AI Act penalties: who pays what and when

Tier 1 (Article 99(3)): Violations of prohibited practices (Article 5) — up to €35 million or 7% of worldwide annual turnover. Tier 2 (Article 99(4)): Non-compliance with high-risk obligations, GPAI rules, notified body requirements — up to €15 million or 3% of turnover. Tier 3 (Article 99(5)): Supplying incorrect or misleading information to authorities — up to €7.5 million or 1.5% of turnover.

For each tier, the higher of the fixed amount or the turnover-based amount applies. For SMEs and startups, penalties are capped at the lower of the two thresholds, providing proportionate protection.

National market surveillance authorities (one per Member State, all designated by August 2025) conduct enforcement. Triggers include complaints from affected persons (Article 85), systematic market surveillance activities, and cross-border coordination through the European AI Board.

At the EU level, the AI Office directly supervises GPAI model providers and can impose its own fines under Article 101.

The strongest mitigant is demonstrable, continuous compliance infrastructure. Penalty calculations consider the nature, gravity, and duration of the infringement, as well as the measures taken to mitigate harm.

Maintaining an up-to-date compliance posture, incident response records, and documented risk management processes creates the evidentiary foundation that limits both the probability and severity of enforcement actions.