Biometric AI Under the EU AI Act: Prohibited Uses, High-Risk Systems, and the Compliance Stack
EU AI Act biometric AI: Article 5 prohibitions, Annex III point 1 high-risk obligations, notified-body assessment under Art 43. Deadline 2 December 2027.
Article 5 of Regulation (EU) 2024/1689 bans the most harmful biometric practices outright. What survives the Article 5 filter lands in Annex III point 1 as high-risk AI: still lawful, but subject to the full obligation stack before deployment. Understanding which side of that boundary your system sits on is the first and most consequential step. The penalty difference is stark: Article 5 breaches attract fines of up to €35 million or 7% of worldwide annual turnover, whichever is higher; high-risk non-compliance sits at up to €15 million or 3%, again whichever is higher.
The deadline for stand-alone Annex III systems is 2 December 2027 (deferred from August 2026 under the Digital Omnibus agreed May 2026). The Article 5 prohibitions are in force now — they have applied since 2 February 2025.
What Article 5 Prohibits: Banned, Not High-Risk
Four biometric practices are prohibited outright. They do not appear in Annex III because they are not high-risk — they are banned.
Article 5(1)(h) — real-time remote biometric identification in publicly accessible spaces by law enforcement. Deploying live face-matching against a public-space camera feed is prohibited for law enforcement. Three narrow exceptions exist: a targeted search for specific victims of abduction, trafficking or sexual exploitation, or for missing persons; preventing a specific, substantial and imminent threat to life or physical safety, or a genuine and present or foreseeable terrorist threat; and locating or identifying a person suspected of committing a serious crime listed in Annex II. Each use under an exception requires prior authorisation by a judicial authority or an independent administrative authority. In a duly justified urgent situation the deployment may start first, but authorisation must be requested within 24 hours and, if refused, use must stop and the outputs be deleted (Article 5(3)). Post-event processing of previously recorded footage, such as matching archived CCTV against a database, is not covered by this prohibition. That falls in Annex III point 1(a).
Article 5(1)(g) — biometric categorisation inferring sensitive attributes. Any AI system that categorises individual natural persons on the basis of their biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation is prohibited. Health status is not on this list: a system that infers health from biometric data is not caught by Article 5(1)(g), but it still processes special-category data under GDPR Article 9 and, as categorisation by a sensitive attribute, sits in Annex III point 1(b). The ban applies to private-sector systems as much as to public authorities. The only carve-outs are the labelling or filtering of lawfully acquired biometric datasets and the categorisation of biometric data in the area of law enforcement. A recruitment tool that reads facial geometry to infer political affiliation is unlawful today.
Article 5(1)(f) — emotion recognition in workplaces and educational institutions. Deploying emotion recognition on employees or students is prohibited, except where the purpose is medical or safety-related. A driver-fatigue system in a vehicle cabin survives; an office productivity monitor does not.
Article 5(1)(e) — untargeted facial-image scraping. Building or expanding biometric databases by harvesting facial images from the internet or from CCTV footage without targeted collection criteria is prohibited.
These bans applied from 2 February 2025. No compliance programme, documentation package, or notified-body assessment makes a prohibited system lawful.
What Annex III Point 1 Covers: High-Risk, Not Prohibited
After Article 5 removes the worst practices, the residual biometric tier is Annex III point 1. It has three sub-categories:
Point 1(a) — remote biometric identification systems. Post-event identification — searching recorded footage or stored images against a database to determine who someone is — is high-risk, not prohibited. A financial institution matching a claimant photograph against its customer database, a law enforcement agency analysing robbery footage after the fact, a border agency verifying a traveller's identity against a passport register: these are Annex III point 1(a) systems.
What is not high-risk at all: one-to-one biometric verification that merely confirms "this is who they claim to be" against a single enrolled template — phone face-unlock, fingerprint door access. That is verification, not identification. It is outside Annex III point 1(a).
Point 1(b) — biometric categorisation according to sensitive or protected attributes. Annex III point 1(b) covers categorisation according to sensitive or protected attributes or characteristics, or based on inferring them, that does not cross into the Article 5(1)(g) list. Age and sex are protected characteristics under EU equal-treatment law, so age-band grouping for age-gating and audience analytics by broad demographic category are high-risk Annex III systems. Categorisation by a trait that is neither sensitive nor protected is not listed in Annex III at all, although the Article 50(3) duty to inform the people exposed to a biometric categorisation system still applies. Operators must stay well clear of the Article 5(1)(g) list.
Point 1(c) — emotion recognition for permitted purposes. Emotion recognition outside workplaces and educational institutions — clinical monitoring, in-vehicle safety alerts, security screening in specific regulated contexts — is high-risk under Annex III point 1(c).
The Article 6(3) filter. An Annex III system escapes high-risk status only if it does not pose a significant risk of harm because it performs a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing or influencing human assessment, or performs a preparatory task. The filter never applies to a system that profiles natural persons (Article 6(3), last subparagraph). In practice it rarely helps with biometrics: categorisation and emotion recognition evaluate personal aspects of an individual, and an identification system that decides who someone is does nothing narrow or preparatory. A provider that does claim the exemption must document its assessment before placing the system on the market (Article 6(4)) and still register the system in the EU database (Article 49(2)).
Providers: The Full Obligation Stack
Providers develop, train, and place biometric AI systems on the market or put them into service under their own name (Article 16). They carry the heaviest burden.
Article 9 — risk management system. A continuous, lifecycle-spanning process that identifies and evaluates known and reasonably foreseeable risks to health, safety, and fundamental rights under both intended use and foreseeable misuse. For biometric identification: false match rates across demographic groups, spoofing vulnerabilities, function creep, data breach scenarios. The risk management system runs from design through decommissioning.
Article 10 — data and data governance. Training, validation, and test datasets must be relevant, representative of the deployment population, and assessed for biases that could affect health, safety, or fundamental rights. For a facial recognition system trained predominantly on European faces, Article 10 demands a direct question: how does it perform across other demographic groups? Performance variance must be measured, documented, and addressed. Note: Article 10 covers data governance, not staff training. Staff competence sits in Article 4 (AI literacy), which has applied since 2 February 2025.
Article 11 / Annex IV — technical documentation. Complete documentation must exist before market placement: system architecture, training data composition and sources, performance metrics by demographic group, testing protocols (including edge cases and adversarial scenarios), human oversight procedures, and the risk register. The documentation must be kept current throughout the system's operational life and accessible to national competent authorities on request.
Article 12 — record-keeping and logging. Providers must design the system to record events automatically over its lifetime, at a level that allows risks to be identified, post-market monitoring to work, and deployers to monitor operation under Article 26(5). For Annex III point 1(a) remote biometric identification systems, Article 12(3) fixes the minimum content of the log: the period of each use (start and end date and time), the reference database against which the input data was checked, the input data for which the search produced a match, and the identity of the natural persons involved in verifying the results. Deployers retain the logs for at least six months under Article 26(6).
Article 13 — transparency to deployers. Providers must give deployers clear information about capabilities, limitations, performance metrics disaggregated by relevant subgroups, and residual risks — enough for the deployer to implement meaningful oversight.
Article 14 — human oversight by design. High-risk biometric systems must be designed so that operators can understand outputs, detect failures, and override the system. This is a design obligation: the system must make human oversight possible, not merely technically permitted.
Article 15 — accuracy, robustness, cybersecurity. Systems must achieve appropriate accuracy for their intended purpose and resist adversarial manipulation. "Robustness" is the statutory term from Article 15. For biometric systems this means liveness detection, resilience to demographic performance drift, and resistance to spoofing attacks.
Article 43 — conformity assessment. Before market placement, providers must conduct a conformity assessment. For most Annex III categories, the Annex VI internal-control route (provider self-assessment with documented evidence) is the only route. Biometrics under Annex III point 1 is the exception. Article 43(1) lets a provider choose Annex VI only if it has applied harmonised standards or common specifications covering all applicable requirements; otherwise the Annex VII third-party procedure with a notified body is mandatory. As of mid-2026, no harmonised standard or common specification fully covers biometric AI systems, which means a notified body is generally required. This distinguishes biometric AI from the rest of Annex III: a designated third-party assessor examines your technical documentation and quality management system and issues an EU technical documentation assessment certificate before you can place the system on the market.
Article 47 / Article 48 — Declaration of Conformity and CE marking. After successful conformity assessment, the provider issues the EU Declaration of Conformity and affixes the CE mark.
Article 49 — registration. High-risk biometric AI systems must be registered in the EU AI database before market placement. This is Article 49 — not Article 51, which covers GPAI systemic-risk classification.
Article 72 — post-market monitoring. Providers must establish a proactive post-market monitoring system that collects performance data from deployed systems, flags performance degradation, identifies emerging risks, and feeds corrections back into the risk management system and technical documentation.
Article 73 — serious incident reporting. Providers must report serious incidents — system failures with significant consequences, systematic discrimination findings, security breaches involving biometric data — to national competent authorities.
Deployers: Obligations That Do Not Transfer
Most organisations using a third-party biometric AI tool are deployers under Article 26. Provider compliance does not discharge deployer obligations.
Use within intended purpose (Article 26). Deployers must use the system for its documented intended purpose and follow the provider's instructions. Using a system outside its intended purpose — a face-verification access tool repurposed for suspect identification — can shift the deployer to provider status under Article 25.
Human oversight in operation (Articles 14 / 26(2)). Deployers must ensure that the oversight capability the provider built into the system is actually exercised. Qualified, trained staff must review identification decisions with genuine authority to override. Logs showing 99.7% approval without variation signal rubber-stamping, not oversight. Operators must understand the system's failure modes and exercise independent judgment for consequential decisions.
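A deployer can test its own decision logs for the rubber-stamping pattern just described. The following is an added example, not code from the page or from any product it mentions: it parses constructed oversight log lines (the line format, operator names, case numbers and the single malformed entry are all assumptions), computes each operator's agreement rate with the system, override count and median review time, and flags operators who accept nearly every recommendation within seconds. The thresholds (20 decisions, 98% agreement, 10-second median) are illustrative starting points, not statutory values.

```python
"""Rubber-stamp detector for human-oversight logs (Articles 14 and 26(2)).

Added example, not code from the original page. The log line format, operator
names and thresholds are assumptions; every line in constructed_log() is made up.
"""
import re
from statistics import median

# Assumed line format, one decision per line (constructed for this example):
# <ISO timestamp> op=<operator> case=<id> system=MATCH|NO_MATCH decision=ACCEPT|REJECT review_s=<seconds>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) op=(?P<op>\w+) case=(?P<case>\d+) "
    r"system=(?P<system>MATCH|NO_MATCH) decision=(?P<decision>ACCEPT|REJECT) "
    r"review_s=(?P<secs>\d+)$"
)


def parse_log(lines):
    """Return (records, skipped). Malformed lines are counted, not silently dropped,
    because a gap in the Article 12 log is itself something to report."""
    records, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["secs"] = int(rec["secs"])
        # The operator agrees with the system when a MATCH is accepted or a NO_MATCH rejected.
        rec["agrees"] = (rec["system"] == "MATCH") == (rec["decision"] == "ACCEPT")
        records.append(rec)
    return records, skipped


def operator_stats(records):
    """Per-operator volume, agreement rate, override count and median review time."""
    by_op = {}
    for r in records:
        by_op.setdefault(r["op"], []).append(r)
    return {
        op: {
            "n": len(rs),
            "agreement": sum(r["agrees"] for r in rs) / len(rs),
            "overrides": sum(not r["agrees"] for r in rs),
            "median_review_s": median(r["secs"] for r in rs),
        }
        for op, rs in by_op.items()
    }


def oversight_findings(records, min_n=20, max_agreement=0.98, min_median_s=10):
    """Classify each operator: 'suspect' when near-total agreement coincides with
    review times too short to have looked at the candidate images, 'insufficient'
    when there are too few decisions to judge, otherwise 'ok'."""
    status = {}
    for op, s in operator_stats(records).items():
        if s["n"] < min_n:
            status[op] = "insufficient"
        elif s["agreement"] >= max_agreement and s["median_review_s"] < min_median_s:
            status[op] = "suspect"
        else:
            status[op] = "ok"
    return status


def constructed_log():
    """Constructed sample log: alice accepts everything in seconds, bob overrides
    some matches and takes longer, carol has too few decisions, plus one bad line."""
    lines = []
    for i in range(30):
        lines.append(f"2027-03-02T09:{i:02d}:00Z op=alice case={1000 + i} "
                     f"system=MATCH decision=ACCEPT review_s={3 + i % 3}")
    for i in range(30):
        decision = "REJECT" if i % 7 == 3 else "ACCEPT"
        lines.append(f"2027-03-02T10:{i:02d}:00Z op=bob case={2000 + i} "
                     f"system=MATCH decision={decision} review_s={20 + (i * 7) % 40}")
    for i in range(5):
        lines.append(f"2027-03-02T11:{i:02d}:00Z op=carol case={3000 + i} "
                     f"system=MATCH decision=ACCEPT review_s=4")
    lines.append("2027-03-02T11:30:00Z op=carol case=3999 truncated entry")
    return lines


if __name__ == "__main__":
    recs, skipped = parse_log(constructed_log())
    print(f"parsed {len(recs)} records, skipped {skipped} malformed line(s)")
    for op, s in operator_stats(recs).items():
        print(op, s)
    print(oversight_findings(recs))
```

The two signals are deliberately combined: a 100% agreement rate alone might mean the matcher is simply good, and a fast reviewer alone might be experienced, but both together on a consequential decision are what a market surveillance authority will read as oversight that exists on paper only. The malformed-line count belongs in the same report, since under Article 26(6) the deployer is responsible for the integrity of the retained log.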
Logging (Article 26(6)). Deployers must retain the automatic logs generated by the system for at least six months, to the extent the logs are under their control. Law enforcement and border-control contexts may face longer national requirements.
Incident reporting (Articles 26(5) and 73). A deployer that identifies a serious incident, such as a misidentification leading to wrongful detention, systematic bias discovered in deployment, or unauthorised access to biometric records, must immediately inform first the provider, then the importer or distributor, and the relevant market surveillance authority (Article 26(5)). Where the deployer has reason to believe the system presents a risk, it must also suspend use. The formal Article 73 report to the competent authority is the provider's duty, which is why the deployer's notice to the provider has to come first.
Fundamental Rights Impact Assessment — Article 27 FRIA. Deployers that are bodies governed by public law or private entities providing public services must complete a FRIA before first deployment of a high-risk AI system, as must any deployer of an Annex III point 5(b) or 5(c) system (creditworthiness assessment, or life and health insurance risk assessment and pricing), whatever its legal form. A law enforcement agency using post-event RBI is squarely within Article 27 scope. A private company deploying biometric access control for its own premises is generally outside mandatory FRIA scope, though documenting the fundamental rights analysis remains sensible practice.
Inform affected individuals (Articles 26(11) and 50(3)). Deployers of Annex III systems that make or assist decisions about natural persons must inform those persons that they are subject to the high-risk AI system (Article 26(11)); for law enforcement uses, the notice rules of Article 13 of Directive (EU) 2016/680 apply instead. Deployers of emotion recognition or biometric categorisation systems must additionally inform the people exposed to them under Article 50(3), which exempts only systems permitted by law to detect, prevent or investigate criminal offences. Article 13 of the AI Act itself governs provider-to-deployer transparency, not notice to individuals.
The GDPR Article 9 Layer
Biometric data is special-category personal data under GDPR Article 9. Processing it requires a lawful basis under Article 9(2) — explicit consent, employment law necessity, vital interests, or another listed ground — in addition to any ordinary Article 6 GDPR basis. For law enforcement, Directive 2016/680 governs biometric processing with its own necessity and proportionality requirements.
EU AI Act compliance does not satisfy GDPR. A biometric system with a valid Article 43 conformity assessment but no GDPR Article 9 lawful basis remains unlawful. Run the two analyses in parallel.
Worked Example: Post-Event Facial Matching at a Regional Lender
A Spanish regional lender (80 staff) uses a third-party post-event facial-matching tool to establish claimant identity before processing insurance payouts. The system searches a selfie submitted by the claimant against the lender's entire customer photo database and returns the closest candidate records, rather than comparing it only with the single record the claimant asserts.
The system is Annex III point 1(a) high-risk: it identifies natural persons by one-to-many comparison of biometric data against a reference database. It is not prohibited: it is post-event, it is not law enforcement, and it does not infer sensitive attributes. The one-to-many search is the classification driver. If the same tool were configured to compare the selfie only with the photo on the claimant's own file, it would be one-to-one verification of a claimed identity and fall outside point 1(a) altogether (Annex III point 1(a) expressly excludes verification systems whose sole purpose is to confirm that a person is who they claim to be).
The provider (the third-party SaaS company supplying the tool) must: complete Article 11 technical documentation; conduct a conformity assessment via a notified body under Annex VII (because no harmonised standard applies); register the system under Article 49; and provide the lender with Article 13 information about system performance by demographic group and residual risks.
The lender as deployer must: follow the provider's instructions; assign a compliance officer to review every flagged match before any payout is denied — with genuine authority to override; retain logs for six months; report any serious misidentification incident under Article 73; confirm a GDPR Article 9(2) lawful basis (likely Article 9(2)(f) — defence of legal claims — or explicit consent); and establish whether its status as a financial services provider triggers an Article 27 FRIA obligation.
Deadline for both: 2 December 2027. The lender should not wait until 2027 to start: notified-body scheduling alone typically adds three to six months to the provider's compliance timeline, and the deployer needs the provider's conformity documentation before it can finalise its own obligations.
Penalties
| Breach | Maximum fine |
|---|---|
| Article 5 prohibitions (real-time RBI, sensitive-attribute categorisation, workplace emotion recognition) | €35,000,000 or 7% of worldwide annual turnover (Art 99(3)) |
| High-risk obligations — Annex III provider/deployer duties | €15,000,000 or 3% of worldwide annual turnover (Art 99(4)) |
| Incorrect or misleading information to authorities or notified bodies | €7,500,000 or 1% of worldwide annual turnover (Art 99(5)) |
For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount. The Article 5 prohibition penalties have applied since the prohibitions entered force on 2 February 2025. High-risk penalties apply from 2 December 2027.
How Confir Helps
Three things Confir's rule-based engine does for this topic:
- Boundary classification. The intake questionnaire applies the Article 5 vs. Annex III point 1 boundary in explicit rule logic, identifying whether your system is in the prohibited tier (a stop-deployment finding) or the high-risk tier (a compliance programme finding). The rule that fired is shown in plain text.
- Notified-body readiness documentation. For high-risk biometric systems, Confir generates the Article 11 / Annex IV technical documentation pack structured for notified-body review: data governance (Article 10), performance metrics (Article 15), risk register (Article 9), and human oversight procedures (Article 14). Deterministic, reproducible, audit-defensible.
- FRIA workflow (Article 27). For deployers within Article 27 scope, Confir runs the structured seven-section Fundamental Rights Impact Assessment before first deployment.
Pricing from €600/year, self-serve at confir.eu.
Frequently Asked Questions
What is the difference between prohibited and high-risk biometric AI?
Prohibited biometric AI (Article 5) may not be placed on the market or used: real-time RBI in publicly accessible spaces by law enforcement (outside the three narrow Article 5(1)(h) exceptions); biometric categorisation inferring race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation (Article 5(1)(g)); emotion recognition in workplaces or educational institutions outside medical or safety purposes (Article 5(1)(f)); and untargeted scraping of facial images to build recognition databases (Article 5(1)(e)). These bans have applied since 2 February 2025. High-risk biometric AI (Annex III point 1) is lawful but requires the full obligation stack, meaning risk management, technical documentation, human oversight, notified-body conformity assessment, and registration, before deployment.
Is one-to-one face verification high-risk under Annex III?
Not in most cases. Annex III point 1(a) targets remote biometric identification — searching across a database to determine who someone is. One-to-one verification that confirms a claimed identity against a single enrolled template (phone face-unlock, door access reader) is biometric verification, not identification. It generally falls outside the high-risk category. The distinction matters: providers of identification systems face notified-body conformity assessment; providers of simple verification tools typically do not.
Why does biometric AI require a notified body rather than self-certification?
Most Annex III categories use the Annex VI internal-control route, under which the provider self-assesses with documented evidence. Article 43(1) makes Annex III point 1 biometric systems an exception: the Annex VII procedure with a notified body is required unless the provider has applied harmonised standards or common specifications covering all applicable requirements. As of mid-2026, no such harmonised standards or common specifications exist for biometric AI. This means a designated third-party assessor must examine your technical documentation and quality management system and issue an EU technical documentation assessment certificate before you can place the system on the market, a meaningfully higher bar than self-declaration.
When does the Article 27 FRIA apply to biometric deployers?
Article 27 requires a Fundamental Rights Impact Assessment from deployers that are bodies governed by public law or private entities providing public services when deploying high-risk AI, and from any deployer of an Annex III point 5(b) or 5(c) system (creditworthiness, or life and health insurance risk assessment and pricing). A law enforcement agency running post-event facial matching, a border authority verifying travel documents, a social services department using biometric identity checks: all within scope, FRIA mandatory before first deployment. A private company deploying biometric access control for its own employees is generally outside the mandatory Article 27 scope, though documenting the fundamental rights analysis is good practice.
What is the deadline and does it affect the Article 5 prohibitions?
Under the Digital Omnibus (political agreement May 2026), stand-alone Annex III systems comply from 2 December 2027. High-risk AI in Annex I regulated products: 2 August 2028. The Article 5 prohibitions are unaffected — they applied from 2 February 2025. The Digital Omnibus deferred the high-risk obligation stack; it did not touch the prohibited-practices regime.
Can biometric categorisation by age or hair colour be high-risk rather than prohibited?
Age, yes; hair colour, not even that. Article 5(1)(g) prohibits categorisation that infers race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation. Categorisation according to a sensitive or protected attribute that stays outside that list, such as age banding or grouping by sex, is high-risk under Annex III point 1(b), not prohibited: the full obligation stack applies, but the practice is lawful. Categorisation by a trait that is neither sensitive nor protected, such as hair colour, does not fall within Annex III point 1(b) at all, although the Article 50(3) duty to inform people exposed to a biometric categorisation system still applies. Providers must document clearly that their categorisation logic does not touch the Article 5(1)(g) attributes, because the line between permitted categorisation and prohibited sensitive-attribute inference can be narrow: a model that bands by age from facial features can drift into inferring health, and one that groups by "cultural style" can drift into inferring religion or ethnicity.
Related guides
- high-risk AI classification requirements
- Article 6 high-risk classification
- Article 43 conformity assessment requirements
- Annex III high-risk AI use cases
- EU AI Act compliance requirements
- Article 9 risk management requirements
- Article 3 key definitions
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →