The EU AI Act has teeth — fines are higher than under GDPR and can hit companies hard. In this lesson, you'll learn what penalties apply, who enforces them, and how to file complaints.
Fine Levels
The AI Act defines three fine levels — depending on the severity of the violation:
Level 1: Prohibited AI Practices
Up to €35 million or 7% of global annual turnover (whichever is higher)
Applies to: Use of prohibited AI systems (social scoring, manipulative AI, etc.)
For comparison: GDPR maximum €20 million or 4% of turnover
Level 2: High-Risk Violations
Up to €15 million or 3% of global annual turnover
Applies to: Non-compliance with High-Risk system obligations
Examples: Missing documentation, no risk management, missing logging
Level 3: False Information
Up to €7.5 million or 1% of global annual turnover
Applies to: False or misleading information to authorities
Examples: False conformity declaration, concealment of risks
Special Rules for SMEs and Start-ups
For small and medium enterprises (under 250 employees) and start-ups, reduced fines apply — the lower of the two values (absolute amount or turnover percentage) is applied.
Competent Authorities
EU Level
EU AI Office: Central coordination body, responsible for GPAI models
AI Board: Advisory body composed of member state representatives
National Level
Each member state designates:
Market surveillance authority: For monitoring compliance with the AI Act
Notifying authority: For designating conformity assessment bodies
Germany: The Federal Network Agency (BNetzA) is designated as the national market surveillance authority. Details are regulated in the national implementing law.
Complaint Mechanism
Affected persons can file complaints with:
The competent national market surveillance authority
Consumer organizations and associations
The procedure resembles the GDPR complaint mechanism:
File a complaint (informal submission possible)
Authority examines the matter
Authority can order measures (adaptation, recall, fine)
Legal recourse before courts possible
Liability and Damages
Beyond fines, civil law consequences also apply:
AI Liability Directive (in preparation): Eased burden of proof for affected parties
Product Liability Directive: AI systems are considered products — manufacturers are liable
Contractual liability: Toward customers receiving defective AI products
How to Avoid Penalties
Measure: Risk Reduction
AI inventory with risk classification: Foundation for everything
Create and maintain documentation: Proof of compliance
Implement monitoring: Early warning system for violations
Train employees: Prevention of unintentional violations
Involve legal counsel: Expertise for borderline cases
Remember: The fines are a deterrent, but the real danger is reputational damage and market bans. An AI system that must be withdrawn from the market costs more than any fine.
Quiz
Question 1 of 3
What is the maximum fine for the use of prohibited AI systems?