The EU AI Act establishes a decentralized approach to enforcing its provisions by authorizing Member States to create their own regulations regarding penalties, which include administrative fines for breaches of the Act. Consequently, each Member State must appoint at least one national authority responsible for overseeing compliance and conducting market surveillance.
Similar to GDPR, the EU AI Act employs a tiered penalty system (refer to the table below). The fines are determined based on the type of AI system, the seriousness of the violations, and the size of the company. Penalties may reach up to a specified maximum amount or a percentage of annual turnover. The penalty framework under the AI Act surpasses even the fines outlined in the General Data Protection Regulation (GDPR), which can be as high as €20 million.
Essentially, any entity required to adhere to the AI Act’s stipulations may face penalties if they fail to meet these obligations. This encompasses providers, whether individuals or organizations, authorities, institutions, or other entities involved in developing, placing on the market, or operating AI systems. Additionally, manufacturers, importers, traders, or deployers of AI systems may also incur fines.
The penalties are designed to be severe, so they discourage violations and ensure accountability. Key penalties include:
I. For placing on the market, deploying, or using AI systems that present unacceptable (prohibited) risks:
Fines of up to €35 million or 7% of the total global annual turnover from the previous fiscal year, whichever is greater.
II. For non-compliance with requirements for high-risk and limited-risk AI systems, such as data quality, technical documentation, transparency, human oversight, and robustness:
Fines of up to €15 million or 3% of the total global annual turnover from the previous fiscal year, whichever is greater.
III. For providing false, incomplete, or misleading information to notified bodies and competent authorities:
Fines of up to €7.5 million or 1% of the total global annual turnover from the previous fiscal year, whichever is greater.
Unlike the GDPR, which applies uniform penalties regardless of company size, the EU AI Act takes into account the financial power and size of SMEs and start-ups. While these entities are still subject to penalties, the fines are adjusted to a lower amount or percentage, providing a more favorable approach considering their limited financial resources.
All these penalties are intended to ensure that all parties involved in the development, deployment, and use of AI systems within the EU comply with the rigorous standards set by the AI Act, fostering the development of safe and reliable AI technologies.