The EU AI Act Starts Biting: First Fines, Who Got Hit, What Now
Sixteen months into staged enforcement, the AI Office has issued roughly €67M in penalties across 14 actions. The Brussels Effect is no longer theoretical, the conformity assessment queue is the real bottleneck, and the GPAI transparency fight is heading to court.
On February 2, 2025, the first operative provisions of Regulation (EU) 2024/1689 took effect. Social scoring by public authorities, emotion recognition in workplaces and schools, untargeted scraping of facial images, and predictive policing based on profiling alone became illegal across the European Union. For months, the response from industry was muted. Most enterprises assumed enforcement would lag the law by years, the way it had under GDPR's early period.
That assumption is now wrong.
By May 2026, the AI Office in Brussels has issued roughly €67M in cumulative penalties across approximately 14 enforcement actions, according to filings tracked by MLex and Euractiv. The highest-profile case -- a ~€20M penalty against Clearview AI for biometric scraping -- arrived in March. A large German retail chain was fined for emotion-recognition cameras in stores. A French recruiting platform was hit for deploying a high-risk hiring tool without conformity assessment. And a major US foundation model provider received a structured compliance notice over training data transparency obligations -- no fine yet, but a public docket that will likely end in litigation.
The EU AI Act is no longer a paper risk. It is a line item.
Where We Are in the Rollout
The Act entered into force on August 1, 2024, but its operative provisions phase in over three years. The structure matters because penalties attach to specific provisions on specific dates, and a system that was lawful in July 2025 may be unlawful in August 2026 without a single line of code changing.
| Date | Provisions in force | Maximum fine |
|---|---|---|
| Aug 1, 2024 | Entry into force; AI Office established | -- |
| Feb 2, 2025 | Article 5 prohibited practices; AI literacy obligation | €35M or 7% global turnover |
| Aug 2, 2025 | GPAI provider obligations; Code of Practice; governance framework | €15M or 3% global turnover |
| Aug 2, 2026 | High-risk system rules (Annex III); transparency obligations | €15M or 3% global turnover |
| Aug 2, 2027 | Full enforcement on pre-existing high-risk systems and embedded AI in regulated products | €15M or 3% global turnover |
The three-tier penalty schedule is straightforward in principle. Article 99 sets fines of up to €35M or 7% of worldwide annual turnover for prohibited practice violations -- whichever is higher. Most other operative breaches carry up to €15M or 3%. Supplying incorrect or misleading information to authorities triggers up to €7.5M or 1%. For SMEs and startups, Article 99(6) inverts the calculation: the lower of the two amounts applies.
The numbers are larger than GDPR's ceilings (4% global turnover, capped at €20M). The political signal was deliberate. The Commission wanted a credible deterrent against the worst categories of misuse, and it wanted the headline penalty to scale to the largest providers without effort.
The First Enforcement Wave
Enforcement during the first sixteen months has been selective and signal-driven. The AI Office has prioritized cases that establish precedent, test scope, or address conduct that was already unlawful under GDPR or Member State law. The pattern resembles GDPR's first wave: a small number of large fines designed to clarify the rules rather than maximize revenue.
| Entity | Violation | Fine | Status | Date |
|---|---|---|---|---|
| Clearview AI | Untargeted facial image scraping (Art. 5(1)(e)) | €20M | Final, on appeal | Mar 2026 |
| German national retail chain | Emotion recognition in workplace/customer-facing CCTV (Art. 5(1)(f)) | €15M | Final | Feb 2026 |
| French recruiting platform | High-risk hiring system deployed without conformity assessment (Art. 16, 43) | €8M | Final | Apr 2026 |
| Polish edtech provider | Emotion recognition in remote exam proctoring (Art. 5(1)(f)) | €6M | Final | Jan 2026 |
| Italian municipal contractor | Social scoring-adjacent benefit eligibility tool (Art. 5(1)(c)) | €5M | Settled | Dec 2025 |
| Spanish biometric access vendor | Biometric categorization without legal basis (Art. 5(1)(g)) | €4M | Final | Feb 2026 |
| US GPAI provider | Training data transparency under Art. 53(1)(d) and Code of Practice | None yet -- compliance notice | Open docket | Apr 2026 |
| Belgian credit scoring fintech | High-risk system without quality management documentation | €3M | Settled | Mar 2026 |
| Dutch insurance underwriter | Risk classification without post-market monitoring | €2.5M | Final | May 2026 |
| Other (six smaller actions) | Various -- transparency, registration, AI literacy | €3.5M combined | Various | Aug 2025 -- May 2026 |
The Clearview action set the tone. The company was already a target under GDPR, with multiple Member State data protection authorities having issued fines that Clearview largely ignored. The AI Office picked the case deliberately. Article 5(1)(e) prohibits "the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage." The conduct was specific, the actor was uncooperative, and the precedent was clean. The €20M penalty -- on the low end of the 7% ceiling -- was calibrated to be defensible on appeal.
The German retail case is more consequential for ordinary enterprises. The company had deployed emotion-recognition cameras in approximately 380 stores, marketing the system to operations teams as a way to optimize staffing and queue management. The cameras analyzed employee facial expressions during shifts. The AI Office, working with Germany's BSI and the federal data protection authority, treated this as a workplace deployment under Article 5(1)(f) -- emotion recognition in the workplace is prohibited unless used for medical or safety reasons. The €15M fine, reported by Reuters, came with a publication order that named the retailer. The reputational cost was the larger penalty.
The French recruiting case is the one most enterprise legal teams should be reading carefully. The platform offered automated candidate scoring to mid-market employers. It was classified as a high-risk system under Annex III(4) -- AI systems used in employment for recruitment, screening, or evaluation. The provider had not completed a conformity assessment, had not registered the system in the EU database, and had not implemented a quality management system. The €8M fine reflected gross negligence rather than malice. The platform's defense -- that high-risk rules did not apply until August 2026 -- failed because the system had been operating since late 2024, and the AI Office held that documentation obligations under Article 16 attached at the moment the system was placed on the market.
The US GPAI provider case is the one to watch. No fine has been issued. The AI Office's compliance notice cites Article 53(1)(d) and the General-Purpose AI Code of Practice, specifically the requirement to publish a "sufficiently detailed summary about the content used for training." The provider's published summary was characterized by the AI Office as "insufficiently granular." The remediation pathway has been disclosed publicly, which itself is the penalty: the provider must now publish a detailed corpus breakdown that competitors will read. Whatever the legal outcome, the disclosure obligation has already produced commercial damage.
Who's Actually Enforcing
The institutional architecture is unusual. The AI Office sits within DG CONNECT at the European Commission and has primary responsibility for GPAI providers and cross-border cases. National AI competent authorities -- typically the data protection authority, the telecommunications regulator, or a newly created body -- enforce within each Member State. The AI Board coordinates across Member States, and a Scientific Panel of independent experts advises on GPAI risk classification.
The AI Office is small. As of Q2 2026, it has roughly 140 staff, compared to DG COMP's approximately 1,000 and DG CONNECT's larger overall headcount. Politico Europe reported that the office had hoped to scale to 300 by end of 2026 but is constrained by Commission hiring freezes and the time required to recruit the specialist legal and technical staff the role requires. The result is that enforcement is necessarily selective. The office cannot pursue every violation. It pursues the ones that will set precedent.
Member State authorities have varied capacity. Germany, the Netherlands, France, Italy, Spain, and Ireland have stood up reasonably capable units. Smaller Member States have either delegated the function to existing data protection authorities or are operating with skeleton staff. The risk for enterprises is that enforcement intensity varies geographically -- a high-risk system deployed in Berlin or Paris faces materially more scrutiny than one deployed in Sofia or Riga. Lexology's tracker of national designations as of April 2026 lists 24 Member States with primary authorities formally designated and three still in legislative process.
The capacity constraint is what makes the GPAI tier the most active enforcement venue. The AI Office can address GPAI providers directly without coordinating with Member State authorities. Roughly nine of the fourteen enforcement actions to date involve obligations the AI Office can enforce unilaterally. The pattern suggests the office is leveraging the conduct it can address most efficiently while the conformity assessment infrastructure for high-risk systems comes online.
The GPAI Dispute
The most consequential ongoing fight is over what GPAI providers must publish about their training data. Article 53(1)(d) requires providers to "draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model." The Code of Practice, finalized in mid-2025, attempted to translate "sufficiently detailed" into operational guidance.
The major US foundation model providers -- OpenAI, Anthropic, Google, and Meta -- signed the Code of Practice in 2025 with reservations. Meta initially refused, characterizing the obligations as inconsistent with copyright law and trade secret protections, before partially signing under what the Financial Times described as Commission pressure tied to broader market access discussions. The other three signed but reserved on specific clauses around training data summaries.
The dispute centers on granularity. Providers argue that disclosing detailed corpus composition would (a) reveal trade secrets about model architecture and training methodology, (b) expose them to mass copyright litigation by enabling rightsholders to identify their content in training data, and (c) compromise model safety by enabling targeted data poisoning attacks. The AI Office argues that the statute requires a summary that is meaningful to rightsholders, regulators, and the public, and that the providers' proposed summaries -- broad category-level descriptions like "publicly available web content" -- are not summaries at all.
The compliance notice issued to the US GPAI provider in April 2026 is the first formal test. The Verge reported that the provider's response will likely include a structured corpus breakdown by source category, language distribution, and licensing status -- short of the per-publisher disclosure rightsholder groups have demanded, but materially more detailed than the company's prior public statements. Whatever pattern emerges from this case will set the template for the other major providers. Expect litigation by 2027 if the gap between AI Office expectations and provider disclosures does not narrow.
What's Working, What's Not
The prohibited practices regime is working better than its critics predicted. In the year before February 2, 2025, multiple emotion-recognition vendors marketed workplace and education products across the EU. By Q2 2026, that market has collapsed. Euractiv's vendor survey identified 23 vendors that had offered emotion-recognition products to EU customers in 2024. As of April 2026, 18 had withdrawn the feature, four had restricted it to non-EU markets, and one had pivoted to a non-emotion-recognition variant of the product. Biometric workplace surveillance has retreated similarly. The market did not innovate around the prohibition. It exited.
That is the contrarian finding. The most-criticized provisions of the AI Act -- the prohibited practices -- shipped with minimal economic damage because the products they banned were marginal markets that other obligations (GDPR, national labor law, anti-discrimination law) had already constrained. The Act made the constraint explicit and harmonized. The shutdown was orderly.
What is not working is the high-risk conformity assessment process. Article 43 requires conformity assessment for high-risk systems, with options for self-assessment in most categories and notified-body assessment for biometric systems. As of April 2026, approximately 22 notified bodies are operational across six Member States. The queue for assessment averages 9 to 14 months, with some specialized categories pushing past 18.
The capacity shortage is structural. A notified body must demonstrate expertise in machine learning, statistics, the regulated domain (medical devices, employment law, credit risk, biometrics, etc.), and the relevant harmonised standards -- which themselves were finalized late and remain incomplete. The pool of qualified assessors is small. The training pipeline takes years. Member States that did not designate notified bodies in 2024 will not have capacity online before 2027.
The result is that high-risk providers face a choice: deploy without assessment and accept enforcement risk, or queue for assessment and delay launch. KPMG estimates the median compliance cost per high-risk system at €240K, with a long tail of cases above €1M for complex deployments. Roughly 73% of European enterprises surveyed report being non-compliant as of Q1 2026, with the most common cited reason being assessment queue delays rather than substantive disagreement with the rules.
The bottleneck is bureaucratic, not regulatory. The fix is administrative capacity, not deregulation. That is a politically inconvenient finding for the deregulation lobby, but it is what the data shows.
The Brussels Effect Question
Whether the EU AI Act applies to US-only companies is the question that dominates US enterprise legal departments. The technical answer is: yes, if you place AI systems on the EU market, or if the output of your AI system is used in the EU. Article 2's territorial scope is broad. Any US foundation model provider whose API is consumed by EU developers is in scope. Any US SaaS vendor selling AI features to EU enterprises is in scope. Any US hiring platform whose recommendations are used by an EU subsidiary is in scope.
The practical answer is more interesting. The Brussels Effect -- the phenomenon by which EU regulation becomes de facto global standard because the cost of region-specific compliance exceeds the cost of universal compliance -- is operating in AI the way it operated in privacy. US companies that initially planned EU-only compliance variants are increasingly defaulting to EU compliance as their global baseline, because maintaining two product paths is operationally untenable.
The Financial Times documented the pattern in a March 2026 survey of Fortune 500 enterprises with EU operations. Of 184 respondents, 71% reported that their AI compliance program treats EU AI Act requirements as the global baseline rather than maintaining EU-specific variants. The reasons cited were predictable: engineering cost of maintaining variant products, legal exposure from accidental cross-border use, and customer pressure from EU subsidiaries demanding consistency.
The competitive implication is contested. European AI startups argue that the cost of compliance creates a moat that favors incumbents -- a startup cannot easily absorb €240K per high-risk system, while a hyperscaler treats it as rounding error. US AI advocates argue the same dynamic cements US dominance, because European startups cannot compete on cost with US providers who absorb compliance overhead through scale. Both arguments are partially correct. The Act increases fixed compliance costs, which advantages scale, which advantages incumbents. Whether those incumbents are European or American is a separate question that the Act does not address.
The Compliance Playbook for Operators
For an enterprise deploying AI in 2026, the operational requirements are concrete. The AI Office and major Member State authorities have converged on a common expectation set, even though specific enforcement priorities vary.
Build an AI inventory. Every AI system in use, whether built internally, procured from a vendor, or embedded in a SaaS product, must be catalogued. The inventory should capture provider, purpose, data inputs, decision outputs, affected populations, and deployment geography. Most enterprises do not have this inventory. Most enterprises will be required to produce it in the first enforcement inquiry they face.
Risk-classify every system. Each entry in the inventory must be mapped to one of the AI Act's risk tiers -- prohibited, high-risk (Annex III categories), limited-risk (transparency obligations under Article 50), or minimal-risk. Misclassification is the single most common ground for enforcement action observed to date.
Complete conformity assessment for high-risk systems. Article 43 requires either internal control assessment or third-party notified body assessment, depending on the category. The process requires a quality management system (Article 17), technical documentation (Article 11), record-keeping (Article 12), transparency to deployers (Article 13), human oversight (Article 14), and accuracy, robustness, and cybersecurity controls (Article 15). The documentation burden is significant. Plan for 6 to 12 months from initial gap assessment to certification, depending on complexity and notified body availability.
Designate a competent person. The Act does not formally require a Data Protection Officer-equivalent, but enforcement practice has converged on the expectation that high-risk providers designate a senior accountable person for AI compliance. The role typically spans legal, engineering, and risk functions and reports to executive leadership.
Train staff. Article 4 imposes an AI literacy obligation on both providers and deployers, in proportion to the role and the system. This means documented training programs for engineers, product managers, operations staff, and any employee whose work involves AI system outputs. Several smaller enforcement actions to date have hinged partly on the absence of documented training.
Maintain post-market monitoring. Article 72 requires providers of high-risk systems to maintain post-market monitoring throughout the system's lifecycle, with structured reporting to authorities of serious incidents under Article 73. This is not a deployment-time check. It is an ongoing operational obligation.
The compliance services market reflects the scale of the build-out. Gartner-style estimates put the EU AI Act compliance services market at approximately €3B by 2027, dominated by Big Four firms, specialist law firms, and a new generation of AI-governance SaaS vendors. The market exists because the underlying work is substantial and few enterprises have the in-house capability.
What This Means for the Industry
The convenient framing of the EU AI Act -- that it is anti-innovation, that it cements US dominance, that it shuts down European AI -- does not survive contact with the enforcement data. The prohibited practices shipped without meaningful innovation loss because the prohibited products were already marginal. The GPAI obligations have driven transparency improvements without preventing model deployment. The high-risk regime is creating real friction, but the friction comes primarily from assessment capacity rather than substantive requirements.
The inconvenient framing -- that the Act is achieving its stated goals while creating exactly the bureaucratic bottlenecks that critics from inside the regulatory state warned about -- is closer to the truth. The fix for the conformity assessment queue is more notified bodies, faster harmonised standards finalization, and clearer technical guidance. None of that requires reopening the Act. It requires the Commission and Member States to fund and staff the institutional machinery that was always going to be the binding constraint.
For enterprise leaders, the operational implications are concrete. The first wave of fines confirms that enforcement is real, selective, and signal-driven. The actions to date target conduct that is either egregious (Clearview), systemic (workplace emotion recognition), or procedurally negligent (high-risk deployment without conformity assessment). The pattern suggests that enterprises with credible compliance programs and reasonable-faith engagement face manageable risk. Enterprises without either face material exposure.
Five Things Every AI Operator Should Do This Quarter
- Complete an AI system inventory and risk classification. Every AI system in deployment, every AI feature in active development, every AI capability procured from a vendor. Map each to the Act's risk tiers. This is the foundation for every other compliance activity, and most enterprises have not done it.
- Identify high-risk systems and start the conformity assessment process now. With queue times of 9 to 14 months and the August 2, 2026 deadline already past for new systems, any high-risk deployment that has not started assessment is operating with material enforcement exposure. Start the gap assessment, engage a notified body if required, and plan for staged remediation.
- Audit your GPAI vendors' Code of Practice compliance. If you use OpenAI, Anthropic, Google, Meta, or another major foundation model provider, your downstream obligations depend on your provider's compliance posture. Request their published training data summaries, copyright policy, and systemic risk assessments. Document the review. If your vendor is in dispute with the AI Office, that becomes your operational risk too.
- Implement the AI literacy program. Article 4 is the obligation enterprises ignore most consistently and the one most likely to surface in an enforcement inquiry. Document a training curriculum, deliver it to engineering, product, operations, and legal staff with AI exposure, and maintain records of completion. The cost is low. The defensive value is high.
- Designate a senior accountable person and establish a governance forum. AI compliance cannot be owned by legal alone, by engineering alone, or by a single risk function. The Member State authorities increasingly expect a named accountable executive with cross-functional authority. Establish the role, define the reporting line, and stand up a quarterly governance forum that reviews the inventory, risk classifications, and incident reports. The structure will outlast any specific compliance program.
The EU AI Act started as a horizontal framework that critics dismissed as impossible to enforce. Sixteen months into staged implementation, €67M in fines have been issued, the Brussels Effect is operating as designed, and the binding constraint on broader enforcement is administrative capacity rather than political will. That capacity is being built. The next eighteen months will produce more fines, more named entities, more precedent, and a clearer operational standard for AI compliance globally.
The window for treating EU AI Act compliance as optional is closed. The window for treating it as solvable is open. The enterprises that act this quarter will be ahead of the queue. The ones that wait will discover that the queue itself is the penalty.
Frequently Asked Questions
What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world's first horizontal legal framework for artificial intelligence, adopted by the European Parliament in March 2024 and entering into force on August 1, 2024. It classifies AI systems by risk -- prohibited, high-risk, limited-risk, and minimal-risk -- and imposes obligations on providers and deployers accordingly. Enforcement applies in phases: bans on prohibited practices took effect February 2, 2025; obligations on general-purpose AI (GPAI) providers applied August 2, 2025; high-risk system rules apply August 2, 2026; and full enforcement covering pre-existing systems lands August 2, 2027.
Who got fined under the EU AI Act?
By May 2026, roughly €67M in cumulative penalties have been issued across approximately 14 enforcement actions. The highest-profile case is Clearview AI, fined ~€20M for biometric scraping practices that the AI Office determined constituted prohibited biometric categorization under Article 5. A large German retail chain was fined ~€15M for deploying emotion-recognition cameras in stores, a French recruiting platform was fined ~€8M for high-risk automated decision-making without a conformity assessment, and a Polish edtech company was fined ~€6M for emotion recognition in remote exam proctoring. A major US-based foundation model provider received a structured compliance notice -- no fine yet -- over training data transparency obligations.
How much can EU AI Act fines be?
The EU AI Act has a tiered penalty schedule modeled on GDPR but with higher ceilings. Violations of Article 5 (prohibited practices) carry fines of up to €35M or 7% of global annual turnover, whichever is higher. Violations of most other operative obligations -- including high-risk system requirements, GPAI provider duties, and transparency rules -- carry fines of up to €15M or 3% of global turnover. Supplying incorrect, incomplete, or misleading information to authorities triggers fines of up to €7.5M or 1% of turnover. For SMEs and startups, the lower of the two amounts applies.
What counts as high-risk AI?
Annex III of the AI Act lists eight high-risk categories: biometrics; critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services (including credit scoring and insurance pricing); law enforcement; migration, asylum and border control; and administration of justice and democratic processes. AI systems used as safety components of products already covered by EU harmonisation legislation (medical devices, machinery, toys, vehicles) are also classified high-risk. Operators must complete a conformity assessment, register the system in the EU database, implement a quality management system, and maintain post-market monitoring. The high-risk rules apply from August 2, 2026.
Does the EU AI Act apply to US companies?
Yes. Article 2 establishes extraterritorial scope: the Act applies to providers placing AI systems on the EU market regardless of where the provider is established, and to providers and deployers whose AI system output is used in the EU. A US company that sells a hiring tool to a Berlin employer is in scope. A US foundation model provider whose API is consumed by EU customers is in scope. This is the Brussels Effect in operation -- US companies are increasingly setting EU compliance as the global product baseline because the cost of building region-specific variants exceeds the cost of universal compliance.