Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

EU AI Act unpacked #11: Understanding fines under the AI Act

In the eleventh part of our EU AI Act unpacked blog series, we delve into the penalty framework of the EU AI Act (AI Act). Like the GDPR and other laws that form part of the EU Digital Strategy, the AI Act allows the competent authorities to impose severe fines based on the offender’s total worldwide annual group turnover. It therefore establishes penalty frameworks for AI systems and for general-purpose AI models (GPAI models).

Penalty framework for AI systems

As the rules applicable to AI systems will be enforced by market surveillance authorities of the EU Member States that are yet to be designated (for more information see our blog on the regulators of the AI Act), each EU Member State is also required to establish a penalty system with regard to these rules. Such national penalty systems must be notified to the European Commission as soon as possible, and at the latest by the date of entry into application on 2 August 2026. These penalties should be effective, proportionate, and dissuasive, respecting the ne bis in idem principle to prevent double prosecution for the same offence.

While, in principle, the AI Act thereby provides for the establishment of a fully decentralised penalty framework for AI systems, it nevertheless includes explicit conditions for administrative fines with regard to infringements of certain provisions of the AI Act. These conditions aim to harmonise the amount of imposed administrative fines across the EU, in particular by defining the following upper fine limits:

  • Prohibited AI practices: Infringements of the rules on prohibited AI practices can lead to administrative fines of up to EUR 35 million or 7% of the total worldwide annual group turnover of the preceding financial year, whichever is higher.
  • Obligations of stakeholders along the value chain regarding AI systems: Providers, product manufacturers, deployers, authorised representatives, importers, or distributors of AI systems must comply with various obligations under the AI Act (for more information see our previous blog here). Failure to meet these obligations set out in Chapters III and IV of the AI Act shall be sanctioned with fines of up to EUR 15 million or 3% of the total worldwide annual group turnover of the preceding financial year, whichever is higher.
  • Supply of misleading information: Providing incorrect, incomplete, or misleading information to notified bodies or national competent authorities can be sanctioned with fines reaching up to EUR 7.5 million or 1% of the total worldwide annual group turnover, whichever is higher.

In addition, the AI Act harmonises the criteria to determine the amount of an administrative fine. These criteria include, among others, the nature, gravity, and duration of the infringement, the intentional or negligent character of the violation, and the financial capacity of the entity. The degree of cooperation with authorities and any previous infringements can also be considered. Each individual case will be assessed based on these and other relevant circumstances. Despite this harmonised set of criteria, regulators will likely have considerable discretion in justifying individual fines. The lack of foreseeability of fine amounts across the EU could create uncertainty for all stakeholders in the AI system value chain who could become subject to fines.

Penalty framework for GPAI models

Unlike the rules on AI systems, the rules on GPAI models are subject to the oversight of the Commission and are therefore not in the hands of the EU Member States. The Commission has exclusive powers to supervise and enforce obligations concerning GPAI models, and it shall entrust the implementation of its tasks to the AI Office. Also, a scientific panel of independent experts can advise and support the AI Office, in particular by providing alerts where it has reason to suspect that a GPAI model poses a systemic risk (for more information see our blog on the regulators of the AI Act).

In line with the approach of central enforcement regarding the obligations applicable to GPAI models, the AI Act establishes a corresponding central penalty framework for GPAI models by setting out administrative fines for providers of GPAI models. Specifically, the Commission can impose fines of up to EUR 15 million or 3% of the total annual worldwide group turnover of the preceding financial year, whichever is higher. Such fines can be issued where a GPAI model provider intentionally or negligently:

  • infringes relevant GPAI model provisions; 
  • fails to comply with a document or information request or supplies incorrect, incomplete or misleading information; 
  • fails to comply with a requested mitigation measure; or
  • fails to make available to the Commission access to the GPAI model to conduct certain evaluations.

When determining the amount of an administrative fine, the Commission shall consider various criteria, including any commitments made by the provider to implement mitigation measures. Compared to the criteria for imposing fines on the operators of AI systems, the criteria to be considered by the Commission under the AI Act are less detailed, making fine amounts less predictable to a certain extent. However, before imposing fines, the Commission is required to communicate preliminary findings to the provider and shall offer an opportunity for the provider to be heard. Also, the Commission will adopt implementing acts on procedural safeguards for proceedings in relation to such fines. The CJEU has unlimited jurisdiction to review the Commission’s decisions on fines, including the power to cancel, reduce, or increase the fines imposed.

Key takeaways

  • The AI Act establishes, on the one hand, a (decentralised) penalty framework for compliance with its rules on AI systems by mandating EU Member States to adopt national penalty systems. In this regard, the AI Act harmonises upper limits and the criteria to determine the amount of an administrative fine.
  • On the other hand, the AI Act puts a (central) penalty framework for rules on GPAI models in place. Given the Commission’s exclusive competence, providers of GPAI models can generally expect more certainty with regard to fine proceedings than operators of AI systems.
  • It remains to be seen how EU Member States will adopt their national penalty frameworks for AI systems. Since the AI Act does not set out which specific regulator shall act as market surveillance authority, this may lead to severe differences in fine practices across the EU.

What’s next?

In our next blog post, we will take a look at some of the most well-known international soft law approaches to regulate AI.
