
EU AI Act penalties and fines

Map AI Act penalty exposure to the exact infringement tier: banned practices, high-risk operator duties, transparency duties, incorrect information, and GPAI model obligations.

Use Article 99 as the starting point, then separate Member State penalty rules, SME and startup proportionality, Union-body fines, and Commission fines for general-purpose AI model providers.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

The EU AI Act does not set one flat fine. Article 99 creates three main administrative fine tiers for operators and notified bodies, requires Member States to set penalty and enforcement rules, and tells authorities to consider proportionality, SME and startup viability, cooperation, intent, harm, and mitigation. GPAI model providers also have a separate Commission fine route under Article 101.

Section 1

Article 99 fine tiers

Start every penalties review by identifying the relevant AI Act obligation and actor. Article 99 applies to operators and notified bodies, while Article 101 separately addresses providers of general-purpose AI models.

For undertakings, the highest Article 99 tier uses the greater of the fixed euro amount or a percentage of worldwide annual turnover. For SMEs, including startups, Article 99 uses the lower of the fixed amount or turnover percentage for the relevant tier.

  • Article 5 prohibited practices: up to EUR 35,000,000 or up to 7% of total worldwide annual turnover, whichever is higher for undertakings.
  • Specified operator and notified-body obligations, including provider, authorised representative, importer, distributor, deployer, notified-body, and Article 50 transparency duties: up to EUR 15,000,000 or up to 3% of worldwide annual turnover, whichever is higher for undertakings.
  • Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in response to a request: up to EUR 7,500,000 or up to 1% of worldwide annual turnover, whichever is higher for undertakings.
  • For SMEs and startups, the relevant Article 99 fine is capped at the lower of the fixed euro amount or the turnover percentage.

Section 2

Highest exposure: prohibited AI practices

The largest Article 99 tier is tied to non-compliance with Article 5 prohibited AI practices. This is not the same as ordinary high-risk AI non-compliance; it covers AI practices the Act prohibits because of unacceptable risk.

Penalty triage should therefore begin with an Article 5 screen before moving to high-risk, transparency, or GPAI duties. If the system, feature, deployment context, or customer use case could fall into Article 5, escalate before launch or continued use.

  • Screen for manipulative or deceptive techniques that materially distort behaviour and cause or are reasonably likely to cause significant harm.
  • Screen for exploitation of age, disability, or social or economic vulnerability that materially distorts behaviour and causes or is reasonably likely to cause significant harm.
  • Screen for social scoring, certain criminal-offence risk prediction based solely on profiling or personality traits, untargeted facial-image scraping, workplace or education emotion inference, and sensitive biometric categorisation.
  • Treat real-time remote biometric identification by law enforcement in publicly accessible spaces as a specialised Article 5 issue with strict conditions, safeguards, and national-law dependencies.

Section 3

Other operator duties and incorrect information

The EUR 15,000,000 or 3% tier is tied to listed obligations, not every possible AI Act topic. It covers key high-risk value-chain actors and Article 50 transparency duties for certain AI systems.

The EUR 7,500,000 or 1% tier is specifically about supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request. Do not describe this as a general paperwork fine; the trigger is the requested information response.

  • Provider duties under Article 16 belong in the 15 million euro or 3% tier when Article 99 applies.
  • Authorised representative, importer, distributor, deployer, and specified notified-body duties also sit in the 15 million euro or 3% tier.
  • Article 50 transparency duties for providers and deployers are expressly included in the 15 million euro or 3% tier.
  • Authority-response workflows should preserve the request, legal basis, supplied information, reviewer approvals, and correction history because incorrect, incomplete, or misleading responses have their own Article 99 tier.

Section 4

Member State rules and proportionality factors

Article 99 requires Member States to lay down rules on penalties and other enforcement measures. Those measures may include warnings and non-monetary measures, and Member States must notify the Commission of their rules and later amendments.

Fine decisions are not meant to be mechanical. Article 99 instructs authorities to consider circumstances such as nature, gravity, duration, consequences, affected persons, damage, prior fines for the same activity or omission, operator size, turnover, market share, financial benefit, cooperation, responsibility, notification, intent or negligence, and mitigation.

  • Check the applicable Member State rules before stating who imposes a fine or whether public authorities can be fined.
  • Record whether the issue affects one Member State, several Member States, or EU-level GPAI supervision.
  • Keep mitigation evidence close to the infringement record: containment steps, affected-person remediation, authority cooperation, corrective actions, and governance changes.
  • Avoid unsupported claims that a specific national authority will fine a company unless the relevant Member State rule or authority action is actually sourced.

Section 5

GPAI model provider fines are separate

General-purpose AI model providers should not rely only on the Article 99 operator table. Article 101 gives the Commission power to impose fines on GPAI model providers of up to 3% of annual total worldwide turnover in the preceding financial year or EUR 15,000,000, whichever is higher.

Article 101 covers intentional or negligent infringements, failures to comply with Commission requests for documents or information, incorrect, incomplete, or misleading information, failures to comply with requested measures, and failures to provide model access for evaluations.

  • Separate AI system operator duties from GPAI model provider duties in the enforcement register.
  • For GPAI documentation, track Article 53 technical documentation, downstream-provider information, copyright policy, and public training-content summary obligations.
  • For GPAI models with systemic risk, track Article 55 risk assessment, mitigation, serious-incident, cybersecurity, and reporting obligations separately from ordinary GPAI documentation duties.
  • Preserve Commission and AI Office requests, response deadlines, supplied documents, access decisions, and model-evaluation correspondence because Article 101 directly covers failures around these requests.

Section 6

Penalty exposure checklist

Use this checklist when a launch, incident, authority request, supplier change, model update, or customer deployment raises AI Act penalty questions.

The goal is to classify the exposure without overstating enforcement. Record what is known, what is not sourced yet, and which authority route is relevant.

For Union institutions, bodies, offices, and agencies, Article 100 creates a separate administrative-fine route handled by the European Data Protection Supervisor, so public-sector penalty triage should not stop at Article 99.

What is the maximum AI Act fine for prohibited AI practices?

Under Article 99, non-compliance with Article 5 prohibited AI practices can be fined up to EUR 35,000,000 or, for undertakings, up to 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. For SMEs and startups, the Article 99 lower-cap rule applies.

Is the incorrect-information fine 1% or 1.5% under Article 99?

Article 99(5) of Regulation (EU) 2024/1689 states EUR 7,500,000 or, for undertakings, up to 1% of total worldwide annual turnover for supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities in reply to a request.

Do Member States set their own AI Act penalty rules?

Yes. Article 99 requires Member States to lay down rules on penalties and other enforcement measures, which may include warnings and non-monetary measures, and to notify the Commission of those rules and later amendments.

Are GPAI model provider fines handled under the same Article 99 table?

Not entirely. GPAI model providers have a separate Article 101 route under which the Commission may impose fines of up to 3% of annual total worldwide turnover or EUR 15,000,000, whichever is higher, for intentional or negligent failures covered by that article.

  • Identify the actor: provider, deployer, product manufacturer, authorised representative, importer, distributor, notified body, public authority, Union body, or GPAI model provider.
  • Classify the trigger: Article 5 prohibited practice, Article 99(4) listed obligation, Article 99(5) authority-response information issue, Article 100 Union-body issue, or Article 101 GPAI model provider issue.
  • Calculate only the sourced maximum tier and label it as a maximum, not an expected fine.
  • Apply the SME or startup lower-cap rule where the entity qualifies, and keep evidence of the SME/startup status used for the calculation.
  • Collect proportionality evidence: harm, number of affected persons, duration, intent or negligence, cooperation, mitigation, prior authority actions, turnover, market share, and benefit gained or loss avoided.
  • Check Member State penalty rules before naming a national authority, public-sector fine exposure, court route, warning route, or non-monetary measure.

Primary sources

References and citations

  • ai-act-service-desk.ec.europa.eu: Official AI Act Service Desk source URL for Article 50, which Article 99 includes in the 15 million euro or 3% penalty tier. Quoted text: "Transparency obligations for providers and deployers of certain AI systems"
  • ec.europa.eu: Code of Practice transparency chapter describing model documentation and downstream-provider information commitments for GPAI providers using the Code. Quoted text: "drawing up and keeping up-to-date model documentation"
  • eur-lex.europa.eu: Primary source for Article 99, Article 100, Article 101, prohibited-practice penalties, SME lower-cap treatment, and GPAI model provider fines. Quoted text: "whichever is higher"