A company that has not trained its staff on AI does not face an automatic 35 million euro fine, despite what you read almost everywhere. Regulation (EU) 2024/1689 does set out heavy penalties, but they target specific failures. Here is what your SME actually risks, and what is mostly a myth kept alive by fear sellers.
Read the full guide
AI Training for Business: The Complete 2026 Guide (Funding, Certification, EU AI Act)
Answer a few questions and get a personalized assessment with recommendations tailored to your industry.
Assess my AI maturityRelated articles
Dive deeper with these complementary articles.
AI training for businesses in France costs between €350 and €3,300 ex. VAT per person in 2026, with up to 100% OPCO funding for SMEs under 50 employees. Since August 2, 2026, the EU AI Act requires every company using ChatGPT, Claude, or Copilot to guarantee minimum AI literacy across its teams, with sanctions up to €7.5M or 1.5% of global annual turnover. Here is how to design a truly operational, funded, and compliant program.
A company that has not trained its staff on AI does not face an automatic 35 million euro fine, despite what you read almost everywhere. Regulation (EU) 2024/1689 does set out heavy penalties, but they target specific failures. Here is what your SME actually risks, and what is mostly a myth kept alive by fear sellers.
To place these penalties within the full framework, you can start from our complete guide to AI training for business, which covers funding, certification and obligations.
No, failing to train your staff does not trigger a 35 million euro fine. That ceiling does exist, but it punishes one very specific case: placing on the market or using a prohibited AI system under Article 5 of the regulation, such as general social scoring or behavioural manipulation. Failure to train falls under an entirely different regime.
The training obligation comes from Article 4, the so-called "AI literacy" requirement, applicable since 2 February 2025. Yet Article 4 does not appear in the list of breaches tied to a fixed ceiling in Article 99. So the regulation sets no dedicated fine for the mere fact of not training your teams. Penalties for this type of breach are the ones each Member State must lay down in national law (Article 99, paragraph 1), applied proportionately by the supervisory authorities.
Keep that nuance in mind, because it changes everything: the issue is not a flat fine landing on 2 August 2026, but a genuine obligation whose breach weakens you on several fronts. For the detail of this obligation, see exactly what Article 4 of the AI Act requires regarding training.
The AI Act organises its fines into three ceilings, depending on the severity of the breach. The higher the risk created for people, the higher the maximum penalty. Here is the scale set by Article 99 and, for general-purpose AI models, by Article 101.
| Type of breach | Ceiling | Calculation rule |
|---|---|---|
| Prohibited practices (Article 5) | 35M euros or 7 % of total worldwide annual turnover | the higher amount |
| Operator breaches (providers, deployers, importers, distributors) and transparency obligations | 15M euros or 3 % of worldwide annual turnover | the higher amount |
| Incorrect, incomplete or misleading information supplied to authorities or notified bodies | 7.5M euros or 1 % of worldwide annual turnover | the higher amount |
| General-purpose AI models (Article 101) | 15M euros or 3 % of worldwide annual turnover | the higher amount |
An SME that simply uses ChatGPT, Claude or a business tool with embedded AI is, in the vast majority of cases, a "deployer". It is therefore not exposed to the 35 million ceiling, which is reserved for prohibited practices. Its obligations centre on transparency, human oversight and, precisely, the literacy of its teams.
For an SME, it is the lower amount that applies, not the higher one. Article 99, paragraph 6, sets a reversed rule for small and medium-sized enterprises and startups: between the percentage of turnover and the fixed euro ceiling, the authority keeps whichever is lower. For a large company it is the opposite, the higher amount prevails.
Take a concrete figure. An SME with 4 million euros in turnover that committed a breach falling under the 3 % ceiling would be exposed, at most, to 3 % of 4 million, that is 120,000 euros, and not to the 15 million fixed ceiling. The regulation calibrates the penalty to the actual size of the operator, rather than choking an SME over a good-faith breach.
This does not make the risk negligible. A fine of several tens of thousands of euros still hurts, especially when added to the cost of rushed compliance work.
From 2 August 2026, national supervisory authorities can genuinely monitor and penalise. The AI Act entered into force on 1 August 2024, but its obligations activate in stages. Prohibited practices have applied since February 2025, and so has the literacy obligation. The governance and penalty regime, however, becomes fully operational on 2 August 2026, the date by which each Member State must have designated its competent authorities and made its penalty framework applicable.
In practice, before that date the risk of a formal check on training stays theoretical, for lack of a fully equipped authority. After it, the framework is in place. To understand everything that shifts at that deadline, read what really changes for SMEs with AI training becoming mandatory on 2 August 2026.
One useful point: enforcement is meant to be proportionate. Article 99 requires authorities to consider the nature and gravity of the breach, whether it was intentional or negligent, the steps already taken to remedy it, and the size of the operator. An SME that can show a training effort under way will be treated very differently from a company that has done nothing.
Before any administrative fine, the immediate danger is commercial, contractual and insurance related. This is the angle most articles miss, even though it weighs far more in an SME's daily life than the threat of a public penalty.
The first risk is tenders and large clients. More and more major accounts and public buyers ask their suppliers to demonstrate AI compliance, including staff training. Without a certificate, you drop off the shortlist.
The second risk is liability after an incident. An untrained employee who feeds client data into a consumer AI tool, produces a biased decision or circulates an erroneous output exposes the company. Depending on the context, this can intersect with the GDPR and engage your contractual liability well before any AI Act penalty.
The third risk is insurance and reputation. Cyber insurers are starting to fold AI governance into their questionnaires. And a poorly handled AI incident is usually paid first in lost trust, not in euros sent to a regulator.
Documented training is the first proof of compliance, and the cheapest to put in place. There is no need to aim for regulatory perfection on day one. A structured, traceable approach is enough to keep you on the right side.
A few concrete actions, in order of priority:
The choice of provider matters as much as the content. Training delivered by a certified body explains why Qualiopi certification for AI training is non-negotiable: it drives both quality and access to funding. And before you sign, these 9 criteria for choosing your AI training provider help you avoid bad surprises.
Can an SME really be fined 35 million euros under the AI Act? No, unless it deploys a prohibited AI system under Article 5, which does not match an SME's everyday uses. For other breaches the ceiling is 15M euros or 3 % of turnover, and for an SME the lower amount applies.
Does simply not training my staff lead to a fixed fine? No. Article 4 on literacy has no dedicated fine ceiling in the regulation. Penalties fall under each Member State's national law and are applied proportionately from 2 August 2026.
When do the penalties actually apply? 2 August 2026 marks the general entry into application of the governance and penalty regime. That is when national supervisory authorities have the means to monitor and penalise.
Who enforces the AI Act in France? Supervision rests with the national authorities designated by each Member State. The precise designation of the French authorities and their control procedures depend on national implementing texts. [To verify before sending]
What exactly does the training obligation require? Article 4 requires providers and deployers to ensure a sufficient level of AI literacy among the people who use these systems, based on their knowledge, role and the context of use. It sets no mandatory format or duration.
How do I prove my teams are trained? Through simple traceability: program followed, dates, participants, certificates. Training delivered by a Qualiopi-certified body makes that proof easier and unlocks funding through your OPCO.
GrowthPerf is a Qualiopi-certified training provider specialised in AI, no-code and automation for SMEs and nonprofits. We start from your real uses to build a useful, traceable training plan that meets the literacy obligation without turning compliance into a bureaucratic maze.
Our approach combines a quick audit of your AI uses, training tailored to each level of exposure, and documentation ready to present in a check or a tender. It all starts with tailored AI training for business, designed for teams that need to build skills fast and well.
To set these penalties within your broader upskilling strategy, the complete guide to AI training for business remains your starting point. Prefer a costed budget before deciding? First compare AI training prices and funding in 2026.
Request your free 30-minute AI Act audit: we map your risk areas and the training plan that brings you into compliance before 2 August 2026.
