Compliance and legal teams comparing exposure across markets need one figure they can trust and update, not ten separate regulatory filings read in isolation. This tracker consolidates the maximum penalty, the enforcement authority, and the current legislative status for the ten jurisdictions most relevant to operators deploying AI agents across the EU, North America, the UK, and Asia-Pacific. Figures are stated as published by the relevant authority or legislative text; currency conversions are approximate and provided only for orientation.

Key takeaways

  • The EU AI Act (Regulation 2024/1689) carries the highest enacted, monetarily specified ceiling in the world: up to EUR 35 million or 7 percent of global turnover for the most serious prohibited-practice violations under Article 5, enforced by the AI Office and national market surveillance authorities.
  • The United States has no federal AI-specific penalty regime. Colorado's AI Act (SB 24-205) is the most developed state-level framework, enforced solely by the Colorado Attorney General with a statutory cure period, and its effective date has been delayed by the state legislature into mid-2026 amid industry pushback.
  • Canada's federal AI penalty regime, the Artificial Intelligence and Data Act, is not currently law. It died with Bill C-27 when Parliament was prorogued in January 2025 and would need fresh legislation to take effect.
  • China, South Korea, and Japan each take a materially different enforcement philosophy: corrective orders and service suspension feature more heavily than fixed monetary fines, though China's measures interact with broader cybersecurity and data law penalties that can be substantial.
  • Brazil's AI bill (PL 2338) remained pending in the Brazilian Congress as of mid-2026, with proposed fines modelled on the LGPD (Brazil's data protection law) structure rather than yet being enacted.

How to read this tracker

Maximum penalty figures are a starting point, not a complete risk picture. A jurisdiction with a lower headline fine but an active, well-resourced enforcement body, such as an EU member state data protection authority already experienced in GDPR enforcement, may pose more practical exposure in the near term than a jurisdiction with a higher theoretical ceiling but no enforcement track record. Where a framework remains a proposal rather than enacted law, this is marked explicitly, because it is the single most common source of confusion in cross-border compliance planning: operators frequently prepare for penalty regimes that have not yet taken legal effect, or fail to prepare for ones that have.

Jurisdiction Instrument Maximum penalty Enforcement body Status (mid-2026)
European Union AI Act, Regulation (EU) 2024/1689, Article 99 EUR 35 million or 7% of global turnover AI Office and national market surveillance authorities In force; high-risk obligations subject to Digital Omnibus delay discussion
European Union GDPR, Regulation (EU) 2016/679, Article 83 EUR 20 million or 4% of global turnover National data protection authorities In force since 2018; applies to AI processing personal data
United States (federal) No AI-specific statute; FTC Act Section 5 Case-by-case; no fixed AI ceiling Federal Trade Commission No enacted federal AI penalty regime
Colorado, United States Colorado AI Act, SB 24-205, C.R.S. 6-1-1701 et seq. Civil penalties under Colorado Consumer Protection Act; no private right of action Colorado Attorney General Enacted; effective date delayed by the state legislature into mid-2026
United Kingdom No dedicated AI statute; UK GDPR, sectoral regulators Up to GBP 17.5 million or 4% of global turnover (data protection) ICO; sectoral regulators including FCA, CMA, Ofcom, MHRA Pro-innovation, principles-based approach; White Paper (2023) implemented via existing regulators
China Interim Measures for the Management of Generative AI Services (2023) Suspension of services; fines and penalties under linked cybersecurity and data law Cyberspace Administration of China (CAC) In force since August 2023
South Korea AI Basic Act (2024) Corrective orders and administrative fines, materially lower ceiling than the EU AI Act Ministry of Science and ICT (MSIT) Obligations effective from January 2026
Japan AI Promotion Act (2024) No fixed fines; publication of non-compliance and government requests METI and relevant sectoral ministries In force; soft-law, disclosure-based enforcement model
Brazil PL 2338 (proposed AI framework law) Proposed fines modelled on LGPD, up to 2% of Brazilian revenue capped per infraction Proposed: a national AI authority, or the existing data protection authority (ANPD) Pending in the Brazilian Congress as of mid-2026; not yet enacted
Canada Artificial Intelligence and Data Act (AIDA), part of Bill C-27 Not applicable; bill lapsed Not applicable Died on the order paper at prorogation, January 2025; requires reintroduction
Singapore No dedicated AI statute; Personal Data Protection Act (PDPA) Up to 10% of annual turnover in Singapore or SGD 1 million, whichever is higher (data breaches) Personal Data Protection Commission (PDPC) Model AI Governance Framework (IMDA) and AI Verify remain voluntary

The EU AI Act: the ceiling other jurisdictions are measured against

The EU AI Act's penalty architecture, set out in Article 99 of Regulation (EU) 2024/1689, tiers fines by the severity of the violation. The most serious tier, up to EUR 35 million or 7 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, applies to non-compliance with the prohibited AI practices in Article 5, such as social scoring or manipulative AI systems. A second tier of up to EUR 15 million or 3 percent applies to non-compliance with most other obligations, including the high-risk system requirements in Articles 9 through 17 and the deployer obligations in Article 26. A third, lower tier applies to the supply of incorrect information to authorities.[1] National market surveillance authorities, coordinated by the EU AI Office, are responsible for enforcement, and the framework operates alongside, not instead of, the GDPR's own penalty regime where AI processing involves personal data.

The United States: no federal ceiling, a patchwork of state action

The United States has taken a materially different structural approach: no enacted federal AI-specific statute exists, and the Federal Trade Commission instead relies on its general authority under Section 5 of the FTC Act to pursue AI-related conduct it considers unfair or deceptive, without a fixed penalty ceiling specific to AI.[2] The most developed state-level framework is Colorado's AI Act (SB 24-205, codified at C.R.S. 6-1-1701 et seq.), signed into law in May 2024. It is enforced exclusively by the Colorado Attorney General, provides no private right of action, and includes a statutory cure period before enforcement action can proceed. The Colorado legislature delayed the Act's original 1 February 2026 effective date amid sustained industry pushback, pushing implementation into mid-2026, and the final compliance timeline should be verified directly against the Colorado Attorney General's published guidance before any operator finalises a compliance plan around it.[3]

China, South Korea, and Japan: correction before punishment

China's Interim Measures for the Management of Generative AI Services, in force since August 2023 and enforced by the Cyberspace Administration of China, do not set a single fixed monetary ceiling in the way the EU AI Act does. Instead, non-compliant generative AI services can be suspended, and violations that also breach China's Cybersecurity Law or Personal Information Protection Law can trigger the substantial fines available under those separate statutes.[4]

South Korea's AI Basic Act, enacted in 2024 with core obligations effective from January 2026, is administered by the Ministry of Science and ICT and relies primarily on corrective orders directed at high-impact AI providers, with administrative fines available for non-compliance that are materially lower in ceiling than the EU AI Act's turnover-linked maximum.[5] Japan's AI Promotion Act, also passed in 2024, goes further in the direction of soft law: it sets out no fixed monetary fines at all, relying instead on public disclosure of non-compliance and formal requests from the relevant ministry, principally the Ministry of Economy, Trade and Industry, as its primary enforcement tool.[6] Operators used to the EU's fine-first enforcement culture should not assume the absence of a comparable penalty ceiling in Japan means the absence of real regulatory consequence: reputational and business consequences of public non-compliance disclosure can be significant.

Brazil and Canada: proposed and lapsed

Brazil's proposed AI framework law, PL 2338, would introduce a risk-based classification system with penalties modelled closely on Brazil's existing data protection law, the LGPD, including fines of up to 2 percent of Brazilian revenue capped per infraction. As of mid-2026, PL 2338 remained pending before the Brazilian Congress and had not been enacted, meaning no AI-specific penalty regime is currently in force in Brazil beyond the LGPD's existing application to AI systems that process personal data.[7]

Canada's proposed federal penalty regime, the Artificial Intelligence and Data Act, was part of Bill C-27, alongside privacy law reforms. The bill died on the order paper when the Canadian Parliament was prorogued in January 2025, meaning AIDA has no legal effect and no current penalties. Any future Canadian federal AI penalty regime would need to be reintroduced as new legislation in a subsequent Parliament, and operators should not treat AIDA's previously proposed structure as a reliable guide to what a reintroduced bill would ultimately contain.[8]

What this means for cross-border operators

An operator running the same AI agent across the EU, the United States, and Asia-Pacific markets faces genuinely different penalty architectures, not merely different numbers on the same scale. The EU model is a fixed-percentage-of-turnover ceiling enforced by a dedicated market surveillance structure. The US model, where it exists at all, is state-specific, attorney-general enforced, and typically includes a cure period. The East Asian models lean toward correction and disclosure before monetary punishment. Brazil and Canada illustrate that a well-publicised proposal is not the same as a binding obligation, and treating a bill as if it were already law is one of the more common and avoidable planning errors in this space.

The practical consequence for a compliance programme is that the EU AI Act's Article 26 documentation, built to satisfy the highest-stringency regime, will generally satisfy or exceed the evidentiary expectations of every other jurisdiction on this tracker, with the exception of jurisdiction-specific transparency or disclosure requirements that have no EU equivalent. Building to the EU standard first, then mapping gaps to each additional market, remains the most efficient sequencing for a multinational operator.

For the EU deployer obligations that anchor this comparison, see the Article 26 deployer obligations guide on agentliability.eu. For a single-jurisdiction deep dive using the same comparative method, see the Australia AI regulation guide and the South Africa AI regulation guide. For how documented compliance across jurisdictions supports an insurance submission, see agentcertified.eu's analysis of certification and underwriting.


Frequently asked questions

Which jurisdiction has the highest maximum AI-related penalty in 2026?

The EU AI Act (Regulation 2024/1689) carries the highest headline maximum: up to EUR 35 million or 7 percent of total worldwide annual turnover, whichever is higher, for the most serious violations, such as deploying a prohibited AI practice under Article 5. China's Interim Measures for the Management of Generative AI Services do not set a comparable fixed monetary ceiling but allow suspension of services and referral to broader cybersecurity and data law penalties. Among enacted, monetarily specified frameworks, the EU AI Act's ceiling remains the highest in the world as of mid-2026.

Does the United States have a federal AI penalty regime comparable to the EU AI Act?

No. The United States has no enacted federal cross-economy AI statute with its own penalty regime as of mid-2026. Regulation proceeds through existing agency authority, such as the FTC Act's prohibition on unfair or deceptive practices, and through state law, most notably the Colorado AI Act (SB 24-205), which is enforced exclusively by the Colorado Attorney General with civil penalties under the Colorado Consumer Protection Act and a statutory cure period.

Is Canada's AI penalty regime in force in 2026?

No. The Artificial Intelligence and Data Act, which would have introduced a federal Canadian penalty regime for high-impact AI systems, was part of Bill C-27. That bill died on the order paper when the Canadian Parliament was prorogued in January 2025, meaning AIDA is not law and carries no current penalties. A federal AI-specific penalty regime in Canada would need to be reintroduced as new legislation.

How does South Korea's AI Basic Act penalty regime compare to the EU AI Act?

South Korea's AI Basic Act, enacted in 2024 with obligations taking effect from January 2026, is administered by the Ministry of Science and ICT and relies primarily on corrective orders and administrative fines. The fines are materially lower in ceiling than the EU AI Act's 7 percent of global turnover maximum, reflecting a supervisory, correction-first enforcement philosophy rather than the EU's market-surveillance and product-safety-style penalty architecture.


References

  1. Regulation (EU) 2024/1689 (EU AI Act), Article 99, Penalties. Sets tiered maximum fines of EUR 35 million or 7% of global turnover, EUR 15 million or 3%, and lower amounts for lesser violations. Available at eur-lex.europa.eu.
  2. Federal Trade Commission Act, 15 U.S.C. Section 45, prohibition of unfair or deceptive acts or practices, applied by the FTC to AI-related conduct in the absence of a dedicated federal AI statute.
  3. Colorado AI Act, Senate Bill 24-205, codified at Colorado Revised Statutes Section 6-1-1701 et seq. Enforcement vested solely in the Colorado Attorney General, with a statutory right to cure. Effective date delayed by subsequent legislative action; verify current status directly with the Colorado Attorney General's office.
  4. Cyberspace Administration of China (CAC). Interim Measures for the Management of Generative Artificial Intelligence Services, effective 15 August 2023. Interacts with the Cybersecurity Law of the People's Republic of China and the Personal Information Protection Law for penalty purposes.
  5. Republic of Korea, AI Basic Act, enacted 2024, core provisions effective from January 2026. Administered by the Ministry of Science and ICT (MSIT).
  6. Japan, AI Promotion Act, enacted 2024. Administered principally by the Ministry of Economy, Trade and Industry (METI) with relevant sectoral ministries. Enforcement model based on public disclosure and government requests rather than fixed monetary fines.
  7. Brazil, PL 2338/2023, proposed general AI framework law, pending before the National Congress of Brazil as of mid-2026. Proposed penalty structure modelled on the Lei Geral de Protecao de Dados (LGPD), Law No. 13,709/2018.
  8. Canada, Bill C-27, Digital Charter Implementation Act, 2022, including the proposed Artificial Intelligence and Data Act (AIDA). Died on the order paper upon prorogation of the 44th Parliament, 6 January 2025.
  9. Regulation (EU) 2016/679 (GDPR), Article 83, general conditions for imposing administrative fines, maximum of EUR 20 million or 4% of global turnover.
  10. Singapore, Personal Data Protection Act 2012, as amended 2020, financial penalty provisions of up to 10% of annual turnover in Singapore or SGD 1 million, whichever is higher, enforced by the Personal Data Protection Commission.