EU AI Act penalties are often quoted in headlines but rarely explained in operational terms. For SMEs, the practical question is not only "what is the maximum fine," but "what conditions increase enforcement exposure, and what controls reduce it?"
Under Article 99 of Regulation (EU) 2024/1689, administrative fines are tiered by infringement type:
- Up to EUR 35,000,000 or 7% of total worldwide annual turnover for breaches of prohibited AI practices (Article 5).
- Up to EUR 15,000,000 or 3% of total worldwide annual turnover for non-compliance with other obligations under the Regulation (for example, high-risk system obligations).
- Up to EUR 7,500,000 or 1% of total worldwide annual turnover for supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities.
The Regulation also requires authorities to consider proportionality factors (nature, gravity, duration, intent/negligence, mitigation, cooperation, prior infringements). In practice, company size does not remove exposure, but it does influence how proportionality is assessed.
The three enforcement lenses SMEs should understand
1) Severity of legal breach
Regulators look at what was violated and how material the violation is. A prohibited-practice breach is treated very differently from a delay in supplying administrative evidence.
2) Real-world impact
Did people experience rights harm, safety impact, denial of access, or discriminatory outcomes? Evidence of impact influences case gravity.
3) Corrective behavior
Did the company detect and correct quickly? Did it cooperate transparently? Demonstrable governance maturity can materially affect outcomes.
Why Article 99 framing matters in practice
Article 99 is often discussed as a fine table, but SMEs should treat it as a governance signal. Supervisory bodies evaluate context: duration, negligence level, mitigation quality, and recurrence. Organizations with active controls and traceable decision logs are better positioned than organizations with no records.
Practical penalty-reduction strategy for SMEs
- Keep a current AI inventory and classification rationale.
- Run prohibited-practice screening in product and procurement workflows.
- Document oversight controls for sensitive use cases.
- Log significant events, overrides, incidents, and corrective actions.
- Assign accountable owners for each control domain.
- Preserve an evidence pack for audits and procurement due diligence.
What usually triggers enforcement scrutiny
- User complaints about unfair or opaque outcomes
- Employee/worker concerns in HR automation contexts
- Incident disclosures without adequate containment
- Procurement due diligence revealing control gaps
- Media or civil-society scrutiny around rights-sensitive deployments
How to communicate risk internally
Translate legal exposure into business language:
- legal risk (potential sanction category),
- operational risk (service disruption/remediation effort),
- commercial risk (sales friction/reputational cost).
This framing helps leadership prioritize realistic mitigation budgets.
Final takeaway
Fine ceilings are headline numbers; enforcement risk is operational. SMEs that build transparent, documented, and monitored AI operations reduce both sanction risk and business disruption. Treat compliance as system reliability plus rights governance, not just legal documentation.