Fine Tiers
| Violation Category | Maximum Fine | Relevant Articles |
|---|---|---|
| Prohibited AI practices (Unacceptable Risk) | €35,000,000 or 7% of global annual turnover — whichever is higher | Art. 5 (Chapter II) |
| Non-compliance with other obligations (High-Risk, GPAI, etc.) | €15,000,000 or 3% of global annual turnover — whichever is higher | Arts. 9–50, 51–56 |
| Providing incorrect, incomplete, or misleading information to authorities | €7,500,000 or 1% of global annual turnover — whichever is higher | Art. 99(4) |
How Fines Are Calculated
Higher of Fixed Amount or Percentage
The fine is whichever is greater: the fixed euro amount or the percentage of global annual turnover. For large multinationals, the percentage will almost always exceed the fixed cap. For smaller companies, the fixed amount may be the binding ceiling.
SME and Startup Provisions
The Act includes proportionality provisions for small and medium-sized enterprises and startups. National market surveillance authorities must take into account the size and economic resources of the infringer when setting fines. The fixed-amount caps for SMEs are lower than those applicable to large enterprises.
Natural Persons (Individuals)
Lower fine caps apply to natural persons, that is, individuals acting in a personal capacity rather than as representatives of companies. The Act is primarily directed at organisations placing AI systems on the market.
Factors Considered in Setting Fines
National authorities consider (non-exhaustive):
- Nature, gravity, and duration of the infringement
- Any action taken to mitigate damage
- Degree of responsibility
- Financial strength of the operator
- Cooperation with authorities
- Categories of personal data affected
- Previous infringements
Who Enforces
National Market Surveillance Authorities
Each EU member state must designate a national competent authority to act as the market surveillance authority for AI Act enforcement. These authorities investigate complaints, conduct inspections, and impose fines for most AI Act violations — particularly for high-risk AI systems deployed domestically.
EU AI Office
The EU AI Office, established within the European Commission, has oversight responsibility for GPAI models — particularly those posing systemic risk. The AI Office can investigate GPAI providers directly and coordinate with national authorities. It became operational alongside the GPAI rules in August 2025.
European AI Board
The European AI Board is an advisory body that coordinates national authorities and the EU AI Office. It does not itself impose fines but facilitates consistent enforcement across member states.
Comparison with GDPR Fines
| Regime | Maximum Fine | Basis |
|---|---|---|
| EU AI Act — Prohibited Practices | €35M or 7% global turnover | AI Act Art. 99 |
| GDPR — Serious Violations | €20M or 4% global turnover | GDPR Art. 83(5) |
| GDPR — Less Serious Violations | €10M or 2% global turnover | GDPR Art. 83(4) |
| EU AI Act — Other Obligations | €15M or 3% global turnover | AI Act Art. 99(3) |
The AI Act's maximum fine for prohibited practices (7% of global turnover) exceeds GDPR's highest tier (4%). Both regimes can apply simultaneously to the same conduct — for example, an AI system that violates prohibited practice rules and also processes personal data unlawfully could face cumulative enforcement action from both AI Act authorities and data protection authorities.
No Private Right of Action
The AI Act does not create a private right of action. Individuals cannot sue companies directly under the AI Act for compensation. Enforcement is by regulatory authorities only — market surveillance authorities and the EU AI Office.
This contrasts with GDPR, under which individuals have the right to seek compensation from data controllers and processors for material or non-material damage resulting from GDPR infringement.