You already know the EU AI Act exists. You probably know the fines can reach 35 million euros. If you have read our first guide, you understand the risk categories and who the law applies to. If you have worked through the 10-step checklist, you have a sense of how much work compliance actually requires.
But here is the question almost nobody asks: who actually comes after you? How do they find out you are not compliant? And what exactly happens when they do?
This is not about the maximum fine numbers. You have seen those. This article is about the enforcement machinery behind those numbers, because understanding how enforcement works is the first step to being prepared for it.
Who Enforces the EU AI Act?
There is no single "AI police." Enforcement is split across two levels, and understanding this structure matters because it determines who might knock on your door.
National Market Surveillance Authorities
Every EU member state must designate at least one market surveillance authority responsible for enforcing the AI Act within its borders. These are the frontline enforcers. If you operate in Germany, the German authority investigates. If you serve customers in France, the French authority has jurisdiction, even if your company is based elsewhere.
These authorities already exist for product safety. The EU AI Act extends their mandate to cover AI systems. They have the power to request documentation, conduct on-site and remote inspections (including unannounced ones), test your AI systems, order you to fix compliance issues, pull non-compliant AI systems from the market, and impose fines.
Key point: Market surveillance authorities can order your AI system off the market entirely. For a business that depends on AI-powered operations, this is potentially more damaging than any fine.
The European AI Office
At the EU level, the European Commission has established the AI Office. This body has direct enforcement authority over providers of general-purpose AI models: think foundation model providers such as the companies behind GPT, Claude, or Gemini. For most SMEs, the AI Office is not your direct regulator. But if you use a general-purpose AI model in your product and that model's provider is found non-compliant, it creates a supply chain problem that hits you too.
Cross-Border Enforcement
If your AI system operates in multiple EU countries, authorities cooperate through mutual assistance and joint investigations. You cannot avoid enforcement by serving customers in smaller markets where you assume oversight is lighter. A complaint in any member state can trigger an investigation that follows your product across borders.
How Violations Are Discovered
This is the part most businesses never think about. They assume that if they are small, nobody will notice. That assumption is wrong, and here is why.
Complaints from Anyone
Under the EU AI Act, any person can submit a complaint about an AI system to the relevant authority. This includes your customers, your employees, your competitors, or anyone affected by your AI system's decisions. Under GDPR, complaints became the single largest source of enforcement actions. There is no reason to expect the AI Act will be different.
Real-world parallel: Under GDPR, a significant number of enforcement actions started with a single complaint, often from a disgruntled employee or a competitor. The AI Act uses the same complaint mechanism. One unhappy customer reporting "I think this chatbot is making decisions about me and nobody told me" is enough to trigger an investigation.
Your Own Customers Force It
This is already happening. EU enterprise customers are starting to require AI compliance proof from their vendors before signing contracts. Reports suggest that some SaaS founders have already lost deals because they could not provide EU AI Act documentation. Your customers will not wait for regulators; they will audit you themselves, or they will simply choose a compliant competitor.
Routine Market Surveillance
Authorities conduct proactive monitoring. They sample AI systems on the market and check for compliance β documentation, transparency disclosures, risk classifications. You do not need to be reported. You can be selected at random.
Incident Reports
If your AI system causes a serious incident (harm to a person, a discriminatory outcome, a safety failure), it must be reported: providers report to the market surveillance authority, and deployers who identify a serious incident must immediately inform the provider and then the relevant authorities. If you fail to report it and the incident comes to light through other channels, you face penalties for both the incident itself and the failure to report. If you do report it, you trigger an investigation into your compliance status.
What Happens After You Are Caught
Enforcement does not begin with a fine. It follows a process, and understanding this process is important because each stage gives you less room to respond.
Information Request
The authority contacts you and requests documentation: technical files, risk assessments, audit logs, conformity declarations, data processing records. The response deadline is set by the authority, typically 15 to 30 days. If you do not have these documents ready, this is where the panic begins.
Document Review and Technical Evaluation
Authorities review what you provide against AI Act requirements. They may also conduct or commission technical testing of your AI system, including accessing and testing the system in operation. Upon a reasoned request, where it is necessary to assess conformity, they can obtain access to your source code.
On-Site Inspection
If the document review raises concerns, inspectors may visit your premises, potentially without advance notice. They verify that documented practices match actual operations, interview staff, and inspect systems in their real environment.
Findings and Corrective Action Order
The authority communicates findings. If non-compliance is identified, you are ordered to fix it within a specified timeframe. During this period, your AI operations may be restricted.
Escalation: Fines, Withdrawal, or Market Ban
If corrective action is insufficient or if the violation is severe, authorities escalate. This means administrative fines calculated based on the violation tier, an order to withdraw your AI system from the market, a prohibition on making the system available, and, critically, public disclosure of the enforcement action.
The hidden penalty: Under GDPR, enforcement actions and fines are routinely published by supervisory authorities. The AI Act follows the same transparency approach. When you are fined, everyone (your customers, competitors, and partners) will know. For an SME, the reputational damage often exceeds the financial penalty.
The Three Ways SMEs Get Hit Hardest
Large corporations have legal teams and compliance departments preparing for enforcement. SMEs do not. Here are the three patterns that will catch the most small businesses off guard.
1. "We Just Use the Tool"
The most common misconception. An SME uses an AI-powered tool (a chatbot, a hiring screener, an analytics platform) and assumes compliance is entirely the provider's responsibility. It is not. The EU AI Act holds deployers independently accountable. As a deployer of a high-risk system, you must ensure human oversight of AI-driven decisions, retain the logs automatically generated by the provider's system, to the extent they are under your control, for at least six months, conduct fundamental rights impact assessments for certain high-risk use cases, and report serious incidents. "We just use the tool, it's their problem" is not a legal defense. It is the fastest path to a Tier 2 penalty.
2. The "Materially Influences" Trap
Your AI system does not make the final decision; a human does. So you think you are safe. But the AI Act asks whether the AI "materially influences" the outcome, and whether the human oversight is real. If your AI tool scores job candidates and your HR team follows the AI's ranking 95 percent of the time, regulators will not see that as meaningful human oversight. They will see a high-risk AI system operating without proper safeguards. Automation bias, the cultural habit of accepting AI recommendations without genuine scrutiny, is named explicitly in the Act's human oversight requirements, and it is the compliance risk that almost nobody talks about.
3. No Documentation, No Defense
When the information request arrives, you need to produce technical documentation, risk assessments, audit logs, training data records, oversight procedures, and incident logs. Not next month. Within days. If you have not been generating and maintaining this evidence from the start, you cannot create it retroactively. The organizations that survive inspections are those that can produce evidence at all three levels (documented policies, implemented controls, and operating records) within hours. A last-minute document collection exercise will not pass scrutiny.
SME Penalty Caps: Protection, Not Immunity
There is a common misunderstanding that the EU AI Act goes easy on small businesses. The reality is more nuanced. Article 99 does provide a proportionality mechanism for SMEs and startups: for each penalty tier, the fine is capped at the lower of the fixed amount or the turnover percentage, the inverse of the rule for large enterprises, where the higher of the two applies. Member states must also take the economic viability of SMEs into account when setting the final penalty.
This means a freelancer with 100,000 euros in annual revenue faces a maximum Tier 2 fine of 3,000 euros (3 percent of turnover), not 15 million. That is proportionate. But 3,000 euros plus the cost of forced remediation, potential loss of the right to use your AI systems, and public disclosure of the violation can still be devastating for a solo business.
The caps protect you from existential fines. They do not protect you from enforcement itself.
What You Can Do Right Now
If you have not started preparing, the enforcement timeline is not abstract. August 2, 2026 is less than six months away.
Start with the 10-step compliance checklist we published. It covers the full range of preparation, from auditing your AI systems to building documentation to reviewing your supply chain. If you have already read it, go back and honestly assess which steps you have completed and which you have not.
The steps that matter most for surviving an enforcement action are audit logging (Step 4), compliance documentation (Step 7), and supply chain review (Step 8). These are the areas where the gap between "we think we're compliant" and "we can prove we're compliant" is widest.
If building and maintaining this infrastructure yourself feels like more than your team can handle, that is exactly the problem Hlinix was designed to solve.
Hlinix handles Steps 3, 4, 5, and 10 at the infrastructure level. Data stays on EU servers, supporting your GDPR obligations. Provider-generated logs are stored, timestamped, and export-ready for regulatory review from day one. Transparency controls are configurable from a dashboard. And as the AI Act evolves, the platform updates β so you do not need to track regulatory changes yourself. Starting at 25 euros per month.
Don't Wait for the Information Request
When the authority contacts you, your compliance status is already decided. The question is whether you can prove it. Join the waitlist and be audit-ready before August 2026.
Summary
The EU AI Act is not a regulation that sits on paper. It has a real enforcement machinery: national market surveillance authorities with the power to inspect, test, restrict, and fine. Violations are discovered through complaints, customer audits, routine surveillance, and incident reports. The process escalates from information requests to on-site inspections to fines and market bans. SMEs face proportionate penalties, but enforcement itself (the disruption, the forced remediation, the public disclosure) can be as damaging as any fine.
"I didn't know" is not a defense. "I wasn't ready" is worse. Start preparing now.