EU AI Act Article 99
EU AI Act Article 99 sets the penalty framework for non-compliance with the rest of the Act. It defines three tiers. Tier 1 covers prohibited practices under Article 5 and carries fines of up to 35 million euro or 7 percent of global annual turnover, whichever is higher. Tier 2 covers high-risk system obligations under Articles 9 through 27 (including Article 12 logging) and carries fines of up to 15 million euro or 3 percent of turnover. Tier 3 covers supplying incorrect, incomplete, or misleading information to authorities and carries fines of up to 7.5 million euro or 1 percent.
How Article 99 is enforced
Each Member State designates a national competent authority that opens investigations, requests evidence, issues fines, and orders corrective measures. The European AI Board coordinates across Member States so a deployer operating in several jurisdictions faces a coordinated enforcement posture rather than a single regulator. The Article 12 logs are the central artifact the competent authority asks for during a review. When the logs lack identity context, policy state, or tamper-evidence, the deployer cannot rebut the regulator's reading of the incident, and the fine bracket moves toward the top of the tier.
How Article 99 interacts with SME relief and turnover calculation
Article 99 caps fines at the higher of the fixed euro amount or the turnover percentage for most entities. For small and medium enterprises and startups, the cap is the lower of the two figures. Turnover is calculated on the preceding financial year at the group level, which means a subsidiary inside a large group faces the parent-level turnover percentage even when the subsidiary's own revenue is small. The penalty calculus changes how the engineering organization scopes audit logging: under-investing in evidence infrastructure becomes a board-level risk decision once the tier brackets are on the table.
Related reading
- EU AI Act Article 99: The Penalty Tiers and What Triggers Each One
Article 99 of the EU AI Act sets three penalty tiers reaching 35M EUR or 7% of global turnover for prohibited practices, 15M EUR or 3% for high-risk non-compliance, and 7.5M EUR or 1% for supplying misleading information. The mandate takes effect August 2, 2026.
- EU AI Act Compliance Checklist: The 23 Items Your Deployment Must Pass
A 23-item operational checklist for EU AI Act high-risk compliance, organized across scope, documentation, evidence, monitoring, and incident reporting. The mandate takes effect August 2, 2026. Items 12 to 18 are where most deployments fail.
- How to Comply with the EU AI Act: The Six-Workstream Operating Plan
EU AI Act compliance breaks into six operational workstreams: scope classification, technical documentation, conformity assessment, runtime evidence, deployer monitoring, and incident reporting. The mandate takes effect August 2, 2026. Most organizations are running three of the six and missing the rest.