EU AI ActPenaltiesFinesSMEs

EU AI Act fines and penalties: what do EU SMEs actually risk?

Published July 18, 2026 · 5 min read

The headline numbers are frightening: up to EUR 35 million, or 7% of global turnover. But those are ceilings for the worst violations by the largest companies. If you run an SME, the EU AI Act contains a rule that flips the maths in your favour. Here is what the penalties actually are, and what they mean for a small business.

The three penalty tiers

The EU AI Act (Regulation (EU) 2024/1689) sets three ceilings for administrative fines, depending on what was breached:

  • Up to EUR 35M or 7% of worldwide annual turnover for using one of the prohibited AI practices banned under Article 5 (Article 99(3)).
  • Up to EUR 15M or 3% for breaching most other obligations: the duties of providers and deployers of high-risk systems, the transparency rules, or notified-body requirements (Article 99(4)).
  • Up to EUR 7.5M or 1% for supplying incorrect, incomplete or misleading information to authorities or notified bodies (Article 99(5)).

For a company that is not an SME, each fine is the higher of the fixed euro amount or the percentage of total worldwide annual turnover for the preceding financial year, measured at group level, on turnover, not on profit.

The SME rule most headlines miss

Article 99(6) reverses that rule for smaller firms. For SMEs and start-ups, each fine is capped at the lower of the percentage or the fixed amount, not the higher. That single word changes everything for a small business.

Take the top tier. A large group faces up to the higher of EUR 35M or 7% of turnover. An SME with, say, EUR 2M in annual turnover faces up to the lower of the two: 7% of EUR 2M is EUR 140,000, well below EUR 35M, so EUR 140,000 is the ceiling. The percentage, not the eye-watering fixed figure, is what bounds an SME's exposure.

General-purpose AI models: fined by the Commission

There is a separate track for providers of general-purpose AI (GPAI) models. Under Article 101, the European Commission, not a national authority, can fine a GPAI provider up to EUR 15M or 3% of worldwide annual turnover, whichever is higher, for intentional or negligent breaches. Those fines can be reviewed by the Court of Justice of the EU.

Fines are ceilings, not tariffs

Every figure above is a maximum: the law says "up to." There is no fixed or minimum fine. When an authority sets an actual amount, Article 99(7) requires it to weigh factors including:

  • the nature, gravity and duration of the breach and its consequences;
  • the size, turnover and market share of the operator;
  • whether the breach was intentional or negligent;
  • how far the operator cooperated, and what technical and organisational measures it had in place;
  • whether the operator reported the problem itself and acted to limit the harm.

In other words, a documented, good-faith compliance effort directly lowers the fine an authority is likely to impose.

Who issues the fine

Enforcement is split three ways: national market surveillance authorities impose the Article 99 fines on companies; the European Commission, through the AI Office, fines GPAI model providers under Article 101; and the European Data Protection Supervisor fines EU institutions under Article 100 (capped at EUR 1.5M or EUR 750,000).

When do the fines start to bite?

Some already apply. The Article 5 prohibitions have been enforceable since 2 February 2025. GPAI obligations apply from 2 August 2025, with the Commission's fining power from 2 August 2026. The high-risk obligations, the largest source of exposure for most SMEs, were rescheduled by the Digital Omnibus to 2 December 2027 for Annex III systems (adopted, pending Official Journal publication). See our deadlines guide for the full timeline.

How to lower your exposure

The cheapest way to cut penalty risk is to be able to show a compliance trail: classification, a technical file, human oversight and monitoring, because those are exactly the mitigating factors Article 99(7) rewards. Not sure which of your systems are even in scope? Start with the free EU AI Act Snapshot, two minutes, no signup, then work through our 9-step compliance checklist. Plans start at EUR 0.

Related guides