"Up to €35 million or 7% of global turnover, whichever is higher."
That line has appeared in a lot of EU AI Act coverage. It's accurate, and it's real. But it's also the number that applies to the most serious category of violations — prohibited AI practices: biometric surveillance systems, social scoring, AI that manipulates people against their own interests.
For most small businesses, that number describes a category of conduct they're nowhere near.
The more relevant number for an ordinary business that uses ChatGPT, Microsoft Copilot, or any other standard AI tool is the penalty associated with Article 4 — the AI literacy provision. It's smaller. It's proportionate. And it's the obligation that actually applies to you.
But "smaller and proportionate" doesn't mean you can ignore it. The August 2, 2026 enforcement date is real, the obligation is clear, and the businesses that haven't documented their AI training by then are taking a risk that's entirely avoidable.
Here's how the EU AI Act penalty structure actually works — and what small businesses using standard AI tools actually need to do.
How the EU AI Act Penalty Structure Works
The EU AI Act organizes violations into three tiers, each with a different penalty ceiling.
Tier 1 — Prohibited practices (Article 5): Up to €35 million or 7% of global annual turnover
These are the most serious violations. They cover AI uses that are outright banned under the Act: real-time biometric surveillance in public spaces (with narrow exceptions), AI that exploits vulnerabilities in specific groups, social scoring by public authorities, and AI that manipulates subconscious behavior.
If you're a small business using ChatGPT for drafting or Copilot for productivity, you are not in this category.
Tier 2 — High-risk AI system obligations (Chapter III): Up to €15 million or 3% of global annual turnover
High-risk AI systems are defined in Annex III of the Act and include AI used in: critical infrastructure, education decisions, employment and worker management, essential services (credit scoring, insurance), law enforcement, migration, and the administration of justice.
If you're using AI to make consequential decisions about employees, screen loan applications, or assess creditworthiness — and the AI system falls under the Annex III categories — this tier is relevant to you. For most small businesses using AI as a productivity tool rather than a decision-making system, Tier 2 is also unlikely to apply.
Tier 3 — General obligation violations (including Article 4): Up to €7.5 million or 1.5% of global annual turnover
This is the tier that applies to most ordinary businesses using AI tools.
Article 4 — the AI literacy requirement — falls under this tier. If your organization fails to ensure documented AI literacy for employees who use AI systems at work, and enforcement authorities find you in violation, the maximum penalty is €7.5 million or 1.5% of global turnover.
For a company with €3 million in annual revenue, 1.5% is €45,000. For a €10 million company, it's €150,000. These are not symbolic numbers. But they're also not the apocalyptic fines that get quoted in most EU AI Act coverage — those apply to prohibited practices that small businesses aren't anywhere near.
How Enforcement Actually Works
The EU AI Act doesn't have a single European enforcement authority. Each EU member state designates its own national market surveillance authority — a regulatory body responsible for monitoring compliance and investigating complaints.
The complaint-driven model matters for SMBs. For small businesses, the realistic enforcement pathway is complaint-driven, not proactive audit-driven. An employee raises a concern with a national authority. A competitor files a complaint. A data protection authority that's already investigating an organization for GDPR issues expands its scope to include AI Act compliance.
Priority goes to high-risk systems. National authorities have finite investigative capacity. They will prioritize the highest-risk categories — AI systems used in employment decisions, healthcare, financial services, and law enforcement — over general productivity tools. A small business using ChatGPT for internal drafting is not where enforcement resources are going first.
But Article 4 creates a clear paper trail. Here's the practical risk for businesses that don't comply with Article 4: it's the easiest violation to document. Either you have training records or you don't. There's no ambiguity. When an investigation does reach you — whether through a complaint or as part of broader sector enforcement — the absence of AI literacy documentation is immediately demonstrable.
What Article 4 Actually Requires
Article 4 applies to both providers and deployers of AI systems. If your employees use AI tools to do their jobs, you're a deployer. The obligation is yours.
The requirement: "deployers shall take measures to ensure, to the best of their ability, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf."
What this means in practice:
Written AI Use Policy. Employees need documented rules: which tools are approved, what data can and cannot be entered, what responsible use looks like in your specific context. This exists in writing, is dated, and is accessible to employees.
Structured training. Training appropriate to each employee's role and the AI systems they work with. Not a verbal briefing. Not a memo. Structured training with a completion record attached to each employee.
Demonstrable documentation. If a regulator, an insurer, or an enterprise customer asks whether your employees have received AI literacy training, the answer is a document — not a story. Completion certificates with names, dates, and verifiable records.
The standard is "sufficient level of AI literacy" appropriate to the context of use — not a doctoral program in machine learning. For an employee using ChatGPT to draft communications, the training needs to cover: what ChatGPT can and cannot do reliably, what data should never enter the tool, what the organization's policies require, and how to handle AI-generated output appropriately. Ten minutes of structured training, properly documented, is a defensible basis for Article 4 compliance.
Why August 2, 2026 Is the Date That Matters
The EU AI Act has been phasing in enforcement since 2024. Different provisions take effect on different dates:
- February 2, 2025: Article 5 prohibited practices enforcement began
- August 2, 2025: GPAI (General Purpose AI) obligations began applying
- August 2, 2026: Article 4 (AI literacy), along with high-risk system obligations and national authority designations, becomes fully enforceable
August 2, 2026 is when member states' market surveillance authorities are expected to be fully operational and when enforcement of the general deployer obligations — including Article 4 — kicks in at scale.
If you're reading this and that date is within the next 60-90 days, the window to build your compliance infrastructure before enforcement begins is narrow but still open.
The US Business Question
US businesses with no EU operations often stop reading here. That's a mistake for two reasons.
First, EU exposure may be broader than you think. If you have any EU-based employees, serve EU customers through a digital platform, or work with EU business partners in ways that involve AI-mediated workflows, you may have Article 4 obligations. The Act applies based on where AI systems are deployed and their effects, not just where the organization is headquartered.
Second, Article 4 compliance is becoming a US market signal. Cyber insurance underwriters, enterprise procurement teams, and state regulators are beginning to use EU AI Act compliance — particularly Article 4 — as a benchmark for AI governance maturity, regardless of whether EU jurisdiction technically applies. Demonstrating Article 4 compliance tells the market that your AI use is documented and managed. That signal has value in US markets independent of EU legal obligations.
The Practical Action: Document Training Before August 2
If you take one thing from this post: the action is documentation.
The penalty for Article 4 non-compliance is real and proportionate. The exposure is not catastrophic for most small businesses — but it is unnecessary. The compliance requirement is not complex, and the window to get ahead of it is still open.
What compliance looks like:
- A written AI Use Policy — approved tools, prohibited data inputs, employee responsibilities, dated, on file
- Structured training for every employee who uses AI tools, with individual completion records
- Documentation you can produce on demand — certificates, acknowledgment records, a file you can hand to a regulator or insurer
That's the standard. August 2 is the date. The fix takes less than a day.
AISafeIQ delivers Article 4-aligned training, a company-branded AI Use Policy, UUID-verified completion certificates, and a compiled Insurance Proof Pack — everything needed to demonstrate compliance before the enforcement clock runs out.
This post does not constitute legal advice. Penalty amounts and enforcement timelines are based on the EU AI Act text and publicly available information as of the date of publication. Organizations with EU operations or specific compliance obligations should consult qualified legal counsel.
AISafeIQ's training is designed to align with EU AI Act Article 4 requirements. "Aligns with" means the platform is built to support the documentation and training requirements of the regulation.