
What Happens If You Ignore the EU AI Act?

Guide · 2 June 2026 · 14 min read · 2,878 words

Fines are the last step, not the first. The real risks: market withdrawal, lost deals, and a rushed 2027 documentation sprint. Here is the full picture.

The €35 million headline figure gets quoted in almost every article about the EU AI Act. It is technically accurate and practically misleading — not because the fine is small, but because it is the last thing that happens to a non-compliant organisation, not the first. Between ignoring the Regulation and receiving a maximum administrative penalty sits a long chain of compounding exposures: enforcement action that can remove your product from the EU market, enterprise deals you lose because you cannot answer a due-diligence questionnaire, the legal and reputational cost of being named in a public finding, and the sheer operational expense of doing compliance work in a panic the week before your deadline.

This article maps that chain accurately. The goal is not to alarm — most companies that miss some obligations will face a corrective notice before they face a fine, and the Act is proportionate by design. But "we will deal with it later" is not a neutral choice. For companies using AI in Annex III areas, some obligations are already live; others have a fixed deadline that is closer than the typical product-documentation cycle. Knowing the real order of consequences is the prerequisite for an honest cost-benefit analysis.

Administrative Fines Under Article 99

Article 99 of Regulation (EU) 2024/1689 sets three penalty tiers, each expressed as "whichever is higher" of a fixed euro amount or a percentage of total worldwide annual turnover for the preceding financial year.

The top tier — €35,000,000 or 7% of global turnover — applies to breaches of the Article 5 prohibitions (the banned practices: social scoring by public authorities, manipulative subliminal techniques, real-time remote biometric identification in public spaces for law enforcement without authorisation, and similar). These prohibitions have been in force since 2 February 2025, so non-compliance here is live today, not hypothetical.

The middle tier — €15,000,000 or 3% of global turnover — covers most other obligations: failing to meet the high-risk requirements for a provider (Article 16 duties including the Article 9 risk management system, Article 11 technical documentation, Article 14 human oversight, and the Article 43 conformity assessment), deployer obligations under Article 26, and the Article 50 limited-risk transparency duties that apply from 2 August 2026. This is the tier that will apply to most non-compliant companies with high-risk AI.

The lowest tier — €7,500,000 or 1% of global turnover — applies to supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

The SME and start-up cap matters here. Under Article 99(6), for small and medium-sized enterprises and start-ups, the fine is capped at the lower of the percentage or the fixed euro amount. For a company with €2 million in annual turnover, the relevant ceiling for a high-risk breach is €60,000 — not €15 million. That is a material but not existential number for most businesses. Larger companies face the percentage calculation, which scales sharply.

What Article 99 does not tell you is that fines are typically the end of an enforcement process, not the beginning. A market surveillance authority will ordinarily issue a request for information, then a finding of non-compliance, then an order for corrective action, before a fine enters the picture. The interim steps carry their own costs and risks — and for some companies, those steps are more consequential than the fine itself.

Enforcement Action That Removes Your System from the Market

Under Article 79, if a market surveillance authority concludes that an AI system presents a risk — to health, safety, fundamental rights, or other public interests — it can require the provider and, where relevant, the deployer to take corrective action within a defined period, restrict or prohibit the system's availability on the EU market, order its withdrawal, or require a recall. The procedure applies to AI systems presenting a risk even where the system is not yet determined to be definitively non-compliant.

For a software company whose EU market is the product, losing the right to make that product available is a bigger operational threat than the fine. A €60,000 fine is survivable; a prohibition order that prevents you from serving EU customers while a remediation is underway is not. Providers who distribute through third parties or operate on a SaaS basis face additional complexity: an authority can require corrective action across the distribution chain, and your downstream customers — who have their own Article 26 deployer obligations — may be required to stop using the system in the interim.

The timeline matters too. Remediation under an enforcement order is not the same as scheduled compliance work. You will be operating under regulatory scrutiny, with authority-set deadlines, potentially with temporary restrictions on your product, and with the obligation to demonstrate the corrective measures taken. Doing compliance documentation under those conditions costs far more in time, legal fees, and management distraction than doing it as a structured programme before the deadline.

Complaints and Scrutiny

Article 85 gives natural persons and organisations the right to lodge a complaint with a market surveillance authority about an AI system they believe is non-compliant or harmful. The authority is then required to handle the complaint and keep the complainant informed of the outcome. Complaints do not require the complainant to demonstrate that they are directly affected — an NGO or civil-society body can file.

Failing to cooperate with an authority conducting a conformity assessment, providing misleading information, or obstructing an investigation is itself a violation of the Act — and falls into the Article 99 penalty structure. Practically, this means that once an authority opens an inquiry, even a company that was in good faith can create a secondary legal exposure through a badly managed regulatory interaction.

High-profile use cases — recruitment AI, creditworthiness scoring, systems deployed in public services — are precisely the areas that attract complaint-based scrutiny. A company that has no documentation, has not classified its system, and cannot demonstrate any risk management process will have little to say when an authority asks for evidence.

Commercial and Deal Consequences

Enterprise buyers — particularly banks, insurers, large retailers, and public-sector bodies — have their own AI Act obligations as deployers under Article 26. Those obligations include taking appropriate technical and organisational measures before deploying a high-risk system, ensuring human oversight, and monitoring for risks. A deployer who cannot get a conformity package from their provider has a problem: they cannot demonstrate that the due diligence they owe under Article 26 was actually done.

The practical result is that AI Act due diligence has become a procurement filter. Enterprise sales teams are already asking for Article 11 / Annex IV technical documentation, conformity assessment evidence under Article 43, and the Article 47 EU Declaration of Conformity. A vendor who cannot produce these documents loses deals — not to a regulator, but to a competitor who can. Lost sales cycles and blocked market access arrive on the revenue line before any enforcement action does.

For deployers on the buy side, the same logic applies in reverse. A company that deploys a third-party AI tool for a high-risk use without verifying the provider's compliance status inherits the risk if something goes wrong and the provider's documentation does not exist. Article 26 due diligence is not a formality — it is the deployer's first line of legal exposure.

The Cost of Starting Late

Some obligations are not future risks — they are current ones. The Article 5 prohibitions and the Article 4 AI literacy requirement have both applied since 2 February 2025. If your organisation uses AI in a prohibited way, or has made no effort to ensure staff using AI systems are adequately informed about capabilities and limitations, you are already non-compliant. The penalties chapter (Article 99) has applied since 2 August 2025.

For companies with systems in Annex III high-risk areas, the formal deadline under the Digital Omnibus (agreed politically in May 2026) is 2 December 2027 for stand-alone systems. That sounds like 18 months. In practice, a provider's path to compliance involves: classifying the system and confirming it actually falls within Annex III; identifying whether the Article 6(3) exemption applies and documenting that assessment; standing up the Article 9 risk management system; preparing the Article 11 / Annex IV technical documentation (nine content areas, covering purpose, architecture, training data, testing, accuracy metrics, and more); implementing Article 14 human oversight arrangements; completing the Article 43 conformity assessment; and registering in the EU database under Article 49.

For a company building that documentation from scratch, six to nine months is a realistic estimate for a single complex system — if the organisation is focused and has outside help. Organisations managing multiple high-risk systems, or discovering mid-process that their system needs re-architecture to meet Article 9 or Article 15 requirements, should assume a longer timeline. Compressing all of this into the final three months before 2 December 2027 is the most expensive way to comply. Rushed documentation fails audits; gaps found under deadline pressure result in corrective orders rather than compliance certificates; and the staff and legal costs per hour rise sharply when the deadline is imminent.

The companies that will have the easiest 2027 are the ones starting the inventory, classification, and documentation programme now.

Reputational Exposure

Market surveillance findings are not private administrative proceedings. An authority that concludes a system is non-compliant, issues a withdrawal order, or fines a company will typically publish its decision. In sectors where trust is a core part of the product proposition — HR technology, credit decisioning, insurance underwriting, healthcare — a public enforcement finding is an event that persists in Google searches for years.

The reputational dimension is harder to model than a fine, but it is not speculative. The EU's track record under GDPR enforcement shows that even fines in the lower ranges of a penalty scale generate significant press coverage and customer scrutiny. The AI Act involves systems that interact with employment, credit, and public services — areas where the public and media attention to AI misuse is already high. A company that builds an early compliance programme and can demonstrate it was acting in good faith is in a structurally different position from one that had no documentation and received a corrective order.

What "Not Ignoring It" Minimally Looks Like

The floor for a credible compliance posture is lower than many organisations assume. It does not require a notified body, a six-month consulting engagement, or ISO/IEC 42001 certification before anything else.

A practical starting point: build an AI inventory — a register of every AI system your organisation builds or deploys professionally. Screen each system against Article 5 (the prohibitions, live since February 2025). Classify each under Article 6 and Annex III to determine whether it is high-risk, limited-risk, or minimal-risk. For any system in an Annex III area, start the Annex IV technical documentation file now, even in skeleton form — beginning the evidence trail early is cheaper than reconstructing it later. And for any system deployed in public services, creditworthiness assessment, or life and health insurance, check whether a Fundamental Rights Impact Assessment under Article 27 is required.

None of this is optional for companies with high-risk AI. But none of it requires a specialist team or a year of project management to begin. The bottleneck for most organisations is not willingness — it is the procedural overhead of doing classification and documentation in a way that is accurate, consistent, and audit-defensible.

For more detail on the classification process, see the AI risk classification guide. For the full documentation requirements, see Annex IV and Article 11. For the current deadline picture, see the Digital Omnibus and the 2027 high-risk date.

How Confir Helps

Confir is a rule-based EU AI Act compliance tool built for companies that need to do this work without a dedicated compliance team or an extended consulting engagement. The classification engine is deterministic — same inputs, same output every time, no AI inference involved. You answer plain-English scenarios; Confir applies the Article 6 and Annex III logic and returns a risk tier and a role determination (provider under Article 16, or deployer under Article 26).

From that classification, Confir drives the structured documentation workflow: the Article 9 risk management system, the Article 11 / Annex IV technical documentation pack, the Article 43 conformity assessment path, the Article 47 / Annex V EU Declaration of Conformity, and the Article 27 FRIA for qualifying deployers. The output is a print-ready documentation package that can go directly into an audit or a procurement due-diligence response.

The cost is €600 per year for the entry tier. The purpose is to make doing the work cheaper than the cost of not doing it. Compliance is the deliverable; the documentation is the product.

Start at confir.eu.


Frequently Asked Questions

When does the EU AI Act actually start applying to my business?

It depends on which obligations you are looking at. The Article 5 prohibitions and the Article 4 AI literacy requirement have applied since 2 February 2025 — they are live now. Penalties under Article 99 have applied since 2 August 2025. The Article 50 limited-risk transparency rules apply from 2 August 2026. For providers of stand-alone high-risk AI systems in Annex III areas, the full compliance deadline is 2 December 2027 under the Digital Omnibus. For high-risk AI embedded in regulated products (Annex I), the deadline is 2 August 2028.

Can a small company really be fined €15 million for a high-risk AI breach?

In practice, no — for a genuinely small company. Article 99(6) caps fines for SMEs and start-ups at the lower of the percentage or the fixed sum. A company with €2 million annual turnover would face a ceiling of €60,000 for a high-risk breach (3% of €2M), not €15 million. The percentage cap is the relevant number for smaller companies; the fixed cap is the number that bites for large organisations. Either way, fines are typically the end of an enforcement process, not the starting point.

What is the first thing a regulator will actually do if my AI system is non-compliant?

Market surveillance authorities generally begin by requesting information and documentation. They are required under Article 79 to give an operator the opportunity to take corrective action within a defined period before escalating to restrictions or fines. The exception is where a system presents an immediate serious risk — in that case, provisional measures can be imposed quickly. For most companies, the realistic first contact with enforcement is a documentation request or a corrective-action order, not a fine.

If I'm a deployer buying AI from a third-party provider, do I have obligations too?

Yes. Deployers have a defined set of obligations under Article 26, including verifying that the provider's documentation exists, implementing appropriate technical and organisational measures, ensuring human oversight, monitoring the system in use, and retaining logs for at least six months. A deployer who cannot demonstrate that they reviewed a provider's conformity package has a gap in their own Article 26 compliance, independent of whether the provider was actually compliant. Due diligence on your AI vendors is not optional.

Is non-compliance with the EU AI Act a criminal matter?

The EU AI Act itself creates administrative fines, not criminal liability. Criminal liability for AI-related harm may arise under national law in individual member states, depending on the facts and the applicable national criminal framework. Separately, claims for damage caused by defective AI may be brought under national tort and contract law, or under applicable EU product liability rules, without reference to the AI Act's penalty structure.

Do the penalties apply to non-EU companies selling into the EU?

Yes. The EU AI Act has extraterritorial reach. It applies to providers whose AI systems are placed on the EU market or put into service in the EU, regardless of where the provider is established. It also applies to deployers established outside the EU where the output of the AI system is used within the EU. Non-EU providers must appoint an authorised representative in the EU under Article 22. The enforcement mechanism runs through market surveillance authorities and, ultimately, the EU courts. For detail on territorial scope, see the extraterritorial application guide.

The high-risk deadline is 2027 — why start now?

Two reasons. First, the Article 5 prohibitions and Article 4 literacy obligation are already in force; if your systems touch those, late is now. Second, the Annex IV technical documentation for a complex high-risk system takes months to assemble — that includes the Article 9 risk management system, architecture documentation, data governance records under Article 10, testing results, and the conformity assessment under Article 43. Starting in October 2027 for a December 2027 deadline is the scenario that produces rushed, incomplete documentation packages that fail audits. The documentation timeline is the main argument for starting early; the fines are secondary.

