Article 98: Administrative Fines on Union Institutions, Bodies, Offices and Agencies

Article 98 closes a gap that would otherwise exempt EU institutions from the AI Act's fine regime. Just as Article 99 empowers national authorities to fine private actors and just as the GDPR's counterpart (Regulation 2018/1725) subjects EU institutions to data protection enforcement, Article 98 ensures that EU-level public bodies face financial consequences for AI Act non-compliance.

Two fine tiers:

| Infringement | Maximum fine | |---|---| | (a) Prohibited practices under Article 5 | EUR 1,500,000 | | (b) Non-compliance with any other AI Act provision | EUR 750,000 |

Key design choices: - The EDPS acts as the sole enforcement authority — not national market surveillance authorities. - Fine ceilings are substantially lower than those for private actors under Article 99 (EUR 35M / EUR 15M / EUR 7.5M), reflecting that EU institutions operate on public budgets. - The EDPS must consider mitigating and aggravating criteria analogous to Article 99(7): nature, gravity, and duration of the infringement; intentional or negligent character; actions taken to mitigate; cooperation with the investigation; and previous infringements.

• Article 5 — Prohibited practices: Tier (a) fines under Article 98 target violations of these prohibitions by EU bodies.
• Article 99 — Penalties on private actors: Article 98 is the parallel regime for Union bodies, using the same criteria structure but lower ceilings.
• Article 100 — GPAI model fines: a separate regime for general-purpose AI model providers; Article 98 covers EU institutions acting as deployers or providers of application-level AI.
• Regulation (EU) 2018/1725 (EUDPR) — The EDPS already oversees data protection compliance by EU institutions; Article 98 extends this oversight to AI Act compliance.
• Article 113 — Application dates: Article 98 applies from 2 August 2026, but Article 5 prohibitions have applied since 2 February 2025.

EU institutions deploying AI systems should treat Article 98 as a signal that the AI Act applies to them with real financial teeth:

1. Audit current AI use — Inventory all AI systems used by the institution, classify them under the AI Act's risk tiers, and check for any Article 5 prohibited practices. 2. Appoint an AI compliance function — Coordinate with the institution's Data Protection Officer (who liaises with the EDPS on EUDPR matters) to cover AI Act obligations. 3. Complete fundamental rights impact assessments — As deployers, EU institutions using Annex III high-risk systems must comply with Article 27 (FRIA) requirements. 4. Register in the EU database — Article 49 requires deployers of high-risk systems to register; EU institutions are not exempt. 5. Establish cooperation channels with the EDPS — Proactive engagement and self-reporting are mitigating factors under the criteria the EDPS must apply. 6. Budget for compliance — While EUR 1.5M may seem modest compared to private-sector fines, it is material for public bodies and signals institutional failure.

Article 98

Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Recitals 164–165 explain the rationale for subjecting EU institutions to the fine framework. They emphasise institutional accountability — EU bodies should not be exempt from the rules they impose on private actors. The recitals also note the coordination with the EUDPR (Regulation 2018/1725), under which the EDPS already supervises EU institutions' data processing activities. Article 98 extends this oversight model to AI Act compliance.

Use the official preamble on EUR-Lex to read the recitals in full.