This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
The EU AI Act's largest fines, the ones that make headlines, target a narrow list of the most serious violations, not ordinary business AI use. The Act uses a tiered penalty structure, and understanding which tier actually applies to your business is far more useful than reacting to the size of the biggest possible number.
In short: The EU AI Act has three penalty tiers. Prohibited practices carry the largest fines, up to €35 million or 7% of global turnover. High-risk system violations carry up to €15 million or 3%. Supplying misleading information to a regulator carries up to €7.5 million or 1%. Smaller businesses get a proportionality adjustment. Most everyday AI tools, writing assistants, scheduling, general chatbots, don't fall into a penalty tier at all, because they don't breach any specific obligation in the first place.
The plain-English answer
A penalty only applies if your business is actually in breach of a specific obligation the Act sets out, using a prohibited AI practice, failing to meet a high-risk system's requirements, or giving false information to a regulator. If none of those apply to you, and for most businesses using ordinary AI tools, none of them do, there's no fine to be exposed to in the first place. The size of the numbers making headlines reflects the seriousness of the specific violation, not a general tax on using AI.
Why this matters for your business
A 15-person logistics company using an AI tool to help optimise delivery scheduling is a genuinely ordinary business use case, and the anxiety a headline fine can trigger is understandable but usually disproportionate to the real exposure. The businesses that actually face the largest fines are ones running prohibited practices (a very narrow, clearly defined list) or ones that knowingly or negligently failed to meet obligations for a high-risk system they were operating.
The real value of understanding the penalty structure isn't reassurance for its own sake, it's being able to tell the difference between genuine exposure worth acting on and headline anxiety that doesn't actually apply to your situation, so you can direct real attention to the tools that do carry risk rather than every tool equally.
The actual penalty tiers
The structure is set out in Article 99 of the EU AI Act. Tier one, prohibited practices: up to €35 million or 7% of global annual turnover, whichever is higher. This targets the Act's short list of banned uses, manipulative techniques exploiting vulnerabilities, social scoring, most real-time public biometric identification, and similar. Tier two, high-risk system obligations: up to €15 million or 3% of turnover. This covers failures to meet the specific requirements for high-risk AI systems, hiring tools, credit scoring, and the other Annex III categories, along with breaches of the transparency obligations that apply more broadly. Tier three, misleading information: up to €7.5 million or 1% of turnover, for supplying incorrect or incomplete information to a notified body or regulator during an assessment or investigation.
Smaller businesses get a proportionality adjustment: for SMEs and startups, the fine is calculated as the lower of the fixed amount or the percentage of turnover, rather than the higher, the opposite of how the calculation works for larger companies. The penalty provisions have applied since 2 August 2025, and the prohibited-practices ban has been enforceable since 2 February 2025, meaning enforcement is already active, not a future prospect.
What this looks like in practice
Picture the logistics company owner, initially rattled by a fine headline, working through where their own AI use actually sits. Their scheduling tool optimises delivery routes and staffing, it doesn't make decisions about hiring, credit, or any Annex III category, and it isn't anywhere near a prohibited practice. It's a minimal-risk tool with no specific obligation attached under the Act at all, which means none of the three penalty tiers apply to it.
The useful outcome isn't just relief, it's a documented, quick record of why: what the tool does, why it doesn't fall into a high-risk category, and when that assessment was made. That short note is worth more than anxious avoidance of AI tools generally, and it's the kind of evidence that would matter if the business's AI use were ever questioned.
What you can do about it
A short way to work out your real exposure rather than reacting to headlines:
- Check whether any of your AI tools fall into a high-risk category first, see our guide on risk tiers if you're not sure, this determines whether tier two applies at all.
- Confirm none of your AI use resembles a prohibited practice, this is a short, specific list, not a broad category most businesses need to worry about.
- If you're ever contacted by a regulator or notified body about an AI system, be accurate and complete in what you provide, tier three exists specifically to penalise misleading responses during that process.
- Document your risk-tier assessment for each AI tool, even briefly, this is the evidence that actually matters if your AI use is ever questioned.
- Don't let a headline fine drive a decision about your own AI use without checking whether the underlying violation category actually applies to you.
For the full breakdown of which AI tools count as high-risk in the first place, the classification that determines most of your real exposure, see our guide on EU AI Act risk tiers explained.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Try our free AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Can a small business really be fined the full €35 million?
The cap is set at the higher of the fixed amount or the turnover percentage for large companies, but SMEs and startups get a proportionality adjustment, the fine is calculated as the lower of the two figures instead. In practice, a genuinely small business's realistic exposure, if it were ever found in breach, is tied to its own turnover, not the headline maximum.
Does a minor, accidental mistake trigger the same penalty as a deliberate violation?
Enforcement generally accounts for the nature and severity of a violation, and regulators typically have a range of responses available, warnings and corrective orders among them, not only maximum fines. The Act's penalty ceilings represent the upper bound for serious violations, not a fixed penalty for every infringement regardless of circumstances.
Is enforcement actually happening yet, or is this still theoretical?
It's active. The penalty provisions have applied since 2 August 2025, and the prohibited-practices ban has been enforceable since 2 February 2025, with initial investigations already under way. This isn't a future date to plan around, it's a current regulatory reality.
What should we do if we're genuinely unsure whether our AI tool is high-risk?
Work through the classification properly rather than guessing in either direction, see our risk tiers guide for the specific Annex III categories. If real uncertainty remains after that, it's worth a proper assessment rather than assuming the best or worst case.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Not sure whether any of your AI tools actually count as high-risk?
Check the risk tiers