Independent and vendor-neutral. Every figure on this site is either a source-cited published statistic or a reader-controlled bounded calculation. No vendor averages presented as fact.

ShadowITCost

Last verified April 2026

Category 3: Compliance exposure

Compliance Fine Exposure: GDPR, HIPAA, PCI DSS, EU AI Act

Framework-by-framework penalty ranges, cited from official primary sources. The caps are statutory upper bounds, not expected fines; the calculation multiplies the cap by your disclosed enforcement probability assumption.

How to read this page

Each framework below has a statutory or contractual penalty ceiling (cited from the official source) and an explanation of how shadow IT specifically creates exposure under that framework. The numbers are caps, not expected fines. Combine with your subjective enforcement probability to produce an expected-value exposure figure, as in the interactive estimator.

GDPR (EU General Data Protection Regulation)

GDPR Art 83

EU General Data Protection Regulation, Article 83 (Penalties) (2018)

Measures: Maximum administrative fines under GDPR: up to 10 million euros or 2 percent of worldwide annual turnover (lower band), up to 20 million euros or 4 percent of worldwide annual turnover (upper band), whichever is higher.

Methodology: Statutory text. Penalty levels are statutory caps, not typical fine values. Actual fines vary by case and jurisdiction.

Trust: Official regulatory or statutory source

https://gdpr-info.eu/art-83-gdpr/

Article 83 sets two tiers of administrative fines. Lower tier (Art 83(4)): up to 10 million euros or, for an undertaking, 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher; this tier covers controller and processor obligations such as records of processing, security of processing, breach notification, data protection impact assessments and DPO appointment. Upper tier (Art 83(5)): up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, for the more serious violations: the basic principles for processing (including lawful basis and the conditions for consent), data subject rights, transfers to third countries, and failure to comply with a supervisory authority order.

How shadow IT creates exposure: personal data of EU data subjects ending up in unapproved apps without a documented lawful basis, without a data protection impact assessment where required, without appropriate organizational and technical safeguards, or with transfers outside the EU that lack an adequacy decision or Standard Contractual Clauses. Shadow AI compounds this when personal data is processed by AI tools without a lawful basis.

Source: gdpr-info.eu/art-83-gdpr/ (a convenience reproduction of the text; the primary source is Regulation (EU) 2016/679 in the Official Journal, https://eur-lex.europa.eu/eli/reg/2016/679/oj)

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA CMP

HHS HIPAA Civil Money Penalty tiers (45 CFR 160.404, as adjusted annually) (2024)

Measures: Civil money penalty tiers for HIPAA violations, ranging from approximately 137 dollars per violation (no knowledge tier, minimum) to over 2 million dollars annual cap (wilful neglect, not corrected).

Methodology: Statutory penalty tiers adjusted annually for inflation by HHS. Penalty per violation cap and annual cap are statutory; actual fines depend on Office for Civil Rights enforcement decisions.

Trust: Official regulatory or statutory source

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html

Civil money penalty tiers under 45 CFR 160.404, adjusted annually for inflation (the current amounts are published in the table at 45 CFR 102.3, so check it before quoting a figure). 2024 figures (rounded): per-violation amounts run from a tier 1 (no knowledge) minimum of approximately $137 to a per-violation maximum of approximately $68,928 for the three lower tiers, which is also the per-violation minimum at the wilful-neglect, not-corrected tier; the annual cap for violations of an identical provision within a calendar year is approximately $2.134 million. Since its April 2019 Notification of Enforcement Discretion, HHS has applied substantially lower annual caps to the three lower tiers, so the $2.134 million ceiling is the wilful-neglect, not-corrected figure, not the ceiling for inadvertent violations. Criminal penalties under 42 USC 1320d-6 add fines and imprisonment for knowingly obtaining or disclosing individually identifiable health information, with the heaviest tier reserved for offenses committed for commercial advantage, personal gain or malicious harm.

How shadow IT creates exposure: protected health information transmitted to or stored in apps whose vendor has not signed a business associate agreement (BAA), which makes the vendor an unauthorised recipient rather than a business associate. Shadow AI specifically: entering PHI into an unapproved AI tool is an impermissible disclosure at the moment of entry, regardless of what the tool later does with the data. How violations are counted is at the Office for Civil Rights' discretion; each affected individual or each day of non-compliance can be treated as a separate violation, which is how a small incident reaches the annual cap.

Source: hhs.gov/hipaa compliance enforcement

PCI DSS (Payment Card Industry Data Security Standard)

PCI SSC

PCI Security Standards Council, PCI DSS v4.0 (2022), superseded by v4.0.1 (2024)

Measures: Payment card industry data security standard. Penalty exposure flows from card brand contracts, not from the standard itself.

Methodology: Industry standard published by the PCI Security Standards Council. Card brand fines (Visa, Mastercard, etc.) typically reported in trade press as ranging from approximately 5,000 to 100,000 dollars per month for non-compliance, with higher post-breach assessments. Specific values are contractual and not published officially.

Trust: Official standards-body source (the PCI SSC is an industry body, not a regulator)

https://www.pcisecuritystandards.org/

PCI DSS v4.0 (v4.0.1 since June 2024, with v4.0 retired at the end of 2024) is an industry standard, not a regulation. Exposure flows from card brand contractual assessments against acquirers, which typically cascade to merchants through the merchant agreement, together with the acquirer's contractual right to raise fees or terminate card processing. Non-compliance penalties are commonly reported in the trade press as monthly assessments in the $5,000 to $100,000 range depending on merchant level and card brand, with higher post-breach assessments (forensic investigation cost, card reissuance cost, fines per compromised card). Exact values are contractual and not published officially, so treat the range as an assumption you disclose, not a cited cap.

How shadow IT creates exposure: cardholder data flowing through apps that are outside the validated cardholder data environment, segmentation boundaries silently crossed by shadow apps that touch cardholder data, and unauthorized processors handling cardholder data without the contractual and technical controls the standard requires of service providers. Shadow SaaS used by customer-facing teams (support, sales) that paste card details into ticketing, chat or AI tools is a common finding.

Source: pcisecuritystandards.org

EU AI Act (Regulation (EU) 2024/1689)

EU AI Act

EU Artificial Intelligence Act (Regulation (EU) 2024/1689), penalty articles (2024)

Measures: Statutory penalty caps for AI Act violations: up to 35 million euros or 7 percent of worldwide annual turnover for prohibited AI practices, lower bands for other violations.

Methodology: Statutory text published in the Official Journal of the EU. Caps are statutory maxima, not typical fines.

Trust: Official regulatory or statutory source

https://eur-lex.europa.eu/eli/reg/2024/1689/oj

Penalty tiers under Article 99. Prohibited AI practices (Article 5): up to 35 million euros or 7 percent of total worldwide annual turnover of the preceding financial year, whichever is higher. Non-compliance with other operator obligations, including those of providers and deployers of high-risk AI: up to 15 million euros or 3 percent, whichever is higher; fines on providers of general-purpose AI models are imposed by the Commission under Article 101 at the same 15 million euro or 3 percent level. Supplying incorrect, incomplete or misleading information to authorities: up to 7.5 million euros or 1 percent, whichever is higher. For SMEs and start-ups each cap is the lower of the two amounts (Article 99(6)). Application is phased: prohibited practices and the AI literacy obligation from 2 February 2025; governance rules and general-purpose AI model obligations from 2 August 2025; most remaining obligations, including Annex III high-risk systems, from 2 August 2026; high-risk systems that are safety components of products covered by Annex I harmonisation legislation from 2 August 2027.

How shadow AI creates exposure: high-risk AI applications (employment and worker-management decisions, creditworthiness, access to essential public services, biometric categorisation of workers) deployed through shadow channels without the documentation the Act requires of providers and deployers (risk management system, data governance, quality management system, human oversight, deployer instructions and logging). Note the boundary: emotion recognition in the workplace or in education is a prohibited practice under Article 5, not a high-risk use, and sits in the top penalty tier. Non-EU organizations are in scope when the output produced by the system is used in the EU (Article 2(1)(c)).

Source: eur-lex.europa.eu regulation 2024/1689

SOC 2 and ISO 27001 (attestation and certification)

AICPA TSC

AICPA Trust Services Criteria (SOC 2) (2017/2022)

Measures: Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 is an attestation, not a regulatory regime, so there are no statutory fines.

Methodology: Attestation framework. Cost exposure flows from auditor findings, customer contract impact, and remediation cost rather than statutory fines.

Trust: Official standards-body source (the AICPA is a professional body, not a regulator)

https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2

ISO 27001

ISO/IEC 27001:2022 Information Security Management Systems (2022)

Measures: Standard for information security management systems. Certification standard, not a regulatory regime; no statutory fines.

Methodology: Voluntary international standard. Cost exposure flows from certification cost, audit findings, and customer contract impact rather than statutory fines.

Trust: Official standards-body source (ISO is a standards organisation, not a regulator)

https://www.iso.org/standard/27001

Neither is a regulatory regime; there are no statutory fines. Exposure flows through other mechanisms: auditor findings extending the audit timeline or forcing a qualified opinion, SaaS vendor or enterprise customer relationships requiring clean attestations (renewal friction, SLA credits, delayed deals), remediation cost for discovered gaps, and competitive positioning in sales processes that demand attestation evidence.

How shadow IT creates exposure: control gaps surfaced during audit (access controls, change management, asset inventory, vendor management) because shadow apps were not covered by documented controls. In enterprise-sales contexts, a single material exception can delay a renewal by months or cost seven-figure deals.

Sources: AICPA Trust Services Criteria, ISO/IEC 27001

Summary table of caps

Framework                        | Upper cap          | Alternative measure                                            | Source
GDPR Art 83 upper tier           | EUR 20M            | or 4% worldwide annual turnover, whichever is higher           | Statutory (EU)
GDPR Art 83 lower tier           | EUR 10M            | or 2% worldwide annual turnover, whichever is higher           | Statutory (EU)
HIPAA wilful-neglect annual cap  | ~$2.13M            | per identical provision per calendar year, inflation-adjusted  | 45 CFR 160.404
PCI non-compliance monthly       | ~$5K - $100K       | per trade-press reports; contractual, not published            | PCI SSC / card brands
EU AI Act prohibited practices   | EUR 35M            | or 7% worldwide annual turnover, whichever is higher           | Reg (EU) 2024/1689
EU AI Act high-risk AI           | EUR 15M            | or 3% worldwide annual turnover, whichever is higher           | Reg (EU) 2024/1689
SOC 2 / ISO 27001                | No statutory fine  | Contract / renewal impact                                      | AICPA / ISO

The percentage alternatives apply to undertakings; under the EU AI Act the cap for SMEs and start-ups is the lower of the two figures. The table mixes EUR and USD, so convert to one currency before summing rows.

Frequently asked questions

Do the penalty caps represent what my organization will actually pay?
No. The caps cited above are statutory or contractual maxima. Actual fines depend on the enforcement agency's discretion, the regulator's view of good-faith compliance effort, aggravating or mitigating factors, and the specific facts of the violation. The caps establish an upper-bound exposure figure; multiply by your subjective probability of enforcement for an expected-value treatment in your exposure estimate.
Is shadow IT illegal?
Not illegal per se in any major jurisdiction. Shadow IT becomes a compliance violation when it causes a specific obligation to be breached: personal data processed without a lawful basis under GDPR, protected health information disclosed to a vendor without a business associate agreement under HIPAA, cardholder data leaving the validated environment under PCI DSS, a prohibited or high-risk AI application deployed without the required governance documentation under the EU AI Act. The underlying activity (using a tool IT did not approve) is not unlawful; the data protection or access control consequence can be.
How do I estimate enforcement probability?
This is a subjective input you disclose as an assumption, not a measured quantity. Typical defensible annual ranges: under GDPR, 0.5 to 5 percent for organizations with a typical compliance posture; higher for organizations with an enforcement history, processing special categories of data at scale, or operating in sectors under active regulator focus. Under HIPAA, 0.5 to 3 percent for covered entities and business associates with typical posture. Under PCI DSS, the probability scales with acquirer audit cadence and breach history rather than regulator action. Under the EU AI Act, enforcement is still developing; any specific number is a forward-looking assumption and should be labelled as one.
What does a defensible compliance exposure calculation look like?
For each in-scope framework: penalty cap (cited from the official source, with the "whichever is higher" rule applied to your turnover where the framework has a percentage alternative) x subjective annual enforcement probability (labelled as an assumption) x subjective severity multiplier if applicable. Convert each product into one reporting currency, then sum across in-scope frameworks. Present the low, expected and high figures, where the width of the range reflects the enforcement probability range you considered defensible. The /measure-your-exposure estimator computes this across GDPR, HIPAA, PCI DSS, EU AI Act and SOC 2 with your inputs.
Should I include SOC 2 and ISO 27001 in this category?
Yes, with a caveat. Neither is a regulatory regime, so there are no statutory fines. Exposure flows from auditor findings, customer contract impact (SLA credits, renewal friction, delayed deals), remediation cost and competitive positioning. Treat them as opportunity-cost exposure rather than fine exposure, but include them in the category for completeness because the exposure is real and the magnitude is often significant in enterprise-sales contexts.
How does shadow AI fit here?
Shadow AI creates exposure under the EU AI Act when high-risk AI applications are deployed without the governance documentation the Act requires (Article 9 risk management system, Article 10 data governance, Article 14 human oversight, Article 17 quality management system). Prohibited AI practices under Article 5 (for example biometric categorisation that infers race, political opinions, trade union membership, religious belief or sexual orientation; social scoring; emotion recognition in the workplace or in education) carry the highest penalty tier. Non-EU organizations are in scope where the AI output is used in the EU. Enforcement timelines are phased; keep the assumption honest about the fact that the regulation is new.
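The expected-value calculation described under "How to read this page" and in the FAQ entry on a defensible exposure calculation, as an added worked example. This is not the site's /measure-your-exposure estimator and not code from the page. It applies the "whichever is higher" rule to the turnover-based caps, annualises the monthly PCI assessment, converts every cap into one base currency before summing (the summary table mixes EUR and USD, and a sum must not do that silently), and derives the low/expected/high bands purely from the probability range. The cap figures are the ones cited on this page; turnover, FX rates, probabilities, severity multipliers and the 12-month non-compliance period are reader-supplied assumptions, and the values in demo() are constructed for illustration only. SOC 2 and ISO 27001 are left out because they carry no statutory cap.

```python
"""Expected-value compliance exposure across frameworks.

Added example, not the ShadowITCost estimator. The ceilings are the statutory
or contractual caps cited on this page; turnover, enforcement probabilities,
severity multipliers, months of non-compliance and FX rates are reader-supplied
assumptions and are labelled as such below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cap:
    name: str
    fixed: float           # fixed ceiling, in `currency`
    pct_turnover: float    # turnover-based alternative (0.0 if the framework has none)
    currency: str
    monthly: bool = False  # True for PCI-style monthly contractual assessments


# Ceilings cited on this page. HIPAA uses the wilful-neglect annual cap (2024,
# rounded); PCI uses the upper end of the trade-press monthly range; SOC 2 and
# ISO 27001 carry no statutory fine and are deliberately left out of this table.
CAPS = {
    "GDPR upper tier": Cap("GDPR upper tier", 20_000_000, 0.04, "EUR"),
    "GDPR lower tier": Cap("GDPR lower tier", 10_000_000, 0.02, "EUR"),
    "HIPAA wilful neglect": Cap("HIPAA wilful neglect", 2_134_000, 0.0, "USD"),
    "PCI non-compliance": Cap("PCI non-compliance", 100_000, 0.0, "USD", monthly=True),
    "EU AI Act prohibited": Cap("EU AI Act prohibited", 35_000_000, 0.07, "EUR"),
    "EU AI Act high-risk": Cap("EU AI Act high-risk", 15_000_000, 0.03, "EUR"),
}

BANDS = ("low", "expected", "high")


def ceiling(cap: Cap, turnover: float, fx: dict) -> float:
    """Upper-bound penalty in the base currency.

    Applies the 'whichever is higher' rule: the fixed amount (converted to the
    base currency via fx) versus the percentage of worldwide annual turnover
    (turnover is already expressed in the base currency). Frameworks without a
    turnover alternative have pct_turnover == 0.0, so only the fixed amount
    survives the max().
    """
    if turnover < 0:
        raise ValueError("turnover must be non-negative")
    return max(cap.fixed * fx[cap.currency], cap.pct_turnover * turnover)


def annual_ceiling(cap: Cap, turnover: float, fx: dict, months: int = 12) -> float:
    """Put monthly contractual assessments on the same annual footing as statutory caps."""
    c = ceiling(cap, turnover, fx)
    return c * months if cap.monthly else c


def expected_value(cap: Cap, turnover: float, fx: dict, probability: float,
                   severity: float = 1.0, months: int = 12) -> float:
    """cap x annual enforcement probability x severity multiplier, in base currency."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if severity < 0:
        raise ValueError("severity multiplier must be non-negative")
    return annual_ceiling(cap, turnover, fx, months) * probability * severity


def exposure_range(assumptions: dict, turnover: float, fx: dict, months: int = 12):
    """Sum expected values across in-scope frameworks for the low/expected/high bands.

    assumptions maps a CAPS key to (p_low, p_expected, p_high, severity). The
    width of the range comes only from the probability range you consider
    defensible, as the page describes; the caps themselves are fixed.
    """
    totals = dict.fromkeys(BANDS, 0.0)
    breakdown = {}
    for name, (p_low, p_exp, p_high, severity) in assumptions.items():
        if not p_low <= p_exp <= p_high:
            raise ValueError(f"{name}: probabilities must satisfy low <= expected <= high")
        cap = CAPS[name]
        row = {band: expected_value(cap, turnover, fx, p, severity, months)
               for band, p in zip(BANDS, (p_low, p_exp, p_high))}
        breakdown[name] = row
        for band in BANDS:
            totals[band] += row[band]
    return totals, breakdown


def demo():
    """Constructed scenario: every figure here is an assumption, not a measured value."""
    fx = {"EUR": 1.0, "USD": 0.90}           # assumed rates; base currency is EUR
    turnover = 1_000_000_000                  # assumed EUR 1bn worldwide annual turnover
    assumptions = {
        "GDPR upper tier": (0.005, 0.02, 0.05, 1.0),        # inside the page's 0.5-5% range
        "HIPAA wilful neglect": (0.005, 0.015, 0.03, 1.0),  # inside the page's 0.5-3% range
        "PCI non-compliance": (0.05, 0.10, 0.20, 1.0),      # assumed, acquirer-audit driven
    }
    return exposure_range(assumptions, turnover, fx)


if __name__ == "__main__":
    totals, breakdown = demo()
    for name, row in breakdown.items():
        print(f"{name:22s}" + "".join(f"{row[b]:>16,.0f}" for b in BANDS))
    print(f"{'TOTAL':22s}" + "".join(f"{totals[b]:>16,.0f}" for b in BANDS))
```

At EUR 1bn turnover the 4 percent alternative (EUR 40M) overtakes the EUR 20M fixed figure, which is the point of carrying turnover as an explicit input rather than quoting the fixed cap from the table. The low column is the low end of your assumption set, not a floor on liability.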