AI Act penalties: what a small business really risks

"Up to €15 million or 3% of worldwide turnover." The figure is everywhere, usually without the context that makes it meaningful. Here is what Article 99 says, what it provides for small businesses, and what an online shop with a non-transparent chatbot actually risks.

Content reviewed on 13 July 2026

The three tiers of Article 99

BreachCeilingNotes
Prohibited AI practices (Art. 5)€35 million or 7% of annual worldwide turnover, whichever is higherThe gravest tier: manipulation, social scoring, emotion recognition at work.
Breach of other obligations, including Art. 50 transparency€15 million or 3% of annual worldwide turnover, whichever is higherThis is the tier that covers a non-transparent chatbot.
Incorrect or misleading information to authorities€7.5 million or 1% of annual worldwide turnover, whichever is higherLying to the regulator is a separate breach.

The lower cap for SMEs and start-ups

This is the part almost nobody quotes, and it changes the picture entirely. For SMEs, including start-ups, Article 99 provides that the applicable cap is the lower of the percentage of turnover and the fixed amount — the exact opposite of the rule for large companies, where the higher of the two applies.

Concretely: for a company with €2 million of turnover the theoretical ceiling is not €15 million. It is 3% of €2 million. Still a serious penalty, but an order of magnitude away from what you read around.

Anyone showing you €15 million as your exposure has either not read Article 99 to the end, or is counting on the fact that you have not.

Penalties are proportionate, and the law says how

Article 99 lists the factors taken into account when setting the amount: the nature, gravity and duration of the breach, the number of people affected, whether it was intentional or negligent, the measures taken to mitigate harm, the size and market share of the operator, and whether the breach was self-reported.

Two of those factors are directly in your hands: having taken measures, and having documented them. That is why a register of AI systems and a training programme, even imperfect ones, are worth more than their contents: they evidence diligence.

Who supervises, in Italy

Law 132/2025 designates two national AI authorities: the Agency for Digital Italy (AgID), with notification functions, and the National Cybersecurity Agency (ACN), with supervision and enforcement functions. Sector authorities keep their powers.

The one you are most likely to meet is the data protection authority, which is already competent whenever an AI system processes personal data — and a chatbot talking to customers processes personal data by definition. That is the channel through which challenges actually arrive: not from the AI Act in the abstract, but from a complaint about how someone's data was handled.

So what does an e-commerce really risk?

Honestly: it is unlikely that an authority opens proceedings against an online shop because its chatbot does not declare itself an AI. That is not where enforcement resources are going.

But the penalty is not the only risk. The failure is visible to anyone who opens your site — a competitor, an unhappy customer, a journalist. It becomes an aggravating factor the day a complaint arrives for some entirely different reason. And it is one of the few things that can be fixed in hours. A small, cheaply-eliminated risk is simply a risk not worth running.

Frequently asked questions

From when can Article 50 be enforced?

From 2 August 2026. Before that date the transparency obligation is not yet applicable and cannot be penalised.

Do penalties apply to micro-enterprises too?

Yes, but with the lower cap: for SMEs, including start-ups, the applicable ceiling is the lower of the percentage of turnover and the fixed amount. Article 99's proportionality factors also take the operator's size into account.

If I fix things after being challenged, does it help?

Measures taken to mitigate harm are an express factor in setting the penalty. Fixing it afterwards beats not fixing it. Fixing it beforehand costs less and requires explaining nothing to anyone.

Find out if you are exposed, before someone else does

The free check tells you which obligations you are missing and which articles impose them. No email, no sign-up.

Check your chatbot

Sources

This page is informational and does not constitute legal advice. The authoritative texts are Regulation (EU) 2024/1689 and Italian Law no. 132 of 23 September 2025. We are engineers: we know how transparency is implemented in an AI system — we do not replace your lawyer. For hard cases, consult a qualified professional.