Enforcement and penalties
Enforcement runs through central authorities (EU AI Office, SK Ministry of Science & ICT, China's CAC), sectoral regulators and advisory bodies, using tiered penalties. The EU pairs are €35m or 7% of global turnover for prohibited AI and €15m or 3% for other noncompliance (mnemonic 35-7 / 15-3).
Who enforces, the shared global logic, and the numbers worth memorising.
- 🏛️ Central authority → overall supervision sits with the EU AI Office, South Korea's Ministry of Science & ICT, and China's CAC.
- 🏥 Sectoral regulators → enforce within domains (financial regulators, health regulators for medical devices and patient safety).
- 🧑‍⚖️ Advisory bodies → technical guidance from the EU AI Board and Japan's expert councils.
- 🏗️ Providers themselves → embed compliance in existing oversight (ISO/IEC AI management standards, GDPR structures).
Central plus sectoral regulators enforce; tiered penalties are highest for prohibited or systemic risks, with proportionate caps for SMEs and startups; pre-market filing or registration plus post-market monitoring; a mix of hard law (EU, SK, China, US) and soft law (Japan); mandatory incident reporting and corrective powers. Beyond fines → operational restrictions (suspension, licence revocation) and reputational damage.
| Regime | Penalty picture |
|---|---|
| 🇪🇺 EU AI Act | Prohibited AI → up to €35,000,000 or 7% of global turnover for the preceding fiscal year; other noncompliance → up to €15,000,000 or 3%; proportionate caps for startups and SMEs; phased enforcement 2025–27 |
| 🇰🇷 South Korea | Fines and corrective orders → up to 30 million won for notification, domestic-agent or corrective-order failures |
| 🇺🇸 US states | Attorney general enforcement (Colorado, California) → impact assessments, transparency, watermarking duties |
| 🇨🇳 China | CAC filings → fines, suspensions, takedowns for noncompliance |
| 🇯🇵 Japan | Soft law → industry-led compliance, reputational enforcement |
EU penalty pairs → €35m or 7% for prohibited AI; €15m or 3% for other noncompliance.
EU AI Office · Minister/Ministry of Science and ICT (South Korea) · CAC (China) · state attorneys general (US) · industry and reputation (Japan).
Four takeaways → 1️⃣ identify stakeholder roles (provider, deployer, importer, distributor - deployers can morph into providers); 2️⃣ embrace a risk-based strategy across the four tiers; 3️⃣ keep abreast of regulations (EU Act + Omnibus, South Korea, the US state wave, China's CAC regime, Japan's soft law); 4️⃣ build on the strictest requirements and harmonise into one unified framework. Mnemonic bank → Please Handle Laws Mindfully, Producers Import, Distributors Deploy, 35-7 / 15-3. One last anchor → higher risk equates to more duties, lower risk equals a lighter touch.