The EU AI Act provides for decentralised enforcement of the provisions by empowering Member States to lay down their own rules on penalties, including administrative fines for infringements of the Act. Each Member State must, therefore, designate at least one national authority to oversee the implementation of the rules and market surveillance.
Through a fine and penalty structure divided into levels that depend on the severity of the breach (see tables below), the European institutions make clear how they assess AI systems and the associated requirements and obligations. The framework for fines exceeds even the penalties provided for in the General Data Protection Regulation (GDPR), which are up to €20 million. In principle, any entity required to fulfil the requirements and obligations of the EU AI Act may be the subject of a breach if such requirements and obligations are violated. This includes providers who, as natural or legal persons, authorities, institutions or other bodies, develop AI systems or have them developed and place them on the market or put them into operation. In addition, product manufacturers, importers, traders or deployers of AI systems can also be the recipients of fines. Third parties may also incur a penalty, although the EU AI Act does not specify who is to be included. Under Article 28 of the EU AI Act, third parties may be considered providers under certain conditions and thus also assume the obligations of the provider.
The EU AI Act requires utmost diligence from all parties participating in a high-risk AI system's lifecycle. The requirements for these systems are lengthy, and the stakes are high, emphasising that high risk does not mean high reward. The EU AI Act is currently going through the Trilogue among three major European institutions, which is an informal step of the European ordinary legislative procedure, and this will likely lead to significant changes in the final common text. Whether these changes will also affect the level of fines once again remains to be seen. However, it should be noted that there are already quite serious threats of fines, which have been increased even further for some actions in the European Parliament's latest position and, in the case of Article 71 (3) of the AI Act, go far beyond those of the GDPR.
Instead of the three-tiered approach in the Council of the EU General Approach, the latest text adopted by the European Parliament on 14 June 2023, just before the start of the Trilogue, introduced a four-tier approach to penalties under Article 71 and removed separate thresholds for SMEs.
The previous three-level structure for fines set out in Article 71 of the Council of the EU's General Approach that was issued back in December 2022 was as follows: