Estimate your maximum EU AI Act fine based on violation type and company turnover. Prohibited practices: €35M/7%. High-risk non-compliance: €15M/3%. For SMEs, the lower amount applies.
EU AI Act sanction tiers
| Violation | Max fine (large org) | Max fine (SME/startup) |
|---|---|---|
| Prohibited practices (Art. 5) | €35,000,000 or 7% of global annual turnover | Lower of the two amounts |
| High-risk AI non-compliance (Chapters III & V) | €15,000,000 or 3% of global annual turnover | Lower of the two amounts |
| Incorrect/misleading information to authorities | €7,500,000 or 1% of global annual turnover | Lower of the two amounts |
Estimating your exposure
For a large organisation with €1 billion global annual revenue:
- Prohibited practice violation: up to €70,000,000 (7% of €1B = €70M, which exceeds the €35M absolute amount, so the higher percentage figure applies)
- High-risk AI non-compliance: up to €30,000,000 (3% of €1B = €30M, which exceeds the €15M absolute amount, so the higher percentage figure applies)
For a mid-market company with €50 million global annual revenue:
- Prohibited practice violation: up to €3,500,000 (7% of €50M = €3.5M, lower than the €35M absolute amount; for an SME the lower figure applies)
- High-risk AI non-compliance: up to €1,500,000 (3% of €50M = €1.5M, lower than €15M cap)
Key insight for SMEs: The "lower amount" rule significantly reduces SME exposure. A startup with €5M revenue faces a maximum of €350,000 for a prohibited practice (7% of €5M), not €35M.
Stacking with GDPR and NIS2
AI systems often process personal data and may be deployed in critical sectors. Fines can stack:
- GDPR: Up to €20M or 4% global annual turnover for personal data violations
- NIS2: Member state fines, typically up to €10M or 2% of global revenue for essential entities
- AI Act: As above
A biometric identification system deployed without proper consent could simultaneously trigger all three. Total maximum exposure for a large organisation across all three: €70M (AI Act) + €20M (GDPR) + €10M (NIS2), using the absolute amounts for GDPR and NIS2; applying the percentage figures listed above to €1 billion turnover would give higher GDPR and NIS2 maxima.
To reduce your exposure, complete the Compliance Checklist and ensure all high-risk AI obligations are documented and implemented before your deadline.
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Frequently Asked Questions
EU AI Act fines are calculated as the higher of an absolute cap or a percentage of global annual turnover: €35M or 7% for prohibited practices, €15M or 3% for most high-risk violations. For SMEs and startups, the lower of the two amounts applies — protecting smaller organizations from disproportionate fines.
National market surveillance authorities in each EU member state have sanctioning authority for AI Act violations. The EU AI Office can impose sanctions on GPAI model providers. Maximum fine levels are set by the AI Act, but actual fines depend on severity, duration, intent, cooperation, and remediation.
For individual provisions, yes. However, the AI Act fines can stack with fines from other EU regulations. A non-compliant high-risk AI system might simultaneously trigger AI Act fines, GDPR fines (up to €20M or 4%), and NIS2 fines, potentially compounding the exposure significantly.