Fines under the EU AI Act are not automatic. Article 99 establishes ceilings, not mandatory minimums. But the ceilings are high, the factors that reduce them are not guaranteed, and the obligation to produce documentation on short notice is real. Understanding Article 99 accurately is the precondition for making rational compliance investment decisions.
Key takeaways
- Article 99 of Regulation (EU) 2024/1689 creates three fine tiers: up to EUR 35 million or 7 per cent of global annual turnover for violations of Article 5 prohibited practices; up to EUR 15 million or 3 per cent for most other obligations including all deployer duties under Article 26; and up to EUR 7.5 million or 1 per cent for supplying incorrect or misleading information to authorities.
- In each tier, the higher of the two figures (absolute amount or percentage of turnover) applies. For large enterprises the percentage figure will typically exceed the absolute cap.
- Article 99(6) lists eight factors supervisors must consider when setting the actual fine: these include intent, duration, harm mitigation, degree of responsibility, prior history, cooperation, and the operator's financial strength, including its size.
- SME proportionality is explicitly required by Article 99(6) and elaborated in Recital 165. The turnover-percentage ceiling mechanism itself limits fine exposure for small operators in absolute terms.
- Article 101 is the separate GPAI model penalty provision. It is addressed to GPAI model providers, not to deployers. Deployers face Article 99 exposure if they violate their own obligations, including when using a GPAI model in a non-compliant manner.
- The Article 5 prohibitions are in force now. All other Article 99 liability timelines depend on when the underlying substantive obligation applies to the deployer's specific system and context.
The structure of Article 99
Article 99 of Regulation (EU) 2024/1689 is titled "Penalties." It does not create substantive obligations itself. Instead, it assigns penalty consequences to violations of obligations created elsewhere in the Regulation. Reading Article 99 in isolation produces only a map of exposure ceilings; the content of the underlying obligations must be found in Articles 5, 9 through 15, 26, and elsewhere.
The Article operates through a three-tier ceiling structure. Each tier defines a maximum fine, expressed as the higher of an absolute euro amount and a percentage of the operator's total worldwide annual turnover for the preceding financial year. Where an operator is part of a group, the group's consolidated turnover is typically the reference figure, consistent with the approach established in EU competition law and adopted by reference in several member states' implementing guidance to date.
Article 99 applies to providers, deployers, authorised representatives, importers, distributors, and product manufacturers who are subject to the Regulation. Each actor type faces exposure for violating the obligations the Regulation places on them specifically. A deployer's Article 99 exposure map is therefore shaped by which articles create deployer obligations, not by the full range of obligations the Regulation contains.
Tier one: Article 5 prohibited practices (EUR 35 million or 7 per cent)
The highest fine tier applies to violations of Article 5 of Regulation (EU) 2024/1689, which lists AI practices that are prohibited outright. The ceiling is EUR 35 million or 7 per cent of worldwide annual turnover, whichever is higher.
Article 5 entered into force on 2 February 2025. It prohibits, among other things: AI systems that deploy subliminal manipulation or exploit vulnerabilities to distort a person's behaviour in a way that causes or is likely to cause harm; real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes, except within the narrowly defined exceptions in Article 5(1)(h); social scoring by public authorities; and AI systems that infer sensitive attributes including race, political opinions, trade union membership, religious or philosophical beliefs, sexual orientation, or health status from biometric data for categorisation purposes, except in specific permitted contexts.
For most enterprise deployers, the Article 5 prohibited practices are not close cases. The clearest risk is a deployer who uses a GPAI-model-based agent that includes manipulation patterns designed to influence consumer behaviour, or one that processes biometric data in a way that incidentally infers sensitive characteristics beyond what the provider's documentation describes. Both scenarios may constitute Article 5 violations that the deployer cannot cure by pointing to the provider's design decisions.
For a detailed analysis of what each Article 5 prohibition requires deployers to check before putting a system into service, see the Article 5 prohibited practices deployer guide.
Tier two: Substantive obligations (EUR 15 million or 3 per cent)
The middle tier applies to violations of obligations other than the Article 5 prohibitions and other than the information accuracy obligation covered by tier three. The ceiling is EUR 15 million or 3 per cent of worldwide annual turnover.
For deployers, the obligations that fall into this tier include the full duty-set under Article 26. Article 26 contains eight categories of deployer obligation: using the system in accordance with the provider's instructions for use (Article 26(1)); assigning competent oversight persons (Article 26(2)); monitoring operation (Article 26(3)); notifying providers of risks (Article 26(4)); reporting serious incidents to market surveillance authorities (Article 26(5)); retaining logs (Article 26(7)); informing affected persons (Article 26(8)); and conducting a fundamental rights impact assessment where required (Article 26(9)).
The same tier covers violations of the risk management obligations in Article 9, the data governance requirements in Article 10, the technical documentation obligations in Articles 11 and 17, the logging and record-keeping requirements in Article 12, the transparency obligations in Article 13, the human oversight design requirements in Article 14, and the accuracy and robustness requirements in Article 15, to the extent deployers have obligations under those provisions.
The middle tier also covers failure to comply with orders and requests from market surveillance authorities and the AI Office, including requests to produce documentation, submit to audits, or implement corrective measures.
For a full map of which obligations apply to deployers and when, see the Article 26 deployer obligations complete guide.
Tier three: Incorrect information (EUR 7.5 million or 1 per cent)
The lowest tier applies to the supply of incorrect, incomplete, or misleading information to notified bodies and competent authorities in response to a request. The ceiling is EUR 7.5 million or 1 per cent of worldwide annual turnover.
This tier is sometimes underestimated because its ceiling is the smallest of the three. In practice, it is significant for two reasons. First, the obligation it enforces arises in the context of supervisory investigations, where an authority has already opened a formal inquiry. Providing inaccurate information in that context is a separate infringement from whatever triggered the investigation, so it can stack onto underlying Article 99 exposure. Second, the threshold for this tier is lower than it might appear: the provision covers information that is incorrect, incomplete, or misleading. Omissions that leave a materially false impression can satisfy this standard even without an affirmative false statement.
How supervisors set the fine amount: Article 99(6)
The ceiling in each tier is a maximum. Article 99(6) requires competent authorities to give due consideration to a set of factors when determining the actual amount of any administrative fine. The provision does not establish a formula. It requires a structured assessment of multiple dimensions.
The factors listed in Article 99(6) are: the nature, gravity, and duration of the infringement and of its consequences, taking into account the purpose of the AI system as well as, where relevant, the number of affected persons and the level of damage suffered by them; whether the infringement was committed intentionally or through negligence; any action taken by the provider or deployer to mitigate the damage suffered by affected persons; the degree of responsibility of the provider or deployer taking into account the technical and organisational measures implemented; any relevant previous infringements by the provider or deployer; the degree of cooperation with the competent authorities in order to remedy the infringement and mitigate its possible adverse effects; any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement.
Each of these factors has direct practical implications for how deployers should build their compliance programmes. A deployer who identified a monitoring signal that an AI system was operating outside its expected parameters, documented that signal, and took corrective action before harm materialised is in a materially different position than one who identified no signal because no monitoring procedure existed. The first deployer's Article 99(6) assessment looks like: low gravity, negligent at most, proactive mitigation, high degree of organisational responsibility. The second looks like: higher gravity, potentially reckless, no mitigation, low degree of organisational readiness.
The turnover percentage mechanism performs a related function. For a global technology company with EUR 10 billion in turnover, a 3 per cent fine is EUR 300 million. The EUR 15 million absolute ceiling does not apply because the percentage produces a larger figure. For a EUR 5 million turnover deployer, the 3 per cent calculation produces EUR 150,000, well below the EUR 15 million ceiling. The ceiling in each tier is therefore not the realistic outcome for most deployers; it is the worst case for large operators.
SME proportionality under Article 99(6)
Article 99(6) includes an explicit instruction that when determining the amount of an administrative fine, the financial strength of the provider or deployer, including their total worldwide annual turnover, is to be taken into account. Recital 165 of Regulation (EU) 2024/1689 elaborates this into a named SME principle: the fine amounts provided for in Article 99 should apply in a proportionate manner taking into account the size, economic situation, and scale of the operators concerned, in particular to avoid that fines would threaten the economic viability of SMEs and micro-enterprises.
This is meaningful but not unlimited. The proportionality instruction does not exempt SMEs from enforcement. It requires authorities to set the fine at a level that is proportionate to the SME's size, not to set no fine at all. An SME that operates a prohibited Article 5 practice without mitigation remains within the highest tier. The proportionality instruction means the authority should set the fine lower within that tier relative to what it would impose on a large enterprise for the same conduct, not that the SME escapes.
For SMEs and start-ups that have taken genuine compliance steps but face a residual infringement, the combination of the percentage-of-turnover ceiling and the Article 99(6) proportionality factors provides real downward pressure on the fine amount. Documenting compliance efforts, cooperation with the authority, and any harm mitigation is therefore especially important for smaller operators because those records directly engage the factors that govern fine calibration.
Article 101: GPAI model fines and the boundary with Article 99
Article 101 is a separate penalty provision in Regulation (EU) 2024/1689 that applies specifically to providers of general-purpose AI models. It is addressed to GPAI model providers, not to deployers.
Under Article 101(1), GPAI model providers who fail to comply with their obligations under Articles 53 and 55 may be fined up to EUR 15 million or 3 per cent of worldwide annual turnover. Article 53 sets the general obligations of GPAI model providers: technical documentation, cooperation with the AI Office, copyright compliance, and a summary of training data. Article 55 imposes additional obligations on providers of GPAI models with systemic risk, including adversarial testing, incident reporting to the AI Office, and cybersecurity measures.
Article 101(2) sets a lower ceiling of EUR 3 million or 1 per cent of turnover for GPAI model providers who supply incorrect or misleading information to the AI Office, notified bodies, or other authorities in the GPAI model oversight process.
The boundary between Article 99 and Article 101 matters for deployers in two directions. First, a deployer who integrates a GPAI model into their product and then violates their own deployer obligations under Articles 9 to 15 and Article 26 faces Article 99 liability, not Article 101 liability. The fact that a GPAI model is involved does not convert the deployer's infringement into a GPAI provider infringement. Second, a deployer who builds a product on a GPAI model that the provider has not adequately documented or assessed under Article 53 may have limited defence against a claim that they violated Article 13 transparency obligations, because the upstream technical information they needed was not available. This is the deployer-side exposure from GPAI model provider non-compliance, and it runs through Article 99, not Article 101.
For a detailed analysis of GPAI model obligations and their implications for deployers who build on GPAI models, see the GPAI models deployer exposure guide.
Enforcement architecture and who imposes fines
Article 99 fines are imposed by national competent authorities, specifically the market surveillance authorities designated by each member state under Articles 70 and 74 of Regulation (EU) 2024/1689. The AI Office, established under Article 64, has enforcement competence for GPAI model providers under Article 101, but its direct enforcement authority against deployers is more limited.
The European Artificial Intelligence Board, established under Article 65, coordinates national supervisory activity and provides guidance on consistent application. Significant enforcement decisions by national authorities are expected to be shared through the EAIB to promote convergence. As of mid-2026, the major national authorities being built up include the German Federal Office for Artificial Intelligence, the French Commission Nationale de l'Informatique et des Libertés as designated AI supervisor, and the Dutch AI Authority. The UK's AI Safety Institute operates under a different framework outside the Regulation's geographic scope.
Article 99(7) preserves the right of member states to establish additional penalties for infringements not covered by the Article 99 tiers, and for infringements of obligations established under national law implementing the Regulation. This means the Article 99 ceilings do not bound a member state's overall penalty regime: member states can add further penalties through separate national instruments.
The connection to insurance coverage
Article 99 fines are regulatory administrative penalties. They are, in most market-standard professional indemnity and technology errors-and-omissions wordings, expressly excluded from coverage. Fines and penalties imposed by regulators are typically uninsurable on public policy grounds in most EU jurisdictions.
What insurance can address is the investigation cost, the legal representation cost during supervisory proceedings, the cost of third-party harm claims that arise from the same conduct that triggered the fine, and the cost of the remediation programme required as part of a supervisory settlement. Products in the developing AI liability market, including Munich Re's aiSure framework, Armilla's AI warranty product, and Lloyd's AI liability capacity, are structured around indemnifiable third-party loss rather than regulatory penalty exposure. Current product scope and availability vary; confirm terms with a specialist broker.
The practical implication is that Article 99 fine risk must be managed through compliance architecture, not transferred through insurance. The documentation that satisfies Article 99(6) in the event of a supervisory investigation is substantially the same documentation that supports an insurance underwriting submission: evidence of risk management, oversight procedures, incident logs, and a monitoring programme. Both exercises converge on the same file.
Practical implications: building an Article 99-aware compliance programme
An Article 99-aware compliance programme is not a fines-avoidance programme. Fines are the last step in a chain that begins with a deployed system, continues through a supervisory inquiry, and ends in a fine only if the inquiry reveals a violation and the authority decides to impose one. The compliance programme's function is to make the chain much less likely to reach that endpoint, and to produce the Article 99(6) mitigation factors if it does.
The minimum documents that engage Article 99(6) mitigation factors are: a risk management system record under Article 9 demonstrating systematic pre-deployment assessment; monitoring procedure records under Article 26(3) demonstrating ongoing operational review; an incident log under Article 26(5) demonstrating incidents were identified and reported; and correspondence records with the relevant supervisory authority demonstrating a cooperative posture.
The specific exposure ceiling for a deployer's situation depends on: whether any Article 5 prohibited practice is involved (tier one); whether a substantive obligation under Articles 9 to 15 or Article 26 was violated (tier two); and whether any information supplied to an authority was incorrect or misleading (tier three). Most deployers who face investigation will face tier two exposure for Article 26 obligation violations, and potentially tier three if their responses to the authority's information requests are found inadequate.
For context on the national supervisory authorities who would impose these fines and how they are building their enforcement capacity, see the national supervisors reference guide.
Frequently asked questions
What are the three fine tiers under Article 99 of the EU AI Act?
Article 99 of Regulation (EU) 2024/1689 establishes three administrative fine tiers. The highest tier applies to violations of the prohibited practices in Article 5: up to EUR 35 million or 7 per cent of worldwide annual turnover, whichever is higher. The middle tier applies to most other substantive obligations, including all deployer duties under Articles 9 to 15 and Article 26: up to EUR 15 million or 3 per cent of worldwide annual turnover. The lowest tier applies to supplying incorrect or misleading information to competent authorities or notified bodies: up to EUR 7.5 million or 1 per cent of worldwide annual turnover.
How do supervisory authorities decide the actual fine amount within a tier?
Article 99(6) lists the factors that competent authorities must consider: the nature, gravity, and duration of the infringement; whether the infringement was intentional or negligent; action taken to mitigate harm; the degree of responsibility; the financial strength of the operator including turnover and size; any prior infringements; the degree of cooperation with the authority; and the manner in which the authority became aware of the infringement. No single factor is determinative. The ceiling is not the expected fine for a first-time, moderate infringement by a small operator.
Does Article 99 include any proportionality protection for SMEs?
Yes. Article 99(6) requires competent authorities to take into account the financial strength of the operator, including turnover and size, when setting the fine amount. Recital 165 elaborates that for SMEs and start-ups, fines should be proportionate and should not jeopardise their economic viability. The turnover-percentage ceiling mechanism itself limits fine exposure for small operators: a deployer with EUR 2 million turnover faces a maximum middle-tier fine of EUR 60,000 under the 3 per cent cap, well below the EUR 15 million absolute ceiling.
What is the relationship between Article 99 and Article 101 GPAI model fines?
Article 99 applies to providers, deployers, and other operators subject to the Regulation's general obligations. Article 101 is a separate provision addressed exclusively to GPAI model providers for violations of Articles 53 and 55. Deployers face Article 99 exposure for their own obligation violations. If a deployer builds on a GPAI model and violates their deployer duties in doing so, the relevant penalty article is Article 99, not Article 101. Article 101's ceiling for GPAI model providers is EUR 15 million or 3 per cent of turnover for substantive violations, with EUR 3 million or 1 per cent for incorrect information.
Which deployer violations carry the highest Article 99 fine exposure?
The highest Article 99 tier, up to EUR 35 million or 7 per cent of turnover, applies to violations of Article 5 prohibited practices. For deployers this includes using prohibited manipulation or exploitation techniques, deploying biometric categorisation to infer sensitive attributes outside permitted exceptions, and deploying real-time remote biometric identification in public spaces outside the law enforcement exceptions. All deployer obligations under Articles 9 to 15 and Article 26 fall under the middle tier of EUR 15 million or 3 per cent. Submitting incorrect or incomplete information to market surveillance authorities falls under the lowest tier of EUR 7.5 million or 1 per cent.
Can a deployer face fines from multiple member states for the same AI system?
Article 99 fines are imposed by national competent authorities. The enforcement architecture under Articles 70 to 78 allocates primary competence to the authority in the member state where the deployer is established or where the affected persons are located. The AI Office and the European Artificial Intelligence Board under Articles 64 and 65 coordinate cross-border enforcement. The Regulation does not exclude parallel national investigations for separate infringements in different jurisdictions, but the general principle against double jeopardy for the same act applies.
References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (Artificial Intelligence Act), OJ L, 12.7.2024.
- Article 99, Regulation (EU) 2024/1689, administrative fines for violations of the Regulation.
- Article 5, Regulation (EU) 2024/1689, prohibited AI practices.
- Article 9, Regulation (EU) 2024/1689, risk management system.
- Articles 10 to 15, Regulation (EU) 2024/1689, requirements for high-risk AI systems.
- Article 17, Regulation (EU) 2024/1689, quality management system obligations.
- Article 26, Regulation (EU) 2024/1689, obligations of deployers of high-risk AI systems.
- Article 50, Regulation (EU) 2024/1689, transparency obligations for certain AI systems.
- Articles 53 and 55, Regulation (EU) 2024/1689, obligations of GPAI model providers.
- Article 64, Regulation (EU) 2024/1689, AI Office.
- Article 65, Regulation (EU) 2024/1689, European Artificial Intelligence Board.
- Articles 70 to 74, Regulation (EU) 2024/1689, national competent authorities and market surveillance.
- Article 101, Regulation (EU) 2024/1689, penalties for GPAI model providers.
- Recital 165, Regulation (EU) 2024/1689, proportionality of fines for SMEs and start-ups.
- Annex III, Regulation (EU) 2024/1689, high-risk AI systems classification.
- Directive (EU) 2024/2853 of the European Parliament and of the Council on liability for defective products (Product Liability Directive), OJ L, 18.11.2024.
- European Insurance and Occupational Pensions Authority. Opinion on artificial intelligence governance in the insurance and occupational pensions sectors. August 2025.
- European Commission. Digital Omnibus package, COM(2026) 65. Proposal to amend Regulation (EU) 2024/1689 including extension of the high-risk AI deadline to 2 December 2027. Trilogue agreement reached 7 May 2026. Not yet formally adopted as of 14 June 2026.