2026-04-28

Reading an EU AI Act fine notice: what gets you and what doesn't

You have seen the headline: up to €35 million, or 7% of worldwide annual turnover, for violating the EU AI Act. It is a genuinely frightening number, and it is doing exactly what large numbers in regulation are designed to do — get your attention. But a fine ceiling is not an enforcement strategy, and treating €35M as a uniform threat hanging over every AI system is the fastest way to spend your compliance budget in the wrong places.

This is a practical reading of how AI Act enforcement actually works: what the tiers mean, the three questions that determine your real exposure, and the unglamorous thing investigators reach for first.

The number behind the number

The AI Act’s penalties under Article 99 are tiered, not flat. The headline figure applies to the most serious category — deploying a prohibited AI practice under Article 5 (things like manipulative subliminal techniques or untargeted facial-recognition scraping). That tier carries up to €35M or 7% of global turnover, whichever is higher.

  • Prohibited practices (Article 5): up to €35M / 7% of turnover.
  • Most other obligation breaches (high-risk requirements, transparency duties): up to €15M / 3% of turnover.
  • Supplying incorrect, incomplete, or misleading information to authorities: up to €7.5M / 1% of turnover.

For SMEs and startups, the regulation explicitly uses the lower of the fixed amount or the percentage — a deliberate proportionality valve. The €35M scenario is reserved for conduct most companies will never come close to. Knowing which tier your risk actually lives in is the first step to right-sizing your response.

Three questions that decide your exposure

Whether enforcement is a remote tail-risk or a live concern comes down to three questions, in order.

1. Which obligation are you alleged to have breached? A transparency slip (failing to disclose that users are interacting with AI, or that content is AI-generated) sits in a different universe from deploying a banned practice. Map your alleged failure to the right Article before you panic about the ceiling.

2. Is your system “high-risk” under Annex III? This is the single biggest determinant. Annex III enumerates the high-risk categories: biometric identification, critical infrastructure, education and vocational access, employment and worker management, access to essential public and private services, law enforcement, migration and border control, and administration of justice. If your AI system genuinely falls outside these buckets, the weight of obligation drops dramatically — most of the AI Act’s heaviest requirements are conditioned on the high-risk classification.

3. Do you have technical documentation under Annex IV? If you are high-risk, Annex IV defines the technical documentation you must be able to produce. The presence or absence of that documentation is, in practice, what an investigation turns on.

What enforcers actually open with

Here is the part that does not make headlines: early enforcement looks for documentation completeness, not technical perfection. Regulators are not, in the opening move, re-running your model evaluations or auditing your loss curves. They are asking whether you can hand over a coherent, dated, complete paper trail showing you understood your obligations and acted on them.

Two provisions are the bedrock:

  • Article 11 (technical documentation): the obligation to draw up and keep current the Annex IV documentation before a high-risk system goes to market.
  • Article 18 (record-keeping): the obligation to retain documentation, logs, and the artifacts that let an authority reconstruct what your system did and why.

A company with complete, well-organized, verifiable documentation and one control in active remediation is in a defensible position. A company with an excellent model and a documentation trail that is partial, undated, or impossible to authenticate is not. Investigations punish the second profile far harder than the first.

The timeline you’re actually on

Panic is also a function of timing, and the AI Act phases in rather than landing all at once. The prohibitions on unacceptable-risk practices applied first. Obligations for general-purpose AI models followed. The full weight of the high-risk regime under Annex III phases in over a longer horizon, giving providers and deployers time to build conformity assessments and documentation. The practical implication: for most high-risk obligations you are in a preparation window, not a liability window. That is the cheapest time to get documentation right — before an authority is asking, and before remediation happens under deadline pressure.

Using that window well means treating documentation as a standing artifact you maintain, not a binder you assemble in a fire drill. The teams that will struggle are the ones who treat the AI Act as a future problem and discover, when a customer or regulator asks, that their Annex IV trail was never actually assembled.

A practical documentation checklist

If you want a concrete starting point, the documentation that consistently matters maps to a short list:

  • A clear classification decision: is each AI system high-risk under Annex III, with the reasoning recorded?
  • Annex IV technical documentation for every high-risk system — purpose, design, data, and known limitations.
  • A risk-management record showing identified risks and the mitigations applied (Article 9).
  • Data governance documentation covering training, validation, and testing datasets (Article 10).
  • Logging and record-keeping sufficient to reconstruct system behavior (Articles 12 and 18).
  • Human-oversight and transparency measures, documented and dated.

Notice that every item is a document whose value depends on being complete, current, and trustworthy. That is the whole exposure surface, and it is also exactly the surface a verifiable evidence trail protects.

Why “verifiable” is the word that matters

There is a subtle trap in record-keeping. Documentation that you generated, that lives only in your own systems, and that you could in principle have edited after the fact is weaker evidence than most teams realize. The question an investigator — or an opposing counsel — will eventually ask is: how do we know this record is what you say it is, created when you say it was?

This is precisely the gap Probatum is built to close, and it is the core of what we do. Every finding is sealed into a cryptographic evidence package: a SHA-256 hash chain that makes tampering detectable, and an Ed25519-signed Verifiable Credential that an authority can validate independently, offline, without trusting us or logging into anything. The point is not that we expect you to be fined. The point is that the only documentation that genuinely survives scrutiny is documentation a third party can verify without taking your word for it.
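To make the two mechanisms named above concrete, here is an added example that is not Probatum's code or evidence format: a SHA-256 hash chain over dated documentation records, with the chain head signed by Ed25519 so a third party can check the whole trail offline. The `Record` layout is constructed for the example, the `Credential` struct is a minimal stand-in for a Verifiable Credential rather than an implementation of that specification, and the verifier is assumed to have obtained the issuer's public key out of band (the `trustedKey` argument). Only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is one dated entry in a documentation trail (constructed field set, not any vendor's format).
type Record struct {
	Timestamp string `json:"ts"`
	Article   string `json:"article"`
	Summary   string `json:"summary"`
	PrevHash  string `json:"prev"` // hex SHA-256 of the previous record; "" for the first record
}

// Hash is the hex SHA-256 of the JSON encoding. PrevHash is inside the hashed
// bytes, so each record commits to every record before it.
func (r Record) Hash() string {
	b, _ := json.Marshal(r) // four string fields: marshalling cannot fail
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new record to the current head of the chain.
func Append(chain []Record, ts, article, summary string) []Record {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash()
	}
	return append(chain, Record{Timestamp: ts, Article: article, Summary: summary, PrevHash: prev})
}

// VerifyChain recomputes every link and returns the head hash, or an error naming
// the first record whose stored PrevHash no longer matches its predecessor.
func VerifyChain(chain []Record) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty chain")
	}
	if chain[0].PrevHash != "" {
		return "", errors.New("record 0: first record must not carry a prev hash (front of trail removed?)")
	}
	for i := 1; i < len(chain); i++ {
		if chain[i].PrevHash != chain[i-1].Hash() {
			return "", fmt.Errorf("record %d: prev hash mismatch, record %d was altered or replaced", i, i-1)
		}
	}
	return chain[len(chain)-1].Hash(), nil
}

// Credential is a minimal stand-in for a signed Verifiable Credential: it binds
// the chain head to the issuer's Ed25519 key and needs no network access to check.
type Credential struct {
	HeadHash  string `json:"head"`
	PublicKey []byte `json:"pub"`
	Signature []byte `json:"sig"`
}

// Issue signs the head hash with the issuer's private key.
func Issue(priv ed25519.PrivateKey, head string) Credential {
	return Credential{HeadHash: head, PublicKey: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, []byte(head))}
}

// VerifyOffline is the authority-side check. trustedKey pins the issuer key obtained
// out of band; with nil the credential is only self-consistent, which a forger
// holding their own key can satisfy.
func VerifyOffline(chain []Record, cred Credential, trustedKey ed25519.PublicKey) error {
	head, err := VerifyChain(chain)
	if err != nil {
		return err
	}
	if head != cred.HeadHash {
		return errors.New("chain head does not match signed head: the last record was altered")
	}
	if len(cred.PublicKey) != ed25519.PublicKeySize {
		return errors.New("credential carries a malformed public key")
	}
	pub := ed25519.PublicKey(cred.PublicKey)
	if trustedKey != nil && !trustedKey.Equal(pub) {
		return errors.New("credential signed by an unexpected key")
	}
	if !ed25519.Verify(pub, []byte(cred.HeadHash), cred.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// SampleTrail builds a constructed three-record trail for a hypothetical high-risk
// CV-screening tool and signs its head with a freshly generated key.
func SampleTrail() ([]Record, Credential, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, nil, err
	}
	chain := Append(nil, "2026-01-10", "Annex III", "Classified CV-screening model as high-risk (employment)")
	chain = Append(chain, "2026-02-03", "Article 9", "Risk register v1: disparate-impact risk identified, mitigation logged")
	chain = Append(chain, "2026-03-15", "Article 11", "Annex IV technical file v1 completed and reviewed")
	head, _ := VerifyChain(chain) // cannot fail: every link was just built by Append
	return chain, Issue(priv, head), pub, nil
}
```

Two properties are worth noticing. Editing any record except the last breaks the link stored in its successor, so `VerifyChain` alone catches it; editing the last record leaves every link intact, and only the signed head catches it, which is why a hash chain without a signature over its head is not tamper-evident at the tip. The chain and signature establish what the content was and which key vouched for it; the dates inside the records remain the issuer's own claims unless the head hash is additionally anchored to a source of time the issuer does not control.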

Who actually enforces it

It helps to know who is on the other side of the table. Enforcement is not one monolithic regulator. The European AI Office oversees general-purpose AI models at the EU level, while each member state designates national competent authorities — typically market-surveillance authorities — to enforce against high-risk systems in their territory. That structure means your first contact is usually a national authority responding to a complaint, a market-surveillance sweep, or a serious-incident report you yourself were obligated to file.

The practical upshot is that cases rarely begin with a regulator reverse-engineering your model. They begin with a request: show us your documentation, your risk assessment, your logs. Companies that can respond completely and verifiably tend to resolve inquiries quickly; companies that cannot turn a routine request into an escalation. The asymmetry between those two outcomes is enormous, and it is decided entirely by preparation you control today.

The navigable version of the threat

So the honest framing is this. The €35M ceiling is real but narrow. Your actual exposure is a function of which obligation, whether you are high-risk, and whether your documentation holds up. The single highest-leverage investment is not chasing technical perfection on every control — it is making your Article 11 and Article 18 documentation complete, current, and independently verifiable. Get that right and the AI Act stops being a vague existential number and becomes what regulation is supposed to be: a navigable set of obligations you can demonstrably meet.