Three Penalty Tiers Under Art. 99
The EU AI Act establishes a tiered penalty system that scales with the severity of the violation. As under the GDPR, each penalty is calculated as the higher of a fixed amount or a percentage of global annual turnover.
Tier 1: Up to €35 Million or 7% of Turnover
The highest penalties apply to violations of the prohibited AI practices under Art. 5:
- Social scoring systems by public authorities
- Subliminal manipulation techniques
- Exploitation of vulnerable groups
- Real-time remote biometric identification in public spaces
- Biometric categorisation by sensitive attributes
- Untargeted facial image scraping
- Emotion recognition in workplaces and schools
Reference: Art. 99(3) EU AI Act
Tier 2: Up to €15 Million or 3% of Turnover
This tier covers most operational non-compliance, including:
- Failure to comply with high-risk AI system requirements (Art. 8–15)
- Missing or inadequate technical documentation (Art. 11, Annex IV)
- No Fundamental Rights Impact Assessment (Art. 27)
- Failure to register in the EU AI database (Art. 49)
- Missing conformity assessment (Art. 43)
- Inadequate human oversight measures (Art. 14)
- Non-compliance with provider or deployer obligations
Reference: Art. 99(4) EU AI Act
Tier 3: Up to €7.5 Million or 1% of Turnover
The lowest tier applies to supplying incorrect, incomplete, or misleading information to authorities or notified bodies.
Reference: Art. 99(5) EU AI Act
How Penalties Are Calculated
When determining the specific fine amount, Art. 99(7) requires authorities to consider:
- Nature and severity of the infringement and its consequences
- Size and market share of the company
- Intentional or negligent character of the violation
- Actions taken to mitigate the harm caused
- Degree of cooperation with authorities
- Previous infringements and recidivism
- Any financial benefit gained from the infringement
SME and Startup Provisions
The EU AI Act explicitly addresses proportionality for smaller organisations. Art. 99(6) states that penalties for SMEs (including startups) should be calculated using the lower of the fixed amount or the percentage, ensuring that fines are proportionate to company size.
For example, a startup with €2 million annual turnover faces a maximum Tier 2 penalty of €60,000 (3% of turnover), not €15 million.
Comparison with GDPR Fines
| Regulation | Maximum Fixed | Maximum % Turnover | Scope |
|---|---|---|---|
| EU AI Act (Tier 1) | €35 million | 7% | Prohibited practices |
| EU AI Act (Tier 2) | €15 million | 3% | High-risk non-compliance |
| GDPR (Art. 83(5)) | €20 million | 4% | Data protection violations |
| GDPR (Art. 83(4)) | €10 million | 2% | Technical/organisational measures |
The EU AI Act's Tier 1 penalties exceed the GDPR's maximum by 75% in fixed amounts, signalling the EU's seriousness about AI regulation.
Who Enforces the EU AI Act?
Each EU Member State designates national competent authorities (Art. 70) responsible for enforcement. For sector-specific AI systems:
- Financial sector: Existing financial supervisors (e.g. BaFin in Germany, ACPR in France, FMA in Austria)
- Healthcare: Health regulators and medical device authorities
- General: Horizontal regulators (e.g. BNetzA in Germany, ARCOM in France)
At EU level, the European AI Office coordinates enforcement and has direct supervisory power over general-purpose AI models (Art. 64–68).
When Do Penalties Start?
Penalties are enforceable on the same timeline as the obligations:
- Since February 2025: Fines for prohibited AI practices (Tier 1)
- From August 2025: Fines for GPAI and AI literacy non-compliance
- From August 2026: Fines for high-risk AI non-compliance (Tier 2) – approximately 5 months away
How to Avoid Penalties
The most effective way to avoid penalties is documented compliance. Companies should:
- Classify their AI systems – use our free risk check to determine whether a system is high-risk
- Create the required documentation – FRIA, Technical Documentation, and Transparency Notices
- Establish governance – designate responsible persons and implement AI literacy training
- Register in the EU database – before placing high-risk systems on the market
- Engage legal review – have a specialised lawyer refine and validate the compliance documentation
Even if enforcement is not immediate, having documented compliance efforts demonstrates good faith – a key factor in penalty calculation under Art. 99(7).