EU AI Act Fines: 35 Million Euros or 7 Percent of Global Revenue (Whichever Is Worse)
The EU AI Act entered into force on August 1, 2024, and its enforcement provisions phase in over a staggered timeline through August 2027. But the fine structure is already locked in, and it deserves your full attention. The maximum penalty for the most serious violations is 35 million euros or 7% of total worldwide annual turnover, whichever is higher. For context, GDPR's ceiling is 20 million euros or 4% of global annual turnover. The EU decided its AI regulation needed to hit harder than the regulation that reshaped global data privacy.
The Three-Tier Fine Schedule
The EU AI Act, formally Regulation (EU) 2024/1689, establishes a tiered penalty structure under Article 99. It works like this:
- Tier 1: Up to 35 million euros or 7% of global annual turnover. This applies to violations involving the prohibited AI practices under Article 5: social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), systems that exploit the vulnerabilities of specific groups, and subliminal or manipulative techniques that materially distort behavior. These are the practices the EU considers fundamentally incompatible with European values.
- Tier 2: Up to 15 million euros or 3% of global annual turnover. This covers most other obligations under the Act, including the provider, importer, distributor and deployer obligations that flow from the high-risk requirements (Articles 8 through 15), failures in conformity assessment, inadequate risk management systems, and breaches of the transparency obligations in Article 50.
- Tier 3: Up to 7.5 million euros or 1% of global annual turnover. This is for supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities. The "lying to the regulator" tier.
For SMEs and startups, the Act specifies that the lower of the two figures (fixed amount vs. percentage) applies rather than the higher. A meaningful carve-out, but one that obviously does not help the companies most likely reading this post.
How This Compares to GDPR
GDPR's two-tier structure maxes out at 20 million euros or 4% of global turnover (Article 83). When those fines started landing, they got everyone's attention. Meta was hit with a 1.2 billion euro fine in May 2023 for data transfers to the United States. Amazon took a 746 million euro penalty from Luxembourg's CNPD in 2021. These were not theoretical numbers.
The EU AI Act raises the ceiling by 75% on the fixed amount (from 20 million to 35 million) and by 75% on the turnover percentage (from 4% to 7%). For a company like Microsoft, with roughly 212 billion dollars in revenue for fiscal year 2023, a 7% penalty would exceed 14 billion dollars. Even at the Tier 2 level, 3% of that turnover is north of 6 billion. These are numbers that would be material to any company on earth.
There is also a compounding risk worth noting. GDPR and the AI Act are separate regulations, and the AI Act states that it applies without prejudice to EU data protection law. A single AI system processing personal data can therefore trigger violations under both frameworks simultaneously. The European Data Protection Board has already said, in its 2024 statement on the role of data protection authorities under the AI Act, that coordination between data protection authorities and AI Act market surveillance authorities will be necessary; nothing in either regulation precludes dual enforcement.
Why This Is the Highest-Stakes AI Regulation Globally
No other jurisdiction has matched this combination of scope, specificity, and penalty severity. The US has no comprehensive federal AI law as of mid-2025. Executive Order 14110, signed by President Biden in October 2023, established reporting requirements and safety standards but carried no direct fine authority, and the current administration revoked it in January 2025. State-level efforts like Colorado's SB 24-205 (effective February 2026) and the proposed California AI transparency bills are narrower in scope and lighter on penalties.
China's AI regulations, including the Interim Measures for the Management of Generative AI Services (effective August 2023), impose penalties by reference to existing laws such as the Cybersecurity Law and the Personal Information Protection Law, with escalation to service suspension or license revocation rather than AI-specific turnover-based fines. The UK's approach under its "pro-innovation" framework remains largely voluntary and sector-specific, relying on existing regulators rather than creating new enforcement mechanisms.
The EU AI Act also has extraterritorial reach under Article 2. If your AI system's output is used within the EU, you are in scope, regardless of where your company is headquartered. This mirrors GDPR's extraterritorial application, which proved to be very much enforceable. Companies that assumed GDPR would not reach them learned otherwise. The same lesson will apply here.
Enforcement Timeline and Practical Implications
The phased enforcement schedule matters for planning purposes:
- February 2, 2025: Prohibitions on banned AI practices (Article 5) and the AI literacy obligation (Article 4) apply. Note that the penalty chapter itself (Chapter XII, which contains Article 99) applies only from August 2, 2025, so the Tier 1 fines become usable by regulators on that later date.
- August 2, 2025: Obligations for general-purpose AI models (Chapter V), the governance provisions, and the penalty provisions (Chapter XII) take effect. The AI Office in Brussels has primary enforcement authority for general-purpose AI models, although its power to fine their providers under Article 101 applies only from August 2, 2026.
- August 2, 2026: Most remaining provisions become applicable, including the full high-risk AI system requirements.
- August 2, 2027: Obligations for high-risk AI systems that are also regulated products (Annex I, Section A) under existing EU harmonization legislation become enforceable.
Each EU member state must designate at least one notifying authority and at least one market surveillance authority by August 2, 2025 (Article 70). Enforcement will be distributed, similar to GDPR's supervisory authority model, which means you could face action from any member state where your AI system operates. The European AI Office, established within the Commission, handles enforcement for general-purpose AI models directly.
One practical wrinkle: the Act requires companies to maintain detailed technical documentation, conduct conformity assessments, implement risk management systems, and register high-risk systems in an EU database before placing them on the market. Each of these obligations carries its own compliance burden, and failure on any one of them is independently finable. The aggregate exposure from multiple concurrent violations could theoretically exceed even the per-violation caps.
What Companies Should Be Doing Now
If you deploy AI systems that touch EU markets, the compliance clock is already running for prohibited practices and will accelerate through 2026. The practical priorities are straightforward: classify your AI systems against the Act's risk categories, audit your existing deployments for prohibited practices, build or update your risk management and documentation frameworks, and establish internal governance structures that can demonstrate compliance during a regulatory inquiry. Waiting for enforcement precedent is a strategy that worked poorly with GDPR and will likely work worse here, given the higher penalties and the EU's stated intent to enforce aggressively.
How FirmAdapt Addresses This
FirmAdapt's platform was built around the assumption that AI regulation would get more prescriptive and more punitive, not less. The architecture enforces compliance controls at the system level, including risk classification, documentation generation, audit logging, and conformity assessment workflows that map directly to the EU AI Act's requirements for high-risk systems. For companies operating across multiple regulatory regimes, FirmAdapt maintains parallel compliance tracks so that meeting EU AI Act obligations does not require a separate infrastructure from your GDPR, HIPAA, or SOC 2 compliance efforts.
The platform's approach to transparency and explainability requirements is particularly relevant here, since Articles 13 and 14 of the AI Act impose specific obligations around human oversight and interpretability that many general-purpose AI tools were not designed to satisfy. FirmAdapt builds these capabilities into the deployment layer rather than treating them as post-hoc additions, which is the difference between demonstrable compliance and a documentation exercise that may not survive regulatory scrutiny.