EU AI Act Fines: The €35M Penalty Framework
The EU AI Act establishes a three-tier fine structure modelled on GDPR but with higher upper limits. National authorities enforce it, and the regulation provides for both monetary penalties and withdrawal of the product from the market.
Three Penalty Tiers
- Top tier: Article 5 violations (the Act's prohibited practices): social scoring, subliminal manipulation, untargeted facial-recognition scraping, and real-time remote biometric identification in public spaces (outside narrow exceptions).
- Middle tier: failure to meet high-risk system obligations (logging, human oversight, risk management, technical documentation), general-purpose AI (GPAI) provider obligations, or transparency obligations under Article 50.
- Lowest tier: supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For each tier, whichever of the fixed amount or the percentage-of-turnover figure is higher applies. SME and start-up multipliers may reduce the absolute caps but not the percentage-of-turnover caps.
How This Compares to GDPR
GDPR's 4% / €20M ceiling has produced multiple fines exceeding €1 billion since 2018 (Meta, Amazon, Google, TikTok). The EU AI Act's 7% / €35M ceiling is materially higher, and the political momentum suggests enforcement will not be lenient.
Practical Cost of Non-Compliance
- Direct fines (above)
- Forced market withdrawal of the AI system
- Reputational damage and customer churn
- Civil litigation in member states with private rights of action
- Investor scrutiny and acquisition-due-diligence delays