
Crime Prediction AI and the EU AI Act: Prohibited or High-Risk?

High-Risk Use Case · 23 May 2026 · 12 min read · 2,490 words

Is your crime-prediction AI system prohibited under Article 5 or high-risk under Annex III? Draw the line correctly — fine up to €35M/7% since Feb 2025.

The same label — "predictive policing AI" — can describe a prohibited system or a high-risk one. Which side of that line your system sits on depends entirely on its design: specifically, whether it generates an individual offending prediction from profiling alone, or whether it supports a human assessment already grounded in objective, verifiable facts. Getting this wrong is not a documentation failure. Deploying a prohibited system carries a fine ceiling of €35 million or 7% of worldwide annual turnover under Article 99(3), and has been enforceable since 2 February 2025.

This article draws that line precisely, explains what Annex III point 6 covers for systems that clear the prohibition, and sets out what compliance looks like in practice for deployers — almost always public authorities — and their providers.


The prohibition: Article 5(1)(d)

Article 5(1)(d) bans AI systems that make risk assessments of natural persons to assess or predict the likelihood of a person committing a criminal offence, based solely on profiling or on assessing personality traits and characteristics.

The language is specific and the word "solely" carries legal weight. A system that generates an individual recidivism score or a "will-offend" probability by feeding demographics, behavioural data, social-network proximity, or inferred personality traits into a model — with no prior human assessment grounded in objective, verifiable facts directly linked to a criminal activity — is prohibited. It does not matter how accurate the model is. It does not matter whether the output is labelled a "recommendation" rather than a decision. The prohibition targets the risk-assessment design itself.

The narrow statutory exception: the prohibition does not apply where the AI system merely supports a human assessment that is already based on objective and verifiable facts directly linked to a criminal activity. In that framing, the human assessment comes first and is grounded in actual evidence; the AI tool then helps evaluate that evidence. That is a fundamentally different system architecture from one that scans a population and outputs ranked offending probabilities from demographic or behavioural proxies.

What the prohibition covers in practice

A recidivism scoring tool that takes an individual's age, prior contact history, residential postcode, employment status, and social-network data and outputs a risk band — with no prior evidentiary basis for the assessment — falls squarely within Article 5(1)(d). So does a tool that analyses personality profiles, facial features correlated with criminal propensity claims, or writing style to predict future offending. These systems have been prohibited since 2 February 2025. They cannot be made compliant through a human review layer added after the fact; the prohibition is on the AI's design, not on the deployment workflow.

Deploying or placing such a system on the market exposes providers and deployers to Article 99(3): up to €35 million or 7% of total worldwide annual turnover, whichever is higher. This is the highest penalty tier in the Regulation.


The high-risk category: Annex III point 6

Systems that clear the Article 5(1)(d) prohibition sit in a different legal space. Annex III point 6 lists law-enforcement AI as high-risk, covering systems used by competent authorities in the course of detection, investigation, and prosecution of criminal offences or execution of criminal penalties, including:

  • AI that assesses the risk of a natural person becoming a victim of criminal offences
  • AI used to evaluate the reliability of evidence in a criminal investigation
  • AI used for profiling of natural persons in the course of detection or investigation — where that profiling supports, rather than replaces, a human assessment grounded in objective facts directly linked to a criminal activity

The distinction from the Article 5 prohibition is structural. An Annex III point 6 system does not generate standalone offending predictions from profiling alone. It operates within an investigative process already anchored in concrete facts, helping investigators evaluate evidence, prioritise leads, or assess victimisation risk.

A practical example: a system that analyses digital evidence from a seized device to flag potentially relevant communications, presented alongside that evidentiary context to a trained investigator who makes all findings — that is high-risk, not prohibited. Another: a risk model that assesses the likelihood of re-victimisation for known domestic abuse complainants, based on documented incident reports — that supports victim-protection decision-making on an existing factual record. High-risk, not prohibited.

Place-based predictive crime mapping

Area-based systems that predict where crime is statistically likely to concentrate — using historical incident data aggregated by location — do not generate individual offending predictions and are not caught by Article 5(1)(d)'s ban. They target places, not people. However, they may still fall within Annex III point 6 if law enforcement uses them to direct investigative or patrolling resources, and they raise independent concerns under GDPR Article 22 and general fundamental-rights frameworks where their use funnels enforcement attention onto particular communities in ways that compound historical bias. That is a design and governance question, not an AI Act prohibition question.


The Article 6(3) filter: when an Annex III system might not be high-risk

A system falling within Annex III point 6 is not automatically high-risk if it passes the Article 6(3) filter: the provider may document that the system poses no significant risk of harm to health, safety, or fundamental rights — for instance, because it performs a narrow procedural task, improves the result of a previously completed human activity, or does preparatory work without influencing human assessment.

In practice, this exemption path is narrow for law-enforcement tools. Any system that profiles natural persons is explicitly always high-risk under Article 6(3) — the Act carves out that case expressly. Systems used in the course of criminal investigations are, by definition, capable of affecting individual liberty and privacy in material ways. Providers claiming the Article 6(3) exemption must document the assessment and still register the system in the EU database under Article 49.


Obligations for high-risk systems under Annex III point 6

Once a system is confirmed high-risk (and the provider has not credibly claimed the Article 6(3) exemption), the full Chapter III stack applies.

For providers (the vendor or developer placing the system on the market):

  • Article 9 — establish and maintain a documented risk management system throughout the system's lifecycle. For law-enforcement tools, this means identifying the risk that training data encodes historical enforcement disparities, specifying mitigation measures, and documenting residual risks that cannot be eliminated.
  • Article 10 — implement data governance over training, validation, and test datasets, including documentation of data sources, demographic coverage, and known limitations.
  • Article 11 / Annex IV — prepare the technical documentation pack before market placement. This includes model architecture, training data specifications, performance metrics disaggregated by relevant group, test results, and the risk management record. Keep it for ten years (Article 18).
  • Article 14 — design the system to enable meaningful human oversight: an investigator must be able to understand the system's output, identify its limitations, and override it. A system architected to produce outputs that officers accept without scrutiny fails this requirement.
  • Article 15 — ensure adequate accuracy, robustness, and cybersecurity appropriate to the system's purpose.
  • Article 43 — complete the conformity assessment. For Annex III systems not in the biometrics category (point 1), the standard route is the Annex VI internal control procedure. The provider then issues the Article 47 EU Declaration of Conformity and, where applicable, affixes CE marking (Article 48).
  • Article 49 — register the system in the EU database before deployment. For law-enforcement AI, Article 49(2) provides that registration details accessible to the public are limited; sensitive operational details can be restricted.

For deployers — almost always public authorities:

  • Article 26 — monitor the system in use, follow the provider's instructions, ensure human oversight is actually exercised (not just structurally available), and keep logs of automated outputs for at least six months. If anything goes wrong, inform the provider; if there is a serious incident, the provider reports to the market-surveillance authority under Article 73.
  • Article 27 — conduct a Fundamental Rights Impact Assessment (FRIA) before deployment. Public bodies and bodies exercising public powers are required to run a FRIA for high-risk AI systems listed in Annex III. The FRIA maps the system's likely effects on liberty, privacy, non-discrimination, and procedural fairness; it identifies safeguards and documents residual impacts. The completed FRIA is submitted to the market-surveillance authority at their request and registered in the EU database.
  • Article 49 — non-public law-enforcement AI registration: Article 49(4) addresses systems used exclusively by law-enforcement or border-management authorities, providing a specific registration channel that protects operationally sensitive information.

The deadline for these obligations is 2 December 2027 for stand-alone high-risk AI systems under Annex III, under the Digital Omnibus agreed in May 2026 (pushing back the original 2 August 2026 date). That extension is breathing room for documentation assembly — not a signal that compliance can wait. A FRIA alone takes months to commission, run, and validate.


The classification decision in a table

System design | Article 5(1)(d) verdict | Compliance path
Generates individual "will-offend"/recidivism score from demographics, personality, or behaviour alone — no prior evidentiary basis | Prohibited | Must not be placed on market or deployed. In force 2 Feb 2025. Fine: Art 99(3) up to €35M/7%.
Supports human assessment already grounded in objective facts directly linked to a criminal activity — e.g. evidence evaluation, victimisation risk for known complainants | Not prohibited — check Annex III point 6 | High-risk if within Annex III point 6; Art 9, 11, 14, 43, 47, 49 for providers; Art 27 FRIA + Art 26 for deployers. Deadline: 2 Dec 2027.
Place-based crime mapping (aggregate location data, no individual offending prediction) | Not caught by Art 5(1)(d) | May be Annex III point 6 high-risk if used in law-enforcement resourcing. Assess separately.

How Confir helps

Classifying a law-enforcement AI system correctly — prohibited versus high-risk — is the most consequential decision a compliance team makes on this topic. Confir's rule-based Article 5 / Article 6 checklists walk you through the key design questions: Does the system generate an individual offending prediction? If so, is it based solely on profiling or assessed personality traits? Does any prior human assessment grounded in objective facts precede the AI output? The classification engine is deterministic — same inputs, same finding, with the rule that fired readable in plain English. That reproducibility matters when a supervisory authority asks you to justify your risk-tier conclusion.

If your system clears the prohibition and sits in the Annex III high-risk tier, Confir runs the Article 27 FRIA workflow for deployer organisations and generates the Article 11 / Annex IV technical documentation pack for providers.


Frequently Asked Questions

Is all predictive policing AI banned under the EU AI Act?

No, but the distinction is narrow. Article 5(1)(d) prohibits AI that predicts an individual's likelihood of offending based solely on profiling or assessed personality traits and characteristics. Systems that instead support a human investigator's assessment already grounded in objective, verifiable facts linked to a criminal activity are not prohibited — they are high-risk under Annex III point 6. The architecture of the system, not its label, determines which category applies.

What does "based solely on profiling" mean in Article 5(1)(d)?

It means the system derives its individual risk prediction from inferred attributes — demographics, behavioural patterns, social-network data, personality scores — without a prior factual basis in evidence directly connected to a specific criminal activity. If the AI is the primary or sole source of the risk signal, with no prior human assessment grounded in concrete facts, the prohibition applies. Adding a nominal human review step after the AI output does not change the design and does not move the system out of the prohibition.

When does a law-enforcement AI system qualify as high-risk under Annex III point 6 rather than prohibited?

When it operates within an investigative process already based on objective facts linked to a criminal activity, and its function is to support — not replace — the human assessment. Examples include: evaluating the reliability of specific pieces of evidence, assessing victimisation risk for individuals already known to law enforcement on the basis of documented incidents, or profiling within a live investigation where the factual basis pre-exists the AI input. The AI adds analytic capacity to an existing evidential picture; it does not generate the picture itself.

Does place-based predictive mapping fall under the Article 5(1)(d) prohibition?

No. Area-based systems that aggregate historical crime data by location to predict where offences are statistically likely to concentrate do not generate individual offending predictions and are not caught by Article 5(1)(d). They may still fall within Annex III point 6 depending on how law enforcement uses them, and they raise independent concerns about enforcement disparities under GDPR and fundamental-rights frameworks — but the prohibition's ban on individual criminal-risk profiling does not apply.

Who must conduct a Fundamental Rights Impact Assessment for a predictive policing tool?

The deployer does, under Article 27 — and in this context the deployer is almost always a public authority (police force, prosecutorial authority, or equivalent). The FRIA must be completed before deployment. It assesses impacts on liberty, privacy, non-discrimination, and procedural fairness, identifies safeguards, and documents residual effects. It is submitted to the market-surveillance authority on request and registered in the EU database. The provider bears separate documentation obligations under Articles 9, 11, and 43; the FRIA is specifically the deployer's obligation.

What is the penalty for deploying a prohibited crime-prediction AI system?

Article 99(3) sets the ceiling at €35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. The Article 5 prohibitions have applied since 2 February 2025 — they are not subject to the Digital Omnibus deferral that pushed the high-risk deadline to 2 December 2027. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount, but that proportionality protection does not eliminate the prohibition itself.

What is the compliance deadline for high-risk law-enforcement AI under Annex III point 6?

2 December 2027, for stand-alone high-risk AI systems under Annex III — under the Digital Omnibus agreed in May 2026. The original date of 2 August 2026 has been deferred. This applies to provider obligations (Articles 9, 11, 14, 43, 47, 49) and deployer obligations including the Article 27 FRIA. Note that the prohibition under Article 5(1)(d) was not deferred — it has applied since 2 February 2025.
