Skip to main content
+34 699 71 93 06

Fines for the Misuse of AI: What Self-Employed Professionals and SMEs Need to Know

Written by Margaret on . Posted in Artificial Intelligence, Artificial Intelligence and Law, Business Law.

Artificial intelligence is already part of the day-to-day operations of many businesses.

Self-employed professionals, retailers, professional firms and small and medium-sized enterprises use tools such as ChatGPT, Microsoft Copilot and other AI systems to draft documents, respond to enquiries, prepare marketing campaigns, analyse information and improve internal processes.

Using these tools is not, in itself, unlawful.

However, the professional use of artificial intelligence is not free from legal obligations. The European Union Artificial Intelligence Act establishes a system of responsibilities and penalties that may also apply to self-employed professionals and SMEs.

The key question is not simply whether a business uses artificial intelligence. It is how the technology is used, for what purpose and what consequences it may have for clients, employees, job applicants or consumers.

Can an SME be fined for using artificial intelligence?

Yes.

A self-employed professional or an SME may fall within the scope of the EU AI Act when using an AI system as part of its professional or commercial activity.

The Regulation uses the term “deployer” to describe a natural or legal person who uses an AI system under their authority, except where the system is used in the course of a personal, non-professional activity.

This means that a business does not need to have developed its own artificial intelligence system in order to assume legal responsibilities.

It may be sufficient for the business to use an AI tool to make decisions, screen job applicants, assess employees, classify customers, generate content or provide services.

Not all uses of artificial intelligence, however, carry the same level of risk.

The EU AI Act follows a risk-based approach. The most demanding obligations apply to prohibited AI practices and systems classified as high-risk.

When does the EU AI Act apply?

The Regulation is being introduced progressively.

The general provisions and prohibitions relating to certain AI practices began to apply on 2 February 2025.

The rules concerning penalties began to apply on 2 August 2025.

Most of the Regulation will become fully applicable from 2 August 2026, although some specific provisions are subject to different implementation dates.

Businesses should therefore not wait until the last moment to review how artificial intelligence is being used within their organisations.

What fines does the EU AI Act establish?

The Regulation provides for three principal levels of administrative fines.

1. Prohibited AI practices

Breaching the prohibition on certain artificial intelligence practices may lead to fines of up to:

€35 million or 7% of the company’s total worldwide annual turnover.

Prohibited practices include, in certain circumstances, AI systems that manipulate human behaviour, exploit people’s vulnerabilities, carry out certain forms of social scoring or use prohibited biometric technologies.

2. Breaches of other obligations under the Regulation

Failure to comply with other obligations applicable to providers, deployers, importers, distributors or notified bodies may lead to fines of up to:

€15 million or 3% of total worldwide annual turnover.

This category may include breaches connected with high-risk AI systems, transparency, documentation, human oversight or cooperation with the competent authorities.

3. Providing incorrect, incomplete or misleading information

Providing incorrect, incomplete or misleading information to the relevant authorities or notified bodies may lead to fines of up to:

€7.5 million or 1.5% of total worldwide annual turnover.

Do the same maximum amounts apply to SMEs?

The Regulation expressly takes account of the position of small and medium-sized enterprises, including start-ups.

Where the infringing business is an SME, the maximum fine in each category is the lower of:

  • the fixed monetary amount established in the Regulation; or
  • the relevant percentage of the business’s annual turnover.

For example, if a small business has an annual turnover of €500,000, the percentage-based maximums would be:

  • up to €35,000 for a prohibited AI practice: 7%;
  • up to €15,000 for other infringements: 3%;
  • up to €7,500 for providing incorrect, incomplete or misleading information: 1.5%.

This does not mean that these amounts will automatically be imposed.

The competent authority must consider the circumstances of the individual case and ensure that any penalty is effective, proportionate and dissuasive.

Relevant factors may include:

  • the nature and seriousness of the infringement;
  • its duration;
  • the number of people affected;
  • the damage caused;
  • whether the conduct was intentional or negligent;
  • the measures taken to correct the infringement;
  • the level of cooperation with the authorities;
  • any previous infringements;
  • and the financial capacity of the business.

Can the use of ChatGPT lead to a fine?

Using ChatGPT, Copilot or another generative AI tool does not, by itself, constitute an infringement.

The legal risk arises when a business uses artificial intelligence without appropriate safeguards or for purposes that may affect the rights of other people.

Examples may include:

  • entering clients’ personal data or confidential information into an AI system without first assessing the risks;
  • using AI to select or reject job applicants without sufficient human oversight;
  • assessing employee performance or behaviour through automated systems;
  • publishing AI-generated or manipulated images, videos or audio without complying with applicable transparency obligations;
  • making significant decisions solely on the basis of AI-generated output;
  • using tools that produce discriminatory or biased results;
  • or allowing staff to use AI systems without training or internal guidance.

Other legislation may also apply alongside the EU AI Act, including the General Data Protection Regulation, employment law, consumer protection law, intellectual property law and professional duties of confidentiality.

AI literacy is also a legal obligation

The EU AI Act requires providers and deployers of AI systems to take measures to ensure that the people using those systems on their behalf have a sufficient level of AI literacy.

This does not necessarily mean turning every member of staff into a technical expert.

It means ensuring that employees understand, according to their roles:

  • which AI tools they are permitted to use;
  • what information they must not enter;
  • the limitations of the system;
  • when AI-generated output must be reviewed;
  • what risks may arise;
  • and when human intervention is required.

Allowing employees to use AI without any training, policy or supervision may expose a business to unnecessary legal and operational risks.

What should an SME do now?

The first step is not to prohibit artificial intelligence.

It is to understand how AI is actually being used within the organisation.

Many businesses believe that they do not use AI in any significant way, while their employees may already be using it to summarise documents, draft emails, review CVs, prepare quotations, generate images or respond to client enquiries.

An initial review should include the following measures.

1. Identify the AI tools being used

The business should know which artificial intelligence systems are used by its employees, collaborators and external service providers.

2. Determine how they are being used

Using AI to improve the wording of a document does not create the same level of risk as using it to select employees or decide whether a customer should receive a service.

3. Assess the level of risk

The business should determine whether the system falls within a prohibited practice, a high-risk system, a system subject to transparency duties or a lower-risk use.

4. Review the information entered into the system

It is important to determine whether employees are entering personal data, confidential information, trade secrets or client documents into AI tools.

5. Establish human oversight

AI-generated outputs should not be accepted automatically, particularly where they may have legal, financial or personal consequences.

6. Train employees

Staff should receive clear and proportionate guidance on the authorised use of artificial intelligence.

7. Adopt an internal AI policy

An internal policy can establish which tools are authorised, for which purposes they may be used and which safeguards must be followed.

Compliance without preventing innovation

The EU Artificial Intelligence Act is not intended to prevent businesses from using this technology.

Its purpose is to promote artificial intelligence that is safe, transparent and respectful of fundamental rights.

For self-employed professionals and SMEs, compliance does not have to become a disproportionate burden. The measures adopted should reflect the size of the business, the nature of its activity and the actual risks created by the AI systems it uses.

However, ignoring the legislation or assuming that a practice must be acceptable because “everyone is using AI” may lead to legal, reputational and financial consequences.

The best form of prevention is to review current AI use, identify the risks and establish clear internal rules before a problem arises.

How can Bennet & Rey help?

Bennet & Rey offers a legal AI compliance assessment and internal policy service for SMEs and professional firms.

The service may include:

  • identifying the AI tools currently used within the business;
  • analysing their purposes and legal risks;
  • reviewing the use of personal data and confidential information;
  • classifying AI systems according to their level of risk;
  • preparing an internal AI use policy;
  • establishing human oversight procedures;
  • drafting clauses for employees, collaborators and suppliers;
  • and recommending appropriate AI literacy and training measures.

The objective is not to prevent a business from using artificial intelligence, but to help it use AI safely, proportionately and in a way that reflects its actual activities.

Every organisation uses artificial intelligence differently. The first step should therefore be an individual assessment to determine which measures are genuinely necessary.

Does your business use artificial intelligence, and are you unsure whether it complies with the new rules?

Contact Bennet & Rey to request an AI compliance assessment.

Is your company ready for the European Artificial Intelligence Regulation?

Written by Margaret on . Posted in Artificial Intelligence, Business, Digital Law.

Artificial intelligence is no longer a future issue. It is already present in many areas of business life: emails, chatbots, customer service, data analysis, recruitment tools, marketing, translations, image generation and internal productivity systems.

However, from 2 August 2026, the use of artificial intelligence in the European Union will enter a new regulatory phase.

The European Artificial Intelligence Regulation, also known as the EU AI Act, will become fully applicable, subject to certain exceptions and a gradual implementation calendar. Its aim is not to prohibit artificial intelligence, but to ensure that it is used safely, transparently and in a way that respects fundamental rights.

The question many companies should now be asking is not simply whether they use artificial intelligence.

The real question is:

Do we know exactly which AI tools we are using, what we are using them for, and what legal risks they may involve?

What is the European Artificial Intelligence Regulation?

The European Artificial Intelligence Regulation is the first major EU law specifically designed to regulate the development, placing on the market and use of artificial intelligence systems.

Its approach is based on risk. Not all AI tools have the same impact, and not all of them require the same level of legal control.

Using an AI tool to help draft a general text is not the same as using an automated system to select candidates, assess a person’s creditworthiness, process biometric data or make decisions that may affect fundamental rights.

For this reason, the Regulation distinguishes between different levels of risk:

✔️Unacceptable risk: AI systems that are prohibited.

✔️High risk: AI systems that may affect safety, employment, education, migration, access to essential services, critical infrastructure or fundamental rights.

✔️Limited risk: systems mainly subject to transparency obligations.

✔️Minimal risk: everyday uses with a lighter regulatory burden.

Why should companies pay attention?

Many businesses assume that the EU AI Act only applies to large technology companies or to businesses that develop artificial intelligence systems.

That assumption may be risky.

The Regulation can also affect companies that use AI systems in their daily activity, even if they did not create those systems themselves.

For example, a company may be using AI for:

  • recruitment or HR processes;
  • customer service;
  • data analysis;
  • content generation;
  • marketing;
  • client scoring or profiling;
  • document management;
  • productivity tools;
  • translations or contract reviews;
  • automation of internal decisions.

The legal issue is not just the use of AI. The real issue is using it without knowing exactly which tool is being used, what data is being entered, who has access to that information, what decisions are being automated and what impact this may have on clients, employees or third parties.

What obligations may apply?

The obligations will depend on the type of AI system, the role of the company and the level of risk involved.

A company that develops an AI system will not have the same obligations as a company that simply uses one. Likewise, using AI to draft an internal note is not the same as using AI to make decisions that affect individuals.

Depending on the case, companies may need to:

  • identify which AI systems are being used;
  • classify the level of risk;
  • inform individuals when they are interacting with AI;
  • ensure human oversight;
  • keep appropriate documentation;
  • review suppliers and contracts;
  • establish internal AI policies;
  • train staff on the responsible use of AI;
  • avoid prohibited AI practices;
  • protect personal and confidential data;
  • control the use of generative AI tools such as ChatGPT, Copilot and similar systems.

The Regulation also provides for significant sanctions. In the most serious cases, breaches involving prohibited AI practices may lead to fines of up to €35 million or 7% of the company’s total worldwide annual turnover, whichever is higher.

The common mistake: thinking “we are only testing it”

Many companies are currently in what seems to be an informal phase. They are testing tools, automating tasks, generating texts, analysing information or introducing AI assistants without a clear internal policy.

But from a legal point of view, “testing” does not always eliminate risk.

If personal data, confidential information, client documents, employee data or information affecting real decisions is being entered into an AI system, the company may already be creating legal exposure.

Artificial intelligence can be an excellent tool, but it must be used with judgement, traceability and care.

What should companies do before 2 August 2026?

There is no need for panic, but companies should start preparing in an organised way.

A first legal review should include:

1. AI tools inventory

Identify which AI tools are being used, who is using them and for what purpose.

2. Risk classification

Assess whether the use is low risk, limited risk or potentially high risk.

3. Data review

Check whether personal data, sensitive data, trade secrets or confidential information are being entered into AI systems.

4. Internal AI policy

Establish clear rules for employees, collaborators and management.

5. Supplier review

Review contractual terms, data protection clauses, confidentiality, server location and liability provisions.

6. Transparency

Assess when clients, users or employees must be informed that they are interacting with AI or that certain content has been generated by AI.

7. Training

Staff should know what they can and cannot do with AI tools.

AI yes, but responsibly

Artificial intelligence should not be seen as a threat in itself. Used properly, it can save time, improve processes and increase business productivity.

However, technological enthusiasm should not replace legal judgement.

The European Artificial Intelligence Regulation requires companies to move from improvisation to responsible management. It will no longer be enough to say “we use an AI tool”. Companies will need to understand and explain what they use, why they use it, what data is involved, what controls are in place and what safeguards apply.

Conclusion

2 August 2026 is a key date for the application of the European Artificial Intelligence Regulation.

Companies that already use AI should begin reviewing their processes now. The point is not to stop innovation, but to innovate with legal certainty.

At Bennet & Rey Abogados, we can help businesses review their use of artificial intelligence, identify legal risks and prepare an internal AI policy adapted to their needs.

Artificial intelligence can be a powerful ally. But only if it is used with judgement, transparency and responsibility.

Contact us at: [email protected]