Penalty Framework Overview
Understanding the AI Act's administrative fine structure.
Learning Objectives
By the end of this chapter, you will be able to:
- Explain the three-tier penalty structure under Article 99
- Calculate maximum penalty exposure for different violations
- Apply turnover calculation rules including group considerations
- Understand SME and startup proportionality provisions
- Compare AI Act penalties with other EU regulatory frameworks
The AI Act Penalty Framework (Article 99)
The AI Act establishes one of the most significant penalty regimes in EU regulatory history, with maximum fines rivalling those under GDPR and exceeding many sector-specific regulations.
Penalty Structure Overview
| Tier | Maximum Fine (€) | Maximum Fine (% Turnover) | Which Applies | Violations |
|---|---|---|---|---|
| Tier 1 | €35 million | 7% worldwide turnover | Whichever is higher | Prohibited AI practices (Article 5) |
| Tier 2 | €15 million | 3% worldwide turnover | Whichever is higher | Most AI Act requirements |
| Tier 3 | €7.5 million | 1% worldwide turnover | Whichever is higher | Information violations |
Tier 1: Prohibited AI Practices (€35M / 7%)
Covered Violations
Tier 1 applies to violations of Article 5 prohibited AI practices:
| Prohibited Practice | Article | Examples |
|---|---|---|
| Subliminal manipulation | Article 5(1)(a) | Hidden persuasion techniques, dark patterns causing harm |
| Exploitation of vulnerabilities | Article 5(1)(b) | Targeting children, disabled persons, economically vulnerable |
| Social scoring | Article 5(1)(c) | General-purpose social credit systems |
| Real-time remote biometric ID | Article 5(1)(h) | Facial recognition in public spaces (law enforcement exceptions) |
| Biometric categorisation | Article 5(1)(g) | Inferring race, religion, sexual orientation from biometrics |
| Emotion recognition in workplaces/schools | Article 5(1)(f) | AI detecting emotions in employment/education contexts |
| Predictive policing (individuals) | Article 5(1)(d) | Crime prediction based solely on profiling |
| Facial image scraping | Article 5(1)(e) | Untargeted internet/CCTV facial database creation |
Risk Assessment
| Factor | Impact on Risk |
|---|---|
| Intentionality | Deliberate prohibited use = maximum severity |
| Scale | Number of affected persons increases severity |
| Duration | Longer violation periods increase exposure |
| Harm caused | Actual harm to individuals raises severity |
Compliance Note
Prohibited practice violations carry the highest penalties and are likely enforcement priorities. Zero tolerance is the only acceptable approach.
Tier 2: General AI Act Violations (€15M / 3%)
Covered Violations
Tier 2 covers the broadest range of AI Act requirements:
| Category | Specific Violations | Article References |
|---|---|---|
| High-Risk AI Requirements | Risk management, data governance, technical documentation, transparency, accuracy, human oversight, cybersecurity | Articles 8-15 |
| Provider Obligations | Quality management, conformity assessment, registration, post-market monitoring | Articles 16-25 |
| Deployer Obligations | Use in accordance with instructions, human oversight, data retention, transparency to users | Article 26 |
| Transparency Requirements | AI-generated content marking, disclosure of AI use | Article 50 |
Note: GPAI provider violations (Articles 51-56) are not penalised under Article 99 Tier 2. They fall under the separate Commission enforcement regime in Article 101. See the GPAI-Specific Fines section below.
Violation Scenarios and Exposure
| Scenario | Likely Penalty Range | Factors |
|---|---|---|
| Complete absence of conformity assessment | Upper range | Fundamental breach |
| Documentation gaps | Mid range | Depends on severity |
| Minor technical non-compliance | Lower range | If good faith evident |
| Multiple concurrent violations | Cumulative | Each violation assessed |
| Systemic compliance failure | Upper range | Organisational culpability |
Tier 3: Information Violations (€7.5M / 1%)
Covered Violations
Tier 3 addresses the integrity of regulatory information:
| Violation | Description | Context |
|---|---|---|
| Incorrect information | Factually wrong information provided | Response to authority requests |
| Incomplete information | Material omissions | Failing to disclose relevant facts |
| Misleading information | Information designed to deceive | Creating false impressions |
| Information to notified bodies | False information to conformity assessors | Conformity assessment process |
| Information to authorities | False information to competent authorities | Investigations, audits |
Aggravating Circumstances
| Circumstance | Effect |
|---|---|
| Deliberate falsification | Upper penalty range |
| Obstruction of investigation | Severe view taken |
| Repeat information violations | Cumulative penalties possible |
| Material impact on decisions | Higher severity |
Expert Insight
Tier 3 is often underestimated but can be particularly damaging. Beyond the direct penalty, information violations undermine trust with authorities and may lead to enhanced scrutiny of all compliance claims.
Turnover Calculation
Basic Calculation (Article 99(3))
| Element | Definition |
|---|---|
| Total worldwide annual turnover | Full annual revenue from all sources |
| Preceding financial year | Most recent complete financial year |
| Worldwide | Global turnover, not EU only |
| Undertaking | Economic unit, may include parent company |
Group and Parent Company Considerations
| Scenario | Turnover Basis |
|---|---|
| Subsidiary violator | May include parent company turnover |
| Joint ventures | Depends on control and economic unity |
| Group economic unit | Consolidated group turnover possible |
| Multiple subsidiaries | Combined entity assessment |
Calculation Examples
| Company Profile | Turnover | Tier 1 (7%) | Tier 2 (3%) | Tier 3 (1%) |
|---|---|---|---|---|
| Large multinational | €50 billion | €3.5 billion | €1.5 billion | €500 million |
| Mid-size enterprise | €500 million | €35 million (cap) | €15 million (cap) | €7.5 million (cap) |
| Growth company | €100 million | €35 million (cap) | €15 million (cap) | €7.5 million (cap) |
| SME | €5 million | €350,000 | €150,000 | €50,000 |
| Startup | €500,000 | €35,000 | €15,000 | €5,000 |
"Whichever is Higher" Rule
| Company | Turnover | Fixed Cap | % Calculation | Applied Penalty (Tier 1) |
|---|---|---|---|---|
| TechCorp | €100 billion | €35 million | €7 billion | €7 billion (% higher) |
| MidTech | €400 million | €35 million | €28 million | €35 million (cap higher) |
| SmallTech | €10 million | €35 million | €700,000 | €35 million (cap higher) |
SME and Startup Provisions (Article 99(6))
Proportionality Requirements
The AI Act requires proportionate treatment of SMEs and startups:
| Provision | Application |
|---|---|
| Lower cap applies | For SMEs, whichever of the fixed € amount and the % of turnover is lower applies |
| Financial capacity | Must consider ability to pay |
| Proportionality | Penalty must be proportionate to violation |
| First infringement | Mitigating factor for SMEs |
| Good faith efforts | Compliance efforts considered |
SME Definition
| Criteria | Micro | Small | Medium |
|---|---|---|---|
| Employees | < 10 | < 50 | < 250 |
| Annual turnover | ≤ €2 million | ≤ €10 million | ≤ €50 million |
| Balance sheet | ≤ €2 million | ≤ €10 million | ≤ €43 million |
Practical Effect for SMEs
| SME Size | Tier 1 Exposure | Tier 2 Exposure | Context |
|---|---|---|---|
| Medium (€50M) | Up to €3.5M (7%) | Up to €1.5M (3%) | Still significant |
| Small (€10M) | Up to €700K (7%) | Up to €300K (3%) | Material but survivable |
| Micro (€2M) | Up to €140K (7%) | Up to €60K (3%) | Could threaten viability |
GPAI-Specific Fines (Article 101)
Article 101 establishes a separate penalty regime for GPAI model providers, enforced by the Commission (not national authorities):
| Violation | Maximum Fine |
|---|---|
| Infringement of GPAI provisions (Articles 51-56) | €15 million or 3% worldwide turnover |
| Failure to comply with information requests (Article 91) | €15 million or 3% worldwide turnover |
| Failure to provide access for evaluation (Article 92) | €15 million or 3% worldwide turnover |
| Failure to comply with Commission measures (Article 93) | €15 million or 3% worldwide turnover |
All GPAI-related violations under Article 101 share the same maximum penalty of €15 million or 3% of worldwide turnover, whichever is higher. There is no separate lower tier for incorrect information specific to GPAI providers under this article.
⚠️ Key Distinction: Unlike other AI Act penalties enforced by national authorities, GPAI fines are imposed directly by the Commission. Providers have the right to be heard, and decisions are subject to CJEU review.
EU Institution Fines (Article 100)
Article 100 establishes a separate reduced penalty regime for EU institutions, bodies, offices and agencies:
| Violation Type | Maximum Fine |
|---|---|
| Prohibited practices (Art. 5) | €1.5 million |
| Other AI Act violations | €750,000 |
Comparison with Other EU Regulatory Frameworks
Maximum Penalty Comparison
| Regulation | Maximum Fine | % Turnover | Notes |
|---|---|---|---|
| AI Act (Tier 1) | €35 million | 7% | Prohibited practices |
| GDPR | €20 million | 4% | Data protection violations |
| Digital Services Act | €6 million | 6% | Very large online platforms |
| Digital Markets Act | €20 million | 10% | Gatekeepers |
| Competition Law | No fixed cap | 10% | Cartels, abuse of dominance |
| NIS2 Directive | €10 million | 2% | Cybersecurity |
AI Act in Context
| Aspect | Observation |
|---|---|
| Absolute maximum | Among highest in EU law |
| Percentage cap | Second only to the DMA as a share of turnover |
| Scope | Applies to all AI operators, not just large platforms |
| Enforcement body | Mix of national authorities and AI Office |
Penalty Avoidance Strategy
Risk Prioritisation
| Priority | Violation Type | Action | Rationale |
|---|---|---|---|
| Critical | Prohibited practices | Complete elimination | Tier 1 penalties, no justification |
| High | High-risk AI without conformity | Full conformity assessment | Core requirement, high visibility |
| High | GPAI documentation gaps | Complete documentation | AI Office enforcement active |
| Medium | Transparency violations | Implement disclosures | User-facing, detectable |
| Medium | Post-market monitoring gaps | Establish systems | Ongoing compliance |
| Lower | Minor documentation deficiencies | Remediation plan | Good faith efforts count |
Penalty Exposure Calculator
| Input | Value |
|---|---|
| Global turnover | [Enter amount] |
| Entity type | Large / SME / Startup |
| AI system classification | Prohibited / High-risk / GPAI / Limited |
| Current compliance status | Full / Partial / Gaps / None |
| Violation history | First / Repeat |

| Output | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Maximum exposure | [Calculate] | [Calculate] | [Calculate] |
| Risk-adjusted estimate | [Estimate] | [Estimate] | [Estimate] |
What You Learned
Key concepts from this chapter
- The AI Act establishes **three penalty tiers** with maximum fines of €35M/7%, €15M/3%, and €7.5M/1%
- **GPAI providers** face a separate penalty regime under Article 101, enforced directly by the Commission (up to €15M/3%)
- **EU institutions** face reduced fines under Article 100 (up to €1.5M)
- **"Whichever is higher"** means large companies face % turnover penalties, while smaller companies face fixed € amounts
- **Turnover calculation** includes worldwide turnover and may include parent company/group turnover