EU AI Act Penalties: Fine Calculations and Real Enforcement Scenarios
Last updated: April 7, 2026
The EU AI Act (Regulation (EU) 2024/1689) establishes three penalty tiers with maximum fines reaching 35 million EUR or 7% of global annual turnover. For most Shopify merchants, the relevant tier is the third — up to 7.5 million EUR or 1.5% of turnover for transparency violations. Here is how the fine calculations actually work and what enforcement will realistically look like for e-commerce businesses.
The three penalty tiers
Article 99 of the AI Act defines the penalty structure. Each tier corresponds to the severity of the violation:
Tier 1: Prohibited AI practices — up to 35 million EUR or 7% of turnover
This is the maximum penalty, reserved for violations of Article 5 — the list of banned AI practices. These include social scoring systems, real-time biometric surveillance, and AI that exploits vulnerabilities of specific groups. Most e-commerce stores will never trigger this tier, but it sets the ceiling for the regulation's enforcement power.
Tier 2: High-risk AI system violations — up to 15 million EUR or 3% of turnover
This tier covers non-compliance with requirements for high-risk AI systems listed in Annex III. For Shopify merchants, the most relevant high-risk category is 5(b): AI systems used for creditworthiness evaluation and credit scoring, which can include fraud detection systems. If your store uses AI-based fraud analysis and fails to meet the requirements of Articles 9-15 (risk management, data governance, human oversight, logging), you are in Tier 2 territory.
Tier 3: Transparency and other violations — up to 7.5 million EUR or 1.5% of turnover
This is the tier that applies to most e-commerce AI compliance failures. It covers violations of Article 50 transparency obligations — failing to disclose AI-generated content, not labeling chatbots as AI, not marking AI-generated images. It also covers supplying incorrect information to authorities and other procedural violations.
How fines are calculated
The AI Act uses a "whichever is higher" model for corporations. For a company with 10 million EUR in global annual turnover:
- Tier 1: 35 million EUR vs. 700,000 EUR (7%) = 35 million EUR maximum
- Tier 2: 15 million EUR vs. 300,000 EUR (3%) = 15 million EUR maximum
- Tier 3: 7.5 million EUR vs. 150,000 EUR (1.5%) = 7.5 million EUR maximum
For SMEs and startups, Article 99(6) provides a critical adjustment: the lower of the two amounts applies. This means a small Shopify store with 200,000 EUR annual turnover faces a Tier 3 maximum of 3,000 EUR (1.5% of 200,000), not 7.5 million EUR. This SME provision is one of the most important protections in the regulation.
Fines are assessed per company, not per violation. A store with 500 unlabeled AI product descriptions is committing one ongoing transparency violation, not 500 separate ones. However, different types of violations (unlabeled chatbot + unlabeled product descriptions + missing transparency page) could theoretically be treated as separate infringements.
Who enforces the AI Act?
Enforcement is decentralized across EU member states. Each country must designate at least one national competent authority by August 2, 2025. As of April 2026, most designations are complete:
- Germany: Federal Network Agency (Bundesnetzagentur) — the same body that enforces telecommunications regulations
- France: CNIL (Commission nationale de l'informatique et des libertés) — already experienced with GDPR enforcement
- Ireland: Expected to handle many cases given that Shopify and other tech companies have EU operations there
- European AI Office: Coordinates cross-border cases and enforces rules for general-purpose AI models directly
The enforcement model mirrors GDPR: complaints can come from consumers, competitors, or regulatory initiative. Cross-border cases are coordinated through the European AI Office, similar to the EDPB's role under GDPR.
The audit process
Based on GDPR precedent and the AI Act's enforcement provisions (Articles 74-78), here is how an enforcement action would typically proceed:
- Trigger: A customer complaint, competitor report, or regulatory sweep identifies a potential violation
- Investigation: The national authority requests information — what AI systems you use, what disclosures are in place, your compliance documentation
- Assessment: The authority evaluates whether your disclosures meet Article 50 requirements
- Corrective action: For first-time violations, authorities may issue a warning with a deadline to remediate (typically 30-90 days)
- Fine: If corrective measures are not taken, or for serious violations, a formal fine is imposed
The regulation also grants authorities the power to conduct unannounced inspections and to order the withdrawal of non-compliant AI systems from the market (Article 79).
Real enforcement scenarios
Scenario 1: Small Shopify store, unlabeled AI product descriptions
Store profile: 100,000 EUR annual revenue, 200 products with AI-generated descriptions, no AI disclosures anywhere on the site.
Violation: Article 50(2) — failure to disclose AI-generated text content.
Likely outcome: Because the store is an SME, the lower amount applies: 1.5% of 100,000 EUR = 1,500 EUR maximum fine. In practice, a first-time violation would likely result in a warning letter with a 60-day compliance deadline. If the store complies within the deadline, no fine is imposed. If it ignores the warning, a fine in the range of 500-1,500 EUR is realistic.
Scenario 2: Mid-size store, no chatbot disclosure
Store profile: 2 million EUR annual revenue, AI chatbot handling 10,000 customer conversations per month with no AI disclosure.
Violation: Article 50(1) — failure to inform users they are interacting with AI.
Likely outcome: This is a more visible violation affecting thousands of customers. Maximum fine: 30,000 EUR (1.5% of 2 million) under the SME rule. Realistically, after a complaint, expect a corrective order first. If ignored, a fine of 5,000-15,000 EUR is plausible, given the scale of affected customers.
Scenario 3: Large store, AI fraud detection without oversight
Store profile: 20 million EUR annual revenue, AI fraud detection declining orders with no human review mechanism and no disclosure in privacy policy.
Violation: High-risk AI system requirements (Articles 9-15) + transparency violations (Article 50).
Likely outcome: This is a Tier 2 violation. Maximum: 15 million EUR or 600,000 EUR (3% of 20 million). A store this size may not qualify for SME protections. Expected fine range after investigation: 50,000-200,000 EUR, depending on how many customers were affected and whether any were demonstrably harmed by incorrect fraud flagging.
GDPR enforcement as a preview
GDPR has been enforced since May 2018, giving us 8 years of data on how EU regulators approach privacy enforcement. Key patterns that likely carry over to AI Act enforcement:
- Slow start: GDPR fines were modest in 2018-2019. Regulators issued warnings and guidance before imposing major penalties. Expect the same for the AI Act in 2026-2027.
- Big targets first: The largest GDPR fines went to Meta (1.2 billion EUR), Amazon (746 million EUR), and Google (several fines totaling over 200 million EUR). Small businesses were rarely targeted in the first two years.
- Complaint-driven: Most GDPR enforcement actions started with consumer complaints, not proactive audits. Competitors also file complaints strategically.
- Proportionality: Despite maximum fines of 4% of turnover, actual GDPR fines for SMEs averaged in the low thousands of EUR. The AI Act's SME provisions suggest similar proportionality.
- Cumulative risk: The real cost of non-compliance is not a single fine — it is the ongoing risk, legal costs, reputational damage, and the operational disruption of a regulatory investigation.
Mitigating factors that reduce fines
Article 99(7) lists specific factors that authorities must consider when setting fine amounts:
- Nature and gravity: How serious is the violation and how many people were affected?
- Intentional or negligent: Did you knowingly violate the rules, or was it an oversight?
- Mitigation steps: Did you take action to fix the issue once notified?
- Cooperation: Did you cooperate with the investigation?
- Previous violations: Is this your first offense?
- Financial benefit: Did you gain a financial advantage from the violation?
- Company size: SME and startup status is a formal mitigating factor
The most practical advice: if you receive a warning or inquiry from a national authority, cooperate immediately and fix the issue. Demonstrable good faith reduces penalties significantly — GDPR enforcement history confirms this consistently.
Complyo generates a compliance report that documents your AI disclosures, creating an evidence trail that demonstrates good faith compliance before enforcement begins.