Article 99: Penalties

The highest fines (€35M / 7%) apply to prohibited practices. For non-compliance with high-risk obligations: up to €15M / 3%. For incorrect information: €7.5M / 1%. Ensure your compliance is in order — the cost of a fine far exceeds the investment in compliance.

Deployers can also be fined for non-compliance. Fines are proportional to your turnover. Document your compliance efforts — this can be a mitigating factor in case of a violation.

SMEs and startups face lower fine caps. But being small is not an exemption — obligations apply in full. The good news: the AI Act takes proportionality into account.

Member States decide whether fines apply to public bodies. In the Netherlands, this is still being worked out. Prepare as if fines do apply.

The AI Act has three fine categories: up to €35 million or 7% turnover for prohibited practices, up to €15 million or 3% for other violations, and up to €7.5 million or 1% for providing incorrect information.

Yes, small and medium-sized enterprises (SMEs) and startups are subject to proportionally lower fine caps.

Article 99 of the AI Act does not provide a general exemption for SMEs. However, the AI Act includes supportive measures and potentially lighter obligations for small and medium-sized enterprises, depending on their role in the AI value chain.

Article 99 of the AI Act complements the GDPR. While the GDPR protects personal data, the AI Act focuses on the safety and trustworthiness of AI systems. Organisations must comply with both regulations when their AI system processes personal data.

The AI Act follows a phased implementation. Prohibited AI practices apply from February 2025, obligations for high-risk AI systems from August 2026, and other provisions take effect gradually. The specific deadline for Article 99 depends on the category of the obligation.

Yes, Article 99 of the AI Act may also be relevant when you purchase AI systems. As a deployer, you have your own obligations under the AI Act, regardless of whether you developed the system yourself or purchased it from a provider.

Under Article 99 of the AI Act, the provider is the entity that develops or places the AI system on the market, while the deployer is the entity that uses the system under its own authority. Both roles carry different obligations.

Article 99 of the AI Act requires that relevant documentation is maintained as part of the compliance process. This may include technical documentation, instructions for use, logs or declarations of conformity, depending on the classification of the AI system.

The AI Act has three categories: (1) up to €35 million or 7% of worldwide annual turnover for prohibited AI practices, (2) up to €15 million or 3% for violation of other obligations, and (3) up to €7.5 million or 1.5% for providing incorrect information to authorities.

The maximum AI Act fines (up to 7% turnover) are higher than maximum GDPR fines (up to 4% turnover). In case of overlap — when a violation concerns both the AI Act and GDPR — the fine ceiling of the regulation with the highest cap applies. Double fines are not imposed for the same violation.

Yes, Article 99(6) provides that for small and medium-sized enterprises (including startups) fines must be proportionate. Fine caps are calculated as a percentage of turnover or as a fixed amount, with the lower amount applying. This effectively provides protection for smaller organisations.

Fines are imposed by national market surveillance authorities of EU Member States. In the Netherlands, the Autoriteit Persoonsgegevens (Dutch DPA) has been designated as the supervisory authority for the AI Act. For GPAI models, the European Commission (via the AI Office) has direct enforcement powers.

The AI Act directs fines primarily at organisations (providers, deployers). However, personal liability can arise from national law, for example through director liability if it appears executives were negligent in complying with legal obligations.