EU AI Act Draws First Blood With Major Fines
The EU AI Act has moved from policy to practice, as European regulators issue the first round of fines against companies failing to comply with the world's most comprehensive artificial intelligence regulation. Multiple organizations face penalties totaling over €65 million, marking a watershed moment for global AI governance and sending a clear message to the tech industry: compliance is no longer optional.
The enforcement actions, coordinated across several EU member states, target companies operating prohibited AI systems and those that failed to meet transparency and risk-assessment obligations that took effect earlier this year. Unlike the relatively slow rollout of GDPR enforcement in 2018, EU authorities appear determined to demonstrate immediate credibility with the AI Act.
Key Facts at a Glance
- €65 million+ in combined fines issued across at least 4 EU member states
- Penalties target violations of banned AI practices including social scoring and manipulative AI systems
- Fines can reach up to €35 million or 7% of global annual turnover, whichever is higher
- At least 3 major technology companies and 2 smaller firms face enforcement actions
- The European AI Office coordinated cross-border investigations starting in late 2024
- Companies have 30 days to respond before final penalty assessments are confirmed
Regulators Target Prohibited AI Practices First
The initial wave of enforcement focuses squarely on the AI Act's outright prohibitions, which became enforceable on February 2, 2025. These bans cover AI applications deemed to pose an unacceptable risk to fundamental rights, including systems that deploy subliminal manipulation techniques, exploit vulnerable groups, or enable real-time biometric surveillance in public spaces without proper authorization.
French regulators reportedly led one of the largest actions, targeting a marketing technology firm allegedly using AI-driven emotional manipulation in digital advertising. The system in question analyzed users' facial expressions and behavioral patterns to deliver psychologically targeted content, a practice that falls directly under the Act's prohibition on exploitative AI.
German authorities simultaneously moved against a human resources software provider whose AI-powered recruitment tool was found to engage in social scoring — evaluating job candidates based on aggregated personal data from social media, financial records, and other non-employment-related sources. The company faces a fine of approximately €18 million, representing roughly 4% of its annual revenue.
How the Fines Compare to GDPR Enforcement
The speed and scale of these initial penalties stand in stark contrast to the General Data Protection Regulation (GDPR) enforcement trajectory. When GDPR took effect in May 2018, it took regulators nearly a year to issue the first significant fine — a €50 million penalty against Google by France's CNIL in January 2019.
By comparison, the AI Act's enforcement apparatus appears far more prepared. The European AI Office, established in 2024 specifically to oversee the regulation, spent months conducting preliminary investigations and issuing compliance warnings before the prohibition deadlines hit. This proactive approach means regulators arrived at enforcement day with cases already substantially built.
Industry analysts note several reasons for the accelerated timeline:
- The EU learned from GDPR's slow start and invested in enforcement infrastructure earlier
- The AI Office hired over 140 technical specialists to evaluate AI systems
- Cross-border coordination mechanisms were tested during the transition period
- Companies received explicit guidance documents months before deadlines, reducing ambiguity
- Political pressure to demonstrate the Act's effectiveness drove faster action
Tech Giants Face Scrutiny Over Transparency Failures
Beyond the outright bans, regulators are also pursuing cases related to transparency obligations for general-purpose AI (GPAI) models. Under the Act, providers of foundation models and large language models must disclose training data summaries, publish technical documentation, and comply with EU copyright law.
At least 1 major US-based AI company reportedly received a formal notice regarding insufficient transparency disclosures for its large language model deployed across European markets. While the company has not been publicly named, sources familiar with the matter suggest the investigation centers on inadequate documentation of training data provenance and energy consumption metrics.
This aspect of enforcement carries particular significance for Silicon Valley. Companies like OpenAI, Google DeepMind, Meta, and Anthropic all operate GPAI models that fall under the Act's transparency provisions. The regulation requires these providers to maintain detailed technical documentation and make it available to downstream deployers and regulators upon request.
The GPAI Code of Practice, finalized in early 2025, provides the benchmark against which compliance is measured. Companies that signed onto the code received a degree of regulatory goodwill, but adherence to its principles is now being actively verified.
What This Means for Businesses Operating in Europe
The enforcement wave carries immediate practical implications for any company deploying AI systems in the EU market, regardless of where that company is headquartered. The AI Act's extraterritorial reach means US, UK, and Asian firms serving European customers must comply.
For businesses, the key takeaways are clear:
- Audit existing AI systems against the Act's prohibited practices list immediately
- Ensure all high-risk AI applications have proper risk assessments and documentation in place before the August 2026 deadline
- Appoint a dedicated AI compliance officer or team, especially for companies with multiple AI products
- Review contracts with third-party AI providers to ensure shared compliance responsibilities are clearly defined
- Budget for compliance costs — estimates range from $200,000 to $2 million annually depending on company size and AI portfolio complexity
- Engage with the EU AI Office's guidance resources to understand evolving interpretive standards
Smaller companies and startups face a particularly challenging landscape. While the Act includes some exemptions for SMEs and research activities, the compliance burden remains substantial. Several industry groups, including DigitalEurope and the European Startup Network, have called for additional support mechanisms to help smaller firms navigate the regulatory framework.
Industry Reactions Split Between Caution and Criticism
Reactions from the tech industry reflect a familiar divide. European policymakers and digital rights organizations have largely praised the enforcement actions as overdue accountability measures. Thierry Breton's legacy push for AI regulation appears to be bearing fruit, with the European Commission framing the fines as evidence that the EU takes AI safety seriously.
Meanwhile, industry trade groups have expressed concern about the enforcement's potential chilling effect on AI innovation in Europe. The Computer and Communications Industry Association (CCIA Europe) issued a statement urging regulators to 'balance enforcement with support for responsible AI development.' The group warned that overly aggressive penalties could drive AI investment toward less regulated markets.
US officials have been notably measured in their response. The Biden-era AI Executive Order established voluntary commitments from major AI companies, but the incoming regulatory approach in Washington remains far less prescriptive than Europe's. This regulatory asymmetry continues to fuel debate about whether the EU's approach will become a global template or an outlier.
Looking Ahead: The Compliance Clock Keeps Ticking
These initial fines represent just the beginning of a phased enforcement timeline that extends through 2027. The most consequential provisions — governing high-risk AI systems in areas like healthcare, law enforcement, education, and critical infrastructure — don't become fully enforceable until August 2, 2026.
When those provisions activate, the scope of enforcement will expand dramatically. Companies deploying AI in hiring decisions, credit scoring, border control, and judicial proceedings will face mandatory conformity assessments, human oversight requirements, and ongoing monitoring obligations.
The European AI Office has signaled it will continue ramping up investigations throughout 2025, with a particular focus on general-purpose AI transparency and the use of AI in consumer-facing applications. National regulators in France, Germany, Italy, and the Netherlands are expected to establish dedicated AI enforcement units by year's end.
For the global tech industry, the message from Brussels is unmistakable: the era of self-regulation in artificial intelligence is ending, at least in Europe. Companies that treat the AI Act as a distant concern rather than an immediate operational priority do so at significant financial and reputational risk. With fines scaling up to 7% of worldwide revenue, the cost of non-compliance could dwarf even the most ambitious compliance budgets.
📌 Source: GogoAI News (www.gogoai.xin)
🔗 Original: https://www.gogoai.xin/article/eu-ai-act-draws-first-blood-with-major-fines