Penalties for Non-Compliance and Governance under the EU AI Act

The EU AI Act (EU Regulation 2024/1689) came into force on 1 August 2024, creating a strong framework to regulate AI and ensure its responsible use across the European Union. Failing to comply with the Act can lead to hefty penalties, while its governance structure ensures proper implementation and enforcement.

In our previous post we looked at what deployers of high-risk AI systems need to know.
In this blog, we’ll explore the penalties for non-compliance, the governance system, and how the Act extends its reach beyond the EU’s borders.

Penalties for Non-Compliance

The EU AI Act imposes significant fines for non-compliance, underlining the seriousness of its enforcement. Penalties are based on the type and severity of the violation:

  • Prohibited AI Infringements: Fines can be as high as 7% of global annual turnover or €35 million, whichever is greater, for violations involving the development or deployment of prohibited AI systems.
  • High-Risk AI and Transparency Violations: Fines of up to 3% of global annual turnover or €15 million, whichever is greater, for breaches related to high-risk AI systems or failure to meet transparency requirements.
  • Supply of Incorrect Information: Fines up to 1.5% of global annual turnover or €7.5 million, whichever is greater, for providing false or incomplete information.
  • Special Provisions for SMEs and Start-Ups: For small and medium-sized enterprises (SMEs), including start-ups, fines are capped at the lower of the percentage of global turnover or a fixed monetary amount.

This tiered approach ensures the penalties are proportionate while emphasising the importance of compliance with the Act.

Governance of the EU AI Act

The governance structure of the EU AI Act is designed to make sure the rules are implemented and enforced consistently across the EU. It involves several key bodies:

  1. The EU AI Office: The EU AI Office plays a central role in overseeing the Act’s implementation. Its main responsibilities include:
    • Supporting the rollout and management of the Act.
    • Promoting research and innovation in trustworthy AI.
    • Directly enforcing rules for General-Purpose AI (GPAI) models.
    • Strengthening the EU’s role in international AI discussions.
  2. The EU AI Board: Similar to the European Data Protection Board under the GDPR, the EU AI Board includes representatives from all EU Member States. Its tasks involve:
    • Advising and helping Member States apply the AI Act consistently.
    • Encouraging collaboration and sharing best practices among Member States.
  3. Market Surveillance Authorities (MSAs): Each EU Member State must appoint a Market Surveillance Authority (MSA) to enforce the Act at a national level. MSAs are responsible for ensuring that AI systems marketed, deployed, or used within their jurisdiction comply with the law.

Extra-Territorial Scope: Does the AI Act Apply to Non-EU Organisations?

Yes, the EU AI Act has extra-territorial effect, much like the EU GDPR. This means:

  • Non-EU organisations must comply if their AI systems’ output is used within the EU.
  • This also applies to non-EU entities that place AI systems on the EU market or whose AI systems impact EU citizens.

The Act’s extra-territorial scope ensures a level playing field and protects EU citizens from the risks posed by AI systems developed outside the EU.

Conclusion

The EU AI Act’s penalty structure and governance framework reflect the EU’s commitment to regulating AI responsibly and effectively. Organisations operating within or affecting the EU must be aware of their obligations to avoid penalties and ensure compliance.

By promoting innovation through solid governance and clear enforcement mechanisms, the EU AI Act sets the global standard for trustworthy AI. Check out our next post, where we share practical steps to help organisations align with the Act’s requirements.