
The Real Cost of an EU AI Act Fine Isn't the Fine


117 days. That's how long businesses operating AI systems in the EU have before the full weight of the EU AI Act's enforcement machinery kicks in on August 2, 2026.

If your company uses AI in hiring, customer scoring, fraud detection, or any other meaningful decision-making context, you need to understand exactly what you're risking.

How the EU AI Act Penalty Structure Works

The EU AI Act creates a three-tier penalty structure. Each tier has an absolute cap in euros and a percentage of global annual turnover, and whichever of the two is higher applies.

Tier 1: Prohibited Practice Violations — Up to €35M or 7% of Turnover

The harshest penalties cover AI systems that should never exist: social scoring, real-time biometric surveillance, AI that exploits vulnerable people, subliminal manipulation, and systems predicting criminal intent based on protected characteristics.

If your product falls into a prohibited category and you continued operating it after February 2, 2025, you're already exposed. For a company with €10M in annual revenue, that's a maximum fine of €700,000. For a company with €100M in revenue: €7M. For a multinational: up to €35M.

Tier 2: High-Risk AI Obligations — Up to €15M or 3% of Turnover

This is where most SMBs face real risk. High-risk AI systems (Annex III) include AI used in:

  • Recruitment and HR decisions — CV screening, interview scoring, performance monitoring
  • Credit scoring and insurance — automated loan decisions, creditworthiness assessments
  • Education — AI determining access to educational institutions or evaluating students
  • Critical infrastructure — safety-critical components in energy, water, transport
  • Healthcare — diagnostic AI, treatment recommendations
  • Law enforcement — risk assessment tools
  • Border control — automated risk profiling

Failing to meet obligations — incomplete technical documentation, missing risk assessment, inadequate human oversight, lack of conformity assessment — can result in fines of up to €15M or 3% of global turnover. For a €5M revenue startup, that’s €150,000.

Tier 3: Providing Incorrect Information — Up to €7.5M or 1% of Turnover

If you supply false or misleading information to a national AI authority during an investigation, that’s a separate violation — up to €7.5M or 1% of turnover.

What "Global Annual Turnover" Actually Means for You

It’s global annual turnover, not just EU revenue. If your company makes €2M in the EU but €8M globally, the fine is calculated on €10M.

For multinational groups, the parent company’s consolidated revenue is used. This matters if you’re a startup operating as a subsidiary: the whole group’s revenue is in scope.

SME protections: for SMEs (under 250 employees, under €50M turnover), the percentage-of-turnover figure applies even where the absolute cap would be higher, so the fine is the lower of the two. An early-stage startup with €500K in revenue faces a maximum of €35,000 for a Tier 1 violation: still painful, but not existential.

Enforcement: Who Has the Power to Fine You?

National Market Surveillance Authorities (MSAs) are the primary enforcers for high-risk AI systems. Each EU member state must designate at least one MSA by August 2, 2025. They investigate complaints, conduct audits, and issue fines.

The European AI Office handles enforcement against General Purpose AI (GPAI) model providers.

Data Protection Authorities enforce aspects intersecting with GDPR.

Enforcement starts at the national level — different MSAs across member states will have different priorities, similar to how GDPR enforcement has varied between Ireland’s DPC and Germany’s BfDI.

What Triggers an Investigation?

Unlike GDPR’s complaint-driven model, the EU AI Act also enables proactive market surveillance. MSAs can:

  1. Require documentation on demand — conformity assessments, technical documentation, risk management records
  2. Investigate based on complaints — from employees, customers, or competitors
  3. Act on notified body reports
  4. Conduct sector-wide sweeps — similar to what DPAs have done under GDPR

The most common near-term trigger is likely competitor and employee complaints. Any person or organisation can report suspected non-compliance to the relevant MSA.

The Hidden Costs Beyond the Fine

  • Mandatory remediation: MSAs can order you to bring your AI system into compliance — or withdraw it from market entirely.
  • Reputational damage: EU AI Act violations are public. The European AI Office maintains a registry of decisions.
  • Customer contract risk: Enterprise customers are already including EU AI Act compliance warranties in procurement contracts.
  • Investor scrutiny: Post-August 2026, compliance status will be a standard diligence item.

The Four Highest-Risk Mistakes SMBs Are Making Right Now

1. Assuming "we’re too small to be targeted"

The Act creates citizen complaint rights. A former employee’s complaint about your AI-powered hiring tool doesn’t get ignored because you’re small.

2. Not knowing whether your AI system is "high-risk"

A recruitment scoring tool almost certainly is. A customer support chatbot probably isn’t. A fraud detection system in financial services: yes. Get a clear risk classification on paper before August 2026.

3. Confusing "we use AI" with "we provide AI"

The Act applies to deployers as well as providers. If you use a third-party AI model in a high-risk context, you’re a deployer with compliance obligations — even if the model is from OpenAI or Anthropic.

4. No human oversight documentation

Article 14 requires documented human oversight mechanisms — a named role, defined procedures, a documented intervention capability, and evidence that oversight actually happens. Most SMBs have none of this in writing.

What You Should Do in the Next 30 Days

Step 1: Get classified. Run your AI systems through an Annex III risk classification and document the reasoning.

Step 2: Inventory your documentation gaps. High-risk systems need technical documentation, a risk management system, data governance records, accuracy/robustness metrics, human oversight procedures, and a conformity assessment.

Step 3: Assign accountability. Name the person responsible for compliance. Give them authority and a budget.

Step 4: Start the paper trail now. Enforcement actions look at the state of your documentation at the time of investigation. Contemporaneous records of good-faith compliance efforts matter.

Step 5: Get a compliance baseline. Complizo can help you classify your AI systems, identify documentation gaps, and generate Annex IV technical files — in hours, not months.

The Bottom Line

€35 million. 7% of global revenue. These are not theoretical — they are the law, effective in 117 days.

The question isn’t whether to comply. It’s whether to start now, or start after an MSA investigation makes compliance mandatory under a tighter timeline with public scrutiny.

Starting now costs less, takes less time, and gives you a defensible record.


Complizo helps SMBs classify their AI systems, identify documentation gaps, and generate compliance documentation in hours. Start for free →
