The EU AI Act establishes a three-tier penalty regime under Article 99, with administrative fines that exceed even GDPR penalties. Member States are responsible for enforcement, with upper limits set at the EU level. Following the Digital Omnibus political agreement of 7 May 2026, additional protections for SMCs (Small Mid-Caps) were introduced.
Non-compliance with the prohibited AI practices set out in Article 5 is subject to fines of up to EUR 35,000,000 or, if the offender is an undertaking, up to 7% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
This is the highest tier, reserved for the most serious violations: social scoring, exploitation of vulnerabilities, untargeted facial recognition scraping, and other banned practices. The Digital Omnibus political agreement of 7 May 2026 introduces an additional Article 5 prohibition (effective 2 December 2026) covering AI systems that generate or facilitate non-consensual intimate imagery and child sexual abuse material — bringing the same Tier 1 fines into scope.
Non-compliance with obligations of providers (Article 16), authorised representatives (Article 22), importers (Article 23), distributors (Article 24), deployers (Article 26), and notified bodies (Articles 31, 33) is subject to fines of up to EUR 15,000,000 or up to 3% of total worldwide annual turnover, whichever is higher.
This tier covers most registration-related violations, including failure to complete technical documentation, failure to conduct conformity assessment, failure to appoint an EU Authorised Representative (under Article 22 — the SecureFound mandate), and failure to register in the Article 71 database.
Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities is subject to fines of up to EUR 7,500,000 or up to 1% of total worldwide annual turnover, whichever is higher.
Article 99(7) lists the factors authorities must consider when determining the specific fine:
Article 99(6) provides that for SMEs, including start-ups, each fine shall be up to the percentages or absolute amount referred to in paragraphs 3, 4, and 5, whichever is lower. This means SMEs benefit from the lower of the two caps in each tier.
Post-trilogue update: The Digital Omnibus political agreement of 7 May 2026 introduces equivalent protections for Small Mid-Cap companies (SMCs) — defined as undertakings with 50–500 employees and €10M–€100M annual turnover. Once formally adopted, SMCs benefit from the same "whichever is lower" cap structure historically reserved for SMEs. Until OJEU publication, the original Article 99(6) text remains legally binding.
Article 99(8) specifies that when a violation also constitutes an infringement under other EU legislation (such as GDPR), only the higher of the applicable fines shall be imposed — not both.
All penalty amounts are from Article 99 of Regulation (EU) 2024/1689 (EU AI Act), Official Journal version of 13 June 2024. SMC protections from the Digital Omnibus political agreement of 7 May 2026 (pending OJEU publication).
Implementation Timeline — when enforcement begins (AI Office full powers: 2 August 2026)
Step-by-Step Guide — how to achieve compliance before the deadline
EU Authorised Representative via SecureFound — mandatory for non-EU providers
Lexara Advisory and SecureFound (Spain) guide US companies through every step — from classification to database submission.
Contact Lexara Advisory →Lexara Advisory LLC is an AI governance consulting firm, not a law firm. SecureFound (SECURE FOUND, S.L., Spain) is the strategic EU partner providing Article 22 / Article 54 EU Authorised Representative services. This content is for informational purposes only and does not constitute legal advice.
🤖 AI — not a human or lawyer