EU AI Act Fines: How Much Can You Actually Be Fined?
The EU AI Act has some of the highest potential fines in EU regulatory history. But most coverage focuses on the headline numbers without explaining when those fines actually apply, who enforces them, and what SMBs realistically face.
The three fine tiers
- Tier 1 — up to €35 million or 7% of global annual turnover. Violations of Article 5 — the prohibited practices. Deploying real-time biometric surveillance, building social scoring systems, or using AI to manipulate vulnerable people. If you're doing any of these, fines are the least of your problems.
- Tier 2 — up to €15 million or 3% of global annual turnover. The main tier for high-risk AI system violations: missing technical documentation, no risk management system, inadequate human oversight. This is what most SMBs need to focus on.
- Tier 3 — up to €7.5 million or 1.5% of global annual turnover. Providing incorrect or misleading information to regulators and notified bodies.
In each case, the higher of the fixed amount or the percentage applies.
What this means in real numbers
For a company with €2 million in annual revenue, a Tier 2 violation carries a maximum of €15 million: 3% of turnover is only €60,000, so the fixed cap is the higher figure. For a company with €20 million in revenue, the Tier 2 maximum is still €15 million (3% of turnover is €600,000, again below the fixed cap). Article 99(6) does state that fines must be "proportionate" for SMBs — regulators are supposed to consider company size, financial situation, and whether the violation was intentional.
Who actually enforces the fines?
Each EU member state designates a national supervisory authority. Germany, France (CNIL), and Ireland are key ones to know — Ireland especially for US tech companies with EU headquarters there. The European AI Office oversees enforcement at EU level, particularly for general-purpose AI models. Fines are issued following an investigation triggered by complaints or routine market surveillance — there is no automated penalty system.
When do fines actually happen?
Regulators typically prioritise:
- Systems that have caused actual harm to people
- Large companies with significant EU market presence
- Repeated or knowing violations after warnings
A small SaaS company that makes genuine compliance efforts, documents its reasoning, and responds promptly to any regulatory enquiry is extremely unlikely to face maximum fines, even if its documentation isn't perfect.
The more immediate risk: market access
Before fines, there's a more immediate enforcement tool: market surveillance authorities can order non-compliant AI systems to be withdrawn from the EU market. For a company whose product is its only revenue source, this is potentially more damaging than a fine.
What to do
The goal isn't perfect compliance from day one — it's demonstrating a good-faith effort. Classify your AI systems, document your reasoning, and start building the required documentation. Start with a free risk classification at getactready.com/classify to understand exactly where your systems sit.
Check your AI system's risk level for free
Our classifier maps your AI system against the EU AI Act in under 60 seconds. No signup required.