Search pages, courses, and articles
AI deployments touching personal data can trigger fines under multiple regimes simultaneously. This calculator shows the combined maximum exposure under EU AI Act Article 99, GDPR Article 83, and Consumer Credit Directive Article 24 for a single incident. SME relief under Article 99(6) and the post-Omnibus SMC extension are factored in.
Sources: AI Act on EUR-Lex + GDPR + Consumer Credit Directive. Self-assessment, not legal advice.
Self-assessment, not legal advice. Real enforcement varies by Member State, coordination between authorities, and aggravating / mitigating factors under Article 99(7). Authorities typically do not double-stack on a single incident, but the legal exposure is real.
In practice, supervisory authorities coordinate to avoid double counting on a single incident, particularly the AI market surveillance authority and the data protection authority. But the legal exposure under each regime is real. A worst-case enforcement under all three regimes is theoretically possible, and the EU Commission has signalled that aggravating-factor stacking under Article 99(7) can occur. The numbers in this calculator are the maximum theoretical exposure, not the expected outcome.
Article 99(6) of the EU AI Act provides that for SMEs (including startups), administrative fines apply at the LOWER of the two thresholds, fixed amount or percentage of turnover, rather than the higher. For a EUR 30M SME with a Tier 2 high-risk violation, the fine is capped at the LOWER of EUR 15M (fixed) or 3% of EUR 30M = EUR 900K. The 7 May 2026 Omnibus deal extended this relief to small mid-caps (SMCs) as well.
Article 99 + GDPR Article 83 both treat each violation as a separate enforcement opportunity. The fine cap is per-incident not lifetime. A pattern of failures could trigger multiple separate enforcement actions, each fineable up to the relevant cap, with the higher caps applying to aggravated or systematic violations under Article 99(7).
Consumer Credit Directive (2023/2225) Article 24 leaves penalty levels to Member States. National implementations typically range from EUR 5K to EUR 500K per affected consumer, with the higher end reserved for systematic failures affecting many consumers. The EUR 500K shown in this calculator is the typical per-consumer upper bound, not a turnover-based cap like the AI Act and GDPR.
Article 101 of the EU AI Act sets fines for GPAI provider obligations: up to EUR 15M or 3% of global turnover. These apply to providers of general-purpose AI models (foundation model providers). Most readers of this calculator are deployers, not providers, so Article 101 won't apply. If you are a GPAI provider, you'd substitute Article 101 in place of Article 99(4) for your tier.
The article explains how each tier is calculated, how authorities actually coordinate enforcement, the Article 99(7) aggravating factors, and what civil liability adds on top.
