EU AI Act- Article 99 Penalties

Introduction

The European Union's Artificial Intelligence Act (EU AI Act) is a groundbreaking regulation aiming to address the ethical and legal challenges posed by artificial intelligence. Article 99, specifically, outlines the penalties for non-compliance with the Act. Understanding these penalties is crucial for businesses operating within the EU or dealing with EU citizens. In this article, we will delve into the fines and penalties associated with the EU AI Act, focusing on Article 99.

The EU AI Act is a comprehensive legal framework designed to regulate AI technologies within the European Union. Its primary goal is to ensure that AI systems are safe, transparent, and respect fundamental rights. The Act categorizes AI systems based on risk levels, ranging from minimal to unacceptable. High-risk AI systems, such as those used in critical infrastructure, education, and law enforcement, face stricter regulations and compliance requirements.

Overview of Article 99: Penalties for Non-Compliance

The EU AI Act establishes a tiered penalty regime with fines up to €35 million or 7% of worldwide annual turnover for the most severe violations, alongside corrective measures, warnings, and obligations tailored by severity and actor type, including specific rules for general-purpose AI providers. Penalties began applying from August 2, 2025, with some GPAI-related sanctions taking effect in 2026, and Member States empowered to set effective, proportionate, and dissuasive enforcement frameworks that consider SMEs’ viability.

Types of Penalties

• Administrative fines scale up to the higher of fixed euro amounts or a percentage of total worldwide turnover, with the top tier reaching €35 million or 7% for prohibited practices under Article 5, and other tiers at €15 million or 3% and €7.5 million or 1% for specified infringements, including supplying incorrect information to authorities.
  
  
• Corrective measures include orders to cease deploying non-compliant systems, impose changes to attain conformity, and other non-monetary remedies determined by national authorities under Article 99, as part of Member State penalty frameworks mandated by August 2, 2025.
  
  
• Public warnings and non-monetary sanctions form part of national enforcement tools to inform the public of non-compliance and prompt remediation, sitting alongside fines within the Act’s enforcement architecture.

Calculation of Fines

• Up to €7.5 million or 1% of worldwide turnover applies for supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities, whichever is higher, except SMEs/startups where the lower cap applies between amount and percentage.

• Up to €15 million or 3% of worldwide turnover applies for breaches of certain obligations under the Act outside prohibited practices, with the higher of amount or percentage used, and SME/startup proportionality adjustments set to the lower of the two.

• Up to €35 million or 7% of worldwide turnover applies for infringements related to prohibited AI practices in Article 5, reflecting the highest severity tier in the penalty structure.

Factors Influencing Penalties

• Nature, gravity, and duration guide penalty calibration by competent authorities, aligning with Article 99’s requirement for Member States to lay down effective, proportionate, and dissuasive penalties in national law.
  
  
• Intentional or negligent character, prior infringements, and cooperation with authorities can increase or mitigate penalties, consistent with EU enforcement principles and national frameworks implementing Article 99.
  
  
• SME and startup considerations require authorities to safeguard economic viability; for these entities, caps apply using the lower between the amount and the percentage thresholds defined in Article 99(6).

Importance of Compliance

• Non-compliance risks significant financial exposure and reputational damage, especially for prohibited uses and high-risk system obligations, making early alignment with risk-based duties critical for organizations operating in or impacting the EU market.

• Effective compliance also reduces enforcement uncertainty as Member States operationalize their penalty regimes and oversight processes, which began to apply from August 2, 2025, with staged obligations across 2025–2027.

Steps to Ensure Compliance

• Conduct a risk assessment: Map AI uses, classify by risk category (unacceptable, high, limited, minimal), and identify high-risk deployments under Annex III that trigger QMS, risk management, data governance, human oversight, technical documentation, and post-market monitoring.

• Implement compliance measures: Establish governance, documentation, vendor assurance, and transparency controls suitable to the system’s risk level, and prepare for registration and conformity assessment where required for high-risk systems.
  
  
• Monitor and review: Maintain continuous post-market monitoring, incident handling, and periodic reviews to keep technical documentation and controls current throughout the lifecycle.

• Engage with authorities: Track national implementation, interact with market surveillance bodies, and prepare for phased obligations and GPAI-specific compliance milestones, with some GPAI fines applying from August 2, 2026.

Key Timelines and GPAI Notes

• Penalties under Article 99 apply from August 2, 2025, alongside new governance structures, while many substantive duties phase in through 2026–2027, and GPAI administrative fines under Article 101 begin August 2, 2026.

• Providers of general-purpose AI models face a distinct regime where the European Commission can impose up to €15 million or 3% for violations such as failure to provide documentation or access for evaluation, applying the higher cap for non-SME entities.

Conclusion

The EU AI Act, and specifically Article 99, sets out clear penalties for non-compliance, emphasizing the importance of adhering to the regulation. By understanding and addressing the fines and penalties associated with the Act, organizations can avoid significant financial and reputational damage. Compliance with the EU AI Act is not only a legal obligation but also a commitment to ethical and responsible AI development and deployment. By taking proactive steps to ensure compliance, organizations can foster trust and confidence in their AI systems among stakeholders and the public.