EU AI Act Article 99: The Penalty Tiers and What Triggers Each One
Article 99 of the EU AI Act sets three penalty tiers reaching 35M EUR or 7% of global turnover for prohibited practices, 15M EUR or 3% for high-risk non-compliance, and 7.5M EUR or 1% for supplying misleading information. The mandate takes effect August 2, 2026.

Article 99 of the EU AI Act sets three penalty tiers. The highest tier reaches €35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher, for violations of the prohibited practices in Article 5. The middle tier reaches €15 million or 3% for non-compliance with the high-risk obligations under Articles 8 to 27 and the general-purpose AI obligations under Articles 50 to 56. The lower tier reaches €7.5 million or 1% for supplying incorrect, incomplete, or misleading information to notified bodies and national authorities. The mandate takes effect on August 2, 2026.
I want to walk through what each tier covers, how the tiers interact with the operational obligations elsewhere in the Act, and what evidence holds up under enforcement.
Mandate
Article 99 establishes the penalty regime that backs the substantive obligations of the EU AI Act. Member States are required to lay down national penalty rules consistent with the Article 99 framework and to ensure those rules are effective, proportionate, and dissuasive.
The penalties apply to providers, deployers, importers, distributors, and authorized representatives of AI systems. Member States may apply lower penalties for SMEs and start-ups. The Commission retains a separate penalty regime for general-purpose AI model providers under Article 101, which can reach €15 million or 3% of total worldwide annual turnover.
Tier 1: prohibited practices (€35M / 7%)
The highest tier applies to violations of Article 5, which prohibits certain AI practices outright. The prohibited list includes systems that deploy subliminal techniques to materially distort behavior, systems that exploit vulnerabilities of specific groups, social scoring by public authorities, predictive policing based solely on profiling, untargeted scraping of facial images for facial recognition databases, emotion inference in workplaces and educational settings, biometric categorization based on sensitive attributes, and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes. Most enterprise AI deployments do not fall under Tier 1.
Tier 2: high-risk non-compliance (€15M / 3%)
The middle tier covers the bulk of operational AI compliance work. It applies to non-compliance with provider obligations under Articles 16 to 22, deployer obligations under Article 26, transparency obligations under Articles 13 and 50, record-keeping obligations under Article 12 and Article 19, human oversight obligations under Article 14, and the conformity assessment obligations under Article 43. For most enterprise deployments, Tier 2 is the relevant exposure.
Tier 3: supplying misleading information (€7.5M / 1%)
The lower tier applies to supplying incorrect, incomplete, or misleading information to notified bodies and national competent authorities in reply to a request. The tier sits separately from the substantive compliance obligations. A deployer that fails Article 26 monitoring and then misrepresents the failure to the authority faces both the Tier 2 penalty for the substantive failure and the Tier 3 penalty for the misrepresentation.
Compliance gap
Most organizations I look at have built compliance posture around Tier 1 because Tier 1 is the headline number. The operational exposure sits in Tier 2.
The Tier 2 exposure is per obligation, not per system
A single high-risk deployment can incur multiple Tier 2 penalties across distinct obligations. A deployer that fails Article 12 record-keeping, Article 13 transparency, and Article 26 monitoring faces three distinct compliance findings. National authorities can aggregate, but the substantive basis for each finding stands independently. Treating Tier 2 as a single €15 million exposure misreads the structure.
Evidence drives the multiplier
Each tier's figure is a cap. The actual penalty within the cap turns on the nature, gravity, and duration of the infringement, whether it was intentional or negligent, prior infringements, cooperation with the authority, and the size of the entity. Cooperation requires the entity to produce evidence on demand. A deployer that cannot produce the audit trail Article 19 expects faces both the structural failure of the record-keeping obligation and a worse multiplier in the penalty calculation, because the absence of evidence is treated as an inability to cooperate.
Tier 3 is the audit-failure tier
Tier 3 is the supplying-misleading-information tier. The misleading information does not have to be intentional. Incomplete information supplied in good faith can trigger Tier 3 if the authority concludes the information was incomplete in a material way. The structural answer to Tier 3 exposure is to have the evidence to respond completely. Deployers who can produce the per-decision audit record do not have to estimate, paraphrase, or extrapolate when the authority asks.
What the architecture must produce
An architecture that minimizes Article 99 exposure produces, for every high-risk decision, evidence that the underlying obligations were satisfied at the time of the decision. The evidence is structured, signed, retained for the applicable period, and available to the deployer on demand.
The evidence has to map to specific obligations. The Article 12 record proves automatic recording. The Article 19 record proves retention and content compliance. The Article 13 instructions for use prove transparency. The Article 26 monitoring record proves human oversight functioned. Tier 2 enforcement against any individual obligation is rebutted by the corresponding evidence. Tier 3 exposure is reduced because the deployer can respond completely.
The architecture that produces this evidence is the same architecture that produces compliance under the rest of the Act. The penalty exposure is the financial restatement of the substantive obligations.
DeepInspect
This is the evidence infrastructure that backs the penalty rebuttal. DeepInspect sits as a stateless proxy between authenticated users and the LLM. Every request produces a signed per-decision record containing identity, role, policy version, data classification, outcome, and timestamp. The records are retained for the deployer's specified period, searchable across deployments, and produced on demand.
For Article 99, that record set is the evidence layer that rebuts Tier 2 findings and reduces Tier 3 exposure. The Article 12 obligation is satisfied structurally. The Article 19 retention is enforced. The Article 26 monitoring evidence is generated per request. The deployer responding to an authority inquiry produces complete records rather than estimates.
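As an added illustration of the signed per-decision record described above (not DeepInspect's own code or record format; the field names, the HMAC-SHA256 signing scheme, the key and the sample values are assumptions), a minimal signer, a verifier that rejects a record altered after signing, and a response routine that returns verified records for one deployment without silently dropping records that fail verification:

```python
import hashlib
import hmac
import json

# Constructed signing key for this example only; a real deployment would hold
# the key in a KMS/HSM and rotate it, keeping old keys for verification.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Fields the page lists for a per-decision record (assumed names).
RECORD_FIELDS = ("deployment", "identity", "role", "policy_version",
                 "data_classification", "outcome", "timestamp")

def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation so identical records sign identically."""
    body = {field: record[field] for field in RECORD_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record: dict, key: bytes = SIGNING_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 signature attached."""
    missing = [f for f in RECORD_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record is missing required fields: {missing}")
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "signature": tag}

def verify_record(record: dict, key: bytes = SIGNING_KEY) -> bool:
    """True only if every signed field is unchanged since signing."""
    tag = record.get("signature")
    if not isinstance(tag, str):
        return False
    try:
        expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    except KeyError:
        return False  # a signed field was removed after signing
    return hmac.compare_digest(tag, expected)

def produce_on_demand(records: list, deployment: str) -> dict:
    """Answer a request for one deployment: verified records are returned in
    full and records failing verification are counted, not silently dropped,
    so the response is complete rather than an estimate."""
    verified, unverifiable = [], []
    for rec in records:
        if rec.get("deployment") != deployment:
            continue
        (verified if verify_record(rec) else unverifiable).append(rec)
    return {"deployment": deployment, "records": verified,
            "unverifiable_count": len(unverifiable)}

# Constructed sample decision, not real data.
SAMPLE = sign_record({
    "deployment": "hr-screening", "identity": "u-1042", "role": "recruiter",
    "policy_version": "2026.07", "data_classification": "personal",
    "outcome": "allowed", "timestamp": "2026-08-03T09:15:00Z"})
```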
If you are running AI in a high-risk category and your Article 99 exposure depends on each application's own ability to produce records under inquiry, that exposure remains open.
Book a demo today.
Frequently asked questions
- Does the percentage-of-turnover penalty apply to subsidiaries or to the global group?
Article 99 sets the penalty as €X million or Y% of total worldwide annual turnover for the preceding financial year, whichever is higher. The worldwide annual turnover is the group's consolidated turnover. A subsidiary that fails an obligation can be subject to a penalty calculated against the group's turnover, not the subsidiary's standalone turnover. The interaction with national procedural law varies by Member State, but the Commission's guidance treats consolidated turnover as the baseline.
- Are there reduced penalties for SMEs and start-ups?
Article 99 allows Member States to lay down lower penalties for SMEs and start-ups. The discretion sits with the national authority. The reduction is not automatic and depends on how the Member State has transposed the framework into national law. The Commission has signaled a preference for proportionate penalties for SMEs, and several Member States are expected to introduce specific SME tiers in their national implementation. The 7% / 3% / 1% percentage caps still apply, but the absolute caps may be reduced.
- Can a single incident trigger multiple penalty tiers?
Yes. A prohibited practice violation under Article 5 carries Tier 1 exposure. If the entity also fails the related transparency obligation and misrepresents the failure to the authority, Tier 2 and Tier 3 stack on top. Member State authorities can aggregate the penalties into a single sanctioning decision, but the substantive basis for each finding can be assessed independently. The aggregation rules vary by Member State and remain subject to the proportionality principle that governs the framework as a whole.
- How does Article 99 interact with the GDPR penalty regime?
GDPR and the EU AI Act run in parallel. A breach that violates both regimes can trigger penalties under each. GDPR's tier reaches €20 million or 4% of global turnover. A deployer that fails Article 12 record-keeping under the AI Act and also fails GDPR's records-of-processing obligation can face both penalties for the same underlying incident, on different substantive grounds. The ne bis in idem principle limits double-jeopardy within a single substantive basis, but the AI Act and GDPR are treated as distinct substantive regimes for penalty purposes.
- When does the Article 99 penalty regime begin to apply?
The general application date of the EU AI Act is August 2, 2026, at which point the high-risk obligations and the penalty framework backing them take effect. Article 5 prohibited practices took effect earlier, on February 2, 2025, and the related Tier 1 penalty exposure has been live since then. General-purpose AI model obligations under Articles 50 to 56 are subject to a separate phase-in that completes by August 2, 2027.