EU AI Act Penalties: The Cost of Non-Compliance
If you are one of the many businesses that have employed artificial intelligence in your operations, you do not want to miss out on any information regarding the European Union Artificial Intelligence Act (EU AI Act). Staying true to the EU’s continued enforcement of digital protection for consumers, the EU AI Act penalties are nothing to sneeze at.
With the rise of artificial intelligence and its convenience to many consumers, it was only a matter of time before governments had to create regulations for its use. If your business operates with EU residents, you should be aware of the impending rules that the EU AI Act will bring into effect.
Luckily, we are here to help. This article will provide everything you need to know about potential penalties for non-compliance and what AI practices your business should be cautious of in the coming years.
- The EU AI Act is the leading regulation for AI systems businesses utilize in their operations within the EU. The law is predicted to come fully into effect in the next few years and will cover nearly all businesses that utilize AI in the EU.
- The penalties for non-compliance with the EU AI Act are determined by the administrative bodies of individual states within the EU. States have their own system to impose fines and adjust amounts based on things like a business’s size, the gravity of the violation, and any attempts to remedy the situation.
- Your business can be fined for violating the EU AI Act for reasons such as using prohibited applications of AI, breaching your obligations under the law, or reporting false or incomplete information.
EU AI Act Explained
The EU Artificial Intelligence Act is the world’s first large-scale AI regulation. Like the GDPR, the law is a part of the EU’s continued efforts to ensure data protection and minimize risk for its consumers.
The EU AI Act was proposed in April 2021 but has yet to be officially enacted (as of January 2024). The European Parliament officially recognized the contents of the law in December of 2023, and it is predicted to be applied and enforced 18 months after being adopted as official EU law.
The European Commission will enforce the EU AI Act and regulate businesses’ compliance in addition to the GDPR.
The general purpose of the EU AI Act is to serve as a framework for how businesses utilize AI systems, determine the risk of those systems, and determine whether or not to classify them as “high-risk AI systems.” The level of risk determines how strict the law is in regulating a business.
The major provisions of the law include:
- Categorizing AI systems based on risk: minimal, low, high, or unacceptable
- Required transparent explanations of a business’s AI system
- Adequate data protection
One of the methods that the EU AI Act will employ to protect consumers' and data subjects' rights is a process known as a Fundamental Rights Impact Assessment. Businesses must conduct this assessment upon request to analyze their AI systems and detect any potential harm or unjustified collection of personal information.
The scope of the EU AI Act is yet to be finalized, but so far it is expected to be wide and to include many businesses. Any business that utilizes an AI system will likely be subject to the law except for the following:
- Military/National Defense AI systems
- Research AI systems
- Specific instances of law enforcement using an AI system for identification purposes
EU AI Act Penalties for Non-Compliance
The penalties that the EU AI Act imposes range from smaller fines to large sums depending on several factors, including:
- The risk level of an AI system
- The size/annual turnover/market share of the business in question
- The gravity/nature of the infringement
- Other fines imposed on the business
- Business’s efforts to remedy the situation or mitigate the risk
- Other factors, such as any financial gain the business acquired during the violation
Ultimately, Member States of the EU individually decide the penalties for non-compliant businesses through laws they establish based on these factors and issue fines accordingly. These member states can be local governments or administrative bodies.
The Member States report their laws, and any amendments made to them, to the European Commission. However, the states alone are responsible for imposing these fines on businesses that violate their laws.
An administrative fine can range from 7.5 million to 35 million euros or up to 7% of the company's global turnover.
Reasons a Company Can Get a Penalty Under the EU AI Act
There are a few different kinds of violations that a business can commit under the EU AI Act. The fines for each type vary as well. If you suspect your business will be subject to the EU AI Act’s regulation, you must be aware of all the reasons you could receive a penalty to avoid them successfully. Here is our comprehensive list of violations for you to avoid:
Using Prohibited/Banned Applications of AI
The prohibited practices and applications of AI are outlined in Article 5 of the EU AI Act. As these practices are specifically outlined and declared as banned in the EU AI Act, a violation of Article 5 carries the maximum fine for a non-compliant business.
Your business could face fines of up to 35 million euros or 7% of your annual turnover from the previous financial year, whichever amount is higher. Smaller businesses, SMEs, and start-ups will face a maximum fine of up to 3% of their annual turnover for this violation.
Breaching the Obligations and Requirements
The EU AI Act outlines several obligations and requirements for businesses to follow, revolving around data privacy, protection, and the correct, safe use of AI systems. As with a violation of Article 5, Member States are permitted to charge quite hefty fines for businesses that breach these obligations and requirements.
For violating these obligations, businesses can face fines of up to 20 million euros or 4% of their annual turnover from the previous financial year, whichever is higher. The maximum fine for SMEs and start-ups is 2% of their annual turnover from the previous financial year.
Misinformation or Incomplete Information
The last reason your business could be charged with a penalty for violating the EU AI Act deals with information requests. If a national authority or local body from a Member State requests information from your business and you provide false, incomplete, or misleading information, you could face a penalty.
Penalties for misinformation or incomplete information can reach up to 10 million euros or 2% of your annual turnover from the previous financial year, whichever is higher. SMEs and start-ups can face fines of up to 1% of their annual turnover from the previous financial year.
With so many different requirements and limits on AI systems and how you can use them, it may be challenging to navigate the EU AI Act. To help your business ensure your continued compliance with the law in the future, you can utilize the help of compliance professionals like Captain Compliance.
We offer a full suite of services and bring years of experience to ensure your business is compliant. When you enlist our help, you ensure your business remains compliant with all the requirements listed above and avoid any penalty from an EU AI Act violation.
How Can Captain Compliance Help?
The first large-scale AI compliance law, the EU AI Act, is predicted to become fully effective in the next few years and heavily regulate how your business utilizes AI. You must be prepared to comply with the EU AI Act or face the risk of significant penalties.
To help you ensure you comply with every intricacy the EU AI Act will throw at you, you can rely on our compliance expertise. Captain Compliance brings expertise in complying with both old laws like the GDPR and new laws like the EU AI Act.
Get in touch with us here and schedule your free consultation to discover how you can make your business compliant.
What is banned in the EU AI Act?
The EU AI Act specifically bans AI systems that utilize biometric identification, such as scanning images, to create facial or emotional recognition databases.
What are the obligations of the EU AI Act?
Businesses are obligated to perform fundamental rights impact assessments as well as regular testing, recording, ensuring transparency standards, and reporting.
What is high risk under the EU AI Act?
The EU AI Act defines a high-risk AI system as a system that falls under the EU’s product safety legislation and falls under one of the following categories: biometric identification, legal, educational, employment, public service, border control, or management.
What is the grace period for the EU AI Act?
Upon its coming into effect, the EU AI Act will grant businesses a two-year grace period to ensure their compliance. However, strictly prohibited systems must be adjusted within six months, and AI systems designated as high-risk must be adjusted within a single year.
What is the maximum penalty under the EU AI Act?
The maximum penalty under the EU AI Act is the penalty for a business that uses a prohibited application of AI. Member States of the EU can issue a fine for up to 35 million euros or 7% of that business’s annual turnover, whichever is higher.