EU AI Act Fines: What Luxembourg Firms Actually Risk by August 2026
It is roughly seven weeks to 2 August 2026 — the date that, in Luxembourg compliance scoping calls, has stopped being abstract and started being a board agenda item. We have written about the headline deadline itself, about whether you are a provider or a deployer, about high-risk systems, about Article 4 literacy, about GPAI obligations, and about Article 5 prohibitions. One question remains: what is the actual fine if a Luxembourg SME does nothing?
This piece answers that. No jargon, no scare tactics, real numbers, three tiers, the Luxembourg-specific enforcement context, and the three pragmatic moves that get you to "defensible" before 2 August.
The three fine tiers, in plain numbers
The AI Act creates three tiers of administrative fines for non-compliance. Maximum amounts:
- Article 5 prohibited practices (social scoring, manipulative AI, untargeted facial-recognition scraping, and the rest of the Article 5 list): up to €35 million or 7% of global annual turnover, whichever is higher.
- Most other obligations (including high-risk system requirements, GPAI obligations, and transparency obligations): up to €15 million or 3% of global annual turnover, whichever is higher.
- Supplying incorrect, incomplete, or misleading information to a notified body or competent authority: up to €7.5 million or 1% of global annual turnover, whichever is higher.
For SMEs, the regulation explicitly states (Article 99(6)) that the lower of the two amounts applies, not the higher. So for a Luxembourg SME with, say, €30 million in turnover, an Article 5 violation tops out at the lower of €35 million and 7% × €30m = €2.1m, i.e. €2.1m rather than €35m. That is still a company-ending number for most Luxembourg SMEs, but it is not the €35m headline that the trade press has fixated on.
Who actually issues the fines in Luxembourg?
The AI Act delegates national enforcement to "competent authorities" designated by each member state. Luxembourg's designation process had not been finalised at the time of writing (mid-June 2026), but the working consensus across the legal community is:
- CNPD (Commission nationale pour la protection des données) — likely lead for transparency, automated-decision, and biometric obligations, given the existing GDPR overlap.
- ILR (Institut Luxembourgeois de Régulation) — likely lead for market surveillance of AI products placed on the market.
- CSSF for financial sector AI systems, ILNAS for general product safety, sector-specific regulators for their verticals.
Practically: a single AI system in a Luxembourg financial-services firm could be supervised by CSSF and CNPD and ILR for different aspects, with cross-referrals between them. The administrative pain of multiple supervisors is a real cost on top of the financial fine — plan for it.
What "doing nothing" actually means by 2 August
There are six categories of obligation that bite on 2 August 2026. Roughly in order of likelihood-of-enforcement against a Luxembourg SME:
1. AI literacy (Article 4)
Applies to providers AND deployers. Every Luxembourg company using an AI system has to ensure a "sufficient level of AI literacy" among the people who deploy and operate it. There is no certification scheme; there is a documentation expectation. "Doing nothing" here means no training, no register, no documented literacy programme. It is the cheapest fix and the most expensive thing to be caught not having done — see our Article 4 literacy piece.
2. Article 5 prohibited practices
If you operate any prohibited practice, the deadline has already passed (Article 5 entered into force 2 February 2025). "Doing nothing" here is the highest-severity category. Most Luxembourg SMEs are not in Article 5 territory; the ones that are usually know they are. Confirm with the Article 5 piece.
3. Provider vs deployer classification
Every Luxembourg company using or building any AI system needs a documented classification per system. "Doing nothing" means no register, no documented analysis, no clear contractual allocation of responsibilities. This is the foundational documentation gap — and the one that makes every other compliance step harder. Five-minute self-classification test here.
4. High-risk systems (Annex III)
If you are deploying recruitment screening, creditworthiness scoring, biometric categorisation, education access, or critical-infrastructure AI — you are in high-risk territory. Tier 2 fines apply. Doing nothing means no risk management system, no data governance documentation, no human oversight design, no logging. Highest single Luxembourg SME compliance bill.
5. GPAI transparency and copyright obligations
If you fine-tune or train a general-purpose AI model, you have copyright-policy and training-data-summary obligations from 2 August 2025 (already in force). See the GPAI piece.
6. Documentation and record-keeping
Providers of high-risk systems must keep technical documentation; deployers must keep usage logs. "Doing nothing" means the documentation does not exist. This is the category that turns a tier-2 fine into a tier-3 fine on top (information-supply failure).
Quick checkpoint. If you have not done the provider-vs-deployer classification across your AI systems yet, stop reading this and do that first. It takes 30 minutes per system and it is the prerequisite to every other compliance step. Book a 15-minute working session at 20more.lu/en/contact and we will walk you through your first three systems live.
What enforcement actually looks like in practice
The regulation does not exist in a vacuum — it lands on top of a national regulatory culture. Luxembourg's regulatory culture is, by EU standards, risk-based, dialogue-first, and proportionate to the size of the regulated entity. That is not legal advice and it is not a guarantee, but it is the consistent pattern across CSSF, CNPD, and ILR over the last decade.
What that means in practice for a Luxembourg SME:
- First contact is likely a question, not a fine. Competent authorities tend to open with a request for information.
- A defensible documentation file changes everything. If you have a register of AI systems, a documented provider/deployer classification, a literacy training log, and a written human-oversight design — the conversation will be very different from a conversation where none of those exist.
- The fine, if it comes, is calibrated. Article 99(7) requires authorities to take SME size into account when setting the amount. "Up to" means up to.
The three pragmatic moves that get you to "defensible" before 2 August
If you do these three things, you will be inside the dialogue-first window for a Luxembourg competent authority. None of them are expensive.
- Build the AI systems register. One spreadsheet, one row per system, columns: name, owner, provider-or-deployer, Annex III high-risk yes/no, training-data summary if applicable, human-oversight design, current literacy training. Half a day of work. This single document changes 80% of what an enforcement conversation looks like.
- Document the literacy programme. Even if your "programme" is a 20-minute internal video and a one-pager attached to the employment contract — write it down. Half a day of work for a 30-person SME. See the Article 4 piece for the template.
- Do the provider/deployer classification across every AI system. Use the 5-minute test. One day of work for ~10 systems.
Two days of work, total. That is the difference between a defensible posture on 2 August and a non-defensible one. For most Luxembourg SMEs, the fine exposure for not doing this is six-figure to seven-figure. The cost of doing it is four-figure. The ratio is the kind of compliance investment that is almost embarrassing to argue against.
Want help building the register? Book a free 15-minute call at 20more.lu/en/contact. We will send you the register template the same day, pre-filled with the columns Luxembourg regulators ask for. No pitch deck. Seven weeks to go.