Penalties of the EU AI Act: The High Cost of Non-Compliance

Authored by Osman Gazi Güçlütürk (Legal & Regulatory Lead in Public Policy at Holistic AI) and Airlie Hilliard (Senior Researcher at Holistic AI)
Published on Jan 23, 2025; last updated on January 23, 2025

Key Takeaways

  • The heftiest fines, imposed on operators for violations related to prohibited systems, are up to €35,000,000 or 7% of worldwide annual turnover for the preceding financial year, whichever is higher.
  • The lowest penalties for AI operators are for providing incorrect, incomplete, or misleading information, up to €7,500,000 or 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.
  • SMEs receive fines up to the lower threshold.
  • There are specific penalties for operators of general purpose AI systems and Union agencies.

With its risk-based approach, the EU AI Act is set to become the global gold standard for AI regulation. Imposing requirements that are proportionate to an AI system’s risk, the EU AI Act distinguishes between systems that have unacceptable levels of risk, high levels of risk, and limited risk, where high-risk systems have the most stringent obligations. Similarly, penalties for non-compliance follow a tiered system, with more severe violations of obligations and requirements carrying heftier penalties. In this blog post, we break down the particularly hefty penalties that can be issued for non-compliance under the EU AI Act.

What is the tiered approach the EU AI Act takes for penalties?

Penalties of the EU AI Act target three key actors:

  • Operators of AI systems
  • Providers of general purpose AI models, and
  • Union institutions, agencies, and bodies.

As we explore below, penalties for AI operators form a three-tier system that ranges in severity. There are also penalties specifically for operators of general purpose AI systems and a two-tier system for Union bodies.

Penalties of the EU AI Act

Penalties for AI system operators

Tier 1: Non-compliance with the prohibitions

The heftiest fines are given for using or making available systems that are prohibited by the AI Act: up to €35,000,000 or up to 7% of annual worldwide turnover for companies. This surpasses the penalties under GDPR, making the AI Act's penalties for non-compliance some of the heftiest in the EU.

Tier 2: Non-compliance with obligations

The second-highest fines are for non-compliance with specific obligations for providers, representatives, importers, distributors, deployers, notified bodies, and users. Non-compliance with the relevant provisions is subject to fines of up to €15,000,000 or up to 3% of annual worldwide turnover for companies.

Specifically, these penalties are incurred by not meeting the following provisions on obligations:

  1. Obligations of the providers of high-risk AI systems (HRAIs) under Article 16
  2. Obligations of authorized representatives under Article 22
  3. Obligations of the importers of HRAIs under Article 23
  4. Obligations of the distributors of HRAIs under Article 24
  5. Obligations of the deployers of HRAIs under Article 26
  6. Requirements and obligations of notified bodies under Articles 29-34
  7. Transparency obligation for providers and users of certain AI systems under Article 50

Tier 3: Supplying incorrect, incomplete, or misleading information to the authorities

Supplying incorrect or incomplete information is a violation of Article 21 of the AI Act, which requires cooperation with competent authorities. Upon request by a competent national authority, providers of HRAIs shall provide the necessary information and documentation to demonstrate the conformity of the HRAI with the relevant requirements.

Replying with incorrect, incomplete, or misleading information to a request of national authorities or notified bodies is subject to fines of up to €7,500,000 or 1% of the total worldwide turnover, whichever is higher.

Are there any considerations for SMEs?

In the case of SMEs, including start-ups, fines will be whichever is lower of the percentage and value instead of the higher of the two.

Administrative fines against providers of GPAI models

Under Article 101, providers of GPAI models can be issued fines of up to 3% of total worldwide turnover or 15 million EUR, whichever is higher. Fines can be incurred if a provider of a GPAI intentionally or negligently:

  • Fails to comply with a request for documents or information or supplies incorrect, incomplete, or misleading information under Article 91,
  • Fails to comply with a measure requested under Article 93,
  • Fails to make available to the Commission access to the GPAI model or GPAI with systemic risk with a view to conducting an evaluation under Article 92.

Administrative fines against Union bodies

According to Article 100, the European Data Protection Supervisor can also impose administrative fines on Union agencies, bodies, and institutions. Fines could be up to €1,500,000 for non-compliance with the prohibitions of the Act and €750,000 for non-compliance with obligations other than those laid down in Article 5.

How are penalties decided?

The general principle of the AI Act is that penalties shall be effective, dissuasive, and proportionate to the type of offense, previous actions, and profile of the offender. As such, the EU AI Act acknowledges that each case is individual and designates the fines as a maximum threshold, although lower penalties can be issued depending on the severity of the offense. Factors that may be considered when determining penalties include:

  • The nature, gravity, and duration of the offense,
  • The intentional or negligent character of infringements,
  • Any actions to mitigate the effects,
  • Previous fines,
  • The size, annual turnover, and market share of the offender,
  • Any financial gain or loss resulting from the offense,
  • Whether the use of the system is for professional or personal activity.

As there is no Union-wide central authority to issue fines, penalty amounts generally depend on the national legal system of the Member States, taking the above factors into consideration. For the providers of GPAI models and for the Union bodies, on the other hand, the fines are imposed by the Commission and the European Data Protection Supervisor, respectively.


DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.
