EU AI Act Fines: €35M and 7% Turnover — What US Companies Risk
How the EU AI Act penalty framework works and what GDPR enforcement history tells us about extraterritorial fines.
Three tiers of penalties
The EU AI Act establishes a three-tier penalty structure under Article 99, scaled to the severity of the violation. These are maximum penalties — actual fines will be determined by national authorities based on the specific circumstances of each case.
Tier 1: Prohibited practices (Article 5). Up to €35 million or 7% of the preceding financial year's worldwide annual turnover, whichever is higher. This applies to violations of the outright bans: social scoring, manipulative AI, certain biometric uses, emotion recognition in workplaces and schools.
Tier 2: High-risk non-compliance. Up to €15 million or 3% of global annual turnover. This covers failures to meet the requirements for high-risk AI systems (Articles 8-15), GPAI model obligations (Chapter V), and most other substantive provisions of the Act.
Tier 3: Incorrect information. Up to €7.5 million or 1.5% of global annual turnover. This applies to providing incorrect, incomplete, or misleading information to regulatory authorities, including during conformity assessments, database registration, or in response to enforcement inquiries.
The GDPR precedent for US companies
The EU has demonstrated willingness to enforce against non-EU companies. GDPR enforcement provides the blueprint: regulators have consistently held that processing affecting EU residents triggers jurisdiction regardless of where the company is based. Major US technology companies have faced GDPR fines measured in hundreds of millions of euros. The EU AI Act follows the same enforcement model, and there is no reason to expect a different approach.
Proportionality factors
Article 99 requires that penalties be effective, proportionate, and dissuasive. National authorities must consider the nature, gravity, and duration of the infringement, whether it was intentional or negligent, the actions taken to mitigate the harm, the degree of cooperation with authorities, previous infringements, the financial strength of the entity, and any other aggravating or mitigating factors.
For SMEs and startups, the Act provides that fines may be adjusted to avoid disproportionate impact. However, the maximum penalty calculations still apply as an upper ceiling.
Civil liability exposure
Beyond administrative fines, the EU AI Act creates civil liability exposure. If an AI system causes harm due to non-compliance — biased hiring decisions, discriminatory credit assessments, privacy violations — affected individuals may pursue damages through EU courts. The EU is also developing complementary liability frameworks for AI that would facilitate such claims.
This article provides general information about AI regulation. It does not constitute legal advice. Lexara Advisory LLC is an AI governance consulting firm, not a law firm. Published April 2026.