The three statutory tiers
| Tier | Cap | Triggers |
|---|---|---|
| Article 99(1) | EUR 35M or 7% global turnover (higher applies) | Article 5 prohibited practices: social scoring by public authorities, untargeted facial-image scraping, emotion recognition in workplace/education, biometric categorisation by sensitive characteristics, real-time RBI in public spaces outside Articles 5(2)–(7), predictive policing solely on profiling. |
| Article 99(2) | EUR 15M or 3% global turnover | Non-compliance with provider obligations under Article 16 (which incorporates Articles 9–15), authorised-representative duties (Art 22), importer duties (Art 23), distributor duties (Art 24), deployer duties (Art 26), notified-body duties (Art 31, 33, 34), transparency obligations (Art 50). |
| Article 99(3) | EUR 7.5M or 1% global turnover | Supplying incorrect, incomplete, or misleading information to authorities — including notified bodies — in connection with the AI Act. |
How "higher applies" works in practice
Article 99(4) directs that the maximum is the higher of the absolute amount and the turnover-based percentage. For a EUR 100M revenue company, 7% is EUR 7M — so the cap is EUR 35M (the absolute). For a EUR 1B revenue company, 7% is EUR 70M — so the cap is EUR 70M (the percentage). The "global turnover" basis is the corporate group's total worldwide annual turnover for the preceding financial year, not the offending subsidiary's revenue alone.
SMEs and start-ups
Article 99(6) requires the deciding authority to take into account the size of the undertaking and its annual turnover. Article 99(7) allows specifically for proportionality for SMEs and start-ups. In practice, national supervisors are signalling tiered enforcement guidance with reductions for small entities — but the statutory framework is the maximum cap, and an SME violating Article 5 still faces a Tier 1 cap of 7% of its (smaller) turnover.
GPAI provider penalties under Article 101
For GPAI providers, Article 101 establishes a parallel regime: the Commission may impose fines of up to 3% of the provider's total worldwide annual turnover or EUR 15M, whichever is higher, for breaching Article 53 obligations, Article 54 obligations for systemic-risk GPAI, or for failing to follow Commission decisions. The Article 101 process is administered by the AI Office at EU level, separate from national-authority enforcement of Article 99.
Article 99(6) decision factors
When deciding the amount within the cap, authorities must consider:
- Nature, gravity, and duration of the infringement and its consequences.
- Whether the same authority or other authorities have already imposed administrative fines on the same operator for the same infringement.
- Size, annual turnover, and market share of the operator.
- Whether the infringement was intentional or negligent.
- Cooperation by the operator with authorities.
- Degree of responsibility taking into account technical and organisational measures.
- Manner in which the infringement became known.
- Action taken to mitigate damage.
- Adherence to approved codes of conduct or certification mechanisms.
Practical exposure modelling
For finance and legal teams modelling AI Act exposure:
- Identify your worst-case Article 5 surface (prohibited practices). For most enterprises this is zero — you do not deploy prohibited practices. Confirm this rather than assuming.
- For Tier 2 exposure (Article 99(2)): the operative number is 3% of global turnover. Compare to 4% under GDPR; the AI Act is a meaningful step up.
- For Tier 3 (Article 99(3)): treat this as a process risk — incorrect information to authorities is fixable by good documentation hygiene.
- For dual-regime exposures (AI Act + GDPR + DORA + NIS2 on the same incident): authorities may impose fines under each regime independently. Build a stacked-cap exposure scenario for the worst-case event.