers them, and an operator already sanctioned once for comparable conduct should expect significantly higher fines. Conversely, fines already imposed by another authority for the same infringement or the same conduct (Art. 99(7)(b) and (c)) must be taken into account so that the same act is not penalised twice.

Factors that reduce the fine

  • Cooperation with the authority: active, proactive cooperation with the national supervisory authority — including transparent disclosure of all relevant information and the immediate cessation of the breach — is the most important mitigating factor. The European Commission FAQ, 2024 makes this point explicitly.
  • Low severity and short duration: a short-term, unintended breach with swift self-correction is sanctioned more leniently.
  • Responsible conduct after the breach: anyone who initiates corrective measures without delay after a breach is identified, informs those affected and can demonstrate preventive measures for the future significantly improves their sanction position.
  • Degree of responsibility: anyone who did not themselves cause the breach but, for instance, relied as a deployer on incorrect information from the AI provider bears reduced responsibility — provided the verification duties were met to the best of their knowledge.

Special rule for SMEs

Art. 99(6) of the EU AI Act expressly provides that, for SMEs including start-ups, each fine is capped at the lower of the two values. An SME with EUR 5M in turnover therefore pays, in a high-risk case, at most 3% x EUR 5M = EUR 150,000, not the absolute maximum of EUR 15M. Whether a company counts as an SME is determined by the EU SME definition (Commission Recommendation 2003/361/EC: fewer than 250 staff and turnover of at most EUR 50M or a balance sheet of at most EUR 43M), assessed together with partner and linked enterprises, so a subsidiary of a large group usually does not benefit. This rule protects against disproportionate fines, but it is not a free pass: even EUR 150,000 can threaten the survival of a small company.

Worked examples: what does a violation actually cost an SME?

The abstract fine ranges become more tangible when broken down into realistic mid-market scenarios. The following three examples illustrate how the "higher value applies" principle plays out in practice — and why even small SMEs carry significant risk.

Example 1: Tier 1 — SME with EUR 25M turnover

A mid-sized staffing company with EUR 25M in annual turnover and fewer than 250 employees (so an SME) deploys an AI system that analyses applicants' video interviews and, from their faces and voices (biometric data), sorts them by inferred ethnic origin, a biometric categorisation prohibited by Art. 5(1)(g). Fine calculation: because the company is an SME, Art. 99(6) applies and the ceiling is the lower of EUR 35M and 7% x EUR 25M = EUR 1.75M, i.e. EUR 1.75M. Were the company not an SME (for instance as a subsidiary of a large group), the ceiling would be the higher value, EUR 35M. Even with all mitigating factors, a fine in the six-figure range is realistic. Caveat: a text-based CV screener that discriminates on ethnic origin without using biometric data is not an Art. 5 case; it is a high-risk system under Annex III (recruitment) and is sanctioned under Tier 2, alongside liability under anti-discrimination law.

Example 2: Tier 2, small enterprise with EUR 5M turnover

A law firm with EUR 5M in annual turnover builds its own AI system for predicting litigation risk and puts it into use, which makes it a provider. Assuming the system falls within Annex III, it operates the system without the risk-management system required by Art. 9 and without the technical documentation required by Art. 11, a breach of the high-risk requirements (Tier 2). Fine calculation: the firm is an SME, so the ceiling is the lower of EUR 15M and 3% x EUR 5M = EUR 150,000, i.e. EUR 150,000. Even so: EUR 150,000 is existential for a firm of this size.

Example 3: Tier 1, company with EUR 100M turnover (not an SME)

A retail company with EUR 100M in annual turnover operates an AI system for behavioural influence in advertising that deliberately exploits the psychological vulnerabilities of older target groups, a clear breach of Art. 5(1)(b) of the EU AI Act. Fine calculation: with turnover above EUR 50M the company is not an SME, so the ceiling is the higher of EUR 35M and 7% x EUR 100M = EUR 7M, i.e. EUR 35M. The percentage figure only takes over once turnover exceeds EUR 500M. On top of this comes potential civil liability for damages under national law and, where personal data are processed, under Art. 82 GDPR; the separate AI Liability Directive proposed by the Commission in 2022 was withdrawn in 2025 and is not in force.
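The SME rule (Art. 99(6)) and the three worked examples are easy to get wrong, because the same two numbers are combined with the higher value for large undertakings and the lower value for SMEs, and because SME status itself depends on group ties. The following Python calculator is an added example, not code from the original article or from Wito AI. It encodes the tier ceilings of Art. 99(3) to (5), the SME test of Commission Recommendation 2003/361/EC, and the article's advice to use consolidated group turnover. The company figures are constructed sample data; treating a partner enterprise's turnover pro rata as part of the fine basis is an assumption, since the Act does not spell this out.

```python
"""Maximum-fine calculator for Art. 99 EU AI Act (Regulation (EU) 2024/1689).

Added example (not the article's or Wito AI's code). Encodes:
  * the tier ceilings of Art. 99(3)-(5),
  * "whichever is higher" for undertakings, "whichever is lower" for SMEs
    and start-ups (Art. 99(6)),
  * SME status per Commission Recommendation 2003/361/EC: fewer than 250
    staff and (turnover <= EUR 50M or balance sheet <= EUR 43M), tested on
    figures aggregated with partner (25-50 %, pro rata) and linked (> 50 %,
    in full) enterprises.
Assumption: the fine's turnover basis is the same aggregated figure, i.e.
the consolidated group turnover once the operator is not autonomous.
All amounts are integer EUR; percentages are basis points to avoid float error.
"""
from dataclasses import dataclass, field
from enum import Enum

M = 1_000_000


class Tier(Enum):
    # (absolute amount in EUR, percentage of turnover in basis points)
    PROHIBITED = (35 * M, 700)     # Art. 99(3): Art. 5 practices
    HIGH_RISK = (15 * M, 300)      # Art. 99(4): provider/deployer/transparency duties
    FALSE_INFO = (7_500_000, 100)  # Art. 99(5): incorrect or misleading information


@dataclass
class Enterprise:
    name: str
    staff: int
    turnover: int        # EUR, preceding financial year, net of VAT
    balance_sheet: int   # EUR
    # (share of this company held by `other`, other's consolidated figures)
    ties: list = field(default_factory=list)


def aggregated(e: Enterprise) -> tuple:
    """Headcount, turnover and balance sheet aggregated per Rec. 2003/361/EC:
    holdings below 25 % are ignored, 25-50 % (partner) count pro rata,
    above 50 % (linked) count in full."""
    staff, turnover, bs = e.staff, e.turnover, e.balance_sheet
    for share, other in e.ties:
        if share < 0.25:
            continue
        w = 1.0 if share > 0.5 else share
        staff += round(w * other.staff)
        turnover += round(w * other.turnover)
        bs += round(w * other.balance_sheet)
    return staff, turnover, bs


def is_sme(e: Enterprise) -> bool:
    staff, turnover, bs = aggregated(e)
    return staff < 250 and (turnover <= 50 * M or bs <= 43 * M)


def max_fine(e: Enterprise, tier: Tier) -> int:
    """Ceiling of the administrative fine for `e` under the given tier, in EUR."""
    absolute, bp = tier.value
    by_turnover = aggregated(e)[1] * bp // 10_000
    # Art. 99(6): SMEs and start-ups get the lower value, everyone else the higher.
    return min(absolute, by_turnover) if is_sme(e) else max(absolute, by_turnover)


# Constructed sample companies mirroring the article's worked examples.
STAFFING = Enterprise("staffing company", 120, 25 * M, 12 * M)
LAW_FIRM = Enterprise("law firm", 30, 5 * M, 2 * M)
RETAILER = Enterprise("retailer", 800, 100 * M, 60 * M)
PARENT = Enterprise("group parent (consolidated)", 5_000, 600 * M, 900 * M)
# Same staffing company, but wholly owned by the group: a linked enterprise.
SUBSIDIARY = Enterprise("staffing subsidiary", 120, 25 * M, 12 * M, [(1.0, PARENT)])


def exposure_report(companies=(STAFFING, LAW_FIRM, RETAILER, PARENT, SUBSIDIARY)) -> dict:
    """Maximum exposure per company and tier, keyed by company name."""
    return {
        c.name: {"sme": is_sme(c), **{t.name: max_fine(c, t) for t in Tier}}
        for c in companies
    }


if __name__ == "__main__":
    for name, row in exposure_report().items():
        cells = "  ".join(f"{k}={v / M:,.2f}M" for k, v in row.items() if k != "sme")
        print(f"{name:30} SME={row['sme']!s:5} {cells}")
```

Running it prints one row per company. The row to note is the subsidiary: identical staff, identical turnover and identical conduct as the standalone staffing company, yet because a 100% holding makes it a linked enterprise it loses SME status and its Tier 1 ceiling rises from EUR 1.75M to EUR 43.75M on the group's consolidated EUR 625M.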

Comparison with GDPR fines

For comparison: the highest GDPR fine under Art. 83(5) GDPR is capped at 4% of worldwide annual turnover or EUR 20M — whichever is higher. At 7% for Tier 1, the EU AI Act therefore sits 75% higher than the GDPR maximum penalty. According to the Heinrich-Böll-Stiftung (EU AI Act analysis, 2024), this gap was a deliberate choice, intended to reflect the greater danger posed by uncontrolled AI compared with conventional data processing.

Who imposes the penalties? The authority structure in Germany

Enforcement of the EU AI Act falls to national market surveillance authorities, which each member state must designate itself. In Germany the allocation of competence has not yet been finally settled — but according to the BMWK position paper on EU AI Act implementation, 2024, the following structure is planned:

  • Federal Network Agency (Bundesnetzagentur, BNetzA): the lead national market surveillance authority for the EU AI Act in Germany. It is to take overall oversight, receive complaints and open fine proceedings.
  • Federal Commissioner for Data Protection and Freedom of Information (BfDI): responsible for AI Act breaches that also have data-protection implications (Art. 74(8) of the EU AI Act).
  • EU AI Office: the AI Office established within the European Commission supervises providers of general-purpose AI models (Art. 88), for which the Commission itself imposes fines under Art. 101, coordinates the national authorities, and can step in for cross-border cases and systemic risks.

Routes of appeal: a company can contest a fine notice; which court branch hears the case (the ordinary or the administrative courts) will be fixed by the German implementing law, and questions of EU law can be referred to the Court of Justice of the EU. Proceedings can extend over several years. Whether the fine must be paid while they are pending depends on the procedural rules the implementing law declares applicable, so do not assume either that payment is automatically suspended or that it is automatically due.

Frequently asked questions about EU AI Act fines

The fines for breaches of the prohibited AI practices (Art. 5 of the EU AI Act, Tier 1) have applied since 2 February 2025, the date from which the prohibitions apply; the penalty chapter itself (Art. 99) has applied since 2 August 2025. Fines for breaches of the high-risk and transparency obligations (Tiers 2 and 3) can only follow once those obligations apply: 2 August 2026 for Annex III high-risk systems and the Art. 50 transparency duties, 2 August 2027 for high-risk systems that are safety components of products listed in Annex I. Member states had to designate their national market surveillance authorities by 2 August 2025. The first fines in Germany are expected in 2026/2027.
Art. 99(6) of the EU AI Act provides a special rule for SMEs and start-ups: the lower of the two values applies (the absolute amount in EUR or the percentage of turnover). An SME with EUR 5M in turnover pays, in a high-risk case, at most 3% x EUR 5M = EUR 150,000, not the absolute limit of EUR 15M. SME status is assessed together with partner and linked enterprises, so a subsidiary of a large group generally does not benefit. This rule protects against disproportionate sanctions, but it is not a free pass: EUR 150,000 can threaten the survival of a small company.
Yes. Art. 99(7) of the EU AI Act explicitly names cooperation with the authority as a mitigating factor. Anyone who proactively reports a breach, transparently discloses all information, stops the breach immediately and demonstrates corrective measures can achieve a significant reduction in the fine. The European Commission FAQ 2024 advises companies to seek dialogue with the authority early when compliance gaps are identified — rather than waiting to be found out by an external party.
Under the 2024 BMWK position paper, the Federal Network Agency (Bundesnetzagentur, BNetzA) is designated as the lead national market surveillance authority. Where there are data-protection overlaps, the Federal Commissioner for Data Protection (BfDI) is to be involved. For cross-border cases and GPAI providers, the EU AI Office of the European Commission is responsible. The final statutory framework for the German supervisory structure is still pending (as of May 2026).
By all indications, yes — but with a ramp-up phase. Experience with the GDPR shows that national authorities first rely on advice and corrective orders, imposing fines for repeated or serious breaches. The first EU AI Act fines in Germany are realistically expected from 2027. Companies that cannot demonstrate any compliance efforts face a considerably higher risk than those actively working on implementation.
Under Art. 83(5) GDPR, the maximum for serious breaches is 4% of worldwide annual turnover or EUR 20M — whichever is higher. For prohibited practices (Tier 1), the EU AI Act sits at 7% or EUR 35M — that is 75% higher than the GDPR maximum penalty. For high-risk breaches (Tier 2, 3% or EUR 15M), the level is comparable with the mid-range GDPR penalties under Art. 83(4).
The principle means that for every fine there is an absolute amount in EUR and a percentage tied to worldwide annual turnover, and for an undertaking that is not an SME the higher of the two is the ceiling. Example: Tier 1 (7% or EUR 35M). For a company with EUR 20M in turnover: 7% x EUR 20M = EUR 1.4M, smaller than EUR 35M, so the ceiling is EUR 35M. For EUR 600M in turnover: 7% x EUR 600M = EUR 42M, larger than EUR 35M, so the ceiling is EUR 42M. Only for SMEs and start-ups does Art. 99(6) reverse this and make the lower value the ceiling (EUR 1.4M in the first case).
Yes. A fine notice can be contested: first by objection to the issuing authority, then before the competent court, with questions of EU law referable to the Court of Justice of the EU. Which court branch is competent in Germany will be settled by the pending implementing law (for GDPR fines, by comparison, § 41 BDSG routes objections to the ordinary courts under the Administrative Offences Act). Whether enforcement is suspended while the proceedings are pending depends on those procedural rules. In practice, the immediate involvement of a lawyer specialising in AI law is advisable when a fine notice arrives.

EU AI Act compliance check — minimise your fine risk

Wito AI assesses your AI systems against EU AI Act risk tiers, identifies compliance gaps and produces a prioritised action list. Know your fine exposure and reduce it deliberately — before the authority comes asking.

  • Risk classification of all AI systems
  • Close compliance gaps before the 2026 deadline
  • Demonstrably reduce your fine exposure