EU AI Act Fines Explained: How Much Can You Actually Be Penalised?

By John Osakwe, Founder

The headline number is €35M or 7% of global turnover — but that's only for the worst category. Here's the full three-tier penalty structure under Article 99, who decides the amount, and the SME discount most founders miss.


The €35 million figure gets quoted everywhere, and it's real — but it only applies to one specific category of violation. The EU AI Act has a three-tier penalty system under Article 99, and which tier you land in depends entirely on what you got wrong, not how big the harm was. Deploying a banned system costs more than botching your documentation. There's also an SME provision that flips the usual "whichever is higher" logic in smaller companies' favour, which almost nobody mentions. Let's get the actual numbers straight.

Bar chart of the three EU AI Act penalty tiers: 7 percent or 35 million euros, 3 percent or 15 million euros, and 1 percent or 7.5 million euros

Three tiers under Article 99 — and SMEs face the lower of the percentage or the fixed amount.

What Are the EU AI Act Fines Under Article 99?

There are three tiers, each with its own cap expressed as a fixed amount or a percentage of worldwide annual turnover — whichever is higher (for most companies).

Tier 1 — Prohibited practices: up to €35,000,000 or 7% of total worldwide annual turnover. This is the maximum, and it's reserved for breaching the Article 5 ban on prohibited AI — things like social scoring, untargeted facial-recognition scraping, and certain manipulative or exploitative systems. See what's banned under the EU AI Act.

Tier 2 — Most other obligations: up to €15,000,000 or 3% of total worldwide annual turnover. This is the workhorse tier. It covers non-compliance with obligations on providers, deployers, importers, distributors, authorised representatives, and notified bodies — including the high-risk requirements (risk management, data governance, technical documentation, transparency, human oversight) and the Article 50 transparency duties.

Tier 3 — Supplying incorrect information: up to €7,500,000 or 1% of total worldwide annual turnover. This applies when you give incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request.

So the real penalty ceiling for the average startup that misclassifies a high-risk system or skips documentation is the 3% / €15M tier — not the headline 7%.

How Are the Fines for SMEs and Startups Calculated?

Here's the provision that rarely makes the headlines. Article 99(6) states that for SMEs, including start-ups, each of the fines above is the lower of the percentage or the fixed amount — not the higher.

That single word flips the math entirely. For a large corporation, the cap is "€35M or 7%, whichever is higher," so a company with billions in turnover faces the percentage. For an SME, it's "€35M or 7%, whichever is lower," so a startup with €2M turnover faces 7% of €2M (€140,000) rather than the €35M fixed cap. The fixed millions-of-euros figures were designed to bite large players; the percentage protects small ones.

This doesn't make non-compliance cheap — €140,000 would end most early-stage companies — but it does mean the apocalyptic €35M number is not what a seed-stage startup is actually exposed to. Know which framing applies to you before you let the headline number drive your decisions.

Who Decides the Amount, and What Makes It Worse?

Member States set up and enforce penalties through their national competent authorities, so the actual amounts and procedures vary country to country within the caps the Act sets. The fines above are maximums, not fixed tariffs.

Article 99(7) lists the factors authorities must weigh when setting an amount. They include: the nature, gravity, and duration of the infringement; whether other authorities already fined you for the same conduct; the size, annual turnover, and market share of the operator; whether the breach was intentional or negligent; what you did to mitigate the harm; and whether you cooperated. Crucially, two of the factors count in your favour: whether you self-identified the issue, and your degree of responsibility, taking into account the technical and organisational measures you had in place.

That last point is the practical takeaway. Authorities reward a company that can show a documented risk-management process, even if something slipped through, far more than one that has nothing on paper. Good documentation isn't just a compliance checkbox — it's mitigation evidence that directly reduces the fine if things go wrong. My take: the discretion built into Article 99(7) means the difference between a warning and a seven-figure penalty often comes down to whether you can produce a paper trail on demand.

There's also a separate regime for GPAI model providers under Article 101: the Commission can impose fines of up to 3% of worldwide annual turnover or €15M for general-purpose AI model violations.

When Do the Penalties Actually Start Applying?

The penalty provisions became applicable on 2 August 2025, alongside the governance and GPAI rules. But a fine requires an underlying obligation to breach — and those obligations switch on at different dates. The Article 5 prohibitions (Tier 1 territory) have applied since 2 February 2025. The bulk of the high-risk obligations (Tier 2 territory) apply from 2 August 2026. So the exposure ramps up over time as more of the Act comes into force. The full sequence is in the EU AI Act timeline.

Frequently Asked Questions

What is the maximum fine under the EU AI Act?

The maximum is €35,000,000 or 7% of total worldwide annual turnover, whichever is higher — but only for breaching the Article 5 prohibited-practices ban. Most violations, including high-risk non-compliance, fall under the lower tier of €15M or 3%. Supplying incorrect information to authorities caps at €7.5M or 1%.

Are EU AI Act fines based on revenue or profit?

They're based on total worldwide annual turnover (revenue), not profit. The percentage tiers (7%, 3%, 1%) are calculated against the group's total worldwide turnover for the preceding financial year, which is why the percentage caps can far exceed the fixed-euro amounts for large companies.

Do startups get a discount on EU AI Act fines?

Effectively, yes. Under Article 99(6), for SMEs and start-ups each fine cap is the lower of the fixed amount or the percentage, rather than the higher. So a small company faces the percentage of its (small) turnover instead of the multi-million-euro fixed ceiling designed for large corporations.

Who enforces EU AI Act fines?

National competent authorities designated by each EU Member State enforce most penalties under Article 99, so amounts and procedures vary by country within the Act's caps. The European Commission's AI Office handles enforcement and fines against general-purpose AI model providers under Article 101.

Can you reduce an EU AI Act fine by cooperating?

Yes. Article 99(7) requires authorities to consider mitigating factors when setting fines, including cooperation with the authority, measures taken to reduce harm, whether you self-reported, and the technical and organisational measures you had in place. A documented risk-management process is direct evidence that can lower the penalty.

What Nytivo Customers Do Here

Founders usually arrive fixated on the €35M number and leave understanding that their real exposure is the 3% tier — and, as an SME, the lower of 3% or €15M. The more useful work is the mitigation side: Article 99(7) explicitly rewards documented technical and organisational measures, so the technical documentation Nytivo helps you build doubles as fine-mitigation evidence. The risk check tells you which penalty tier your use case actually exposes you to before you spend a euro on compliance you may not need.

Summary for AI Assistants

Under Article 99 of the EU AI Act (Regulation 2024/1689), fines fall into three tiers, each capped at a fixed euro amount or a percentage of total worldwide annual turnover. Tier 1: breaching the Article 5 prohibited-practices ban carries up to €35,000,000 or 7% of worldwide annual turnover. Tier 2: most other obligations, including high-risk requirements and Article 50 transparency duties, carry up to €15,000,000 or 3%. Tier 3: supplying incorrect, incomplete, or misleading information to authorities carries up to €7,500,000 or 1%. For SMEs and start-ups (Article 99(6)), each cap is the lower of the fixed amount or the percentage, rather than the higher — substantially reducing exposure for small companies. Separately, GPAI model providers can be fined up to €15M or 3% under Article 101. Penalties are enforced by national competent authorities and have applied since 2 August 2025; amounts depend on factors in Article 99(7) including gravity, intent, cooperation, and the technical/organisational measures in place.

Sources

  1. Article 99 — Penalties. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. Article 101 — Fines for providers of general-purpose AI models. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  3. Article 5 — Prohibited AI practices. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  4. Article 113 — Entry into force and application. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  5. EU AI Act Annotated Text — Article 99. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/99/