When a business owner hears that Europe has passed a law on artificial intelligence, the first question is rarely technical. It is blunt: can this cost me money, and how much? The answer is yes, and the figures are high. But high does not mean arbitrary: the regulation states precisely how much, on what grounds and from when. It is worth knowing before it matters.
Three bands, not a single fine
The European AI Act [Source: Regulation (EU) 2024/1689, EUR-Lex, 2024, https://eur-lex.europa.eu/eli/reg/2024/1689/oj] does not have a single penalty. It splits fines into three levels according to the gravity of what is breached. At each level the fixed figure or the percentage of turnover applies, whichever is higher — calculated on worldwide turnover for the previous year, not only the Spanish figure [Source: Regulation (EU) 2024/1689, art. 99, EUR-Lex, 2024, https://artificialintelligenceact.eu/article/99/]:
- Prohibited uses — up to EUR 35,000,000 or 7% of worldwide turnover. This is the highest band, reserved for uses the law bars entirely (for example, certain social-scoring systems for individuals). If your case falls here, there is no fine to negotiate: the use is simply not permitted.
- Breaching obligations — up to EUR 15,000,000 or 3%. This is the band that affects most organisations. It covers failing to do what the law requires of whoever develops or deploys a system, including the transparency obligation (for example, not warning that the party one is talking to is an AI).
- Misinforming the authority — up to EUR 7,500,000 or 1%. Supplying incorrect, incomplete or misleading information to the supervisor has its own band. In other words: complying is not enough; you have to be able to demonstrate it properly when asked.
There is some relief for smaller companies: for SMEs and start-ups, the fine is capped at the lower of the two amounts (the fixed figure or the percentage), not the higher [Source: Regulation (EU) 2024/1689, art. 99, EUR-Lex, 2024, https://artificialintelligenceact.eu/article/99/].
Whom it applies to
The question matters because the law does not fine "AI companies" in the abstract. The obligations, and therefore the fines, fall on whoever plays a specific role: whoever develops the system, whoever imports or distributes it, and also whoever deploys it, that is, the company that uses it in its operations. A company that codes nothing but uses an AI system to, say, screen CVs occupies one of those roles and is within scope.
That is why the first question is not "how much is the fine?" but "which category does my system fall into?". The band that applies to you depends on what your AI does and what risk it carries — and that is decided earlier, when you classify it. We explain it in detail in "Is your AI 'high-risk'? How to tell without being a lawyer".
From when
The fines do not all arrive on the same day. The regulation applies in stages [Source: Regulation (EU) 2024/1689, art. 113, EUR-Lex, 2024, https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng]:
- From 2 February 2025 the prohibitions are enforceable (the highest band).
- From 2 August 2025 the penalties chapter and the obligations on general-purpose models apply, among others.
- 2 August 2026 is the general date of application, which includes most of the high-risk systems regime.
A note of honesty: a possible deferral of some of these dates for high-risk systems is under discussion at European level; it has been agreed provisionally but not yet formally adopted [Source: Council of the EU, 2026, https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/]. Until it is confirmed, the dates in force are those above. It is worth verifying the timetable before taking decisions that depend on it.
The fine is not the problem; it is the symptom
Looking only at the figure leads to the wrong question — "how do I avoid the fine?" — when the useful one is another: "can I demonstrate, today, what my AI does and how I control it?". Because the penalty does not come from using artificial intelligence, but from being unable to prove it is governed. The 1% band makes it plain: it punishes, specifically, the inability to inform the supervisor properly.
That is where AI governance stops being a defensive formality. The same documentation that lets you see what your system does and direct it is what answers the regulator when it asks. It is not a PDF signed for the inspection: it is the architecture of your system, ordered so that anyone can check what it does. Whoever has that does not fear the fine, because they have something to answer it with.
What to do with this
The figure of 35 million is frightening, and that is its purpose. But the work that avoids it is not last-minute legal work; it is a matter of order: knowing which AI systems you have, which risk category each falls into and what documentation supports that classification. In our method that inventory is the first thing put in writing.