Penalty Tiers (Art. 99)
Article 99 establishes three penalty tiers calibrated to violation severity. Tier 1 covers prohibited AI practices (Article 5), with maximum fines of EUR 35 million or 7% of global annual turnover. Tier 2 covers high-risk system obligation breaches (Articles 8–15, 16, 17, 25–27, 43–49), with maximum fines of EUR 15 million or 3% of turnover. Tier 3 covers providing incorrect, incomplete, or misleading information, with maximum fines of EUR 7.5 million or 1% of turnover.
The higher of the two amounts (absolute figure or turnover percentage) applies, except for SMEs and start-ups where Article 99(6) provides that the lower amount applies. Tier 1’s maximum exceeds GDPR’s penalty ceiling, signalling the Act’s prioritisation of fundamental rights protection.
Tier 2 covers the obligations most directly relevant to AISDP preparation: inadequate technical documentation, failure to conduct conformity assessment, missing EU database registration, inadequate human oversight, absent post-market monitoring, and delayed serious incident reporting. Article 99(4) applies broadly to non-compliance with any requirement or obligation under the Regulation, extending beyond the commonly enumerated articles.
Key outputs
- Three-tier penalty structure documented with thresholds
- Tier 2 obligations mapped to AISDP activities
- SME and start-up reduced threshold awareness
- Module 10 AISDP documentation
Enforcement Triggers
Competent authorities may initiate enforcement proceedings through several channels: proactive market surveillance (systematic review of AI systems in the jurisdiction), reactive investigation following a complaint from an affected person, deployer, or competitor, the provider’s own Article 73 serious incident notification prompting broader investigation, cross-border referral from another member state’s authority, or media and civil society reporting drawing attention to a system’s behaviour.
The AISDP is central to the enforcement process. The authority’s first request will typically be for the complete technical documentation. An AISDP that is incomplete, inconsistent with the deployed system, or unsupported by evidence is itself a non-compliance finding triggering Tier 2 penalties. The AISDP is therefore both the object of scrutiny and the organisation’s primary defence.
Maintaining inspection readiness is the practical response to enforcement trigger risk.
Key outputs
- Five enforcement trigger channels identified
- AISDP as primary evidence in enforcement proceedings
- Inspection readiness as trigger risk mitigation
- Module 10 AISDP documentation
Mitigating Factors (Art. 99(7))
Article 99(7) directs competent authorities to consider mitigating and aggravating factors when determining penalty amounts. Mitigating factors include the nature, gravity, and duration of the infringement; whether corrective actions were taken promptly; the degree of cooperation with the authority; the technical and organisational measures the provider had implemented; whether the provider proactively brought the infringement to the authority’s attention; and the size, annual turnover, and market share of the operator committing the infringement.
Aggravating factors include the deliberate nature of the infringement, failure to take corrective action after authority identification, and a history of previous infringements.
The practical implication is that the quality of the compliance programme is itself a mitigating factor. An organisation that can demonstrate a thorough AISDP, a functioning PMM system, responsive incident reporting, and a cooperative posture will face materially lower penalty exposure. The AISDP is both the document the authority reviews and part of the evidence determining the consequence of any deficiency found.
Key outputs
- Mitigating factors mapped to AISDP activities
- Thorough AISDP as penalty reduction evidence
- Cooperative posture and proactive disclosure as mitigation
- Module 10 AISDP documentation