⚠ Update, 17 July 2026: the Digital Omnibus on AI got final Council approval on 29 June 2026 (after Parliament's 16 June vote: 423 for, 57 against, 174 abstentions), but as of today it still has not been published in the EU Official Journal (OJEU). Until published, it changes nothing. In Spain, the Organic Law bill on the proper use and governance of AI (121/000096) closed its amendment period on 30 June 2026 and remains in committee: it is not law yet. This article separates what is enforceable today from what depends on unfinished procedures.

"Fines of up to €35 million" is the headline the EU AI Regulation has generated most, and also the worst explained. The AI Act's penalty regime is not a single switch that flips on 2 August 2026: it has pieces active since 2025, pieces with a date that can still move, and a national piece — who enforces in Spain, and how — that today is still a bill, not a law.

This article breaks down the three fine tiers of Article 99, the SME rule under Article 99.6, what AESIA can enforce right now, and the real, source-verified status — not the "expected" date — of both the Digital Omnibus and Spain's organic law. If you want to know which compliance rules apply to you overall (AI Act, GDPR, NIS2, ENS), the "Which regulation applies to me?" wizard answers it in two minutes.

In brief: the AI Act (Regulation (EU) 2024/1689, Art. 99) sets three fine tiers: up to €35M or 7% of global turnover for prohibited practices, up to €15M or 3% for breaching operator obligations (including Article 50 transparency), and up to €7.5M or 1% for giving false information to the authority. For SMEs, Article 99.6 applies the lower of the two figures, not the higher — the opposite of the GDPR. The penalties chapter is applicable from 2 August 2025, except Article 101 (Commission fines on GPAI providers), which waits until 2 August 2026. In Spain, AESIA has existed since 2023 and runs the regulatory sandbox, but its sanctioning power under the AI Act still lacks full domestic legal grounding: the Organic Law that grants it remains in parliamentary process, with no approval date. The Digital Omnibus, approved by the Council on 29 June 2026, remains pending publication in the OJEU.

How much can AI Act fines actually cost?

Article 99 of Regulation (EU) 2024/1689 sets three tiers. The applicable amount is always the higher figure between the fixed euro amount and the percentage of global turnover from the previous financial year — unless the company is an SME, which reverses the rule (next section).

Tier (Art. 99)Maximum amountWhat it penalises
Art. 99.3€35,000,000 or 7% of global annual turnover, whichever is higherUse of prohibited AI systems (Art. 5): social scoring, subliminal manipulation, real-time biometric identification in public spaces, etc.
Art. 99.4€15,000,000 or 3% of global annual turnover, whichever is higherBreaching provider, deployer, importer, distributor or notified body obligations — including Article 50 transparency (chatbots, deepfakes) and high-risk requirements.
Art. 99.5€7,500,000 or 1% of global annual turnover, whichever is higherSupplying incorrect, incomplete or misleading information to a notified body or the national competent authority.

These are not indicative figures. Article 99.3's literal text sets the fine at "up to EUR 35 000 000 or, if the offender is an undertaking, up to 7% of its total worldwide annual turnover for the preceding financial year, whichever is higher" [1]. The same "whichever is higher" pattern repeats at the €15M/3% and €7.5M/1% tiers. Anyone breaching the Article 4 AI literacy duty, or failing to disclose AI-generated content, typically falls under the 99.4 tier.

Not sure which risk category your AI system falls into — and so which fine tier could reach you? The AI Act risk classifier answers it free in under two minutes, no signup.

When can the AI Act actually start fining companies?

This is the question almost nobody answers precisely, and it explains why "everything starts on 2 August 2026" is a misleading simplification. Article 113 sets the general application date at 2 August 2026, but point (b) brings forward Chapter XII — penalties, Articles 99 to 101 — to 2 August 2025, together with Chapter V (GPAI) and Chapter VII (governance), with an exception inside the exception: Article 101 — fines the Commission imposes directly on GPAI providers — is carved out and waits for the general 2026 date [2].

In practice, the Article 99 framework has been formally applicable since August 2025, a year earlier than usually repeated. What decides whether a specific fine is enforceable is not that date itself, but whether the underlying obligation breached was already in force when the infringement occurred: Article 5 (prohibited practices), since February 2025; Chapter V (GPAI), since August 2025; but Article 50 (transparency) and Annex III are not required until August 2026, so there is no enforceable breach of those specific obligations before then.

There is also a procedural requirement many analyses overlook: each Member State had to have its national penalty regime operational and notified to the Commission by that same August 2025 date (Art. 99.1). Several states — Spain among them, according to available legal analysis — did not meet it with the domestic legal basis fully in place [3]. That is the gap covered next.

Do SMEs get a reduction? The lower-amount rule (Art. 99.6)

The AI Act includes an explicit safeguard for SMEs and startups with no literal GDPR equivalent, and it works opposite to what intuition suggests. Article 99.6 states: for SMEs, including startups, "each fine referred to in this Article shall be up to the percentages or amount referred to in paragraphs 3, 4 and 5, whichever thereof is lower" [4]. While a large company faces the higher figure between the fixed amount and the turnover percentage, an SME faces the lower one. A micro-enterprise with €500,000 in annual turnover, in the prohibited-practices tier, does not face "€35 million or 7%, whichever is higher" — that would be absurd — but 7% of its own turnover.

It is worth comparing this with the GDPR, because the two are structurally different. Article 83 GDPR sets two tiers — up to €10M or 2% (first group of infringements) and up to €20M or 4% (second, more serious) — and in both cases the higher figure applies [5]. The GDPR has no clause equivalent to Art. 99.6: company size is, at most, a mitigating factor within the same ceiling, not a different ceiling. To see this in euros and compare your exposure under both regimes, the GDPR fine calculator is the most direct starting point.

What is AESIA, and what can it actually do in July 2026?

The Spanish AI Supervision Agency (AESIA) is the EU's first state agency dedicated exclusively to AI oversight. It was created by Royal Decree 729/2023 of 22 August (BOE-A-2023-18911), based in A Coruña [6]. It runs the EU's first regulatory AI sandbox — supervised testing without sanctioning exposure during the trial period — and has published compliance guidance from that pilot sandbox, today the most complete interpretive source on the AI Act in Spanish.

There is, however, a real difference between "AESIA exists and operates" and "AESIA holds today the full sanctioning power the AI Act envisages for the national competent authority." The Regulation requires each Member State to formally designate a market surveillance authority and equip it with a penalty regime precise enough to satisfy the lex certa principle of administrative sanctioning law: an agency existing is not enough — a domestic norm must define infringements and penalties with sufficient detail. That norm is the Organic Law still pending in Congress; until it passes, available legal analysis flags an incomplete coverage gap [3]. The AEPD, for its part, has already stated it can act today against prohibited AI systems that process personal data, relying on the GDPR regardless of the AI Act's calendar [7] — a real exposure route while the AI Act-specific one is resolved.

What stage is Spain's AI governance law at?

The Council of Ministers approved the Organic Law bill on the proper use and governance of AI on 26 May 2026 and sent it to Parliament. It was formally admitted on 8 June, published in the official parliamentary bulletin (BOCG-15-A-97-1) on 12 June, and the amendment period in the Economy, Trade and Digital Transformation Committee closed on 30 June 2026 [8]. As of this article, it remains in committee, with no scheduled report or plenary date. The Senate stage and the final return vote in Congress are still ahead: it is a bill, with no legal force yet.

The bill, as tabled, adapts the AI Act to Spanish law: it designates AESIA as the lead authority (with the AEPD and the CGPJ in their sectoral domains), gives legal grounding to the mandatory sandbox, requires the public sector to inventory its AI use, and sets a national penalty regime in three categories: minor, up to €500,000 or 0.5% of turnover; serious, up to €15M or 3%; and very serious, up to €35M or 7%, aligned with the EU Article 99 ceilings [9]. These are the tabled bill's figures, subject to amendment: they are not applicable law until the text clears the plenary, the Senate and the Official Gazette (BOE).

What can really happen from 2 August 2026 — and what can't?

With both pieces clear, the August 2026 calendar reads without alarmism and without understating it. What does activate on 2 August 2026: Article 50 transparency becomes enforceable, and its breach enters the €15M/3% tier; Article 101 comes into application, so the Commission can start fining systemic-risk GPAI providers directly; and, unless the Digital Omnibus is published first, Annex III (CV screening, credit scoring, biometrics) becomes fully subject to the high-risk regime.

What does not change: prohibited systems under Article 5 have been sanctionable since February 2025; and GPAI obligations under Chapter V — except the already-noted Art. 101 — have been applicable since August 2025. The Digital Omnibus, finally approved by the Council on 29 June 2026 after Parliament's 16 June green light (423 for, 57 against, 174 abstentions), would push Annex III to December 2027 and Annex I to August 2028, in force three days after publication [10]. But that publication has not happened. Until it does, the date that binds remains August 2026: planning against an unpublished postponement is exactly the kind of shortcut that costs dearly in an inspection.

For the full date-by-date breakdown, the AI Act calendar and Digital Omnibus guide covers it with sources. If your system might fall under Annex III, confirm it with the AI Act risk classification guide; if you need to know your role — provider, deployer, importer — before calculating your exposure, it's covered in AI Act obligations by role. And if you run a chatbot or generate AI content, check Article 50 transparency before 2 August; if you use ChatGPT, Gemini or Claude and aren't sure whether that makes you a downstream operator, the GPAI and general-purpose models guide clears it up.

Reducing your exposure starts with knowing exactly which category each AI system you use falls into: the AI Act risk classifier answers it free in two minutes. If you also handle cybersecurity or continuity obligations, the compliance hub for SMEs maps AI Act, GDPR, NIS2 and ENS in one place.

If you'd rather review your actual exposure together — which systems you use, which tier they'd fall into, and how much room Article 99.6 gives you as an SME — book a diagnostic session and we'll look at your specific data, not generic assumptions. You can also learn about the AI Act compliance consultancy service for ongoing support.

Frequently asked questions about AI Act penalties and AESIA

How much can AI Act fines actually cost?

Article 99 sets three ceilings: up to €35 million or 7% of global turnover for prohibited practices, up to €15 million or 3% for breaching operator obligations (including Article 50 transparency), and up to €7.5 million or 1% for giving false information to the authority. In all three cases the higher of the two figures applies, unless the company is an SME.

Do SMEs get a reduction on AI Act fines?

Yes. Article 99.6 reverses the general rule for SMEs and startups: instead of the higher figure between the fixed amount and the turnover percentage, the lower one applies. This is an explicit safeguard the GDPR does not have in equivalent form — the GDPR always applies the higher figure, regardless of company size.

What is AESIA and what does it actually do?

The Spanish AI Supervision Agency (AESIA) is the body designated to oversee AI Act compliance in Spain, based in A Coruña, created by Royal Decree 729/2023. It runs the regulatory sandbox and publishes compliance guidance. Its full sanctioning power under the AI Act depends on the Organic Law still going through Congress, not yet passed.

What stage is Spain's AI governance law at?

The Organic Law bill for the proper use and governance of AI (121/000096) was approved by the Council of Ministers on 26 May 2026 and sent to Congress. The amendment period in the Economy, Trade and Digital Transformation Committee closed on 30 June 2026; the text remains in committee, with no plenary date. It is not yet law.

Does the Digital Omnibus change the penalty regime's dates?

The Digital Omnibus on AI postpones high-risk obligations (Annex III to December 2027, Annex I to August 2028), but does not touch the Article 99 fine tiers or Article 50 transparency. The Council gave final approval on 29 June 2026, but publication in the EU Official Journal is still pending: until then, it is not in force and the original dates apply.

Sources:

  1. Regulation (EU) 2024/1689, Article 99(3)–(5) (fine tiers) — EUR-Lex, consolidated text.
  2. Regulation (EU) 2024/1689, Article 113 (entry into force and application, point (b): Chapter XII applicable from 2 August 2025, excluding Article 101) — EUR-Lex.
  3. Legal analysis of the gap between EU applicability and Spain's domestic legal grounding — LAW21, "Gobernanza de la IA en España".
  4. Regulation (EU) 2024/1689, Article 99.6 (SME lower-amount rule) — EUR-Lex.
  5. Regulation (EU) 2016/679 (GDPR), Article 83(4)–(6) (€10M/2% and €20M/4% tiers) — EUR-Lex.
  6. Royal Decree 729/2023 of 22 August, approving AESIA's Statute — BOE-A-2023-18911.
  7. AEPD press release on its power to act against prohibited AI systems processing personal data — AEPD.
  8. Organic Law bill 121/000096, on the proper use and governance of AI (BOCG-15-A-97-1) — Congreso de los Diputados.
  9. Analysis of the Spanish bill's penalty tiers (minor/serious/very serious) — Cuatrecasas.
  10. Council of the EU press release on the final approval of the Digital Omnibus on AI (29 June 2026) — Consilium.