Fines under the AI Act can amount to 35 million euros or 7% of global annual revenue, whichever is higher. The amount depends on the severity of the violation: the most severe penalties apply to prohibited AI practices, while less serious violations have lower maximum fines. In this article, we answer the most frequently asked questions about enforcement, fines, and what your organization can do to remain compliant. Want to know what AI-driven intelligence looks like within a responsible framework? Then read on.
How high can fines under the AI Act go?
The AI Act has three categories of fines with increasing maximum amounts. The highest fine is 35 million euros or 7% of global annual revenue. The middle category ranges up to 15 million euros or 3%, and the lowest category up to 7.5 million euros or 1%. In each case, the higher of the two amounts applies, except for small and medium-sized enterprises.
A more favorable rule applies to SMEs and startups: they pay the lower of the fixed amount or the percentage. This offers some protection for smaller players, but does not eliminate the obligation to comply.
The provisions on fines are set forth in Article 99 of the regulation and have been in effect since August 2, 2025. Providers of General Purpose AI (GPAI) models are subject to a separate regime and may be fined by the European Commission up to a maximum of 15 million euros or 3% of annual turnover under Article 101.
Which violations result in the most severe penalties?
The heaviest fines—up to 35 million euros or 7% of global annual revenue—are imposed for violations of the prohibited practices listed in Article 5. These are AI applications that are considered to pose an unacceptable risk and will be completely banned as of February 2, 2025.
Examples of prohibited practices that may result in the maximum fine:
- Subliminal or manipulative techniques that influence behavior without a person’s awareness and cause significant harm
- Exploiting vulnerabilities based on age, disability, or socioeconomic status
- Social scoring by government agencies
- Predictive policing based solely on profiling
- Building facial recognition databases through undirected scraping
- Emotion recognition in the workplace or in educational institutions (excluding medical or safety exceptions)
- Real-time remote biometric identification in public spaces for law enforcement, except in strictly defined cases
Non-compliance with other obligations—such as the absence of technical documentation or an incomplete risk management system for high-risk AI—results in fines in the middle category: up to 15 million euros or 3%. Providing incorrect or misleading information to supervisory authorities falls into the lightest category: a maximum of 7.5 million euros or 1%.
Who enforces the AI Act and imposes fines?
Enforcement of the AI Act is divided into two levels. The European AI Office, established within the European Commission’s Directorate-General for CNECT, is responsible for overseeing GPAI models in all 27 member states. National market surveillance authorities are responsible for high-risk AI in general.
In practice, this decentralized model means that enforcement priorities and interpretations may vary by Member State. In January 2026, Finland became the first Member State to grant formal enforcement powers to its national authority under Article 99.
In addition to the national authorities, the AI Board—with one representative per member state—plays a coordinating role. An independent scientific panel advises on implementation and may issue a qualified warning when it identifies risks. The Commission itself may directly fine GPAI providers under Article 101.
Does the AI Act also apply to non-European companies?
Yes, the AI Act has extraterritorial effect. The regulation applies to anyone who develops, markets, imports, or uses AI systems within the EU, regardless of the organization’s country of establishment. The law also applies when the output of a system created outside the EU is used within the EU.
This mechanism is also known as the “Brussels effect, ” comparable to the global impact that the GDPR had after 2018 on how companies around the world handle personal data. Companies outside the EU that offer AI systems to European users are required to appoint an authorized representative in the EU.
Importers and distributors also have their own obligations: they must verify that conformity assessments have been conducted, that the CE marking and declaration of conformity are present, and retain the documentation for ten years. A distributor or importer who adds their name to a system or makes a substantial modification becomes the supplier themselves, with all the associated responsibilities.
When will enforcement of the AI Act take effect?
Enforcement of the AI Act will be phased in and will not take full effect on a single date. The first requirements, including the prohibited practices and the AI literacy requirement, have been in effect since February 2, 2025. The penalty provisions themselves have been in effect since August 2, 2025.
The complete timeline is as follows:
- February 2, 2025: Prohibited Practices (Article 5) and the AI Literacy Requirement (Article 4) take effect
- August 2, 2025: Penalty provisions (Article 99), GPAI obligations, governance structure, and designation of national authorities
- August 2, 2026: Most requirements for high-risk Annex III systems will become enforceable
- August 2, 2027: Requirements for high-risk AI as a safety component of regulated products (Annex I); GPAI models that were on the market before August 2025 must be compliant by that date at the latest
In 2026, the enforcement of high-risk systems will therefore be the next major milestone. Organizations that have not yet begun their compliance process have little leeway left.
How can organizations avoid fines?
Organizations can avoid fines by creating a structured AI registry now that lists all the AI systems they develop or use, and by determining their role for each system: Are they a provider, deployer, importer, or distributor? Determining this role is crucial because the obligations vary significantly depending on the role.
Practical steps to remain compliant:
- Create a comprehensive registry of all AI systems and classify them by risk level
- Check whether any of your systems fall under the prohibited practices listed in Article 5, which are already in effect
- Ensure that employees who work with AI systems have demonstrable AI literacy
- Prepare technical documentation for high-risk systems and implement a risk management system
- For high-risk AI, designate individuals responsible for human oversight
- Retain logs from high-risk systems for at least six months
- Inform employees before high-risk AI systems are put into use (Article 26(7))
- Be aware of circumstances that could inadvertently make you a provider, such as modifying an existing system or putting your name on it
Also note the distinction between the deployer and the provider: anyone who makes a substantial change to an AI system or alters its intended use in such a way that the system becomes high-risk automatically assumes full provider liability.
How Pegamento Helps with AI Act Compliance
At Pegamento, we understand that the AI Act is a complex issue for many organizations, especially if you’re already using multiple AI applications in your customer engagement processes. We help you use AI responsibly and in compliance with regulations, without falling into any regulatory pitfalls.
What we can do for you:
- Provide insight into which of your AI applications fall under the AI Act and what risk level applies
- Delivering AI solutions designed with human oversight as a fundamental principle, in accordance with the requirements for high-risk systems
- Implement our Agentic AI for customer service in a way that is transparent, verifiable, and documented
- Offering everything under one roof: from consulting and implementation to management and support, without silos or complex supplier structures
- We operate according to our ISO 27001-certified procedures, supplemented by ISO 9001 and ISO 26000, to ensure information security and quality
Our approach combines proven standard building blocks into a solution that fits your organization perfectly, without the need for costly customization. This allows you to reap the benefits of AI while keeping the risks of non-compliance under control. Would you like to know how we can implement this for your organization? Contact us, and we’d be happy to work with you to find a solution.
Frequently Asked Questions
What is the difference between a provider and a deployer under the AI Act, and why does that matter for my risk of being fined?
A provider is the party that develops and places an AI system on the market, while a deployer uses another party’s system in its own business processes. This distinction is crucial because providers have much more stringent obligations, such as preparing technical documentation, conducting conformity assessments, and affixing a CE mark. Note: As a deployer, you can inadvertently become a provider—for example, if you substantially modify a purchased AI system or use it for a purpose other than that for which it was intended.
How do I know if my AI system is classified as 'high-risk'?
High-risk AI systems are listed in Annex I and Annex III of the AI Act and include applications in sectors such as education, human resources, lending, law enforcement, and critical infrastructure. A practical first step is to assess, for each AI system, the context in which it is used and the decisions it (partly) influences. Systems that have a significant impact on people’s access to services, opportunities, or rights quickly fall into the high-risk category and require a comprehensive risk management system, technical documentation, and human oversight.
What exactly does the AI literacy requirement entail, and how do I demonstrate that my organization complies with it?
The AI literacy requirement (Article 4) obligates both providers and deployers to ensure that employees working with AI systems have sufficient knowledge and skills to use those systems responsibly. In practice, this means you must set up training courses or awareness programs tailored to the employee’s role and the system’s risk level. Demonstrability is essential here: document training sessions, participant lists, and learning content so that you can prove compliance with this obligation during an audit.
Can fines under the AI Act be combined with GDPR fines for the same incident?
Yes, that is possible in principle. Many AI systems process personal data, meaning a violation can simultaneously breach both the AI Act and the GDPR—for example, a facial recognition system that processes biometric data without a legal basis. In such cases, the supervisory authorities are required to cooperate and coordinate, but double penalties cannot be ruled out. This makes it all the more important to address AI compliance and privacy compliance as a single integrated process rather than as separate silos.
What should I do if I use AI systems from third-party vendors—am I also liable?
As a deployer, you are responsible for the proper use of the AI system within your organization, even if the system was developed by a third party. Among other things, you are required to verify that the provider has conducted a conformity assessment, that the CE marking is present, and that the technical documentation is available. Specify in the contract which obligations fall on the provider and which fall on you, and ensure that you have access to the information you need for human oversight and incident reporting.
Is there a transition period for AI systems that were already in use before the AI Act?
Yes, transition provisions apply to existing systems. AI systems that were already on the market before August 2, 2026, and are classified as high-risk under Annex III do not need to be fully compliant until that date. For systems covered by Annex I (safety components of regulated products), the deadline is August 2, 2027. GPAI models that were already available before August 2025 must comply with the requirements by August 2, 2027, at the latest. These transition periods provide some leeway, but they are no excuse to delay compliance efforts—the preparation time is considerable.
What are the most common mistakes organizations make when preparing for the AI Act?
A common mistake is underestimating the scope: many organizations do not realize how many AI systems they already have in use, including embedded AI in SaaS tools or third-party HR software. A second common mistake is starting too late on drafting technical documentation and risk assessments, leaving insufficient time for a thorough implementation. Finally, organizations often fail to critically assess their own role: anyone who modifies or reuses an existing system outside its original scope of application automatically assumes provider obligations—with all the associated compliance requirements.


