EU AI Act

Penalties of the EU AI Act: The High Cost of Non-Compliance

Authored By
Osman Gazi Güçlütürk
,
Airlie Hilliard
,
Published on
January 23, 2025

Key Takeaways

  • The heftiest fines are imposed on operators for violations related to prohibited systems of up to €35,000,000 or 7% of worldwide annual turnover for the preceding financial year, whichever is higher.
  • The lowest penalties for AI operators are for providing incorrect, incomplete, or misleading information, up to €7,500,000 or 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.
  • SMEs receive fines up to the lower threshold.
  • There are specific penalties for operators of general purpose AI systems and Union agencies.

With its risk-based approach, the EU AI Act is set to become the global gold standard for AI regulation. Imposing requirements that are proportionate to an AI system’s risk, the EU AI Act distinguishes between systems that have unacceptable levels of risk, high levels of risk, and limited risk, where high-risk systems have the most stringent obligations. Similarly,  penalties for non-compliance follow a tiered system, with more severe violations of obligations and requirements carrying heftier penalties. In this blog post, we breakdown the particularly hefty penalties that can be issued for non-compliance under the EU AI Act.

What is the tiered approach the EU AI Act takes for penalties?

Penalties of the EU AI Act target three key actors:

  • Operators of AI systems
  • Providers of general purpose AI models, and
  • Union institutions, agencies, and bodies.

As we explore below, penalties for AI operators form a three-tier system that ranges in severity. There are also penalties specifically for operators of general purpose AI systems and a two-tier system for Union bodies.

Penalties of the EU AI Act

Penalties for AI system operators

Tier 1: Non-compliance with the prohibitions

The heftiest fines are given for using or making available systems that are prohibited by the AI Act. Non-compliance with prohibitions carries the heftiest fine under the EU AI Act – up to €35,000,000 or up to 7% of annual worldwide turnover for companies. This also surpasses the penalties under GDPR, with the AI Act therefore imposing some of the heftiest penalties for non-compliance in the EU.

Tier 2: Non-compliance with obligations

The second highest fines are = for non-compliance with specific obligations for providers, representatives, importers, distributors, deployers, notified bodies, and users. Non-compliance with the relevant provisions is subject to fines of up to €15,000,000 or up to 3% of annual worldwide turnover for companies.‍

Specifically, these penalties can be issued for non-compliance with

Specifically, these penalties are incurred by not meeting the following provisions on obligations:

  1. Obligations of the providers of HRAIs under Article 16
  1. Obligations of authorized representatives under Article 22
  1. Obligations of the importers of HRAIs under Article 23
  1. Obligations of the distributors of HRAIs under Article 24
  1. Obligations of the deployers of HRAIs under Article 26
  1. Requirements and obligations of notified bodies under Articles 29-34
  1. Transparency obligation for providers and users of certain AI systems under Article 50

Tier 3: Supplying incorrect, incomplete, or misleading information to the authorities

Failure to supply the correct or incomplete information is a violation of Article 21 of the AI Act, which requires cooperation with component authorities. Upon request by a competent national authority, providers of HRAIs shall provide the necessary information and documentation to demonstrate the conformity of the HRAI with the relevant requirements.

Replying with incorrect, incomplete, or misleading information to a request of national authorities or notified bodies is subject to fines of up to €7,500,000 or 1% of the total worldwide turnover, whichever is higher.

Are there any considerations for SMEs?

In the case of SMEs, including start-ups, fines will be whichever is lower of the percentage and value instead of the higher of the two.

Administrative fines against providers of GPAI models

Providers of GPAI models can be issued fines of up to 3% of total worldwide turnover or 15 million EUR, whichever is higher under Article 101. Fines can be incurred if a provider of a GPAI intentionally or negligently:

  • Fails to comply with a request for document or information or supplies incorrect, incomplete, or misleading information under Article 91,
  • Fails to comply with a measure requested under Article 93,
  • Fails to make available to the Commission access to the GPAI model or GPAI with systemic risk with a view to conducting an evaluation under Article 92.

Administrative fines against Union bodies

According to Article 100, the European Data Protection Supervisor can also impose administrative fines on Union agencies, bodies, and institutions. Fines could be up to €1,500,000 for non-compliance with the prohibitions of the Act and €750,000 for non-compliance with obligations other than those laid down in Article 5.

How are penalties decided?

The general principle of the AI Act is that penalties shall be effective, dissuasive, and proportionate to the type of offense, previous actions, and profile of the offender. As such, the EU AI Act acknowledges that each case is individual and designates the fines as a maximum threshold, although lower penalties can be issued depending on the severity of the offense. Factors that may be considered when determining penalties include:

  • The nature, gravity, and duration of the offense,
  • The intentional or negligent character of infringements,
  • Any actions to mitigate the effects,
  • Previous fines,
  • The size, annual turnover, and market share of the offender,
  • Any financial gain or loss resulting from the offense,
  • Whether the use of the system is for professional or personal activity.

As there is no union-wide central authority to issue fines, taking the above into consideration, penalty amounts generally depend on the national legal system of the Member States. On the other hand, for the providers of GPAI models and for the Union bodies, the fines are imposed by the Commission and the European Data Protection Supervisor, respectively.

Simplify EU AI Act Compliance with Our AI Governance Platform

Stay ahead of the AI revolution while ensuring compliance with the EU AI Act. Discover how Holistic AI's purpose-built governance platform can help your organization accelerate innovation, minimize risk, and meet stringent regulatory standards. Book a demo today and take the first step toward responsible, scalable, and impactful AI transformation. Together, let's unlock the full potential of AI—safely and securely.

Schedule a call to learn more about how Holistic AI can help you get ahead with your EU AI Act preparedness.

Table of contents

Heading 2
Share this

Unlock the Future with AI Governance.

Get a demo

Get a demo

One platform for AI you can trust.
Holistic AI is an AI Governance platform that empowers enterprises to adopt and scale AI confidently.

Get a demo

Stay informed with the latest news & updates
Products

AI Governance Platform

Resources

Blog

Papers & Research

News

Events & Webinars

Red Teaming & Jailbreaking Audit

EU AI Act Risk Calculator

Privacy Policy

Terms & Conditions

© 2025 Holistic AI. All Rights Reserved.