EU AI Act Fines vs GDPR Fines: How the Two Penalty Regimes Compare
The EU AI Act and GDPR operate parallel penalty regimes. GDPR caps the highest tier at 20 million EUR or 4% of global annual turnover. The AI Act caps its highest tier at 35 million EUR or 7% for prohibited AI practices, with 15 million EUR or 3% for high-risk non-compliance and 7.5 million EUR or 1% for misleading information. The two regimes can apply concurrently. This piece walks through the tiers, the trigger conditions, the enforcement bodies, and where the obligations actually overlap.

The EU AI Act and GDPR operate parallel penalty regimes for AI deployers handling personal data in the EU. GDPR caps the highest tier at 20 million EUR or 4% of global annual turnover, whichever is higher. The EU AI Act Article 99 caps its highest tier at 35 million EUR or 7% for prohibited AI practices under Article 5, with 15 million EUR or 3% for high-risk non-compliance and 7.5 million EUR or 1% for supplying misleading information to authorities. The two regimes can apply concurrently to the same deployment, with different enforcement bodies and different trigger conditions.
The penalty calculation depends on which regime catches the gap. The architectural answer to both is the same per-decision record at the AI request boundary.
I want to walk through the tier structures of both regimes, where the obligations overlap, where they diverge, which enforcement bodies act on each, and how a single architecture can satisfy both.
The GDPR penalty structure
GDPR has two penalty tiers. The lower tier sits at 10 million EUR or 2% of global annual turnover and applies to violations of obligations like records of processing under Article 30, data protection by design under Article 25, data protection officer appointment under Articles 37-39, and breach notification under Article 33.
The higher tier sits at 20 million EUR or 4% of global annual turnover and applies to violations of the data processing principles under Article 5, the lawfulness conditions under Article 6, the consent conditions under Article 7, the data subject rights under Articles 12-22, the international transfer rules under Articles 44-49, and orders from the supervisory authority.
The enforcement body is the supervisory authority in each member state, with cross-border cases handled through the One-Stop-Shop mechanism under Articles 56 and 60. The European Data Protection Board provides binding decisions on cross-border disputes under Article 65. The Court of Justice of the European Union handles appeals on points of EU law.
GDPR fines published in the past three years have ranged from low-five-figure to billion-EUR amounts. The largest single fine to date was issued against Meta Platforms in 2023 for 1.2 billion EUR over US data transfers. The pattern of enforcement has emphasized substantial fines for systemic compliance gaps in large data processors.
The EU AI Act penalty structure
The AI Act has three penalty tiers under Article 99. The highest tier sits at 35 million EUR or 7% of global annual turnover and applies to violations of the Article 5 prohibited AI practices: social scoring, exploitative AI, untargeted facial recognition database scraping, emotion recognition in workplaces and educational institutions, real-time remote biometric identification in publicly accessible spaces by law enforcement, and predictive policing based on profiling.
The middle tier sits at 15 million EUR or 3% of global annual turnover and applies to non-compliance with the high-risk AI system obligations under Articles 8-29. This is the tier most enterprise deployers face. The Article 12 record-keeping obligation, the Article 14 human oversight requirement, the Article 26 deployer monitoring duty, and the Article 73 serious-incident reporting all sit in this tier.
The lower tier sits at 7.5 million EUR or 1% of global annual turnover and applies to supplying incorrect, incomplete, or misleading information to notified bodies and national competent authorities. The tier exists to cover the case where a deployer or provider obstructs the supervisory function.
The enforcement bodies are the national competent authorities designated by each member state, with the AI Office at the European Commission handling general-purpose AI model oversight. The AI Board provides advisory coordination. The Court of Justice of the European Union handles appeals on points of EU law.
The AI Act took effect on August 1, 2024, with the prohibited practices under Article 5 applicable from February 2, 2025, the general-purpose AI rules applicable from August 2, 2025, and the high-risk obligations under Articles 8-29 applicable from August 2, 2026. The August 2, 2026 deadline is the next major enforcement milestone for enterprise deployers.
Where the obligations actually overlap
The two regimes overlap when AI processes personal data. GDPR applies to the processing of personal data regardless of whether the processing involves AI. The AI Act applies to the deployment of AI systems regardless of whether the AI processes personal data, with additional obligations when the AI is high-risk under Annex III.
An AI system used for credit scoring of EU residents triggers both regimes. GDPR governs the processing of the applicants' personal data through the credit scoring pipeline. The AI Act governs the high-risk AI system itself. The supervisory authorities are different: the data protection authority enforces GDPR, the national competent authority designated for the AI Act enforces the AI Act.
The Article 12 record-keeping obligation under the AI Act and the Article 30 records of processing obligation under GDPR cover different things at different levels of granularity. The Article 30 records describe the processing activity at the controller level: what categories of data, what purposes, what retention, what recipients. The Article 12 records describe the AI decision at the per-request level: who, what prompt, what classification, what policy, what outcome.
Where the regimes diverge
GDPR is data-centric. The obligations attach when personal data is processed, regardless of the technology. The data subject rights, the lawful basis requirements, and the international transfer rules apply uniformly to all processing operations.
The AI Act is system-centric. The obligations attach when an AI system is placed on the market or put into service, with the highest obligations on the high-risk categories and the prohibited practices. The system's classification under Annex III drives the obligation set.
GDPR fines have an established enforcement pattern with hundreds of decisions across the supervisory authorities. The AI Act's enforcement pattern is still developing, with the first high-risk obligations taking effect August 2, 2026 and the supervisory bodies in many member states still being formally designated.
The fact patterns that draw the regulator's attention also differ. GDPR enforcement has emphasized data breach notification compliance, international transfer compliance, and processing without lawful basis. The AI Act enforcement, based on the Commission's signaling and the AI Office's posture, is expected to emphasize the high-risk classification compliance, the conformity assessment quality, and the deployer's operational evidence under Article 26.
What concurrent application looks like
A deployer running a high-risk AI system that processes personal data faces both regimes concurrently. The penalty exposure is cumulative: a deployer found in violation of both regimes faces fines under both, with the regimes' upper bounds being additive in principle. In practice, the supervisory authorities coordinate on cases that touch both regimes, with the lead authority depending on the primary substantive violation.
The deployer's compliance posture has to be coherent across the regimes. A single AI deployment with separate compliance evidence streams (one for GDPR, one for the AI Act, one for the sector regulation that applies) is operationally heavy and prone to gaps. The per-decision record at the AI request boundary collapses much of the evidence layer: the record captures the natural person (relevant to both regimes), the data classification (relevant to both), the policy in effect (relevant to the AI Act), and the decision outcome (relevant to both).
DeepInspect
This is the architecture both regimes assume at the operational layer. DeepInspect sits at the AI request boundary as a stateless proxy between the application and the LLM provider. The per-decision audit record produced by the proxy captures the inputs both regimes treat as material: the verified user identity, the data classification, the policy version in effect, the decision outcome, the model destination, and the timestamp.
For GDPR, the record supports the data protection accountability under Article 5(2), the records of processing under Article 30, the data subject rights under Articles 12-22, and the security of processing under Article 32. For the AI Act, the record satisfies the Article 12 automatic recording obligation, the Article 19 retention floor, and the Article 26 monitoring obligation.
The architectural pattern is the same for both. The policy expressed at the proxy reflects the deployer's risk management decisions under both regimes. The records produced satisfy the evidence requirements of both regimes. The operational layer is one architecture, with two enforcement bodies and three penalty tiers in scope.
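As an added illustration (not DeepInspect's code and not part of the original article), the following Python module models the per-decision record described above: the verified identity, data classification, policy version, decision outcome, model destination and timestamp, hash-chained so that after-the-fact edits to the log are detectable, plus a coverage check of the fields each regime treats as material (following the mapping in the text) and a retention-expiry helper. The field names, the regime-to-field mapping, the `retention_days` argument and the two sample decisions are assumptions constructed for the example; no statutory retention period is assumed.

```python
"""Per-decision audit record at an AI request boundary (illustrative model)."""
import dataclasses
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record in a chain

# Fields each regime treats as material, following the mapping in the text.
# Modelling assumption for this example, not a regulatory definition.
MATERIAL_FIELDS = {
    "gdpr": {"subject_id", "data_classification", "outcome", "timestamp"},
    "ai_act": {"subject_id", "data_classification", "policy_version",
               "outcome", "model_destination", "timestamp"},
}


@dataclass(frozen=True)
class DecisionRecord:
    subject_id: str           # verified identity (pseudonymous reference)
    data_classification: str  # e.g. "personal", "special_category", "none"
    policy_version: str       # proxy policy version in effect for this decision
    outcome: str              # "allow", "block" or "redact"
    model_destination: str    # provider/model the request was routed to
    timestamp: str            # ISO-8601, UTC
    prompt_sha256: str        # digest of the prompt; raw text is not stored here
    prev_hash: str            # record_hash of the preceding record
    record_hash: str          # SHA-256 over all fields above


def _digest(body: dict) -> str:
    """Canonical JSON digest so hashes are stable across processes."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_record(subject_id: str, data_classification: str, policy_version: str,
                 outcome: str, model_destination: str, prompt: str,
                 prev_hash: str, timestamp: Optional[str] = None) -> DecisionRecord:
    """Create one chained record for a single request passing through the proxy."""
    body = {
        "subject_id": subject_id,
        "data_classification": data_classification,
        "policy_version": policy_version,
        "outcome": outcome,
        "model_destination": model_destination,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "prev_hash": prev_hash,
    }
    return DecisionRecord(**body, record_hash=_digest(body))


def verify_chain(records: list) -> bool:
    """Recompute every hash and check that each record points at its predecessor."""
    prev = GENESIS
    for r in records:
        body = {k: v for k, v in asdict(r).items() if k != "record_hash"}
        if r.prev_hash != prev or _digest(body) != r.record_hash:
            return False
        prev = r.record_hash
    return True


def missing_fields(record: DecisionRecord, regime: str) -> set:
    """Material fields for the given regime that are absent or empty."""
    data = asdict(record)
    return {f for f in MATERIAL_FIELDS[regime] if not data.get(f)}


def retention_expiry(record: DecisionRecord, retention_days: int) -> datetime:
    """Earliest moment the record may be deleted under a deployer-chosen retention floor."""
    return datetime.fromisoformat(record.timestamp) + timedelta(days=retention_days)


def with_field(record: DecisionRecord, **changes) -> DecisionRecord:
    """Copy a record with fields altered but the hash untouched (simulates log tampering)."""
    return dataclasses.replace(record, **changes)


def sample_chain() -> list:
    """Two constructed decisions, as sample data for the example."""
    first = build_record("sub-8f3a", "personal", "policy-2026.08-r3", "allow",
                         "provider-a/model-x", "Summarise this applicant file",
                         GENESIS, timestamp="2026-08-03T09:15:00+00:00")
    second = build_record("sub-8f3a", "special_category", "policy-2026.08-r3", "block",
                          "provider-a/model-x", "Include the applicant's health history",
                          first.record_hash, timestamp="2026-08-03T09:16:30+00:00")
    return [first, second]


if __name__ == "__main__":
    chain = sample_chain()
    print("chain intact:", verify_chain(chain))
    print("ai_act gaps:", missing_fields(chain[0], "ai_act"))
```

Storing only a digest of the prompt keeps the Article 12 linkage to the request without the proxy's log itself becoming a second copy of the personal data; whether and where the raw prompt is retained is a separate decision under the deployer's policy.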
If your AI deployment is processing personal data and falls into a high-risk Annex III category, both regimes apply on August 2, 2026. The architecture that satisfies the AI Act also produces the GDPR accountability evidence. Book a demo today.
Frequently asked questions
- Can the same violation result in fines under both regimes?
Yes, when the violation triggers both regimes' obligations. A credit-scoring AI system that fails to log decisions under Article 12 and that fails to maintain GDPR records of processing under Article 30 can face concurrent penalties. The ne bis in idem principle limits cumulative punishment for the same offense, and the supervisory authorities typically coordinate, but the two regimes' obligations are distinct enough that violations can be characterized separately.
- Which regime takes precedence when they conflict?
The regimes are designed to coexist, with the AI Act explicitly stating in Article 2 that GDPR continues to apply alongside it. In practice, the regimes address different aspects of the same processing: GDPR addresses the personal data processing, the AI Act addresses the AI system that performs the processing. Apparent conflicts usually resolve into complementary obligations rather than substantive conflicts.
- What is the typical timeline from violation to fine under each regime?
Under GDPR, the typical timeline from violation to decision runs 18 to 36 months, with cross-border cases through the One-Stop-Shop mechanism running longer. Under the AI Act, the enforcement pattern is still developing, with the August 2, 2026 deadline likely producing the first significant enforcement decisions through 2027 and 2028. The supervisory practice in both regimes emphasizes structured corrective action before final penalty decisions in many cases.
- Do the fines apply to the deployer or the provider?
Under the AI Act, the obligations split between providers (Articles 8-17, 43, 47) and deployers (Article 26). The penalty tiers under Article 99 apply to violations of either provider or deployer obligations. The supervisory authority assesses against the entity that violated the specific obligation. In practice, both regimes recognize that the deployer is operationally closest to the high-risk decisions and bears substantial operational responsibility.
- How does the AI Act interact with sector-specific regulations like DORA or the Digital Services Act?
The AI Act explicitly does not displace sector regulations. A financial institution deploying a high-risk AI system in scope of DORA faces both regimes concurrently. A large online platform deploying a high-risk AI system in scope of the Digital Services Act faces both. The penalty exposure aggregates. The compliance architecture has to satisfy the sector framework's specific evidence requirements alongside the AI Act and GDPR baselines.