EU AI ActEnforcement

EU AI Act (Regulation (EU) 2024/1689) Penalties and fines

Penalty exposure follows from bad classification, weak controls, and poor evidence.

The numbers matter, but so do the behaviors that create enforcement attention.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 4, 2026
Updated Mar 4, 2026
Overview

Penalty analysis is useful only if it improves behavior. The AI Act penalty structure should be read as a signal about what regulators and authorities consider most serious: prohibited practices, failure of core operator duties, bad information to authorities, and non compliant GPAI provider conduct.

Section 1

Main Article 99 tiers

Article 99 creates three main operator fine levels. The highest tier is reserved for prohibited practices under Article 5. The middle tier applies to listed operator and notified body duties, including provider, authorised representative, importer, distributor, deployer, notified body, and Article 50 transparency obligations. The lower tier applies to incorrect, incomplete, or misleading information supplied to notified bodies or national competent authorities.

The Act also says Member States must make penalties effective, proportionate, and dissuasive, while taking account of the interests and economic viability of SMEs, including start ups.

  • Article 5: up to EUR 35,000,000 or 7 percent of worldwide annual turnover.
  • Listed operator and notified body duties: up to EUR 15,000,000 or 3 percent.
  • Incorrect, incomplete, or misleading information: up to EUR 7,500,000 or 1 percent.
  • For SMEs and start ups, the lower of the percentage or fixed amount applies.
Section 2

GPAI provider fine exposure

The GPAI regime has a separate Commission fine power. Under Article 101, the Commission may impose fines on providers of general purpose AI models up to EUR 15,000,000 or 3 percent of annual worldwide turnover when the provider intentionally or negligently breaches the relevant obligations.

This matters because GPAI providers answer directly to the Commission and the AI Office for Chapter V matters, not only to national enforcement channels.

  • Article 101 sits alongside, not inside, the main Article 99 operator ladder.
  • Commission enforcement powers for GPAI fines start from 2 August 2026.
  • Weak technical documentation, missing summaries, or failed cooperation can become enforcement issues.
  • Systemic risk cases attract higher supervisory attention because of potential scale.
Section 3

What authorities look at when setting the amount

Article 99 says authorities should consider all relevant circumstances of the case. The Act specifically points to the nature, gravity, duration, and consequences of the infringement, the number of affected persons, prior fines, the size and market position of the operator, cooperation, and the technical and organizational measures that were implemented.

That means evidence quality is not cosmetic. A weak paper trail can make an otherwise contained issue look reckless or unmanaged.

  • Nature, gravity, duration, and consequences of the infringement.
  • Number of affected persons and level of damage.
  • Prior fines for the same or related conduct.
  • Operator size, turnover, market share, cooperation, and implemented controls.
Section 4

How to lower enforcement risk in practice

The best penalty reduction strategy is not a last minute legal memo. It is an operating record that shows the organization actually assessed the system, assigned the right role, implemented relevant controls, monitored outcomes, and acted quickly when issues appeared.

This is especially important for transparency duties and high risk system operations, where it is easy for authorities to compare what the organization claimed with what the product actually did.

  • Keep signed decision records for Article 5, Annex III, Article 50, and GPAI obligations.
  • Retain version linked documentation, logs, and incident records.
  • Show prompt corrective action and cooperation when issues are found.
  • Do not provide incomplete or optimistic answers to authority requests.
Recommended next step

Use EU AI Act (Regulation (EU) 2024/1689) Penalties and fines as a cited research workflow

Research Copilot can take EU AI Act (Regulation (EU) 2024/1689) Penalties and fines from understanding exposure and enforcement with cited answers to a reusable workflow inside Sorena. Teams working on EU AI Act (Regulation (EU) 2024/1689) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow
Open Research Copilot for EU AI Act (Regulation (EU) 2024/1689) Penalties and fines

Start from EU AI Act (Regulation (EU) 2024/1689) Penalties and fines and answer scope, timing, and interpretation questions with cited outputs.

Explore next step
Talk to Sorena
Talk through EU AI Act (Regulation (EU) 2024/1689)

Review your current process, evidence gaps, and next steps for EU AI Act (Regulation (EU) 2024/1689) Penalties and fines.

Explore next step
Primary sources

References and citations

Related guides

Explore more topics

EU AI Act Applicability and Roles | Provider, Deployer, Importer Guide
Determine whether the EU AI Act applies, when output used in the Union brings a system into scope, and how to assign provider, deployer, importer.
EU AI Act Applicability Test | Scope, Role, and Obligation Routing
Run a practical EU AI Act applicability test that checks scope, exclusions, operator role, prohibited practices, high risk status, transparency triggers.
EU AI Act Checklist | Practical Compliance Checklist by Obligation
Use a detailed EU AI Act checklist covering inventory, role mapping, Article 5 screening, high risk controls, Article 50 disclosures, GPAI evidence, logging.
EU AI Act Compliance Program | Build an Operational AI Act Program
Build an EU AI Act compliance program that covers inventory, governance, AI literacy, prohibited practice gates, high risk controls, Article 50 product work.
EU AI Act Deadlines and Compliance Calendar | Exact Dates and Workplan
Track the exact EU AI Act dates, including entry into force on 1 August 2024, early obligations from 2 February 2025, GPAI obligations from 2 August 2025.
EU AI Act FAQ | Dates, High Risk, GPAI, Transparency, and Penalties
Get grounded answers to common EU AI Act questions on application dates, high risk status, provider versus deployer roles, transparency.
EU AI Act GPAI and Foundation Model Obligations | Chapter V Guide
Understand EU AI Act obligations for general purpose AI model providers, including Article 53 documentation, copyright policy.
EU AI Act High Risk AI Use Cases by Industry | Annex III and Product Routes
See how EU AI Act high risk status appears across biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration.
EU AI Act High Risk Requirements Checklist | Articles 9 to 15 and Beyond
Use a detailed high risk AI checklist covering Article 9 risk management, Article 10 data governance, Annex IV technical documentation, logging, instructions.
EU AI Act Prohibited AI Practices | Article 5 Screening Guide
Screen AI systems against EU AI Act Article 5 prohibited practices, including manipulative and deceptive techniques, exploitation of vulnerabilities.
EU AI Act Requirements | Prohibited, High Risk, Transparency, and GPAI
Get a grounded overview of EU AI Act requirements across Article 5 prohibited practices, Article 6 and Annex III high risk systems.
EU AI Act Timeline and Phasing Roadmap | Practical Implementation Roadmap
Follow a practical EU AI Act roadmap that aligns workstreams to the phased application dates for prohibited practices, AI literacy, GPAI obligations.
EU AI Act Transparency, Labeling, and User Disclosures | Article 50 Guide
Implement EU AI Act Article 50 transparency duties for direct interaction notices, machine readable marking of synthetic outputs, deepfake disclosures.
EU AI Act vs ISO 42001 | What ISO 42001 Covers and What It Does Not
Compare the EU AI Act with ISO/IEC 42001:2023. Learn where ISO 42001 helps with AI policy, roles, risk assessment, impact assessment, documented information.
EU AI Act vs NIST AI RMF | How to Use AI RMF Without Missing AI Act Duties
Compare the EU AI Act with NIST AI RMF 1.0. Learn how the voluntary NIST AI RMF functions Govern, Map, Measure.