Article 5 Prohibited Practices: The EU AI Act's Unacceptable-Risk Tier
Article 5 of the EU AI Act bans 8 AI practices since 2 Feb 2025. Fines reach €35M or 7% of turnover. Learn what's prohibited and where the traps lie.
Eight categories of AI practice are banned outright under Article 5 of Regulation (EU) 2024/1689. Not regulated. Not subject to a conformity assessment or a risk-management plan. Banned. The prohibition has applied across every EU Member State since 2 February 2025, and there is no compliance pathway — no safeguard, no operational restriction, no governance structure that converts a prohibited system into a lawful one.
Breaches sit at the top of the penalty hierarchy under Article 99(3): €35 million or 7% of total worldwide annual turnover, whichever is higher. For companies within the SME definition, Article 99(6) caps the fine at the lower of the two figures — but that ceiling still runs to tens of millions for any firm with meaningful revenue.
Understanding which systems fall inside Article 5 is the first gate in any EU AI Act compliance programme. Most companies will never build or deploy one of these systems. The realistic exposure lies in two places: emotion recognition tools aimed at employees, and dark-pattern design baked into persuasive digital products. Both are covered below.
What Article 5 Actually Prohibits
Article 5(1) lists eight sub-paragraphs, lettered (a) through (h). Each is a distinct prohibition; a system can fall into more than one.
(a) Subliminal, manipulative, or deceptive techniques
AI systems that deploy techniques operating below conscious perception, or that use psychological manipulation or deception to distort behaviour in ways that cause or are likely to cause significant harm. The harm threshold matters: an irritating dark-pattern alone may not trigger Article 5(1)(a), but combine it with AI-driven persuasion that erodes a user's autonomous decision-making and causes financial or psychological harm, and the line is crossed. Investment apps, gambling products, and subscription-trap interfaces are the realistic risk area here.
(b) Exploiting vulnerabilities of specific groups
AI systems that exploit vulnerabilities arising from age, disability, or socioeconomic circumstances to cause or likely cause significant harm. The key word is "exploit" — the system must target or take advantage of the vulnerability, not merely reach a vulnerable audience. A recruitment tool that surfaces deliberately obscured terms to applicants in economically precarious regions is the kind of use case this provision addresses.
(c) Social scoring by public authorities
AI systems used by or on behalf of public authorities to evaluate or classify natural persons based on their social behaviour or personal characteristics, where that scoring results in detrimental treatment in social contexts unrelated to the context in which the data was generated. This is the "Chinese social credit" provision. It applies to public bodies; private loyalty scoring or creditworthiness assessment is not covered here (creditworthiness systems land in Annex III as high-risk, not prohibited).
(d) Predicting criminal offending from profiling or personality traits
AI systems used for risk assessments of natural persons to predict the risk of them committing a criminal offence, where those assessments are based solely on profiling or on assessing personality traits. This does not prohibit all recidivism risk tools — it prohibits tools that draw conclusions from traits and profiles alone, without evidence of actual conduct. The line between high-risk law-enforcement AI (Annex III, point 6) and this prohibition depends on whether the prediction is trait-based or evidence-based.
(e) Untargeted facial-image scraping for facial-recognition databases
AI systems that create or expand facial-recognition databases by scraping facial images from the internet or CCTV footage without targeted justification. The word "untargeted" carries the prohibition: building a facial-recognition training set by bulk-harvesting images of the public is banned. Targeted, lawful collection for specific investigative purposes under national law is a different matter.
(f) Emotion recognition in the workplace and educational institutions
AI systems that infer or detect the emotional state of natural persons in the context of the workplace or educational institutions. The exceptions are narrow: emotion recognition is permitted where it is necessary for medical reasons, or for safety reasons where the context genuinely demands it (for example, monitoring pilot alertness). Outside those carved-out cases, the prohibition applies regardless of what the inferred emotional data is subsequently used for.
This is the prohibition most likely to catch mid-market companies off guard. HR-technology vendors that offer "engagement monitoring," proctoring tools that analyse student facial expressions during exams, or call-centre quality tools that score agent emotional tone — these all fall squarely in Article 5(1)(f). The fact that the vendor markets the product as a wellness or performance feature does not change the legal character of the underlying inference.
(g) Biometric categorisation to infer sensitive attributes
AI systems that categorise natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. This applies to the inference itself, not just to discriminatory downstream use. A retail analytics system that analyses facial features to estimate religious affiliation for marketing segmentation violates Article 5(1)(g) whether or not it acts on the inference.
(h) Real-time remote biometric identification in publicly accessible spaces for law enforcement
AI systems used by law enforcement authorities in real time in publicly accessible spaces to identify natural persons using remote biometric identification. Three narrow exceptions apply, each requiring prior judicial or administrative authorisation:
- Targeted searches for specific missing persons, victims of trafficking, or victims of sexual exploitation.
- Prevention of a specific, substantial, and imminent threat to life or of a foreseeable terrorist attack.
- Detection, localisation, identification, or prosecution of suspects in serious criminal offences (as defined by national law, referencing the European Arrest Warrant framework).
These exceptions do not authorise continuous surveillance or exploratory mass identification. Each deployment must be authorised, time-limited, and proportionate. This prohibition binds law-enforcement authorities, not private actors — private real-time biometric identification in public spaces is addressed (but not prohibited outright) under the high-risk biometrics category in Annex III, point 1.
The Structural Difference Between Article 5 and Article 6
The EU AI Act uses a four-tier architecture. Article 5 is the absolute floor. Article 6, read with Annex III, is the regulated tier above it: high-risk systems can be placed on the market if the provider completes a conformity assessment under Article 43, builds a risk-management system under Article 9, maintains technical documentation under Article 11, ensures human oversight under Article 14, and satisfies the remaining obligations in Articles 8–15.
None of that applies to Article 5. There is no conformity assessment that authorises a prohibited system. A company that wants to offer emotion-recognition functionality in a workplace product cannot comply its way to lawfulness — it must remove the feature or restrict it to the medical/safety exceptions.
Limited-risk systems (chatbots, deepfakes, AI-generated content) sit under Article 50 and carry transparency obligations only. Minimal-risk systems have no mandatory obligations under the Act.
The Penalties in Full
| Tier | Breach | Maximum fine (Art 99) |
|---|---|---|
| 1 | Article 5 prohibitions | €35,000,000 or 7% of worldwide annual turnover |
| 2 | Most other obligations (high-risk requirements, deployer/provider duties, Art 50) | €15,000,000 or 3% of worldwide annual turnover |
| 3 | Supplying incorrect or misleading information to authorities or notified bodies | €7,500,000 or 1% of worldwide annual turnover |
Each tier applies "whichever is higher." For companies within the EU's SME definition, Article 99(6) caps the fine at the lower of the fixed amount or the percentage — a genuine proportionality protection, though the absolute ceiling remains substantial.
Penalties under Article 99 have applied since 2 August 2025. The high-risk compliance deadlines — 2 December 2027 for stand-alone Annex III systems, 2 August 2028 for AI embedded in regulated products under Annex I (per the Digital Omnibus agreement of May 2026) — are irrelevant to Article 5. The Article 5 prohibitions are already in force.
How Confir Helps
Confir's Article 5 checklist is the first gate in the classification workflow. Before a system reaches the high-risk assessment track, the rule-based engine works through each of the eight prohibitions. It asks plain-English questions about the system's intended function, data inputs, deployment context, and affected population. If any of the eight prohibited patterns are present, the system is flagged unacceptable risk — the finding is deterministic and reproducible, not a probabilistic recommendation.
For most companies the Article 5 gate takes minutes. The realistic traps — emotion inference in HR products, manipulative design in consumer-facing apps — are the questions worth spending time on.
Realistic Risk Map for Deployers
Most companies building or deploying AI will never encounter Article 5 in practice. The prohibitions target practices that are either fringe (untargeted facial scraping, social scoring by governments) or the province of law enforcement (real-time public biometric ID). Two areas warrant genuine scrutiny for commercial operators:
Emotion recognition (Article 5(1)(f)): Any tool that analyses facial expressions, voice tone, physiological signals, or behavioural patterns to infer emotional state — and deploys that in a workplace or educational setting — is prohibited. This includes proctoring software, engagement monitoring tools, call-centre quality platforms, and interview-analysis products. The prohibition is function-based, not label-based. "Cognitive engagement scoring" that infers emotional state is prohibited even if the vendor avoids the word "emotion."
Dark patterns with AI-driven persuasion (Article 5(1)(a)): Consumer-facing products that combine AI-generated content with interface design intended to override user decision-making are in scope if the combination causes or is likely to cause significant harm. The harm threshold provides some headroom, but companies in financial services, online gaming, and social media should audit their persuasive design features carefully.
Social scoring under Article 5(1)(c) binds public bodies, not private firms. Private creditworthiness and insurance-risk AI falls under high-risk Annex III, points 5(b) and 5(c), not Article 5.
Related guides
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →