
Global AI Regulation Comparison 2026: Who Has Teeth

Surya Koritala
Last updated: June 1, 2026 12:19 am

Five regimes, five very different theories of deterrence. We compare the actual penalty math from Brussels to Beijing and ask which AI law can really make a company flinch.

Global AI regulation comparison 2026: which regime has teeth

In any honest comparison of global AI regulation in 2026, the European Union has the sharpest teeth on paper, with fines of up to EUR 35 million or 7% of global annual turnover. China, however, is the regime that bites fastest, because its 2026 Cybersecurity Law amendments let regulators impose severe fines immediately without the old warning step. Everyone else is somewhere in between, and the gaps are enormous.

Five major jurisdictions now have meaningful AI rules either in force or arriving in 2026: the EU, individual US states, China, South Korea, and Brazil. They do not agree on what to regulate, how to classify risk, or how hard to hit violators. The EU and Brazil tie penalties to revenue, so the punishment scales with company size. South Korea sets a flat cap so low that it functions more as a notice than a deterrent. The United States has no horizontal federal statute at all, yet Texas can levy daily penalties that compound into real money. China pairs a modest headline cap with the procedural change that matters most: speed.

The phrase to keep in mind throughout this comparison is ‘teeth versus reach.’ A high maximum fine has teeth. Extraterritorial application and fast, certain enforcement give a law reach. The regime you should fear is the one with both, and in 2026 no single jurisdiction maxes out every axis. That is exactly why multinational AI builders cannot pick one rulebook and ignore the rest.

How the five regimes structure penalties

The five regimes split into three penalty philosophies: revenue-percentage fines that scale with the company (EU and Brazil), flat administrative caps (South Korea), and consequence-tiered fixed amounts (China and US states). Understanding which bucket a law falls into tells you more than the headline number does.

The EU AI Act (Regulation 2024/1689) runs a three-tier system. Prohibited AI practices draw up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. High-risk and general-purpose AI non-compliance draws up to EUR 15 million or 3%. Supplying incorrect information to regulators draws up to EUR 7.5 million or 1.5%. The ‘whichever is higher’ rule for large firms is what makes the EU regime genuinely frightening for hyperscalers.

Brazil’s Bill 2338 also uses revenue, but inverts the logic for fairness: penalties are capped at R$50 million per infraction or 2% of revenue earned in Brazil, whichever is lower. That single word, ‘lower,’ transforms the law from a corporate death sentence into a calibrated cost of doing business. Brazil also classifies risk by potential harm to affected populations, a subject-based model, rather than by use case the way the EU does.

South Korea’s AI Basic Act takes the opposite approach with a flat ceiling of KRW 30 million, roughly USD 21,000, for failures such as not notifying users that AI is in use or not appointing a domestic representative. China’s amended Cybersecurity Law caps the most severe fines at RMB 10 million, about USD 1.4 million, while the synthetic-content labeling Measures are enforced through the broader content-governance apparatus. US states like Texas use fixed dollar ranges per violation with daily accrual, which we break down below.

Maximum AI penalty by regime, normalized

When you normalize the maximum penalties, the EU’s 7% of global turnover dwarfs every flat-cap regime by orders of magnitude, while South Korea’s roughly USD 21,000 ceiling sits at the very bottom of the comparison. The chart below puts the headline numbers on a comparable footing, but read it with care: percentages and flat caps are not the same kind of animal.

For a company with USD 50 billion in global revenue, the EU’s 7% tier translates to a theoretical USD 3.5 billion exposure. Brazil’s 2% of Brazilian revenue, applied to a far smaller local figure and capped at R$50 million, might land in the low single-digit millions of dollars. South Korea’s flat KRW 30 million is fixed no matter how large the violator. China’s RMB 10 million cap is similarly fixed. The US has no national ceiling at all, so exposure depends entirely on which states you operate in and how many violations stack up.

This is the central insight of the comparison: a flat cap is regressive. It punishes a startup and a trillion-dollar platform identically, which means it barely registers for the companies most capable of large-scale harm. Revenue-linked fines, by contrast, are progressive and therefore far more credible as a deterrent against the biggest players. The EU and Brazil understood this; Korea, for now, did not.

Maximum AI penalty by regime, 2026
EU exposure modeled at a USD 50B global-revenue firm (7% tier). Brazil shown at its R$50M absolute cap converted to USD. China and Korea are fixed statutory ceilings. The US is omitted because it has no national cap.

The EU bar is a percentage applied to a hypothetical USD 50B revenue base, so it moves with company size. The other three bars are fixed statutory ceilings that do not change no matter how large the violator. Comparing a percentage to a flat cap is the whole point, and the whole trap, of any cross-border AI penalty analysis.

The enforcement timeline: who is live and who is still loading

  • Sept 1, 2025: China synthetic-content labeling live. Explicit + implicit labels, already enforced.
  • Jan 1, 2026: US state laws + China CSL effective. California SB 53, Texas TRAIGA, RMB 10M cap.
  • Jan 22, 2026: South Korea AI Basic Act in force. 1-year grace before fines.
  • Aug 2, 2026: EU high-risk obligations enforceable. The most demanding deadline of the year.

By enforcement date, China moved first with synthetic-content labeling on September 1, 2025, followed by US state laws and South Korea’s AI Basic Act in January 2026, with the EU’s high-risk obligations becoming the marquee deadline on August 2, 2026. A law’s passage date is marketing; its enforcement date is when your legal team actually wakes up.

China’s Measures for Labeling of AI-Generated Synthetic Content took effect September 1, 2025, requiring both explicit visible labels and implicit metadata labels on AI text, images, audio, video, and virtual scenes. Enforcement has not been theoretical: multiple mobile apps were penalized in late 2025 for missing labels and metadata. Then on January 1, 2026, the amended Cybersecurity Law entered force, raising the top fine to RMB 10 million and, critically, removing the strict requirement for an initial warning before fines for certain failures.

January 2026 was a pivotal month elsewhere too. US state laws including California’s Transparency in Frontier Artificial Intelligence Act (SB 53) and the Texas Responsible Artificial Intelligence Governance Act (HB 149) took effect January 1. South Korea’s AI Basic Act entered force on January 22, 2026, though the Ministry of Science and ICT granted a one-year grace period before administrative fines actually apply, pushing real penalty exposure into 2027.

The EU’s calendar is the one most builders have circled. Prohibited practices have carried penalties since February 2025. General-purpose AI model rules are already live. But the operationally demanding wave, the high-risk system obligations covering risk management, data governance, technical documentation, transparency, and cybersecurity, becomes enforceable August 2, 2026. Brazil is the outlier with no firm enforcement date: Bill 2338 passed the Senate and remains under review in the Chamber of Deputies, so its 2% penalties are a forecast, not a live wire.

The United States: no federal law, but plenty of teeth at the state level

The US has no horizontal federal AI statute as of mid-2026, but that absence is misleading: Texas can fine uncurable AI violations up to USD 200,000 each plus USD 2,000 to USD 40,000 for every day they continue, and California’s frontier-model transparency law is live. The federal government is actively trying to shrink this state patchwork, which adds a layer of legal uncertainty on top of the rules themselves.

On December 11, 2025, the President signed Executive Order 14365, ‘Ensuring a National Policy Framework for Artificial Intelligence.’ It directed the Attorney General to stand up an AI Litigation Task Force within 30 days, charged with challenging state AI laws seen as inconsistent with federal policy. The Department of Justice launched that task force in late December 2025. Its explicit target list includes California’s SB 53, which forces the largest model developers to publish risk assessments.

Texas’s TRAIGA is the state law with the most concrete bite. Enforced exclusively by the Texas Attorney General, with no private right of action, it carries civil penalties of up to USD 12,000 for curable violations and up to USD 200,000 for uncurable ones, with daily fines of USD 2,000 to USD 40,000 for each day a violation continues. A 60-day cure period softens the edge, but a willful, uncured violation can compound quickly. Colorado’s AI Act, with a June 30, 2026 effective date, is the next domino watched closely by compliance teams.

The net effect is a uniquely American paradox: the country with the most AI capital and the most frontier labs has the least unified rulebook, and its own executive branch is litigating to keep it that way. For a builder, that means tracking individual state statutes and the federal challenges to them simultaneously, a moving target no other regime imposes.

Teeth versus reach: how the regimes actually rank

Ranked by real-world deterrent power rather than headline numbers, the EU leads on teeth, China leads on speed and certainty of enforcement, the US leads on unpredictability, and South Korea and Brazil trail because of low caps and unsettled timelines respectively. The table below scores each regime on the four axes that determine whether a law changes corporate behavior.

Maximum penalty alone is a poor proxy for deterrence. A 7% turnover fine is meaningless if a regulator never issues one; a USD 21,000 cap is irrelevant to a company that would happily pay it as a cost of operations. What actually moves behavior is the product of four factors: how large the penalty can be, how certain enforcement is, how fast it lands, and how far the law reaches across borders.

China scores highest on certainty and speed precisely because of the 2026 procedural change. Removing the warning-first step means a violation can convert to a fine in one move, and the labeling Measures have a track record of actual enforcement against apps. The EU scores highest on raw penalty size and has strong extraterritorial reach, but its enforcement machinery is newer and slower-moving. South Korea’s extraterritorial reach is real, but its flat cap and one-year grace period blunt the deterrent until 2027.

Pros
  • Revenue-linked fines (EU 7%, Brazil 2%) scale with company size, so they stay credible against trillion-dollar platforms
  • Percentage models discourage the biggest, highest-capacity actors from treating fines as a line-item cost
  • Brazil’s ‘whichever is lower’ twist protects startups from existential penalties while still scaling for giants
  • EU’s ‘whichever is higher’ twist maximizes deterrence at the top of the market
Cons
  • Flat caps (Korea KRW 30M, China RMB 10M) are regressive and barely register for large violators
  • Percentage fines create budgeting uncertainty and can feel disproportionate for a single technical lapse
  • Cross-border firms must model both a global-turnover base (EU) and a local-revenue base (Brazil) at once
  • Flat-cap regimes can still bite via non-monetary tools like service suspension and corrective orders
| Regime | Max penalty | Risk model | Extraterritorial | Speed to fine | Live now? |
|---|---|---|---|---|---|
| EU (AI Act) | EUR 35M / 7% global turnover | Use-case tiers | Yes | Slower, new machinery | Partial; high-risk Aug 2 2026 |
| China (CSL + labeling) | RMB 10M (~USD 1.4M) | Content + security | Broadened 2026 | Immediate (no warning) | Yes |
| US states (TX/CA) | Up to USD 200K + USD 40K/day | Prohibited practices / transparency | Varies by state | Cure period, then daily accrual | Yes (Jan 1 2026) |
| South Korea | KRW 30M (~USD 21K) | High-impact / generative | Yes | 1-year grace to 2027 | In force, fines deferred |
| Brazil (Bill 2338) | R$50M / 2% Brazil revenue | Subject-based (harm to people) | Pending text | Not yet enforceable | No; in Chamber of Deputies |
Four-axis scorecard of major AI regimes, 2026 (qualitative, based on cited statutes)

What multinational AI builders should actually do

The practical move for any company shipping AI across borders is to engineer for the strictest regime you touch, label and log everything by default, and treat the EU’s August 2, 2026 high-risk deadline and China’s already-live labeling rules as your two hard constraints. Compliance built to those two standards generally satisfies Korea and Brazil automatically.

Start with provenance and labeling, because China already enforces it and the EU and US states are converging on transparency. If your generative outputs carry both visible labels and metadata watermarks from day one, you have pre-cleared China’s Measures and most US transparency requirements simultaneously. This is the lowest-effort, highest-coverage control available in 2026.

Next, stand up the documentation spine the EU high-risk regime demands: risk-management records, data-governance logs, technical documentation, and audit trails. These artifacts are not EU-specific in spirit; they are exactly what a Brazilian ANPD investigation or a Texas Attorney General inquiry would request. Build them once, reuse them everywhere. Appoint local representatives where required, notably South Korea, since failing to do so is one of the few things that actually triggers Korea’s otherwise modest fine.

Finally, track enforcement dates, not press releases. A law with a one-year grace period or one still in committee is a planning horizon, not an emergency. Put the EU’s August 2, 2026 date and China’s live labeling enforcement at the top of your risk register, and revisit Brazil only when Bill 2338 clears the Chamber of Deputies and gets a real effective date.

Why label everything even if you do not sell in China

China’s labeling Measures are the most prescriptive and the most actively enforced AI-content rules in the world as of 2026, and the EU plus several US states are moving toward transparency mandates. Building explicit visible labels and implicit metadata labels into your generation pipeline once means you satisfy the strictest current standard and are positioned for the rest. It is cheaper than retrofitting later.

Why the EU high-risk documentation doubles as global insurance

Risk-management files, data-governance logs, technical documentation, and audit trails are mandated by the EU AI Act for high-risk systems from August 2, 2026. But these same artifacts are what any regulator, Brazilian, Korean, or American, would demand in an investigation. Producing them for Brussels means you already have the evidence file every other regime would ask for.

The verdict: teeth, reach, and the regime to watch

EU has the teeth, China has the speed, and you must comply with both

The EU’s 7%-of-global-turnover ceiling is the largest credible penalty in the world, but China’s 2026 removal of the warning-first step plus its actively enforced synthetic-content labeling make it the regime most likely to fine you quickly. South Korea’s flat cap and Brazil’s pending status mean neither yet changes behavior at scale, and the US offers real state-level daily penalties wrapped in federal-versus-state legal uncertainty. Engineer for the strictest regime you touch, label and log by default, and circle August 2, 2026.

In the final 2026 reckoning, the EU AI Act has the most teeth by penalty size, China has the most teeth in practice because it can fine immediately and already enforces its labeling rules, and the smart compliance posture is to build for both at once. No single regime dominates every axis, which is precisely why a one-rulebook strategy fails for any company operating across the EU, US, China, Korea, and Brazil.

South Korea’s law is historically significant as one of the first comprehensive national AI frameworks, but its KRW 30 million cap and one-year grace period mean it will not change behavior until 2027 at the earliest. Brazil’s Bill 2338 has a thoughtful, progressive penalty structure, but it remains a bill, not a law, so its 2% exposure is a forecast. The US is the wild card: no federal ceiling, real state-level penalties that accrue daily, and an executive branch actively litigating against its own states.

If you build AI products and want one number to anchor your 2026 planning, make it August 2, 2026, the EU high-risk enforcement date. If you want one fact to anchor your operations, make it China’s already-live, already-enforced labeling regime. Satisfy those two, document everything, and the rest of the global patchwork becomes a tracking exercise rather than an existential threat.

Builder’s take

I run two AI products, Cyntr and Loomfeed, and I read these statutes the way an engineer reads a rate-limit header: what is the actual number, when does it fire, and who is on the other end of the request. After mapping all five regimes side by side, here is what I would tell another founder.

  • Turnover-percentage fines are the only deterrent that scales with you. The EU’s 7% and Brazil’s 2% grow as you grow; a flat KRW 30M cap is a rounding error for anyone past seed stage.
  • The scariest regime in 2026 is not the one with the biggest headline number; it is China, because the 2026 amendments let regulators skip the warning and fine immediately, and the synthetic-content labeling rules are already being enforced against apps.
  • Do not over-index on the US ‘no federal law’ story. A single uncurable TRAIGA violation in Texas can accrue at up to USD 40,000 per day, and California’s SB 53 is live regardless of the federal task force fighting it.
  • Build for the strictest regime you touch and inherit compliance everywhere else. If your labeling, logging, and transparency satisfy Brussels and Beijing simultaneously, Seoul and Brasilia are basically free.
  • Watch the enforcement date, not the passage date. A law on the books with a one-year grace period (Korea) or stuck in committee (Brazil) is a planning signal, not a live threat. The EU’s August 2, 2026 high-risk deadline is the one I have circled.

Frequently asked questions

Which AI regulation has the highest maximum fine in 2026?

The European Union’s AI Act has the highest maximum penalty, reaching up to EUR 35 million or 7% of a company’s total worldwide annual turnover, whichever is higher, for prohibited AI practices under Regulation 2024/1689. For a large multinational, the 7% figure can dwarf the EUR 35 million floor and run into billions of dollars of theoretical exposure.

When do the EU AI Act high-risk obligations become enforceable?

The EU AI Act’s high-risk system obligations become enforceable on August 2, 2026. This is the most operationally demanding deadline in the Act’s rollout, covering risk management, data governance, technical documentation, transparency, and cybersecurity requirements. Prohibited-practice penalties have applied since February 2025, and general-purpose AI model rules are already live.

How much can South Korea fine companies under the AI Basic Act?

South Korea’s AI Basic Act caps administrative fines at KRW 30 million, roughly USD 21,000, for failures such as not notifying users that AI is in use, not appointing a domestic representative, or refusing inspections. The law took effect January 22, 2026 and applies extraterritorially, but the Ministry of Science and ICT granted a one-year grace period before fines are actually imposed.

Does the United States have a federal AI law in 2026?

No. As of mid-2026 the US has no horizontal federal AI statute. Executive Order 14365, signed December 11, 2025, created an AI Litigation Task Force to challenge state AI laws. Meanwhile state laws are live, including California’s Transparency in Frontier Artificial Intelligence Act and the Texas Responsible AI Governance Act, both effective January 1, 2026.

What changed in China’s AI enforcement for 2026?

Two things. China’s Measures for Labeling of AI-Generated Synthetic Content took effect September 1, 2025, requiring explicit and implicit labels on AI content. Then the amended Cybersecurity Law, effective January 1, 2026, raised the top fine to RMB 10 million and removed the strict requirement for an initial warning before fines for certain failures, allowing regulators to penalize immediately.

How does Brazil’s Bill 2338 penalty structure differ from the EU’s?

Brazil’s Bill 2338 caps penalties at R$50 million per infraction or 2% of revenue earned in Brazil, whichever is lower, protecting smaller firms from existential fines. The EU AI Act uses 7% of global turnover, whichever is higher. Brazil also classifies risk by potential harm to affected populations (subject-based) rather than by use case. Bill 2338 is still under review in the Chamber of Deputies and not yet enforceable.

Primary sources

  • Article 99: Penalties — EU Artificial Intelligence Act
  • Penalties of the EU AI Act: The High Cost of Non-Compliance — Holistic AI
  • South Korea’s AI Basic Act: Overview and Key Takeaways — Cooley
  • Brazil AI Bill 2338: Compliance Guide & Tools — FairNow
  • State AI laws under federal scrutiny: Key takeaways from the executive order — White & Case
  • The Texas Responsible AI Governance Act — Norton Rose Fulbright
  • China Finalises Amendments to the Cybersecurity Law — Mayer Brown
  • China’s AI-Labeling Measures and Mandatory National Standards Take Effect September 1 — Loeb & Loeb
