AI Act Fines: The Article 99 Penalty Tiers Explained

Key Takeaway: EU AI Act fines under Article 99 reach €35 million or 7% of global annual turnover for the most serious violations — exceeding GDPR's €20M / 4% maximum. The fines are tiered by violation type, scale with company turnover, and apply to both providers and deployers of AI systems.

What Are AI Act Fines?

AI Act fines are the administrative penalties that EU member state authorities can impose on providers, deployers, importers, distributors, and authorized representatives of AI systems for violations of [link:/glossary/ai-act] obligations. The fines are defined in Article 99 of Regulation (EU) 2024/1689 and apply progressively, from 2 February 2025 (for prohibited practices under Article 5) through full applicability on 2 August 2026 for high-risk systems.

The Article 99 fine structure is intentionally GDPR-shaped — calibrated to ensure enforcement is meaningful for multinationals — but with a higher ceiling. The top tier of €35 million or 7% of global annual turnover (whichever is higher) exceeds the GDPR maximum of €20 million or 4%. For enterprises with global revenue above approximately €500 million, the percentage clause is the binding one, making AI Act exposure proportionate to corporate scale.

How AI Act Fines Are Structured

Article 99 defines three tiers based on the severity and category of violation:

Tier 1 — Prohibited practices (€35M / 7%): Violations of Article 5, which prohibits specific AI practices, including manipulative or deceptive techniques causing significant harm, exploitation of a person's vulnerabilities, social scoring by public authorities, certain real-time biometric identification in public spaces, predictive policing based solely on profiling, untargeted scraping of facial images for biometric databases, emotion inference in workplaces and educational institutions, and biometric categorization based on sensitive characteristics. The €35M ceiling is the highest in EU regulatory history for AI-related conduct.

Tier 2 — Non-conformity by providers and deployers (€15M / 3%): Violations of the substantive obligations on high-risk AI systems (Articles 8–15), transparency obligations (Article 50), or the obligations of providers (Article 16), authorized representatives (Article 22), importers (Article 23), distributors (Article 24), and deployers (Article 26). This is the tier most enterprises will encounter — failures in risk management, technical documentation, audit logging, or human oversight.

Tier 3 — Incorrect information to authorities (€7.5M / 1.5%): Supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities, including in response to a request, in registration submissions to the EU AI database, or during conformity assessment procedures. The deliberately lower tier reflects that the offense is procedural rather than substantive.

A separate provision in Article 101 covers fines for general-purpose AI model providers (€15M / 3%) for breaches of GPAI obligations under Articles 53–55.

The "whichever is higher" rule means small companies with low turnover face the absolute amounts (€35M, €15M, €7.5M), while large enterprises face the percentage clauses. For SMEs, Article 99(6) allows national authorities to consider proportionality — fines should not threaten the economic viability of small providers acting in good faith.

Why AI Act Fines Matter for Business

Procurement risk: Enterprise buyers are starting to demand contractual indemnification for AI Act fine exposure when procuring AI systems. Vendors that cannot demonstrate compliance lose deals — the fine risk is reframed as a procurement gate. The [link:/glossary/ai-conformity-assessment] file becomes a sales asset.

Boardroom visibility: A €35M fine on a single non-conformity event is a materiality threshold for most public companies. AI compliance has moved from middle-management oversight to board-level disclosure in many EU jurisdictions, with audit committees now receiving quarterly AI Act compliance briefings.

Insurance pricing: D&O insurance and cyber liability insurance increasingly differentiate pricing based on AI compliance maturity. Insurers ask whether the insured maintains structured technical documentation under Article 11, automatic logging under Article 12, and a quality management system aligned with ISO/IEC 42001:2024.

Cumulative exposure with GDPR: Article 99 fines do not replace GDPR fines. A violation that touches both regimes (for example, a [link:/glossary/high-risk-ai-systems] processing personal data without a lawful basis) can trigger both. For multinationals, the cumulative exposure can exceed €50M for a single incident.

How the Fines Are Imposed

National competent authorities under Article 70 — designated by each member state — impose Article 99 fines. In Italy, the AI Office italiano under the Ministero per le imprese coordinates with the Garante per la protezione dei dati personali on cases involving personal data. In Germany, the Bundesnetzagentur and the BfDI share competence. In France, CNIL and ARCOM coordinate. Cross-border cases involve coordination through the European AI Office under Article 64.

The procedure follows administrative due-process principles: the authority opens a formal investigation, requests documentation (Article 21 production rights), conducts on-site inspection if needed (Article 74), permits the entity to respond, and issues a reasoned decision. The decision is appealable to the relevant national court.

Aggravating and mitigating factors under Article 99(7) include: the nature, gravity, and duration of the infringement; the number of affected persons; the level of damage; whether the infringement was intentional or negligent; cooperation with the authority; remediation actions; previous infringements; and the financial benefit gained from the infringement. A documented [link:/glossary/ai-governance] program with active remediation is an explicit mitigating factor.

Related Concepts

  • AI Act — The full regulation defining the obligations whose violation triggers Article 99 fines.
  • AI Compliance — The operational discipline that prevents fine exposure through documented adherence to AI Act obligations.
  • AI Conformity Assessment — The procedural step whose proper completion forms the primary defense in Article 99 proceedings.
  • High-Risk AI Systems — The system category most exposed to Tier 2 fines under Article 99(4).
  • AI Audit — The activity that surfaces compliance gaps before they convert to enforcement risk.

Knowlee Perspective

Knowlee operationalizes AI Act compliance at the runtime level — every job declares its risk classification, data categories, and human-oversight requirements in the structured automation registry, and every execution is logged in the audit trail. This pattern produces Article 11 (technical documentation), Article 12 (records and logs), and Article 14 (human oversight) evidence as a runtime byproduct rather than a manual workflow — directly addressing the most common Tier 2 fine triggers. For the full picture, read the AI Act Fines Explained article and the AI Act Compliance Software Guide.