BlogDigitalizacija

GDPR & EU AI Act: The €35 Million Fine Your Company Could Be Facing

Siniša DagaryJul 4, 2026
GDPR & EU AI Act: The €35 Million Fine Your Company Could Be Facing

GDPR & EU AI Act: The €35 Million Fine Your Company Could Be Facing

Author: Siniša Dagary | Category: AI Compliance & Legal Risk | Platform: sinisadagary.com, slaff.io, investra.io, unifyr.space


GDPR & EU AI Act: The €35 Million Fine Your Company Could Face

The EU AI Act is fully in force in 2026. Fines reach €35 million or 7% of global turnover. Learn what your business must do now to avoid catastrophic penalties.

EU AI Act fines 2026, GDPR AI compliance, EU AI Act penalties, high-risk AI compliance, EU AI Act business requirements, GDPR fines 2026, AI regulation Europe


The Regulatory Reckoning Has Arrived

For years, European businesses treated AI regulation as something on the horizon — important to monitor, but not yet urgent. That era is over. The EU AI Act is now in full force, and the compliance deadlines that once seemed distant are either already passed or approaching rapidly.

The numbers are not abstract. Fines for prohibited AI practices reach €35 million or 7% of global annual turnover — whichever is higher. For a company with €500 million in annual revenue, that's a potential fine of €35 million. For a company with €1 billion in revenue, it's €70 million. These are not theoretical maximums reserved for extreme cases — they are the legal ceiling for violations that regulators are actively investigating.

Combined with GDPR enforcement — which has already issued €7.1 billion in cumulative fines with €1.2 billion in 2025 alone — European businesses are operating in the most demanding AI compliance environment in the world. The question is no longer whether to comply, but how quickly and comprehensively.

Quick Answer: The EU AI Act uses a three-tier fine structure: up to €35M or 7% of global turnover for prohibited AI practices, up to €15M or 3% for high-risk AI non-compliance, and up to €7.5M or 1.5% for other violations. Combined with GDPR (up to €20M or 4% of turnover), European businesses face unprecedented AI compliance obligations in 2026.


Understanding the EU AI Act Fine Structure

The EU AI Act (Regulation 2024/1689) establishes a risk-based framework for AI governance. The penalty structure reflects the severity of violations.

Tier 1 — Prohibited AI Practices: Up to €35 Million or 7% of Global Turnover

The highest tier covers AI systems that are outright banned under the Act. These include:

  • AI systems that use subliminal manipulation techniques to influence behavior in harmful ways
  • AI systems that exploit vulnerabilities of specific groups (age, disability, social situation)
  • Social scoring systems by public authorities
  • Real-time remote biometric identification in public spaces (with narrow exceptions)
  • AI systems used to infer sensitive characteristics (race, political opinions, religious beliefs, sexual orientation) from biometric data
  • AI systems that create or expand facial recognition databases through untargeted scraping

Any company deploying these systems faces the maximum penalty tier.

Tier 2 — High-Risk AI Non-Compliance: Up to €15 Million or 3% of Global Turnover

The second tier covers failures to meet requirements for high-risk AI systems. This is the tier that affects the largest number of businesses, because the definition of "high-risk" is broad.

Tier 3 — Other Violations: Up to €7.5 Million or 1.5% of Global Turnover

The third tier covers violations including providing incorrect or misleading information to national competent authorities or notified bodies.

Violation Category Maximum Fine Examples
Prohibited AI practices €35M or 7% of turnover Social scoring, subliminal manipulation, banned biometrics
High-risk AI non-compliance €15M or 3% of turnover Missing risk assessment, no human oversight, inadequate documentation
Other violations €7.5M or 1.5% of turnover False information to regulators, transparency failures

Key Fact: GDPR fines have reached €7.1 billion cumulatively. The largest single GDPR fine of 2025 was €530 million against TikTok for unlawful EU-China data transfers. Meta was fined €1.2 billion in 2023. Amazon was fined €746 million in 2021. The EU AI Act adds a new layer of enforcement on top of existing GDPR obligations.


What Makes an AI System "High-Risk"?

The high-risk classification is the most consequential aspect of the EU AI Act for most businesses. If your AI system falls into a high-risk category, you face a comprehensive set of compliance obligations — not just a fine risk, but ongoing operational requirements.

High-risk AI categories under the EU AI Act include:

Employment and HR. AI systems used for recruitment, CV screening, candidate assessment, performance evaluation, promotion decisions, task allocation, and termination decisions. This is one of the most commercially significant categories — virtually every company using AI in HR processes is affected.

Credit and financial services. AI systems used for creditworthiness assessment, insurance risk scoring, and financial product recommendations. Banks, insurers, and fintech companies using AI in these processes must comply with high-risk requirements.

Education and training. AI systems used for student assessment, admission decisions, and educational content personalization.

Access to essential services. AI systems used for decisions about access to healthcare, social benefits, housing, and utilities.

Law enforcement. AI systems used for risk assessment of individuals, polygraph testing, evaluation of evidence reliability, and crime prediction.

Critical infrastructure. AI systems used in the management of road traffic, water supply, gas, heating, and electricity.

For businesses operating in the real estate sector — including investment platforms like Investra.io — AI systems used for property valuation, investment recommendations, and creditworthiness assessment may fall into high-risk categories depending on their specific application and the decisions they support.

Quick Answer: High-risk AI categories under the EU AI Act include employment and HR (recruitment, performance evaluation), credit and financial services (creditworthiness, insurance scoring), education, access to essential services, law enforcement, and critical infrastructure. Any company using AI in these areas must comply with strict requirements including risk assessments, technical documentation, human oversight, and transparency obligations.


The Compliance Requirements for High-Risk AI

If your AI system is classified as high-risk, the EU AI Act imposes a comprehensive set of obligations before and during deployment.

Risk Management System. You must establish, implement, document, and maintain a risk management system throughout the AI system's lifecycle. This includes identifying and analyzing known and foreseeable risks, estimating and evaluating risks, and implementing appropriate risk management measures.

Data and Data Governance. Training, validation, and testing datasets must meet quality criteria. Data must be relevant, representative, free of errors, and complete. You must document data governance practices and data provenance.

Technical Documentation. Before placing a high-risk AI system on the market, you must prepare comprehensive technical documentation covering: the system's general description, design specifications, development process, validation and testing procedures, and monitoring approach.

Record-Keeping. High-risk AI systems must have automatic logging capabilities that allow for post-market monitoring and investigation of incidents.

Transparency and Information. Users of high-risk AI systems must receive clear information about the system's capabilities and limitations, the level of accuracy and robustness, and any known biases.

Human Oversight. High-risk AI systems must be designed to allow effective human oversight. Humans must be able to understand the system's outputs, monitor its operation, intervene when necessary, and override automated decisions.

Accuracy, Robustness, and Cybersecurity. High-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle.


GDPR and AI: The Double Compliance Challenge

The EU AI Act doesn't replace GDPR — it adds to it. Companies using AI that processes personal data face compliance obligations under both frameworks, and the interaction between them creates additional complexity.

GDPR obligations relevant to AI include:

Lawful basis for processing. AI systems that process personal data must have a lawful basis — typically consent, legitimate interests, or contractual necessity. Automated decision-making that significantly affects individuals (including AI-driven employment decisions, credit scoring, and profiling) requires explicit consent or other specific legal bases.

Data minimization. AI systems should only process the personal data necessary for their specific purpose. Training large AI models on broad datasets of personal data raises significant GDPR compliance questions.

Right to explanation. Under GDPR Article 22, individuals have the right not to be subject to solely automated decisions that significantly affect them, and the right to obtain an explanation of such decisions. This creates significant operational requirements for AI systems used in high-stakes decisions.

Data transfers. AI systems that transfer personal data outside the EU — including to AI providers based in the US — must comply with GDPR data transfer requirements. The TikTok €530 million fine in 2025 was specifically for unlawful EU-China data transfers facilitated by the platform's AI systems.

Data breach notification. If an AI system is involved in a data breach, GDPR's 72-hour notification requirement applies.

Key Fact: GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that significantly affect them. This means any AI system making consequential decisions about individuals — hiring, credit, insurance, healthcare — must include meaningful human review. The combination of GDPR and EU AI Act creates a dual compliance obligation that most companies are not yet fully prepared for.


The Timeline: What's Already in Force

Understanding what is already legally required — versus what is coming — is essential for prioritizing compliance efforts.

February 2025 — Already in force: Prohibition of banned AI practices. Any company using prohibited AI systems (social scoring, subliminal manipulation, certain biometric systems) is already in violation.

August 2025 — Already in force: Requirements for general-purpose AI models (including large language models like GPT-4, Claude, and Gemini). Providers of these models must comply with transparency and copyright obligations.

August 2026 — Coming: Full application of high-risk AI system requirements. This is the most significant deadline for most businesses.

December 2026 — Coming: Full compliance required for all remaining provisions.

For businesses that have not yet begun their EU AI Act compliance assessment, the August 2026 deadline for high-risk AI requirements is approaching rapidly. Starting now is not early — it's necessary.


A Practical Compliance Roadmap for Businesses

Step 1: AI Inventory and Classification

The first step is understanding what AI systems your business uses and how they are classified under the EU AI Act. This requires a comprehensive inventory of all AI tools — including third-party tools and SaaS platforms — and an assessment of whether each falls into prohibited, high-risk, limited-risk, or minimal-risk categories.

Step 2: Gap Analysis

For each high-risk AI system identified, conduct a gap analysis against the EU AI Act requirements. What documentation exists? Is there a risk management system? Are there human oversight mechanisms? What data governance practices are in place?

Step 3: Remediation Planning

Based on the gap analysis, develop a remediation plan with clear timelines and ownership. High-risk AI systems that don't meet requirements must either be brought into compliance or discontinued before the applicable deadline.

Step 4: Documentation and Record-Keeping

Implement the documentation and record-keeping requirements. This includes technical documentation for high-risk AI systems, data governance documentation, and logging systems.

Step 5: Human Oversight Implementation

Design and implement human oversight mechanisms for high-risk AI systems. This is often the most operationally challenging requirement — it means changing how AI outputs are used in decision-making processes.

Step 6: Ongoing Monitoring and Review

EU AI Act compliance is not a one-time exercise. High-risk AI systems must be monitored throughout their lifecycle, with regular reviews of performance, bias, and compliance status.

For businesses seeking expert guidance on AI compliance frameworks, Findes Group & Partners provides specialized consulting services for European companies navigating the EU AI Act and GDPR intersection.


Frequently Asked Questions

What are the maximum fines under the EU AI Act? Tier 1 (prohibited AI): up to €35M or 7% of global turnover. Tier 2 (high-risk non-compliance): up to €15M or 3% of global turnover. Tier 3 (other violations): up to €7.5M or 1.5% of global turnover.

When does the EU AI Act apply to businesses? Prohibited practices: February 2025 (already in force). General-purpose AI model requirements: August 2025 (already in force). High-risk AI requirements: August 2026. Full compliance: December 2026.

Does the EU AI Act apply to non-EU companies? Yes. The EU AI Act applies to any company that places AI systems on the EU market or whose AI systems affect EU residents, regardless of where the company is headquartered. US, UK, and other non-EU companies serving EU customers must comply.

What AI systems are considered high-risk? High-risk categories include AI used in employment, credit and financial services, education, access to essential services, law enforcement, and critical infrastructure. The full list is in Annex III of the EU AI Act.

How does the EU AI Act interact with GDPR? The EU AI Act adds to GDPR — it doesn't replace it. Companies using AI that processes personal data must comply with both frameworks. GDPR Article 22 (right not to be subject to automated decisions) is particularly relevant for AI systems making consequential decisions about individuals.

What is the difference between prohibited AI and high-risk AI? Prohibited AI systems are banned outright — they cannot be deployed under any circumstances. High-risk AI systems can be deployed but must comply with strict requirements including risk assessments, documentation, human oversight, and transparency obligations.

How do I know if my AI system is high-risk? Review Annex III of the EU AI Act, which lists the eight high-risk categories. If your AI system is used in any of these areas and makes or supports significant decisions affecting individuals, it is likely high-risk. Consult with a legal expert for specific guidance on your situation.


Recommended Reading


Connect With Me

Navigating EU AI Act and GDPR compliance is complex. I help businesses understand their obligations, assess their AI systems, and build compliance frameworks that protect them from regulatory risk while preserving the benefits of AI adoption.

Follow me for daily insights on AI regulation, business strategy, and risk management:

Siniša Dagary is a business consultant and AI strategist with 20+ years of experience helping European companies navigate the opportunities and risks of AI adoption. He is the founder of sinisadagary.com and a partner at Findes Group & Partners.