EU AI ACT — GUIDE
EU AI Act enforcement — who supervises, who fines, and how penalties are calculated
The EU AI Act is not enforced by a single Brussels agency. National market-surveillance authorities lead on providers and deployers of high-risk and prohibited AI systems. The European AI Office leads on general-purpose AI model providers. The European Data Protection Supervisor supervises Union institutions. This page maps out the supervisory architecture and walks through how Article 99 and Article 101 fines are actually calculated.
The supervisory architecture in one map
- National market-surveillance authorities (Article 70). Each Member State designates at least one notifying authority and at least one market-surveillance authority for AI systems. These are the bodies that handle providers, importers, distributors and deployers of high-risk AI systems and prohibited AI practices.
- European AI Office (Article 64 and Chapter IX Section 2). Established within the European Commission. Holds the exclusive power to supervise and enforce obligations of providers of general-purpose AI models under Chapter V.
- European Artificial Intelligence Board (Article 65). Composed of one representative per Member State. Coordinates national authorities, issues opinions, recommendations and best practices, and helps ensure consistent application across the Union.
- Advisory Forum (Article 67) and scientific panel of independent experts (Article 68). Stakeholder and expert input feeding into the AI Office and Board.
- European Data Protection Supervisor (Article 100). Acts as the market-surveillance authority for Union institutions, agencies and bodies under the AI Act, except for the Court of Justice acting in its judicial capacity.
- Data-protection authorities (Article 74(8)). For high-risk AI systems listed in points 1, 6 and 7 of Annex III used by law-enforcement, border-management, justice and democracy entities, Member States designate as market-surveillance authorities for the purposes of the regulation either the competent data-protection supervisory authorities under Regulation (EU) 2016/679 or Directive (EU) 2016/680, or any other authority designated under the same conditions.
- Financial-services authorities (Article 74(6) and (7)). For high-risk AI systems listed in point 5(b) of Annex III placed on the market, put into service or used by financial institutions regulated by Union financial-services law, the market-surveillance authority for the purposes of this Regulation is the relevant national authority responsible for the financial supervision of those institutions under that legislation.
Article 99 — three tiers of administrative fines
Article 99(1) requires Member States to lay down the rules on penalties applicable to infringements of the regulation by operators, to take all measures necessary to ensure that they are properly and effectively implemented, and to provide for effective, proportionate and dissuasive penalties. Article 99(3) to (5) set the ceilings:
- Article 99(3) — up to EUR 35 000 000 or 7% of total worldwide annual turnover, whichever is higher. For non-compliance with the prohibition of the AI practices referred to in Article 5.
- Article 99(4) — up to EUR 15 000 000 or 3% of total worldwide annual turnover, whichever is higher. For non-compliance with the obligations of providers, of authorised representatives, of importers, of distributors and of deployers, the requirements relating to notified bodies, and the transparency obligations under Article 50 — other than those listed in Article 99(3).
- Article 99(5) — up to EUR 7 500 000 or 1% of total worldwide annual turnover, whichever is higher. For the supply of incorrect, incomplete or misleading information to notified bodies or national competent authorities in reply to a request.
The SME tie-breaker — Article 99(6)
For SMEs, including start-ups, each fine referred to in Article 99 must be up to the percentages or the amount referred to in paragraphs 3 to 5, whichever thereof is lower. For larger operators the rule is the opposite (the higher of the two). This is a deliberate proportionality measure for SMEs.
What a national authority weighs — Article 99(7)
Article 99(7) lists the factors the authority must take into account when deciding whether to impose an administrative fine and the amount, in each individual case:
- the nature, gravity and duration of the infringement and of its consequences;
- whether other market-surveillance authorities have already applied fines to the same operator for the same infringement;
- whether fines have already been applied by other authorities to the same operator for infringements of other Union or national law, when such infringements result from the same activity or omission constituting a relevant infringement of this Regulation;
- the size, the annual turnover and market share of the operator committing the infringement;
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement;
- the degree of cooperation with the national competent authorities;
- the degree of responsibility of the operator taking into account the technical and organisational measures implemented by it;
- the manner in which the infringement became known to the national competent authorities, in particular whether, and if so to what extent, the operator notified the infringement;
- the intentional or negligent character of the infringement;
- any action taken by the operator to mitigate the harm suffered by the affected persons.
Article 101 — the dedicated GPAI fines
Article 101(1) gives the Commission the power to impose on providers of general-purpose AI models fines not exceeding 3% of their annual total worldwide turnover in the preceding financial year or EUR 15 000 000, whichever is higher, when the Commission finds that the provider intentionally or negligently infringed the relevant provisions of the regulation, failed to comply with a request for a document or for information under Article 91, failed to comply with a measure requested under Article 93, or failed to make available to the Commission access to the general-purpose AI model or general-purpose AI model with systemic risk with a view to conducting an evaluation pursuant to Article 92.
Article 101(2) requires the Commission, in fixing the amount of the fine or periodic penalty payment, to have regard to the nature, gravity and duration of the infringement, taking due account of the principles of proportionality and appropriateness.
Due process for the alleged breacher
- Right to be heard (Article 101(3) for GPAI; general administrative law for national authorities). Before adopting a decision pursuant to Article 101(1), the Commission must communicate its preliminary findings to the provider of the general-purpose AI model and give it an opportunity to be heard.
- Right to an effective judicial remedy (Article 78 GDPR analogue; AI Act recital on effective remedies). Decisions of supervisory authorities are subject to judicial review under national administrative law and, ultimately, the Charter of Fundamental Rights.
- Affected persons — Article 85. Any natural or legal person having grounds to consider that there has been an infringement may submit complaints to the relevant market-surveillance authority.
- Right to explanation — Article 86. Any affected person subject to a decision taken by the deployer on the basis of the output from a high-risk AI system listed in Annex III, with the exception of point 2, which produces legal effects or similarly significantly affects that person in a way that they consider to have an adverse impact on their health, safety or fundamental rights, has the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.
Common misconceptions
- “Article 99 fines are uniform across the EU.” The ceilings are uniform; the actual implementing rules, procedure and enforcement bodies are set by each Member State under Article 99(1).
- “The AI Office fines deployers.” The AI Office’s direct enforcement power under Article 101 is over providers of general-purpose AI models. Deployers are enforced against by the national market-surveillance authority of the Member State.
- “SMEs get a 50% discount.” The SME rule is structural: the cap is the lower of the percentage and the absolute amount, not a discount.
- “You can only be fined for high-risk AI breaches.” Article 50 transparency obligations carry the Article 99(4) tier 2 fine ceiling, even for non-high-risk systems.
Sources
- Regulation (EU) 2024/1689, Articles 50, 64, 65, 67, 68, 70, 74, 78, 85, 86, 88, 91, 92, 93, 99, 100, 101 — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
- European Commission — European AI Office overview: digital-strategy.ec.europa.eu/en/policies/ai-office
Note: National implementing legislation and designation of competent authorities varies across Member States. PowerQuant supplies compliance documentation; it does not represent operators in proceedings. For jurisdiction-specific advice consult counsel admitted in that Member State.
PowerQuant Module 1
AI inventory plus the documentation a market-surveillance authority is most likely to ask for first — Article 26 use record, Article 13 instructions for use, Article 14 oversight record and Article 26(6) log-retention statement — delivered in 5 working days. Fixed fee, no subscription.