EU AI Act Fines: How Article 99 Sets €35M / €15M / €7.5M Tiers and Who Pays Each One
Article 99 of the EU AI Act sets three penalty tiers. €35 million or 7% of global turnover for prohibited practices. €15 million or 3% for high-risk non-compliance. €7.5 million or 1% for supplying misleading information. The high-risk tier is the one that lands on most enterprise deployers, and the math is set up so that the higher of the absolute number and the percentage applies.

Article 99 of the EU AI Act sets three penalty tiers for non-compliance, and the structure of the article matters more than the headline numbers. The top tier reaches €35 million or 7% of global annual turnover, whichever is higher. The middle tier sits at €15 million or 3%. The supplying-misleading-information tier sits at €7.5 million or 1%. The "whichever is higher" rule is the critical clause. A €2 billion enterprise deployer faces a €60 million ceiling on the middle tier, not €15 million. The high-risk system requirements take effect August 2, 2026, and most enterprise AI deployments today produce zero of the records Article 12 and Article 19 will require an auditor to see.
I want to walk through which tier applies to which conduct, how the math actually computes for a regulated enterprise, and which architectural failures map directly to a finding under each tier.
Mandate
Article 99 codifies three categories of conduct and assigns a maximum fine to each.
The €35 million / 7% tier (prohibited practices)
The top tier applies to conduct prohibited under Article 5. Examples include social scoring by public authorities, real-time biometric identification for law enforcement outside narrow exceptions, and exploitation of vulnerabilities of specific groups. Most enterprise AI deployments do not sit in this tier. A regulated enterprise running a copilot for back-office finance, a healthcare summarization tool, or a customer-service LLM is not engaging in an Article 5 prohibited practice. The Commission aimed this tier primarily at sovereigns and at the small set of vendors who build AI systems with social-scoring or biometric-surveillance use cases.
The €15 million / 3% tier (high-risk non-compliance)
The middle tier is the one most enterprise deployers should plan around. It applies to non-compliance with the high-risk system obligations in Article 16 through Article 27, which include the Article 12 record-keeping mandate, the Article 13 transparency obligation, the Article 14 human oversight requirement, the Article 16 quality management system, and the Article 26 deployer obligations.
A finding here can be triggered by a single auditable failure. The audit visit asks: produce the logs for AI request 47832 against your high-risk system. If the deployer cannot produce a per-decision record containing identity, data classification, policy state, and decision outcome, the finding is non-compliance with Article 12. The fine ceiling is €15 million or 3% of global turnover, whichever is higher.
The €7.5 million / 1% tier (incorrect, incomplete, or misleading information)
The third tier covers supplying incorrect, incomplete, or misleading information to notified bodies or to the national competent authority. The conduct here is a documentation failure during the conformity assessment or post-market monitoring process. The deployer represents the system as having capability X. The auditor finds capability X is absent. The finding is in this tier even if the underlying high-risk system is otherwise compliant.
The "higher of" rule
Each tier is structured as "X million or Y% of total worldwide annual turnover for the preceding financial year, whichever is higher." The percentage is the binding constraint for any enterprise with more than approximately €500 million in turnover at the middle tier, and approximately €214 million at the top tier. The absolute caps are floors, not ceilings.
Compliance gap
Most enterprise AI deployments today have no architecture that produces the records the middle tier presumes exist.
The application-controlled audit log fails the Article 12 test
When the application that calls the model also writes the compliance log, the audit record has three failure modes. Selective logging: the application logs successes and misses edge cases. Suppression: logs can be wiped by the same software that failed. Loss on crash: the application crashes after the model responds but before the log commits. A regulator reviewing a high-risk system that produced harm asks for an immutable record showing identity, classification, policy state, and decision outcome at the moment of the request. An application-controlled JSON log fails every part of that question.
Identity context is missing at the request layer
Article 19 requires the log to identify the natural persons involved in result verification. Most enterprise AI deployments call the model API with a static service credential or an application API key. The credential identifies the application, not the human or agent acting through it. Without identity context attached at the HTTP request layer, the log either omits the natural person or fabricates one from a session-cookie heuristic. The Article 19 record fails the identity check.
Data classification is not evaluated at request time
Article 19 requires the log to capture the input data that led to a result. Reconstructing classification after the fact, weeks after the request, fails the contemporaneous-record test. The classification must be present in the record at the moment of decision.
Vendor-embedded AI is invisible to the deployer
A material share of enterprise AI usage flows through SaaS vendors who embed model calls under the hood. The customer-service vendor uses an LLM to summarize tickets. The credit-decisioning vendor uses ML to flag high-risk applications. The deployer's environment never sees the prompt, the response, or the data classification. The Article 26 deployer obligation does not transfer to the vendor. The deployer owns the disclosure on demand.
Mandate vs Compliance
The text of Article 99 reads at one level of abstraction. The infrastructure that survives a regulatory review sits several levels lower. The gap between them is where most enterprises are exposed.
Disclosure test
A regulator asks: produce the audit record for AI request 47832 against your high-risk system, including the identity of the requester, the classification of the data in the prompt, the policy version that governed the decision, and the decision outcome. A compliant architecture produces this within minutes. A non-compliant architecture produces unstructured application logs, missing fields, and a workflow of engineers reconstructing context from production traces. The disclosure failure itself can trip the €7.5 million tier even if the underlying decision was correct.
Vendor liability
Microsoft and SAP declined to comment when The Register asked the major AI vendors how much liability they accept for AI agent decisions. Oracle, Salesforce, ServiceNow, and Workday did not respond. Under Article 26, the deployer obligation does not transfer through a contract clause. The deployer remains the regulated party.
Compliance gap
The compliance gap is architectural. The records the middle tier presumes exist are not produced by application logs, by network firewalls, or by model-side guardrails. They are produced by an inspection layer that sits inline on the AI request path and writes the per-decision record before the model response returns to the application.
DeepInspect
This is the architecture the EU AI Act requires the deployer to provide. DeepInspect sits at the AI request boundary as an external enforcement layer that operates as a stateless proxy between authenticated users or agents and the LLM endpoint. Every HTTP request is evaluated against per-route, per-role policies using identity context the application supplies. The per-decision record is committed by the proxy, independent of the application, before the model response returns to the calling system.
The record contains a verified identity, the role and authorization context, the data classification applied to the prompt, the policy version that governed the decision, the decision outcome, and a cryptographic signature that prevents post-hoc modification. The record is the artifact a regulator accepts under Article 12 and Article 19. Production latency stays under 50 ms in internal testing, which keeps the enforcement layer outside the model inference budget.
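As an added illustration (not DeepInspect's code or the page's own), the following Python sketch shows the pattern described above and the disclosure test earlier on the page: an inline layer that commits a signed per-decision record (identity, role, data classification, policy version, decision) before the model is called, answers the "produce the record for request 47832" question by id, and detects post-hoc edits through an HMAC chain. The classifier rule, the policy rule, and the signing key are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed signing key; in practice it lives with the inspection layer, never with the calling application.
SIGNING_KEY = b"example-inspection-layer-key"

def classify(prompt):
    """Constructed stand-in for a data classifier: flags financial identifiers as restricted."""
    return "restricted" if any(tag in prompt for tag in ("IBAN", "SSN")) else "internal"

def sign(body):
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

class InspectionLayer:
    """Inline decision point: writes the signed per-decision record before any model call."""
    def __init__(self):
        self.records = []
        self.last_sig = "genesis"  # each record chains to the previous record's signature

    def handle(self, request_id, identity, role, prompt, policy_version, call_model):
        classification = classify(prompt)
        # Example policy (assumed): restricted data may only be sent by the finance-analyst role.
        allowed = classification != "restricted" or role == "finance-analyst"
        body = {
            "request_id": request_id, "identity": identity, "role": role,
            "classification": classification, "policy_version": policy_version,
            "decision": "allow" if allowed else "deny",
            "ts": time.time(), "prev_sig": self.last_sig,
        }
        record = dict(body, sig=sign(body))
        self.records.append(record)  # committed before the model is called, independent of the app
        self.last_sig = record["sig"]
        return record, (call_model(prompt) if allowed else None)

    def disclose(self, request_id):
        """The regulator's question: produce the record for a given request id."""
        return next((r for r in self.records if r["request_id"] == request_id), None)

    def verify_chain(self):
        """Detect any post-hoc edit, deletion, or reordering of committed records."""
        prev = "genesis"
        for record in self.records:
            body = {k: v for k, v in record.items() if k != "sig"}
            if body["prev_sig"] != prev or not hmac.compare_digest(sign(body), record["sig"]):
                return False
            prev = record["sig"]
        return True
```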
If you are facing the August deadline, let's talk.
Beyond the EU AI Act
The same architecture satisfies adjacent regimes. DORA Article 19 requires log retention and contemporaneous records for digital operational resilience in financial services. Fannie Mae Lender Letter LL-2026-04 takes effect August 6, 2026 and requires disclosure on demand for AI and ML decisions in mortgage origination. Texas TRAIGA, the Texas Responsible AI Governance Act, took effect January 1, 2026 with civil penalties and AG enforcement. The vocabulary differs across these regimes. The architectural pattern that satisfies each one is the same: an inspection layer on the AI request path that writes the audit record independent of the application.
Frequently asked questions
- How are EU AI Act fines actually calculated?
Each tier specifies an absolute cap and a percentage of global annual turnover. The fine is the higher of the two. A €2 billion enterprise faces a €60 million ceiling at the middle tier, not €15 million. The €15 million figure is the floor for smaller deployers. The Commission and national competent authorities have discretion within the cap based on the gravity, duration, and intentional or negligent nature of the violation, the cooperation of the deployer, and prior history.
- Who decides which tier applies?
The national competent authority in the member state where the deployer is established or where the conduct occurred. Each member state designates its own competent authority. For multi-state deployers, the EU AI Office coordinates cross-border enforcement and handles the general-purpose AI category directly. Member state authorities cooperate through the AI Board.
- Does the deployer pay or the vendor pay?
Under Article 26, the deployer of a high-risk AI system bears the deployer obligations regardless of who developed or supplied the system. Contractual indemnification clauses with vendors do not transfer the regulatory obligation. The deployer is the regulated party in any audit visit. A finding against the deployer cannot be cured by pointing at a vendor contract.
- When do these fines start being assessed?
The high-risk system obligations and the corresponding penalty tier take effect August 2, 2026. The prohibited-practices tier (Article 5) and the related Article 99 penalties took effect February 2, 2025. The general-purpose AI obligations took effect August 2, 2025. Enforcement maturity will vary across member states, but the legal exposure begins on each respective effective date.
- What about SMEs and startups?
Article 99(6) requires authorities to take the size of the deployer into account when setting the fine, with a specific instruction to consider the economic viability of SMEs and startups. The absolute caps still apply as ceilings. The percentages still apply as floors below those ceilings. The practical effect is that a €5 million startup facing a Tier 2 finding will see a fine closer to the percentage figure than to €15 million, but the regulator is not required to issue a token penalty.