EU AI Act Market Surveillance Finale: Art.99 Penalties, Enforcement Escalation & Developer Risk Mitigation
Post #1501 in the sota.io EU AI Act Compliance Series — EU-AI-ACT-MARKET-SURVEILLANCE-OPS-2026 #5/5
The first four posts in this series covered the operational mechanics of EU AI Act market surveillance: how NCAs conduct Art.74 inspections, how Art.72 post-market monitoring generates audit evidence, how Art.73 incident reports trigger NCA access, and how to respond when a corrective measure order lands. This finale closes the loop — what happens when corrective measures are not enough, and what Art.99 actually means for your organisation's risk exposure.
The short answer: up to €35 million or 7% of global annual turnover. The longer answer is more nuanced, and understanding the nuance is what separates developers who sail through NCA enforcement from those who don't.
The Art.99 Penalty Framework
Article 99 of the EU AI Act establishes three penalty tiers, each tied to a category of violation. Every EU member state must implement these through national administrative law, making NCA enforcement decisions subject to appeal at national level — but the ceilings are uniform across the EU.
Tier 1 — Prohibited Practices (Art.99(3))
Up to €35,000,000 or 7% of total worldwide annual turnover, whichever is higher.
This tier applies to violations of Article 5 — the prohibited AI practices. These include:
- Deploying subliminal manipulation techniques that alter behaviour without the subject's awareness
- Exploiting vulnerabilities based on age, disability, or socioeconomic circumstances
- Real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions)
- Social scoring by public authorities
- AI systems that infer sensitive characteristics (race, political views, religion) from biometric data in non-permissible contexts
The "whichever is higher" formulation matters for small companies. A startup with €500,000 in annual turnover faces a potential €35,000,000 penalty — the percentage ceiling does not protect you here.
Tier 2 — High-Risk AI Obligation Failures (Art.99(4))
Up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher.
This is the tier most SaaS developers deploying high-risk AI systems will encounter in enforcement proceedings. It covers violations of obligations across Articles 6 through 65, including:
- Art.9 (Risk Management System): inadequate or absent RMS documentation
- Art.10 (Data and Data Governance): training data quality failures
- Art.11 (Technical Documentation): incomplete or outdated documentation
- Art.13 (Transparency): insufficient information to deployers
- Art.14 (Human Oversight): inadequate oversight mechanisms
- Art.16 (Provider Obligations): general non-compliance with provider duties
- Art.17 (Quality Management System): absent or non-functional QMS
- Art.21 (Cooperation): failure to cooperate with competent authorities
- Art.26 (Deployer Obligations): violations of deployer-specific obligations
- Art.72 (Post-Market Monitoring): absent or inadequate monitoring plan
- Art.73 (Incident Reporting): failure to report serious incidents
Note that Art.21 (cooperation with authorities) falls under this tier. Refusing or impeding an NCA inspection is not categorised as a technical failure — it is a direct Tier 2 violation.
Tier 3 — Misleading Information (Art.99(5))
Up to €7,500,000 or 1.5% of total worldwide annual turnover, whichever is higher.
This tier covers providing incorrect, incomplete, or misleading information to notified bodies, national competent authorities, or the European AI Office. Common scenarios include:
- Inaccurate conformity assessment documentation
- Misrepresentation of training data sources
- Incorrect CE marking declarations
- Incomplete or falsified technical documentation submitted during an Art.74 inspection
A seemingly minor documentation error submitted to an NCA during a market surveillance inquiry can independently trigger a Tier 3 violation on top of any substantive non-compliance findings.
Proportionality Factors: How NCAs Calculate Actual Fines
Article 99 establishes ceilings, not mandatory fines. Member state implementing legislation specifies how NCAs exercise discretion within those ceilings. Across the implementing laws published to date, the following factors consistently appear.
Factors that increase fines:
| Factor | How it applies |
|---|---|
| Intentional or negligent conduct | Knowingly deploying a prohibited system vs. accidental non-compliance |
| Duration of infringement | Ongoing violations after NCA notification are treated more severely |
| Multiple violations | Simultaneous failures across Art.9, Art.11, Art.13, Art.17 stack |
| Obstruction of NCA access | Any delay or refusal of Art.74 cooperation |
| Prior infringement history | Previous market surveillance findings or penalties within 5 years |
| Impact on affected persons | Documented harm to high-risk application beneficiaries |
Factors that reduce fines:
| Factor | How it applies |
|---|---|
| Proactive disclosure | Voluntary notification before NCA detection |
| Immediate corrective action | Evidence of rapid remediation on NCA notification |
| Full cooperation | Providing documents on schedule, facilitating access, answering questions completely |
| SME or startup status | Article 62 explicitly requires NCAs to take financial capacity into account |
| First-time violation | No prior enforcement history |
| Effective compliance programme | Documented QMS, RMS, monitoring plan in operation before violation |
The mitigating factors are not rhetorical — they are codified in the implementing legislation and actively influence NCA penalty calculations. An organisation that self-reports, cooperates fully, and demonstrates rapid remediation can realistically expect a penalty that sits well below the tier ceiling.
How Market Surveillance Findings Escalate to Penalties
Understanding the enforcement escalation path prevents surprises. The standard flow under Art.74 and national implementing law follows a consistent pattern.
Stage 1: Documentary Review
The NCA begins with a desk audit — requesting technical documentation, conformity assessment records, QMS evidence, and post-market monitoring logs. Most market surveillance proceedings start and end at this stage. Organisations with complete documentation and an established QMS typically resolve Stage 1 with minor findings and no corrective measure orders.
Stage 2: On-Site Inspection
If documentary review reveals gaps, the NCA may conduct an on-site inspection under Art.74(4). This includes access to source code, training data sampling, model output testing, and interviews with technical staff. Organisations that have rehearsed NCA access procedures (covered in Post #1/5 of this series) significantly reduce inspection duration and scope.
Stage 3: Corrective Measure Order
Following inspection findings, the NCA may issue a corrective measure order under Art.74(8). The order specifies the violation, the required remediation, and the compliance deadline. Typical deadlines range from 30 to 90 days for technical documentation failures, shorter for active prohibited-practice violations.
Complying with a corrective measure order before the deadline is the most effective penalty mitigation available. NCAs treat completed remediation as a strong mitigating factor in any subsequent penalty calculation.
Stage 4: Administrative Penalty Decision
If the organisation fails to comply with a corrective measure order — or if the violation is severe enough to proceed directly to penalty — the NCA issues an administrative penalty decision. This document:
- States the specific articles violated
- Identifies the evidence basis
- Calculates the proposed penalty within the Art.99 tier
- Lists the mitigating and aggravating factors applied
- Specifies the appeal timeline (typically 30–60 days under national administrative law)
Stage 5: Appeal
Administrative penalty decisions can be appealed through national administrative courts. The EU AI Act does not pre-empt national procedural law, so appeal timelines, costs, and success rates vary by member state. Germany's BNetzA decisions, for example, are subject to Verwaltungsgericht (administrative court) review. France's CNIAI decisions go to the Conseil d'État.
Appellate courts generally defer to NCA technical findings while actively reviewing proportionality — meaning a well-documented mitigation case is more valuable on appeal than a challenge to the underlying compliance determination.
The Market Surveillance Risk Surface: What Gets You Penalised
Based on the NCA methodology documents published by Germany, France, the Netherlands, and Austria ahead of August 2, 2026, the most commonly cited non-compliance categories in field guidance are:
Documentation failures (most common path to Tier 2):
- Absent or incomplete Art.11 technical documentation at system deployment
- No Art.9 RMS documentation, or RMS documentation that covers design phase only and lacks post-deployment risk tracking
- Art.17 QMS in name only — checklist exists but QMS is not operationally integrated into development and deployment processes
- Art.72 post-market monitoring plan exists but monitoring is not actually happening (no monitoring logs, no incident thresholds defined)
Transparency failures:
- Art.13 instructions for deployers either missing or insufficient — particularly for deployers who are not technically sophisticated
- Art.50 transparency notices absent for systems involving AI-generated content or emotional inference
- Art.14 human oversight mechanisms documented but not technically enforced
Cooperation failures (high aggravating weight):
- Delay in responding to Art.74 document requests (NCAs are treating 30+ day response delays as active cooperation failures)
- Providing documents that are responsive only on the surface — lengthy documents with the substantively required information buried or missing
- Technical staff unavailable or unprepared during inspection visits
Infrastructure jurisdiction issues (emerging enforcement focus):
- Technical documentation and training data stored on non-EU infrastructure subject to CLOUD Act or equivalent third-country access laws
- NCAs in Germany and the Netherlands have flagged this as a factor in their pre-August 2026 guidance — not yet an independent violation category but actively noted in inspection findings
35-Item Developer Risk Mitigation Checklist
Use this checklist to assess your penalty exposure before August 2, 2026. Items marked [P0] are verified common NCA audit triggers based on published methodology documents.
Documentation Completeness
- [P0] Art.11 technical documentation covers all required elements and is updated when system changes materially alter risk profile
- Art.17 QMS is operational — not just documented. Evidence of actual QMS use: meeting notes, review logs, version history
- [P0] Art.9 RMS covers post-deployment phase, not only pre-deployment design review
- RMS includes specific performance thresholds that trigger re-assessment
- [P0] Art.72 post-market monitoring plan specifies data sources, monitoring frequency, and escalation thresholds
- Monitoring logs exist and show active post-deployment monitoring activity
Incident Reporting Readiness
- Art.73 serious incident definition is mapped to specific observable system outputs
- Internal incident classification procedure identifies who decides whether an incident is "serious"
- NCA reporting templates are prepared and populated with non-incident-specific information
- 15-day initial reporting timeline is operationally achievable — internal escalation path tested
Transparency Compliance
- [P0] Art.13 information to deployers is complete — covers purpose, limitations, human oversight requirements, maintenance obligations
- Art.50 AI-generated content notices are implemented where required
- Art.14 human oversight controls are technically enforced, not advisory only
NCA Cooperation Infrastructure
- [P0] Designated NCA liaison — single point of contact identified and capable of coordinating document response within 14 days
- Document retrieval capability: all Art.11 documentation and Art.17 QMS records can be extracted, indexed, and delivered in 7 business days
- Legal counsel briefed on Art.74 rights (right to be heard, confidentiality protections for trade secrets)
- NCA access rehearsal conducted — at least one internal mock inspection using NCA methodology documents
Infrastructure and Data Jurisdiction
- Technical documentation stored on EU-hosted infrastructure (reducing CLOUD Act exposure for sensitive system data)
- Training data storage location documented and EU Data Act compliance assessed
- Conformity assessment certificates and EU declaration of conformity accessible from EU-hosted location
SME-Specific Mitigants (Art.62)
- SME status documented and ready to present to NCA (employee count, annual turnover, parent company relationships)
- Participation in any EU AI Act regulatory sandbox or pilot documented — Art.57 participation is a mitigation factor
- National NCA SME guidance document reviewed and specific SME concessions understood
Active Penalty Mitigation Posture
- Internal compliance audit completed before August 2, 2026 — findings documented and remediation in progress
- [P0] If monitoring reveals a potential violation: internal escalation procedure for voluntary NCA notification exists
- Legal basis for each AI system deployment reviewed — Annex III classification confirmed or excluded
- GPAI system obligations assessed separately if applicable
- Corrective action log maintained — documents self-identified issues and remediation steps taken
- Cooperation track record clean — no prior NCA correspondence gaps or delayed responses
Cross-Border Risk
- If deploying in multiple EU member states: identified lead NCA (typically member state where provider is established)
- Cross-border data flows comply with Art.9 RMS requirements in each deployment jurisdiction
- Local deployer contracts include Art.26 obligation pass-through language
Series Summary: What This Means Operationally
Across five posts, this market surveillance series has mapped the full Art.72→Art.73→Art.74→Corrective Measure→Art.99 enforcement arc:
- Art.74 NCA Inspection Powers (Post #1): NCAs have documentary, on-site, and technical testing authority. Cooperation is mandatory.
- Art.72 Post-Market Monitoring (Post #2): The monitoring data you generate is the primary evidence base NCAs examine first.
- The Art.72→Art.73→Art.74 Pipeline (Post #3): Your monitoring logs → incident reports → NCA access. The pipeline must be technically implemented, not just documented.
- Corrective Measure Response (Post #4): When an NCA issues an order, how you respond determines whether Art.99 proceedings follow.
- Art.99 Penalties and Risk Mitigation (this post): Understanding the enforcement escalation path and penalty tiers before August 2 is the difference between remediation and a nine-figure penalty exposure.
The August 2, 2026 deadline is not the finish line — it is the starting gun for active NCA enforcement. Organisations with incomplete documentation, absent monitoring infrastructure, or untested NCA cooperation procedures will face a market surveillance environment where enforcement is systematic, not exceptional.
The developers who navigate this well are not necessarily those with the most sophisticated AI systems. They are the ones who treated compliance documentation as operational infrastructure rather than regulatory paperwork — and who chose hosting stacks that keep their evidence under EU jurisdiction.
Frequently Asked Questions
Does Art.99 apply to deployers or only providers?
Both, via different obligation sets. Art.99(4) covers violations of obligations under Art.6–65, which includes both provider obligations (Art.16–22) and deployer obligations (Art.26). A deployer that fails to maintain human oversight measures under Art.14, or fails to conduct a FRIA under Art.27 when required, faces Tier 2 exposure.
Can individual employees be personally liable?
The EU AI Act's penalty provisions target legal persons (companies). However, several member states' implementing legislation — including Germany's — establishes that senior executives who actively direct or approve prohibited practices may face personal administrative liability under national law. This is a national implementation question, not a uniform EU rule.
What if my system is under €1 million in annual revenue?
The Art.99 penalty ceilings are set at the higher of the absolute amount or the percentage of global annual turnover. For businesses with very small revenue, the absolute amounts (€7.5M, €15M, €35M) represent existential exposure. This is intentional — the EU AI Act treats prohibited practice violations as categorically unacceptable regardless of company size.
How does the EU AI Act enforcement interact with GDPR penalties?
The EU AI Act and GDPR can both apply to the same AI system. Regulators coordinate but enforce separately. An AI system that violates both GDPR (e.g., unlawful training data processing) and EU AI Act (e.g., inadequate Art.9 RMS) faces potential simultaneous enforcement by both the data protection authority and the AI Act NCA. The penalties are assessed independently — there is no joint cap.
Where can I find my national NCA's published enforcement methodology?
Germany: Bundesnetzagentur (BNetzA) — bnetza.de/ai-act-enforcement
France: Commission Nationale de l'Intelligence Artificielle (CNIAI) — cniai.gouv.fr
Netherlands: Rijksdienst voor Digitale Infrastructuur (RDI) — rdi.nl/ai-act
Austria: Datenschutzbehörde (DSB, for data-related systems) + Telekom-Control-Kommission
For other member states: check the EU AI Office's national authority registry at artificialintelligenceact.eu
This post is the fifth and final entry in the EU-AI-ACT-MARKET-SURVEILLANCE-OPS-2026 series. For related deep-dives: EU AI Act Art.74 NCA Inspection Powers, Art.72 Post-Market Monitoring Readiness, the Art.72→73→74 Incident Pipeline, and the NCA Corrective Measure Response Playbook. The August 2, 2026 deadline applies to all high-risk AI systems listed in Annex III. Developer infrastructure note: storing technical documentation and training data evidence on EU-hosted infrastructure (free from CLOUD Act and other third-country access laws) reduces your NCA cooperation exposure. sota.io manages that hosting layer.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.