Regulations & Compliance

EU AI Act Fines Reach €35 Million, Most Boards Are Not Ready

EU AI Act Fines Reach €35 Million, Most Boards Are Not Ready

The EU AI Act is now partially in force and the penalty structure is not a negotiating position. Organizations found to have deployed prohibited AI systems face fines of up to €35 million or 7% of global annual turnover, whichever is higher. For high-risk AI systems that fail to meet the Act’s technical and governance requirements, the ceiling is €15 million or 3% of global turnover. These are not theoretical maximums reserved for egregious cases. They are the ceiling the European Commission set deliberately to ensure the numbers are large enough to hurt any company operating at scale.

The AI Act entered into force on 1 August 2024. The first prohibitions on unacceptable-risk AI systems became enforceable from 2 February 2025. High-risk system requirements apply from August 2026. General-purpose AI model obligations including transparency and safety requirements for the most capable foundation models, apply from August 2025. The implementation timeline is staggered but enforcement is not a distant prospect.

What the Act Actually Regulates

The EU AI Act is a risk-based framework. It does not regulate all AI systems equally. It classifies them into four tiers including unacceptable risk, high risk, limited risk and minimal risk. The unacceptable-risk category is already prohibited. It covers real-time biometric surveillance in public spaces (with narrow law enforcement exceptions), social scoring systems operated by governments and AI designed to exploit psychological vulnerabilities to influence behaviour.

High-risk is where most enterprise AI compliance work sits. The Act defines high-risk systems as those used in hiring and employment decisions, credit scoring, education and vocational training, access to essential services, law enforcement, migration management and administration of justice. AI used to manage critical infrastructure also qualifies. Any organization deploying AI in these categories must conduct conformity assessments, maintain technical documentation, implement human oversight mechanisms and register the system in the EU’s AI database before deployment. The registration obligation alone is new territory for most legal and compliance teams.

General-purpose AI models, which includes the large language models that European companies are integrating into products and internal workflows at speed, face their own obligations under Title VIII of the Act. Providers of models with systemic risk, defined by a training compute threshold above 10^25 FLOPs, must conduct adversarial testing, report serious incidents to the European AI Office and implement cybersecurity protections. The European AI Office is the body responsible for enforcement at the model level and sits within the European Commission.

The Compliance Gap Is a Board Governance Problem

The AI Act puts legal responsibility on boards not IT departments. Article 26 places obligations on deployers of high-risk AI systems, requiring them to ensure human oversight, monitor system performance and report serious incidents. These are governance obligations. A board that has delegated AI deployment decisions entirely to a technology function, without documented oversight and approval processes, is exposed regardless of whether the underlying system is technically compliant.

That is the structural problem most organizations have not yet addressed. Many European companies have invested in AI tools, some have published AI policies, but the documentation trail that regulators will want to see during an investigation including risk assessments conducted before deployment, human oversight logs and incident reporting procedures, is absent in most cases. The Act does not accept good intentions as a substitute for records.

The compliance challenge is compounded by the pace of AI adoption. Legal and risk teams are being asked to assess systems that were procured and deployed before the Act existed, by business units that did not involve them in the decision. Working backwards through an AI inventory to identify what is in scope for high-risk classification is time-consuming and at many organizations, has not started.

Extraterritorial Reach: Non-EU Organizations Are Not Exempt

The AI Act applies to providers and deployers whose AI systems produce outputs used in the EU, regardless of where those organizations are based. An American software company selling an AI-powered HR screening tool to a German employer is subject to the Act’s high-risk requirements for that tool. A Singaporean fintech offering AI-driven credit decisions to EU consumers is in scope. The territorial logic is the same as GDPR where the effect occurs, not where the organization is incorporated.

This matters for Nordic companies with non-EU subsidiaries and partners and for Nordic subsidiaries of non-EU parent companies. The compliance obligation follows the deployment and the user, not the corporate structure.

Three Actions Before August 2026

Start with an AI inventory. Before any compliance work is meaningful, organizations need to know what AI systems they are running, who deployed them, what decisions they inform and whether any fall into the high-risk categories defined in Annex III of the Act. This is not a technology exercise. It requires input from HR, finance, customer operations and procurement alongside IT.

Classify before you build controls. The conformity assessment process for high-risk systems is different from a standard IT risk assessment. It requires documentation of the system’s intended purpose, the datasets used to train it, technical accuracy and robustness testing and a bias evaluation. Organizations that have not yet classified their AI systems cannot complete conformity assessments and cannot legally deploy those systems in high-risk contexts from August 2026.

Establish an incident reporting workflow now. The Act requires deployers of high-risk AI systems to report serious incidents to the relevant national market surveillance authority. In Sweden, MSB is the lead supervisory authority for many sectors under related frameworks. Testing the reporting chain before an incident occurs, rather than discovering it does not exist during one, is the single most underused preparation step available to compliance teams today.

The European Commission’s official AI Act compliance portal and the European AI Office guidance are the authoritative starting points. Vendor-issued compliance checklists and consultant frameworks are not substitutes for reading the Act itself. The text is public, it is specific, and it is the document an enforcement authority will use.

References

  1. EU AI Act Full Text (Regulation 2024/1689)
  2. European AI Office – AI Act Implementation
  3. European Commission: AI Act Entry Into Force
  4. ENISA: AI Cybersecurity Guidance
  5. MSB: AI and Information Security

This post is also available in: Svenska

Per Häggdahl

Per Häggdahl is Head of Business Unit and CISO at eBuilder Security, with more than 20 years securing systems for banks, central banks, stock exchanges and central securities depositories, now leading the team that brings that same enterprise-grade protection to organisations of every size.