Overview
The EU AI Act contains a tiered sanctions system. Art. 99 defines three fine tiers, graduated according to the severity of the violation.
The level of potential sanctions demonstrates that AI compliance is not an optional governance topic but an economically significant risk.
This article explains:
- The three fine tiers in detail
- Responsible authorities
- Special provisions for SMEs
- Comparison with the GDPR
- Strategic implications for companies
The Three Fine Tiers
1. Most Serious Violations -- Prohibited Practices
Violations of Art. 5 (prohibited AI practices) can be sanctioned with:
- Up to EUR 35 million or
- Up to 7% of global annual turnover
Whichever amount is higher applies.
Highest Fine Tier
Art. 5 violations are the most severely sanctioned offences in the entire AI Act.
2. Violations of Other Obligations
These include, among others:
- Non-compliance with high-risk requirements
- Missing conformity assessment
- Violation of transparency obligations
- Non-compliance with GPAI obligations
Fine range:
- Up to EUR 15 million or
- Up to 3% of global annual turnover
3. False or Misleading Information
For example:
- False information provided to market surveillance authorities
- Incomplete documentation
Fine range:
- Up to EUR 7.5 million or
- Up to 1% of global annual turnover
Responsible Authorities
Each member state designates:
- A national market surveillance authority
- Competent supervisory bodies
These authorities can:
- Initiate investigations
- Request documents
- Issue market bans
- Impose fines
Special Provisions for SMEs
The AI Act provides for:
- Proportionality review
- Consideration of economic capacity
- Potentially reduced sanctions
SME Protection
Small companies are not exempt -- but fines must be proportionate.
Comparison with the GDPR
| Regulation | Maximum Fine |
|---|---|
| GDPR | EUR 20 million or 4% of turnover |
| EU AI Act (Art. 5) | EUR 35 million or 7% of turnover |
The AI Act surpasses the GDPR at the highest tier.
Market Ban as an Additional Measure
In addition to fines, authorities can:
- Withdraw AI systems from the market
- Prohibit CE marking
- Prohibit deployment
For technology-driven companies, a market ban can be more severe than a fine.
Enforcement Perspective
The following can be expected:
- Focus on high-risk systems
- Particular attention to biometric applications
- Reviews of generative AI
Documentation will be a central audit point.
Compliance as a Strategic Decision
Companies should:
- Establish governance structures early
- Document risk classifications
- Prepare conformity assessments
Violations are not only a legal risk but also a reputational risk.
Need help implementing?
Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.
Need legal clarity?
For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.
Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.
Next Steps
- Conduct an AI Act risk classification.
- Review potential Art. 5 risks.
- Establish documentation standards.
- Implement internal control mechanisms.
- Plan compliance budgets early.