Article 5(1)(a) EU AI Act: Subliminal and Manipulative AI Prohibited
Article 5(1)(a) of the EU AI Act bans AI systems that use subliminal techniques beyond a person's consciousness — or purposefully manipulative or deceptive techniques — to materially distort behaviour in a way that causes, or is reasonably likely to cause, significant harm. This is not a high-risk classification. It is an outright prohibition, in force since 2 February 2025. There is no conformity assessment that legalises a prohibited system. There is no documentation package that substitutes for withdrawal.
This article explains what Article 5(1)(a) and the closely related Article 5(1)(b) actually prohibit, where the line sits between unlawful manipulation and lawful persuasion, why ordinary product teams face genuine exposure they may not have spotted, and how Confir's Article 5 checklist gates your system before it ever reaches a classification question.
What Article 5(1)(a) Prohibits — and Why the Line Is Harder to Draw Than It Looks
The statutory text of Article 5(1)(a) bans AI that:
- deploys subliminal techniques beyond a person's consciousness, or
- deploys purposefully manipulative or deceptive techniques,
in either case with the objective or effect of materially distorting the behaviour of a person or group of persons, by appreciably impairing their ability to make an informed decision, causing them to take a decision they would not otherwise have taken, in a manner that causes or is reasonably likely to cause significant harm.
Three elements must align: the technique, the impairment of informed decision-making, and the significant harm. All three must be present. That structure matters — it is what separates the prohibition from an ordinary persuasion ban.
The Commission's February 2025 guidelines on prohibited AI practices clarify the scope. Subliminal techniques include anything that bypasses conscious awareness: audio below the threshold of perception, visual stimuli too brief to register consciously, or algorithmic nudges embedded in a user interface in ways that are deliberately concealed from the user. Manipulative techniques include false urgency, manufactured scarcity, and design patterns that exploit cognitive biases — what consumer-protection law has long called dark patterns — when those patterns impair the user's ability to make an informed decision and the resulting harm is significant.
The lawfulness boundary matters here. Advertising that is persuasive but does not impair informed decision-making is not banned. Personalisation that improves relevance without bypassing rational agency is not banned. The Act targets the combination: impaired cognition plus significant harm. A pop-up saying "Only 2 left!" when stock is genuinely low is a commercial claim. A recommender system that manufactures artificial scarcity signals, sustains compulsive engagement patterns in adolescents, and causes financial or psychological harm is a different matter.
Article 5(1)(b): The Vulnerability Exploitation Prohibition
Article 5(1)(b) is a companion provision. It bans AI that exploits vulnerabilities arising from a person's age, disability, or specific social or economic situation to materially distort behaviour and cause significant harm. The structure is parallel to 5(1)(a) but the trigger is different: instead of subliminal or manipulative technique, the wrong is targeting a known vulnerability in a way that distorts behaviour and causes harm.
A debt-collection chatbot calibrated to apply pressure on users the system has identified as financially distressed crosses 5(1)(b). A recommendation engine tuned to maximise watch-time in children identified as showing compulsive engagement patterns raises serious 5(1)(b) questions. The age variable is explicit in the text; the Commission guidelines treat online platforms and gaming services as particularly exposed.
Where Ordinary Product Teams Are Actually Exposed
The realistic trap is not the cartoonish bad actor running subliminal advertising. It is three product patterns that have legitimate commercial purpose but can drift across the Article 5(1)(a) line without anyone deciding to cross it.
Engagement-maximising recommender systems. A recommender optimised for session length accumulates users. If the system exploits known psychological mechanisms — variable reward schedules, social comparison triggers, loss-aversion nudges — and the result is compulsive use that causes the user financial or psychological harm, the "objective or effect" test in Article 5(1)(a) is engaged. The algorithm did not need to intend harm; the effect is enough if harm is reasonably foreseeable.
Dark patterns in conversion and checkout flows. Confirmshaming ("No thanks, I prefer paying more"), pre-ticked add-on subscriptions, countdown timers that reset, or deliberately buried cancellation paths are design techniques that bypass rational evaluation. When these combine to impair informed decision-making and the user ends up in a contract they would not otherwise have signed, the significant-harm threshold is reachable — particularly if the amounts involved are material or the user is financially vulnerable.
Persuasion-engineering pipelines in ad tech. Programmatic advertising that uses psychographic profiling to identify and target users whose susceptibility to a particular message has been modelled by the system, and delivers that message without disclosing the targeting basis, is operating in contested territory. The Commission guidelines signal that AI systems that model individual psychological states for persuasion purposes attract close scrutiny under 5(1)(a), especially where the products advertised carry inherent harm potential (credit products, gambling, dietary supplements).
None of these scenarios requires a single engineer to have bad intent. They emerge from objective-function choices made under commercial pressure. That is why the prohibition applies to objective or effect.
What Is Not Prohibited
The prohibition has a defined boundary, and it is worth stating explicitly, because overcorrection is also a compliance failure.
Personalisation based on stated preferences or interaction history, without impairment of informed decision-making, is not prohibited. An e-commerce site that learns a user prefers running gear and surfaces it is not manipulating. A news aggregator that delivers articles matching reading history is not suppressing rational agency. A pricing algorithm that adjusts offers based on demand signals, disclosed to the user, does not meet the subliminal-technique element.
Persuasive communication — advertising, marketing claims, calls to action — that a reasonable person can evaluate and refuse is not banned. The test is whether the technique operationally bypasses evaluation, not whether it influences the outcome.
Article 5(1)(a) targets the mechanism, not the persuasion outcome. Lawful persuasion influences choices. Prohibited manipulation impairs the capacity to make them.
What the February 2025 Commission Guidelines Say
The Commission published guidance on prohibited AI practices in February 2025, timed to coincide with Article 5 coming into force. On Article 5(1)(a), the guidelines make three points worth internalising.
First, the "beyond a person's consciousness" formulation covers both techniques operating below conscious perception (genuinely subliminal in the neuroscientific sense) and techniques that are technically visible but designed to exploit automatic, non-deliberative processing — the System 1 exploits of behavioural economics. The provision is not limited to hidden stimuli.
Second, the "objective or effect" test means the system does not need to have been built with harmful intent. A recommendation engine optimised for a commercial objective that produces population-level harm through mechanism-based behavioural distortion can satisfy the effect limb without any designer having intended that outcome.
Third, significant harm is interpreted by reference to the severity, reversibility, and breadth of the harm, not just its probability. Financial harm that is difficult to reverse, psychological harm affecting daily functioning, or harm affecting a large number of people can each satisfy the threshold independently. Teams should assess harm potential across these dimensions, not just ask whether harm is likely.
Enforcement: In Force Since 2 February 2025
Article 5 prohibitions have applied across the EU since 2 February 2025 — the first substantive obligations under Regulation (EU) 2024/1689 to take effect. There is no grace period, no phased implementation, and no Digital Omnibus deferral relevant here. (The Digital Omnibus, agreed in May 2026, deferred the high-risk Annex III regime to 2 December 2027 for stand-alone systems; it did not touch Article 5.)
The penalty ceiling for breach of Article 5 is €35,000,000 or 7% of total worldwide annual turnover, whichever is higher — the highest tier in the Act, set by Article 99(3). For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed sum, but that is a ceiling adjustment, not a substantive exemption. The fine can still represent a material fraction of turnover.
Competent national market-surveillance authorities, coordinated by the EU AI Office, are the enforcement bodies. The AI Office itself holds enforcement jurisdiction over GPAI models. A serious incident that triggers a market-surveillance investigation will reach Article 5 exposure within the first audit sweep.
The Compliance Question Your Team Needs to Answer First
Before classifying a system under Article 6, before assembling technical documentation, before scoping Annex III obligations, every AI system must pass an Article 5 gate. The question is not "what risk tier does this system sit in?" The question is "does this system employ a technique that materially distorts behaviour by impairing informed decision-making, in a manner that causes or is reasonably likely to cause significant harm?"
That assessment requires three inputs: a clear-eyed description of the techniques the system actually uses (the operational mechanism, not the intended use); a realistic analysis of the population the system reaches and whether vulnerable sub-groups are within scope; and a harm analysis that asks what decisions the system influences and what it means for a person to make the wrong one.
If the answer is yes, the system is prohibited and cannot be deployed in the EU. No CE marking remedies it. No risk management system mitigates it. The obligation is to withdraw or redesign.
If the answer is genuinely no, the system proceeds to classification under Article 6. That is a separate, subsequent question.
How Confir Helps
Confir's Article 5 prohibited-practice checklist is the first gate in every classification flow. The intake puts plain-English scenarios to the operator — does the system use design patterns that suppress the user's ability to evaluate options? does it target known psychological vulnerabilities? does it operate on mechanisms below conscious awareness? — and maps the answers against the four Article 5(1) prohibitions deterministically. A system that clears all checklist criteria proceeds to classification under Article 6. One that flags on the manipulation or vulnerability-exploitation questions is held as unacceptable risk, with a plain-language explanation of which criterion was triggered and why.
The engine is rule-based. The same intake produces the same output; the rules that fire are human-readable. For a compliance finding under a provision that carries €35M/7% exposure, that is exactly what "reproducible and audit-defensible" means.
Frequently Asked Questions
Does Article 5(1)(a) ban all persuasion in AI systems?
No. The prohibition is targeted at techniques that impair a person's ability to make an informed decision and cause significant harm as a result. Advertising, personalisation, and marketing communications that a user can evaluate and refuse do not cross the threshold. The line is between influencing a decision (lawful) and impairing the capacity to make it (prohibited). The Commission's February 2025 guidelines on prohibited AI practices describe the boundary in detail and should be read by any team operating recommendation, ad-targeting, or conversion-optimisation systems.
Our recommender system maximises engagement — does that automatically trigger Article 5(1)(a)?
Not automatically. The prohibition requires three elements together: the technique (subliminal or manipulative), the impairment of informed decision-making, and significant harm. An engagement-maximising recommender that operates transparently, does not exploit psychological vulnerabilities, and does not cause harm sits outside the prohibition. The exposure arises when the system uses variable reward schedules, social comparison mechanics, or manufactured urgency in ways that impair rational evaluation, and users suffer financial or psychological harm as a result. Your legal team should assess the specific mechanisms, not just the optimisation objective.
We use dark patterns in our checkout flow. Is that covered?
Dark patterns such as confirmshaming, pre-ticked subscriptions, countdown timers that reset, or buried cancellation paths are design techniques that impair informed decision-making. Whether they trigger Article 5(1)(a) depends on whether the resulting harm is significant. Consumer-protection authorities across the EU have already been pursuing dark-pattern enforcement under existing consumer law; Article 5(1)(a) adds an AI-specific prohibition where the pattern is AI-driven. If your checkout or subscription flow uses an AI system to optimise or personalise these patterns, the risk is real.
What is the difference between Article 5(1)(a) and Article 5(1)(b)?
Article 5(1)(a) prohibits subliminal, manipulative, or deceptive techniques that materially distort behaviour and cause significant harm — the mechanism is the wrong. Article 5(1)(b) prohibits exploiting vulnerabilities arising from a person's age, disability, or specific social or economic situation to materially distort behaviour and cause significant harm — the targeting of a known vulnerability is the wrong. Both require the material distortion and significant-harm elements. A system can engage both: a recommender that uses a manipulative mechanism AND targets users identified as financially vulnerable fails on both counts.
When did Article 5 come into force, and what are the penalties?
Article 5 prohibitions have applied since 2 February 2025. There is no grace period and no deferral under the Digital Omnibus (which deferred Annex III high-risk obligations only). The penalty ceiling for breach is €35 million or 7% of total worldwide annual turnover, whichever is higher (Article 99(3) of Regulation (EU) 2024/1689). SMEs and start-ups have their fines capped at the lower of the two figures under Article 99(6).
If our system is prohibited, can we fix it and re-deploy?
Yes, if you redesign the system so it no longer employs the prohibited technique and no longer meets all three elements of the ban. A prohibited system cannot be remediated through documentation or risk management alone — the prohibited technique must be removed. Once redesigned, the system must be reassessed under Article 5 before re-deployment. If the redesign also changes the system's function materially, Article 3(23)'s substantial-modification rules may make the redesigned system a new system for classification purposes.
How does Article 5 relate to Annex III high-risk classification?
Article 5 and Annex III are different legal instruments. Article 5 prohibits certain AI practices outright — the system cannot be placed on the EU market at all. Annex III imposes requirements on systems that are high-risk (Articles 9–15, 43, 47–49, 72–73) but permits their deployment when those requirements are met. The Article 5 gate comes first: a system that fails it is prohibited regardless of whether it would also be high-risk under Annex III. A system that passes it proceeds to classification. Many systems will pass Article 5 and then face Annex III obligations based on what the system does (e.g., a recruitment screener or creditworthiness scorer).