Your €15M EU AI Act Fine Estimate Is Probably Wrong
- The True Ceiling: The maximum penalty is actually €35 million or 7% of global annual turnover for Article 5 prohibited practices.
- Global Turnover Defined: Penalties are calculated at the undertaking level, meaning a parent company's global revenue, not just the EU subsidiary's revenue.
- The Stacking Threat: AI Act fines do not replace GDPR fines; they stack, creating double exposure for a single data-processing violation.
- SME Adjustments: Start-ups and SMEs face the lower of the two fine metrics (fixed sum vs. percentage), whereas enterprise entities face the higher.
Most enterprise compliance officers and CFOs are budgeting for a €15 million fine under the EU AI Act.
This is a massive, systemic miscalculation. By anchoring financial risk to the standard penalty tier, boards are drastically underestimating their true regulatory exposure.
As teams work through their August 2026 enforcement-deadline checklists for the EU AI Act, a hard truth is emerging.
The €15M figure is merely the middle band. If your organization triggers an Article 5 violation through a prohibited practice—even accidentally—the ceiling instantly more than doubles.
Understanding exactly how the €15 million / 3% turnover tier compares to the maximum penalty is non-negotiable.
Here is the exact penalty matrix your legal team needs to decode before the first audit strikes.
The Four-Tier Penalty Matrix Under Article 99
The EU AI Act does not apply a flat penalty rate.
Instead, Article 99 establishes a strict four-tier penalty structure based on the severity of the infraction.
Failing to properly map your AI systems to these specific tiers is a direct path to a catastrophic budgetary failure.
Tier 1: The €35M / 7% Turnover Trap (Article 5)
This is the tier most US and UK enterprises ignore because they assume they don't engage in "prohibited practices."
However, Article 5 covers subliminal manipulation, social scoring, and untargeted facial-image scraping.
If your HR department deploys an emotion-recognition tool during remote interviews, you immediately cross into this tier.
The penalty is up to €35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Tier 2: The €15M / 3% Turnover Standard Tier
This is the baseline tier for non-compliance with Annex III high-risk obligations and GPAI provider rules.
If you fail to conduct a conformity assessment, lack proper technical documentation, or miss the data governance standards outlined in Article 10, this is your exposure.
The penalty here is up to €15 million or 3% of total worldwide annual turnover, whichever is higher.
Tier 3: The Incorrect Information Penalty
Simply supplying incomplete, misleading, or outright false information to a notified body or national competent authority triggers its own distinct fine.
This tier caps at €7.5 million or 1% of total worldwide annual turnover.
Never attempt to hide a shadow-AI inventory violation from an auditor: doing so will immediately trigger a Tier 3 fine on top of the base violation.
Calculating "Global Annual Turnover" for Enterprises
Corporate structuring will not save you from a massive financial hit.
The regulation explicitly applies to the economic undertaking.
If a US-based parent company generates $20 billion globally, but the violation occurs via a small €10 million subsidiary operating in Germany, the fine is calculated against the $20 billion parent revenue.
There is no legal mechanism to ringfence AI Act liability strictly within the borders of your EU entity.
SME Protections vs. Cumulation Risks
The AI Act does contain a proportionality clause designed to protect smaller businesses.
For SMEs and start-ups, the regulator applies the lower of the two figures (the fixed millions or the turnover percentage).
However, for large enterprises, the authority is legally mandated to apply the higher of the two figures.
Furthermore, violations can theoretically cumulate. If you deploy a non-compliant high-risk system and simultaneously lie to the regulator about it, you are looking at stacked enforcement actions from the market surveillance authorities.
The GDPR and AI Act Stacking Effect
The most devastating financial scenario for an enterprise is the "dual enforcement" trap.
The AI Act operates without prejudice to the GDPR. If your AI system unlawfully processes personal data while simultaneously breaching an AI Act high-risk obligation, you face two separate fines from two separate regulators.
A Data Protection Authority can levy a GDPR fine of up to €20M or 4% of turnover, while the AI market surveillance authority simultaneously levies an AI Act fine of up to €15M or 3%.
For international tech hubs, such as Indian Global Capability Centres managing EU data, this risk multiplies.
Navigating this requires a unified compliance posture, mirroring the disciplines outlined in a DPDP Act AI compliance guide for India, so that data privacy and AI safety are governed under a single pane of glass.
Conclusion
The era of theoretical AI compliance is over. The European Commission has armed its market surveillance authorities with one of the most aggressive penalty matrices in global corporate history.
Budgeting for a €15M standard fine while ignoring the €35M prohibited-practice ceiling is a failure of basic risk management.
Enterprises must immediately audit their AI portfolios, root out shadow IT deployments, and establish continuous, operational oversight before August 2026.
Frequently Asked Questions (FAQ)
What is the maximum fine under the EU AI Act?
The highest possible fine is €35 million or 7% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. This maximum tier is strictly reserved for violations of Article 5, which covers banned and prohibited AI practices.
What is the difference between the €15M / 3% tier and the €35M / 7% tier?
The €15M / 3% tier applies to breaches of high-risk AI system obligations (like missing documentation or lack of human oversight) and GPAI provider rules. The €35M / 7% tier is exclusively triggered by deploying outright prohibited AI practices, such as real-time biometric ID in public spaces.
How is "global annual turnover" calculated for a corporate group?
Turnover is calculated at the level of the economic "undertaking," meaning the entire corporate group. If an EU subsidiary commits the violation, the fine percentage is levied against the global revenue of the ultimate parent company from the preceding financial year.
Do SMEs and start-ups get reduced fines?
Yes. The AI Act includes a proportionality clause for SMEs and start-ups. When calculating their fines, regulators must apply the lower of the two threshold figures (the fixed monetary amount or the turnover percentage), whereas large enterprises face the higher of the two.
What is the penalty for supplying incorrect information to regulators?
If a provider supplies false, incomplete, or misleading information to a national competent authority or a notified body, they face a specific penalty tier. This fine is capped at €7.5 million or 1% of the company's total worldwide annual turnover.
Who levies the fines, and where does the money go?
Fines are levied by the national market surveillance authorities of the specific EU Member State where the infringement occurred. The revenue from these administrative fines typically goes into the national treasury of that specific Member State, not a central EU fund.
Do GPAI providers face a different penalty structure?
No, they fall under the same penalty matrix. General-purpose AI (GPAI) model providers who violate their specific obligations face the standard Tier 2 penalty ceiling: up to €15 million or 3% of their global annual turnover.
Can multiple violations be fined at once?
Yes, regulators can stack violations. If an enterprise deploys a prohibited system (Tier 1) and also lies to the regulator during the investigation (Tier 3), authorities can pursue enforcement for both infractions, aggressively escalating the total financial liability.
Have any fines been issued yet?
As of early 2026, initial investigations regarding Article 5 prohibited practices (which became enforceable in February 2025) are actively underway. While formal public fines may still be navigating the appeals process, regulatory audit demands have already been issued.
Can a company be fined under both the AI Act and the GDPR for the same system?
The AI Act does not displace GDPR. If an AI system violates both AI Act rules (e.g., lack of risk management) and GDPR rules (e.g., unlawful processing of personal data), the company can be fined by both the AI market authority and the Data Protection Authority simultaneously.