The EU Artificial Intelligence Act (AI Act) entered into force on 1 August 2024 and is considered the world’s first comprehensive law regulating artificial intelligence. Its goal is clear: to enable innovation without endangering safety, transparency, and fundamental rights.

In overview articles we have already described the basic structures of the law: the risk-based model, what makes an AI system high-risk, and recommendations for companies in the DACH region.

But how will the requirements of the AI Act actually be implemented?

Each EU Member State appoints one or more competent authorities responsible for supervision and sanctions. These national bodies are coordinated by the newly created EU AI Board, which ensures that sanctions are imposed consistently across Europe.

In cross-border cases – for example, when a provider distributes AI systems in several EU countries – the Board takes on a mediating role. This creates an enforcement mechanism similar to the “one-stop-shop” principle known from the GDPR, but extended by technical review bodies.

Unlike many data protection laws, the AI Act is not limited to financial sanctions. It allows immediate market interventions, including:

In practice, this means that a company can effectively lose its AI product before a fine is even legally final. This combination of market intervention and the threat of penalties significantly increases the pressure for early compliance.

The maximum amounts stated in the regulation are only the outer limit. When determining a fine, the authorities must take into account several balancing factors, including:

Thus, enforcement of the AI Act resembles competition or data protection law more than classic product liability cases. Important: self-reporting and transparent communication with authorities can significantly reduce fines.

Large AI models – i.e. General Purpose AI (GPAI) or foundation models – are subject to their own sanctioning regime. Violations of documentation or transparency obligations (e.g., missing information about training data or lack of copyright compliance) can be penalized separately.

Providers of these models are subject to stricter thresholds because they can cause systemic risks. They must perform adversarial testing, report security incidents, and submit risk reports to the Commission. Violations of these obligations incur independent fines – regardless of whether the model is classified as “high-risk” or not.

The obligations of the AI Act come into force gradually. While some rules (e.g., on prohibited practices) already apply from 2025, the requirements for high-risk systems and GPAI will only apply in full from 2026 or 2027.

This is relevant for fine practice: a company will not be sanctioned for an obligation that does not yet apply – but it can be penalized if it misses transition deadlines or cannot demonstrate sufficient preparations.

Another often overlooked point: sanctions can be imposed in parallel under several EU regulations.
For example, if an AI system unlawfully processes personal data, fines under the GDPR may also apply.
If it causes physical harm, product liability law may apply.

The interaction of these frameworks makes the risk profile more complex. In practice, supervisory authorities are expected to establish joint investigation procedures and information exchanges, similar to cooperation in data protection and consumer protection.

Particularly relevant for international providers: like the GDPR, the AI Act has an extraterritorial effect. This means that AI companies without a seat in the EU also fall under its scope if their systems are placed on the EU market or used within the EU.

This concerns, for example:

These companies must appoint an authorised representative (“Authorised Representative”) in the EU who acts as a contact for supervisory authorities and may also be responsible for enforcement and sanctions in case of need.

This extraterritorial structure makes the AI Act a global standard-setter – similar to the GDPR. International companies must therefore prepare not only technically but also organizationally for EU compliance.

The penalties of the AI Act are more than just sums of money; they are rules that require companies to demonstrate technical and organizational responsibility.

Those who establish transparency, documentation, and internal control mechanisms early reduce not only their financial risk but also protect their market position. The AI Act is therefore less a “fine law” and more a compliance framework for responsible AI development.