Article 99 of the EU AI Act establishes three penalty tiers, each triggered by different categories of non-compliance. The regime is modelled on GDPR with higher maximums for the most serious violations.

Tier 1: Prohibited Practices. €35 Million or 7% of Turnover

The highest penalties apply to Article 5 violations: subliminal or manipulative techniques, exploitation of vulnerable groups, social scoring, real-time remote biometric identification in public spaces, untargeted facial recognition scraping, emotion inference in workplaces/education, biometric categorisation for sensitive attributes, and predictive policing based solely on profiling.

These prohibitions have applied since 2 February 2025. Maximum fine: €35,000,000 or 7% of total worldwide annual turnover, whichever is higher (Article 99(3)).

Tier 2: Operator Obligations. €15 Million or 3% of Turnover

This tier covers the broadest set of requirements: high-risk system obligations (Articles 8-15), provider obligations (Articles 16-22), deployer obligations (Articles 26-27), importer/distributor obligations (Articles 23-25), transparency (Article 50), GPAI model obligations (Articles 51-55), and post-market monitoring (Articles 72-73).

Maximum fine: €15,000,000 or 3% of total worldwide annual turnover, whichever is higher (Article 99(4)).

Tier 3: Incorrect Information. €7.5 Million or 1.5% of Turnover

This tier applies to supplying incorrect, incomplete, or misleading information to competent authorities or notified bodies, including inaccurate conformity documentation, misleading responses to requests, or incorrect EU database registration data.

Maximum fine: €7,500,000 or 1.5% of total worldwide annual turnover, whichever is higher (Article 99(5)).

Enforcement and Proportionality

Enforcement is through national market surveillance authorities in each member state, coordinated by the EU AI Office. Notified bodies conduct conformity assessments for high-risk systems where third-party assessment is required.

Article 99(6) caps SME and startup fines at the lesser of the percentage or fixed amount. For a company with €10M turnover, a Tier 1 violation caps at €700,000 (7%) rather than €35M.

Prioritisation

  1. Prohibited practices audit: Tier 1 exposure, already enforceable. Binary assessment against Article 5.
  2. High-risk classification: determine which systems carry Tier 2 obligations.
  3. Provider/deployer obligations: documentation, QMS, conformity assessment, monitoring.
  4. Reporting accuracy: Tier 3 exposure. Get it right first time.


Map your penalty exposure

HEX 165 evaluates non-compliant findings against Article 99 penalty tiers, showing which gaps carry which level of financial exposure. Book a demo to see your risk profile.