The AI Act establishes a graduated penalty framework under Article 99, calibrated to the severity of the violation. National competent authorities hold investigative powers under Article 74 to detect and pursue non-compliance.

Three penalty tiers apply. The first tier covers prohibited AI practices (Article 5) and carries fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher. This is the highest penalty tier in the EU regulatory landscape, exceeding the GDPR’s maximum of EUR 20 million or 4%. The second tier covers breaches of high-risk system obligations under Articles 8 through 15, Articles 16 and 17, Articles 25 through 27, and Articles 43 through 49, with fines reaching EUR 15 million or 3% of global annual turnover. The third tier applies to providing incorrect, incomplete, or misleading information to notified bodies or competent authorities, carrying fines of up to EUR 7.5 million or 1% of turnover. For SMEs and start-ups, Article 99(6) provides that the lower of the two amounts (absolute figure or turnover percentage) applies.

Enforcement action may be triggered by proactive market surveillance, complaints from affected persons or deployers, the provider’s own serious incident notifications under Article 73, cross-border referrals from other member state authorities, or media and civil society reporting. The AISDP is central to enforcement; a competent authority’s first request will typically be for the complete technical documentation, and an AISDP that is incomplete or inconsistent with the deployed system is itself a non-compliance finding.

Article 99(7) directs competent authorities to consider mitigating factors when determining penalty amounts. A thorough AISDP, a functioning post-market monitoring system, responsive incident reporting, and a cooperative posture toward authorities will materially reduce penalty exposure. The AISDP is therefore both the document under review and part of the evidence that determines consequences.

Key outputs

None (contextual article)