
EU AI Act fines and penalties explained (2026)

"Up to 15 million euros" makes headlines. Here is how Article 99 actually works: the three tiers, the SME cap, who investigates, and what triggers them.

The three fine tiers of Article 99

| Violation | Maximum fine | Or percent of global turnover |
| --- | --- | --- |
| Prohibited AI practices (Article 5): social scoring, emotion recognition at work or school, manipulative AI, untargeted face scraping | €35,000,000 | 7% |
| Most other obligations, including Article 50 transparency (chatbot disclosure, AI content labels), high-risk system duties, GPAI duties | €15,000,000 | 3% |
| Supplying incorrect, incomplete or misleading information to authorities | €7,500,000 | 1% |

For each tier the applicable maximum is whichever amount is higher, except for SMEs and startups, where it is whichever is lower. That SME exception is written directly into Article 99(6) and it is the single most misunderstood part of the penalty regime.

What a realistic enforcement case looks like

Authorities do not open with the maximum. A typical path: a complaint or a sweep finds your chatbot with no AI disclosure. The authority requests information (answering incorrectly already risks the 1 percent tier). You get an order to comply within a deadline. Ignore it, and the fine arrives, sized to your turnover, your cooperation, whether the violation was negligent or intentional, and whether you profited from it. Every step is documented, which is exactly why your own dated evidence dossier matters: it converts "we never thought about this" into "we prepared in good faith, here is the paper trail".

Why competitors are the enforcement engine

Anyone can file a complaint with a market surveillance authority, and complaints are free. The realistic threat for a small business is not a Brussels task force; it is a competitor who lost a deal to you, an ex-employee, or a customer in a dispute. GDPR enforcement history shows the same pattern: the majority of investigations start with complaints, not sweeps.

The cheapest insurance is transparency

For limited-risk AI (chatbots, AI content), full compliance costs you a disclosure line, metadata labels, a transparency page, and a documented inventory. That is hours of work against a fine measured in percent of turnover. The economics are not subtle. Follow the 8-step compliance checklist or let ActHub generate the artifacts for you.

Frequently asked

Can a small business really be fined millions?

The maximums are "up to" amounts and fines must be effective, proportionate and dissuasive. For SMEs and startups, Article 99 explicitly caps each fine at the LOWER of the fixed amount or the percentage of turnover. A tiny business will not get the headline number, but four- or five-figure fines plus orders to stop using a system are realistic and painful.

Who actually issues the fine?

The national market surveillance authority of each EU member state, for example the FPS Economy in Belgium or the Bundesnetzagentur in Germany. They act on their own investigations or on complaints from anyone, including competitors and unhappy customers.

Is there a grace period after August 2, 2026?

No formal grace period for Article 50. The obligations became law in 2024 and the enforcement date is the grace period. Authorities do tend to focus early enforcement on the worst offenders and on companies that ignored warnings, which is why documented good-faith preparation matters.

Can I be fined under both GDPR and the AI Act?

Yes, they stack. An emotion recognition tool processing employee data without a legal basis can violate both laws at once, and both authorities can act.

Sources: Article 99 full text, Article 5 prohibited practices, European Commission AI policy.
