The Math
Article 99 of the EU AI Act sets the top penalty at €35M or 7% of total worldwide annual turnover, whichever is higher, for prohibited practice violations (Article 5). High-risk system non-conformity caps at €15M or 3%; supplying incorrect information to authorities caps at €7.5M or 1%. SMEs get the lower of the two figures.
Run the numbers on a Fortune 500: $50B turnover translates to a $3.5B maximum at 7% and $1.5B at 3%. Even a 1%-of-turnover settlement lands well into nine figures. GDPR caps at 4% — the AI Act now holds the title of largest enterprise regulatory exposure in the EU.
The penalties apply per violation, not per company per year. A facial-recognition prohibition breach on 10 product lines is 10 violations.
Enforcement Timeline
Prohibited practice provisions (Article 5) became enforceable on February 2, 2025. General-purpose AI obligations (Articles 53, 55) followed on August 2, 2025. High-risk system obligations (Article 6) phase in through August 2, 2026, with the final tranche covering safety-component AI on August 2, 2027. Member-state market surveillance authorities are stood up and issuing first findings in 2026. The AI Office at the EU Commission handles GPAI cases directly.
What’s Funded
Mature compliance programs in 2026 budget for:
- Dedicated AI compliance function (1–5 FTE depending on AI footprint), reporting into Legal or a CIO/CISO joint structure.
- External legal counsel with AI Act specialty (Bird & Bird, Hogan Lovells, Linklaters all have practices billing $700–$1,200/hr).
- Notified-body conformity assessment for high-risk systems — €50K–€500K per system.
- Continuous system documentation (Annex IV technical file maintenance) — typically 0.25–0.5 FTE per high-risk system.
- Employee AI literacy training (Article 4 obligation) — €20–€80 per head, $200K–$1M annually for a 10,000-person enterprise.
- Technical remediation of existing systems flagged as high-risk — variable, often the largest single line item.
Total budget for a Fortune 1000 with material AI deployment runs $5M–$25M annually, excluding technical remediation. Factor an additional $10M–$100M one-time for retrofitting legacy systems.
Risk Calibration
Not every AI system creates 7% exposure — only Article 5 prohibitions do. Most enterprise AI sits in Article 6 high-risk (3% cap) or unregulated low-risk territory. Risk-weight the portfolio:
- Lead-scoring agents with employment-decision implications: high-risk.
- Customer-service chatbots without consequential decision-making: limited-risk transparency obligations only.
- Internal productivity tools: minimal-risk, Code of Conduct optional.
Overspend on minimal-risk = wasted budget. Underspend on high-risk = catastrophic exposure. Your AI inventory and its risk classification are the single most leveraged compliance investment.
Common Failure Modes
- “We don’t operate in the EU.” The Act applies to any provider whose AI output is used in the EU, regardless of where the company sits.
- Treating GDPR DPIAs as sufficient for AI Act FRIA (Fundamental Rights Impact Assessment) — different scope, different methodology.
- No version control on model behavior — when the regulator asks “what was the system doing on January 15?” you need a precise answer.
- Vendor pass-through assumption — you remain the deployer, with deployer obligations, even when using OpenAI or Anthropic.
Board-Level Visibility
AI Act compliance is a board conversation now. Directors want to know exposure quantified in euros, mitigation posture mapped to articles, and residual risk with named owners. Prepare a one-page briefing per quarter: inventory count by risk tier, conformity status, open findings, budget vs. spend. “We’re on it” without numbers does not survive a 7% conversation.