Brussels Draws a Red Line
For the past two years, the EU AI Act has been called everything from a landmark safeguard to an innovation-stifling overreach. This week, the European Commission confirmed its first three enforcement actions under the Act’s high-risk AI provisions, totalling €14.5 million in fines across a German HR-automation vendor, a French credit-scoring platform, and an Italian facial-recognition integrator.
The actions — the first since the Act’s high-risk rules came into full force in August 2025 — signal regulators are done waiting for voluntary compliance.
The Three Cases
HR Automation (Germany): Berlin-based Talentix GmbH was fined €4.2 million after an audit found its AI candidate-screening tool lacked mandatory conformity assessments and human-review override documentation under Annex III. The system processed more than 280,000 job applications across 47 corporate clients in 2025.
Credit Scoring (France): FinScore Analytics received a €6.8 million penalty for deploying a consumer creditworthiness model without registering it in the EU AI database and for failing to provide borrowers with meaningful explanations of AI-driven rejection decisions. France’s national AI regulator identified the breach during a routine neo-bank inspection.
Facial Recognition (Italy): A systems integrator contracted for municipal surveillance was fined €3.5 million for deploying real-time biometric identification in public spaces without the emergency-use exemption under Article 5. The fine was reduced from €5.1 million after the firm cooperated and disabled the contested modules within 72 hours.
What the Fines Signal
All three cases were detected through proactive audits, not whistleblower complaints. The Commission’s AI Office now employs approximately 140 technical auditors, up from 60 at launch.
The fines represent roughly 0.3–0.7% of each firm’s global annual turnover — well below the Act’s maximum of 3% for high-risk violations. Legal analysts say the calibrated penalties are deliberate: a clear signal without the shock of maximum fines in inaugural cases.
“These are not existential fines,” said Dr. Annalisa Ferretti, AI policy lead at Brussels think tank AlgoWatch. “They are meant to trigger compliance across the thousands of companies that have been quietly hoping enforcement would never come.”
Compliance Deadline Pressure
With GPAI model rules applying to all foundation model providers since February 2026, and the next audit cycle, which targets healthcare and critical infrastructure, set for Q3 2026, companies face mounting pressure to complete conformity assessments and establish human oversight mechanisms.
A Linklaters survey this month found only 38% of EU enterprises subject to high-risk AI rules have completed full conformity assessments, while 29% have not yet begun. Industry groups lobbied for a further grace period; the Commission declined.
Takeaway
The EU AI Act has teeth. The first bites are measured, but the auditor count is growing and the next cycle targets higher-stakes sectors. The window for comfortable voluntary transition has closed.