EU AI Act Fines of Up to €35 Million Reshape Europe’s AI Compliance

The EU AI Act’s most punishing compliance deadlines moved back by 18 months on 11 June 2026, when the European Parliament voted 423 to 57 to pass the digital omnibus amendment.

The fines for missing them did not move at all. The omnibus extends the high-risk AI compliance horizon to 2 December 2027, more than two years after the law’s full application date of 2 August 2026; transparency rules, the AI literacy obligation, and the three-tier fine structure, capped at €35 million or 7 percent of global annual turnover, all stay in force.

The Hard Calendar That Just Got Softer

The calendar the EU published when the AI Act passed in 2024 has been redrawn, per the AI Act’s published implementation timeline. The first hard date, 2 February 2025, when bans on prohibited practices and the AI literacy obligation under Article 4 took effect, has already passed. The next one is 2 August 2026, the day most of the regulation begins to apply, when Article 50 transparency rules become enforceable.

What changed is what comes after. Standalone high-risk AI systems listed in Annex III, the systems that touch credit scoring, employment screening, education, law enforcement, and critical infrastructure, now have until 2 December 2027 to meet the conformity assessment, risk management, and technical documentation requirements. AI embedded as a safety component inside regulated products, such as AI in medical devices, machinery, or lifts, gets until 2 August 2028. By one industry assessment, around 90 percent of AI applications in German companies do not fall into the top two risk tiers, and most enterprise stacks are now governed by Article 50 rather than the heaviest conformity regime.

• 2 February 2025: Bans on prohibited AI practices (social scoring, biometric categorisation, manipulative AI) and the Article 4 AI literacy obligation take effect.
• 2 August 2025: Obligations for general-purpose AI model providers apply; Member States must designate national competent authorities.
• 2 August 2026: Full application of the AI Act; Article 50 transparency rules become enforceable; national AI regulatory sandboxes must be operational.
• 2 December 2026: Deadline for nudifier app providers to comply with the new ban; AI-generated content watermarking obligations apply.
• 2 December 2027: Standalone high-risk AI systems (Annex III) must comply.
• 2 August 2028: AI systems embedded as safety components in regulated products (Annex I) must comply.

What the June Omnibus Changes (and Doesn’t)

The amendment does five things the Parliament spelled out in its 11 June 2026 press release on the digital omnibus. It delays the standalone high-risk AI deadline to 2 December 2027 and the safety-component AI deadline to 2 August 2028, and it adds a ban on AI systems that generate non-consensual intimate images, sometimes called nudifier apps, with a compliance deadline of 2 December 2026.

It also pushes the watermarking rule for AI-generated content to 2 December 2026 for systems already on the market, and tightens the definition of a safety component so AI that merely optimises performance or assists a user no longer automatically inherits the high-risk classification. The amendment does not touch the fine schedule, the AI literacy duty, or Article 50. Penalties for Article 5 prohibitions, capped at €35 million or 7 percent of global annual turnover, remain the maximum the Act allows. Co-rapporteur McNamara, presenting the omnibus in plenary, framed the change as ‘limited’ on substantive duties, ‘with clear safeguards’ on machinery products, and ‘an outright ban’ on nudifier apps.

They impact real people, overwhelmingly women, with the purpose of humiliating, degrading and objectifying them. I’m proud that this Parliament fought for the ban, which will enter into force before the end of this year.

McNamara, the co-rapporteur for the Civil Liberties, Justice and Home Affairs committee, said the words in the European Parliament’s plenary debate on the digital omnibus on 11 June 2026.

How the Three-Tier Fine Structure Works

The fine schedule in Article 99 of the AI Act is the part that did not move in the omnibus. It sets three tiers, each expressed as a fixed euro cap or a percentage of total worldwide annual turnover for the preceding financial year, whichever is higher. For most companies, the percentage will be the binding number long before the euro ceiling is reached.

The first tier covers Article 5 prohibitions, the practices banned since 2 February 2025 such as social scoring and biometric categorisation, with a cap of €35 million or 7 percent of global annual turnover. The second tier covers most other obligations, including the Article 50 transparency rules, with a cap of €15 million or 3 percent of global annual turnover. The third tier applies when a company supplies incorrect or misleading information to a notified body or national authority, with a cap of €7.5 million or 1 percent. The Act also caps fines for small and medium enterprises at the lower of the percentage or the euro amount, and Member States had until 2 August 2025 to set their own penalty rules.

The Article 50 Disclosure Layer That Bites First

The first obligations most companies will feel are the transparency duties in Article 50. From 2 August 2026, any AI system that interacts directly with people, including chatbots used in customer service or HR, must clearly disclose that it is an AI. The rule covers deepfakes, emotion recognition at the workplace, and AI-generated content in public communication.

Synthetic content placed on the market before 2 August 2026 has a four-month grace period, until 2 December 2026, to add machine-readable watermarking. After that, every AI-generated image, video, or audio published in the EU must carry the marker.

• 41% of German companies actively used AI in 2026, up from 17% in 2024 (Bitkom AI Study 2026).
• 48% of German companies are planning to adopt AI (Bitkom AI Study 2026).
• 40.9% of German companies used AI in business processes as of June 2025 (ifo Institute).

Germany and Italy Put Their Own Stakes In

Germany moved on the national enforcement side the same week the Parliament voted in Strasbourg. On 11 June 2026, the Bundestag passed the AI Market Surveillance and Innovation Promotion Act, known as KI-MIG, six days before the omnibus vote in plenary; the law still needs Bundesrat approval, but the target is entry into force before the 2 August 2026 application date, as covered in Germany’s KI-MIG countdown for enterprise compliance.

KI-MIG designates the Federal Network Agency, BNetzA, as Germany’s central AI market surveillance authority outside the regulated sectors. Sectoral oversight stays where it is, with BaFin for finance, BfArM for medical devices, and the Federal Data Protection Commissioner for biometric and personal data. The Federal Network Agency also pools AI expertise for cross-cutting questions of legal interpretation under the EU regulation.

A new body, the Coordination and Competence Centre for the AI Regulation, or KoKIVO, is being set up at BNetzA to run a free AI Service Desk with a particular focus on SMEs. KoKIVO also operates the German AI regulatory sandbox, where companies can test new applications under supervisory guidance with a binding response within 30 days. The Federal Network Agency becomes the single point of contact for most companies, while AI used in press and broadcasting remains under state media authority oversight. The structure is unusual for German federal rule-making, and its success depends on KoKIVO acting proactively to avoid reproducing what industry group DIHK called an administration-heavy, innovation-light approach.

Italy took a different path earlier, passing Law No. 132/2025, the country’s first comprehensive national AI framework, which took effect on 10 October 2025, per Italy’s national AI law in force since October 2025. The law prohibits fully automated decisions in employment relationships, requiring meaningful human oversight of any AI system used in recruitment, performance evaluation, task allocation, or termination; the fine schedule under the Italian law runs up to €1,500 per employee, with additional monthly increases for ongoing violations.

The Adoption Gap Behind the Fines

The compliance gap behind the fines is real. The Bitkom AI Study 2026 found that 41 percent of German companies were actively using AI in 2026, up from 17 percent in 2024, with another 48 percent planning adoption. The ifo Institute’s June 2025 survey put the figure at 40.9 percent of German companies using AI in business processes, a level that has been climbing steadily. The European Commission’s own target, set by Commissioner Henna Virkkunen, is 75 percent of EU businesses using AI by 2030.

The 18-month reprieve on high-risk obligations is the political acknowledgement of that gap. Companies that have not yet classified their AI systems, documented training under Article 4, or built the Article 50 disclosure layer are now operating against a December 2027 deadline for the heaviest obligations rather than an August 2026 one. For systems that are not high-risk, the August 2026 application date, with its transparency, literacy, and watermarking duties, still binds. The same regulatory pressure has reached other jurisdictions in parallel, as shown by the RBI’s AI kill switch rule for Indian banks, which also puts AI risk at the board level and comments close on 24 July 2026.

The Sandbox Era Before the Audits Begin

The first audit window will not wait for the high-risk deadlines. From 2 August 2026, every Member State must have at least one AI regulatory sandbox operational, and the AI literacy obligation under Article 4 moves from a duty of effort to an enforceable one; the 2 December 2026 nudifier ban deadline and the 2 December 2026 watermark deadline follow four months later.

National competent authorities, the bodies designated across 2025 in every EU country, will be the ones fielding complaints and issuing fines. In Germany, the AI Service Desk at KoKIVO is positioned as the advisory first stop for companies that discover gaps. Italian authorities have already set up the Oversight Committee on AI in the workplace under the Ministry of Labour, and AI-built résumés flooding recruiter inboxes in 2026 show how the underlying HR-screening use case, now on the high-risk list, is already a daily test for compliance teams.

Most other Member States are still in the staffing-up phase, and the first wave of enforcement will likely be procedural, missing labels, missing watermarks, missing training records. The 2 December 2026 nudifier ban deadline and the 2 December 2027 high-risk deadline give companies two hard rails to plan against. Anything that touches the most sensitive categories, employment, credit, education, biometrics, will need full conformity work long before December 2027 if it is going to be sold in 2028. Bitkom has warned that the small number of additional staff planned for AI Act implementation, around 60, will force the German authorities to use AI themselves to manage the workload.

Frequently Asked Questions

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the European Union’s risk-based regulation of artificial intelligence. It categorises AI systems by risk level, from prohibited practices to minimal risk, and sets obligations for providers and deployers that place AI systems on the EU market or whose systems affect people in the EU.

When does the EU AI Act fully apply?

Most of the AI Act’s provisions take effect on 2 August 2026. Bans on prohibited practices and the AI literacy obligation under Article 4 have applied since 2 February 2025. Standalone high-risk AI systems must comply by 2 December 2027, and safety-component AI systems by 2 August 2028.

What are the highest fines for violating the EU AI Act?

The maximum fine is €35 million or 7 percent of total worldwide annual turnover, whichever is higher, for violations of Article 5 prohibitions such as social scoring or biometric categorisation. Most other violations, including Article 50 transparency breaches, carry fines of up to €15 million or 3 percent of turnover. Supplying incorrect information to authorities can trigger fines of €7.5 million or 1 percent of turnover.

What did the June 2026 omnibus change?

The European Parliament approved the digital omnibus amendment on 11 June 2026 with 423 votes in favour, 57 against, and 174 abstentions. It pushed the standalone high-risk AI compliance deadline from August 2026 to 2 December 2027, added a ban on nudifier apps with a 2 December 2026 compliance deadline, and delayed AI-generated content watermarking to 2 December 2026.

Do companies outside the EU need to comply?

Yes. The AI Act applies to any provider or deployer that places AI systems on the EU market, or whose AI systems affect people in the EU. Non-EU companies must appoint an EU-based authorised representative under Article 22 of the regulation.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. The EU AI Act and national implementing laws are subject to ongoing amendment and interpretation. Companies should consult qualified legal counsel for compliance guidance specific to their operations, and figures cited are accurate as of publication.