EU AI Act Article 5: The Eight Prohibited AI Practices
Article 5 of Regulation (EU) 2024/1689 draws a hard line. These are not AI applications that require extra documentation or a conformity assessment before launch — they are banned. Eight categories of AI practice are categorically off-limits, and the law has been in force since 2 February 2025. If your system falls into one of them, there is no remediation path, no compliance checklist that makes it acceptable. The only outcome is not deploying it.
The stakes match the absolute nature of the rule. Breach of Article 5 triggers the top penalty tier under Article 99(3): up to €35,000,000 or 7% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, the fine is capped at the lower of those two figures — but even a percentage of a small company's global revenue is not a minor risk. Enforcement sits with national market-surveillance authorities, and the European Commission published guidelines on prohibited practices in February 2025 to help national enforcers apply the provisions consistently.
This article walks through all eight prohibitions precisely, identifies who bears compliance responsibility, calls out the realistic traps for SMBs, and explains where the narrow exceptions apply.
Why Article 5 Matters Before Anything Else
The EU AI Act structures compliance as a sequence. Before you ask whether your system is high-risk, or what documentation you need, you first ask: does this system do any of the things Article 5 forbids? If yes, the analysis ends there.
In practice, most AI systems — including most AI tools deployed by SMBs — will not come close to Article 5. But several prohibited categories are more common in ordinary business than founders tend to assume. Emotion-recognition features built into HR software, dark-pattern recommendation engines, and internal tools trained on scraped facial images are three areas where well-intentioned products have drifted into prohibited territory without anyone realising it.
The Commission's February 2025 guidelines on prohibited practices make clear that national authorities are expected to enforce these provisions actively. Article 5 is not a future deadline. It applied from the first day EU AI Act prohibitions went live.
The Eight Prohibitions Under Article 5(1)
(a) Subliminal, manipulative, and deceptive techniques
Article 5(1)(a) prohibits AI systems that employ subliminal techniques, or other manipulative or deceptive techniques, to distort the behaviour of a person in a way that person would not have consented to, when that distortion causes or is likely to cause significant harm.
Three terms do different work here. Subliminal covers stimuli or influence operating below conscious perception — including algorithmic personalisation engineered to shape decisions without the person realising they are being steered. Manipulative captures systems designed to exploit psychological biases: artificial scarcity signals, false urgency, social-proof engineering, or dark patterns that suppress the user's deliberative capacity. Deceptive covers misrepresentation — of system identity, capabilities, or the nature of the content being presented.
Harm must be significant, and it need not have materialised; a likelihood of significant harm is sufficient.
The practical trap for product teams: a recommendation engine trained to maximise engagement metrics can drift into this territory if it learns that urgency cues or suppressed information lift clicks. That is not a hypothetical — it is the direction of travel for any unconstrained optimisation over behavioural outcomes. Design safeguards should be documented explicitly.
(b) Exploiting vulnerabilities due to age, disability, or situation
Article 5(1)(b) prohibits AI systems that exploit the specific vulnerabilities of a person or group arising from their age, disability, or a particular social or economic situation — where that exploitation distorts behaviour in a way that causes or is likely to cause significant harm.
This prohibition targets differential exploitation. A system that nudges all users equally through manipulative design may fall under (a); a system that specifically identifies and targets people who are elderly, economically precarious, or cognitively impaired — and applies more aggressive persuasion to them — falls under (b).
"Vulnerability" under the Act is contextual. Children under 18 are presumed vulnerable. Cognitive disabilities, mental health conditions, and severe financial distress all qualify. A payday-lending AI that applies harsher persuasion to applicants whose data profile signals financial desperation would be a clear case. So would a subscription-retention tool that routes elderly users to a more aggressive retention flow.
(c) Social scoring by public authorities
Article 5(1)(c) prohibits the evaluation or classification of natural persons or groups over a period of time based on their social behaviour or known, inferred, or predicted personal or personality characteristics — resulting in detrimental or unfavourable treatment that is either in an unrelated social context or disproportionate to the conduct that generated the score.
This provision targets the "social credit" model: aggregating behavioural data over time to produce a trustworthiness or social ranking that then gates access to services, opportunities, or rights in contexts disconnected from the original conduct. The prohibition applies explicitly to public authorities, though the principles run through the Act more broadly.
A violation arises when either of two conditions is met: the treatment occurs in a context unrelated to the social behaviour that generated the score, or it is disproportionate to that behaviour. A municipal authority that denies housing benefits to someone because their social media activity suggested political opposition to local government would satisfy both.
(d) Risk assessment predicting criminal offending based solely on profiling
Article 5(1)(d) prohibits AI systems that make risk assessments of natural persons, predicting the likelihood that a person will commit a criminal offence, based solely on profiling of that person or on the assessment of personality traits and characteristics.
The key word is solely. The prohibition is not an absolute ban on all predictive tools used by law enforcement. The Act carves out systems where the AI prediction supplements — rather than replaces — a human assessment grounded in objective, verifiable facts directly linked to criminal activity. But a system that generates a "recidivism score" or a "threat probability" from demographic data, behavioural patterns, or psychological trait inference — without any objective factual anchor — falls squarely within the prohibition.
This matters for legal-tech providers, court analytics tools, and any software sold to law enforcement that generates individual risk scores.
(e) Untargeted scraping of facial images to build recognition databases
Article 5(1)(e) prohibits the creation or expansion of facial recognition databases through the untargeted scraping of facial images from the internet or closed-circuit television footage.
"Untargeted" is the operative concept. The prohibition does not prevent lawful, targeted collection of biometric data for specific individuals in specific authorised contexts. What it bans is the mass harvesting of face images — crawling social media platforms, news archives, or CCTV networks to build or grow a searchable facial recognition database without any particular subject in mind. Several commercial facial recognition providers built their products on exactly this model before the Act applied.
The prohibition applies to whoever builds or expands the database — not necessarily the eventual user of the facial recognition service. A startup offering a face-search API should examine whether its training or index data came from untargeted internet scraping.
(f) Emotion recognition in the workplace and in education
Article 5(1)(f) prohibits AI systems that infer the emotional state of natural persons in the workplace and in educational institutions, except in cases where such use is motivated by medical or safety reasons.
This prohibition has immediate practical relevance for a wide range of deployed tools. Software that uses facial expression analysis, voice-tone detection, or physiological signals to assess employee engagement, detect distraction, or evaluate stress during video calls is prohibited — regardless of whether the employer thinks it is harmless or beneficial.
Educational technology that monitors student attention, detects boredom, or scores emotional engagement in online learning platforms falls under the same prohibition. The narrow exception is genuine: medical monitoring of physical safety risks (e.g., detecting signs of fatigue in safety-critical roles) or clinical care contexts. It does not extend to productivity monitoring, performance evaluation, or wellbeing dashboards.
If your product includes emotion-inference features and is sold into HR or EdTech markets, this is the provision that requires immediate review.
(g) Biometric categorisation inferring sensitive attributes
Article 5(1)(g) prohibits AI systems that categorise natural persons individually based on their biometric data to deduce or infer their race, political opinions, trade-union membership, religious or philosophical beliefs, sex life, or sexual orientation.
The prohibition targets inferential categorisation — using biometric signals (facial features, voice characteristics, gait) to derive sensitive attributes that the person has not disclosed. This is distinct from, say, using biometric verification to confirm a claimed identity. The concern is that biometric data can be used as a proxy to infer protected characteristics, enabling discrimination that bypasses direct questioning.
There is a narrow exception: biometric labelling or categorisation carried out in lawfully permitted contexts — for example, law enforcement databases where suspects' biometric data may need to be tagged with verified demographic information under criminal procedure law. This is not a broad carve-out; it is a specific, narrow, authorised use.
(h) Real-time remote biometric identification in public spaces for law enforcement
Article 5(1)(h) prohibits the use of AI systems for real-time remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement — subject to narrow exceptions with mandatory safeguards.
This is the most extensively structured prohibition in Article 5. "Real-time" means identification contemporaneously with data capture, not post-event analysis. "Publicly accessible spaces" includes streets, public transport, commercial areas, and any venue accessible to the general public, regardless of ownership. "Law enforcement purposes" is the use-case trigger — private sector use of real-time biometric identification in public spaces is covered separately by (e) and (g).
Article 5(3) and (4) establish the exceptions: real-time biometric identification by law enforcement is permitted only for targeted searches for specific missing persons (victims of kidnapping, trafficking, or sexual exploitation); prevention of specific, substantial, and imminent threat to life or a terrorist attack; and identification of persons suspected of serious criminal offences listed in Annex II. Each use requires prior judicial or independent administrative authorisation, except in cases of urgency where post-use review within 24 hours is mandated. Fundamental-rights impact assessments and registration with national supervisory authorities are also required.
The exception does not extend to general public-order monitoring, immigration enforcement, or the scanning of all individuals passing through a location.
Who Must Act on Article 5
The Article 5 prohibitions apply to providers (those who develop and place AI systems on the market) and deployers (those who use AI systems in a professional context). Both can be liable.
Providers must screen their systems before market placement. If your product incorporates an emotion-inference module, even as a configurable option, you need to assess whether that feature renders the system prohibited in the contexts where customers deploy it — particularly if HR or EdTech buyers are your target market.
Deployers must verify that a purchased system will not be used in a way that triggers Article 5. A deployer who activates emotion-recognition features in a call centre is not insulated by the fact that the provider built the capability. The deployment is the violation.
Importers and distributors bear verification duties: before placing a system on the EU market, they must confirm that the provider has conducted Article 5 screening and that no prohibited features are present.
Most SMBs sit in the deployer seat — buying and configuring third-party AI tools. That is the position where the emotion-recognition trap, in particular, is most commonly sprung.
One point that suppliers sometimes miss: Article 25 of the AI Act creates a role-escalation rule. A deployer who puts its own name on a third-party system, substantially modifies it, or changes its intended purpose to one not covered by the original conformity assessment becomes a provider for that version of the system. If your development team wraps a third-party emotion-inference model in your product and ships it to customers, you are the provider — with full Article 5 screening obligations, not merely deployer-level due diligence.
The same logic applies to fine-tuning: a model fine-tuned on new data for a new use case may acquire a different risk classification from the base model. If that fine-tuned use case is one of the eight prohibited categories, the fine-tuned model is prohibited regardless of the original model's status.
Three SMB Traps Worth Naming Explicitly
Emotion recognition in employee monitoring. A startling number of workforce-analytics and video-conferencing tools now offer attention or engagement scoring as a feature. Some platforms describe this as "wellbeing" or "productivity insights." Unless the purpose is a genuine medical or safety function, deploying this in your office or on your remote team is prohibited under Article 5(1)(f). The tool's marketing copy does not affect the legal status of the feature.
Dark-pattern AI in conversion optimisation. Recommendation engines, A/B testing tools, and email-optimisation systems trained on engagement metrics can converge on manipulative patterns — artificial urgency, suppressed opt-out paths, scarcity cues tied to no real scarcity. Article 5(1)(a) does not require intent. If the system operates through deceptive or manipulative mechanisms and the output causes or is likely to cause significant harm, the prohibition applies.
Facial-image databases built on scraped data. Any company building a face-search feature, photo-tagging system, or identity-verification product should audit where its facial image data originated. If the training set or index was assembled through internet scraping or unselective CCTV ingestion, Article 5(1)(e) is directly engaged — regardless of the intended application.
Article 5 and GDPR: Not the Same Obligation
Article 5 and the GDPR's restrictions on biometric data (Article 9 GDPR) address overlapping but distinct concerns. GDPR Article 9 imposes conditions on the processing of biometric data as a special category; EU AI Act Article 5 prohibits specific AI-enabled uses of biometric data regardless of whether the underlying processing might otherwise be permitted under GDPR.
A system might have a lawful basis under GDPR (say, explicit consent) and still be prohibited under Article 5. The prohibitions are additive, not alternatives. Compliance with GDPR is necessary but not sufficient.
This is worth making explicit to clients who assume their GDPR compliance programme covers the AI Act. For Article 5 purposes, there is no consent mechanism that converts a prohibited practice into a permitted one — the prohibitions are categorical.
The two frameworks do interact in one practical way: enforcement of an Article 5 violation involving biometric data is likely to trigger parallel GDPR enforcement by the relevant data protection authority. Dual proceedings, with separate fine structures, are a realistic outcome for a single prohibited deployment. That doubles the urgency of pre-launch screening, particularly for any system that processes facial images or other biometric data at scale.
How Confir Helps
Before any classification assessment begins, Confir runs your AI system through the Article 5 prohibited-practice checklist. This is a gate: if any of the eight prohibitions apply, Confir returns an "Unacceptable Risk" finding and the system is flagged as not deployable. No further assessment proceeds until that finding is resolved.
The checklist is rule-based and deterministic — the same intake always produces the same result, with the specific rule that fired shown in plain language. If you are a deployer evaluating a third-party tool, or a provider auditing a feature set before launch, this gives you an audit-defensible record of the Article 5 screening step.
If your system clears Article 5, Confir moves to Article 6 classification and Annex III scoping to determine whether it falls in the high-risk tier.
Enforcement in Practice
National market-surveillance authorities are responsible for Article 5 enforcement. These are the same authorities designated under Regulation (EU) 2019/1020 for product safety — in Germany, the Bundesnetzagentur and Länder-level authorities; in France, the DGCCRF; in the Netherlands, the ACM, among others.
Enforcement powers include unannounced inspections, document requests, interim suspension orders, corrective action requirements, and market withdrawal. The Commission's February 2025 guidelines encourage consistent application across member states and give authorities benchmarks for what constitutes a prohibited practice versus a high-risk system requiring assessment.
For most SMBs, the near-term enforcement risk from Article 5 is lower than the reputational and contractual risk. Enterprise customers — particularly those in regulated sectors — are already asking vendors for documentation of Article 5 compliance as part of procurement due diligence.
Frequently Asked Questions
When did Article 5 prohibitions start applying?
2 February 2025. These provisions applied from that date as part of the first phase of EU AI Act application. They are not subject to the Digital Omnibus deferral, which moved the high-risk deadline to 2 December 2027. Article 5 is already in force and enforceable.
What penalty applies for breaching Article 5?
Under Article 99(3), the fine ceiling is €35,000,000 or 7% of total worldwide annual turnover for the preceding financial year — whichever is higher. For SMEs and start-ups, the fine is capped at the lower of those two figures under Article 99(6). These are the highest penalties in the Act; high-risk violations carry a lower ceiling of €15 million or 3%.
Does Article 5 apply to deployers, or only to providers?
Both. A provider who places a prohibited system on the market and a deployer who uses one in their operations can each face enforcement action. Importers and distributors who place non-compliant systems on the EU market also bear liability. The supply-chain reach of Article 5 is intentionally broad.
Is there any exception for emotion recognition in the workplace?
Only for medical or safety reasons under Article 5(1)(f). A tool that monitors driver fatigue in commercial vehicles, or detects signs of physiological distress in a clinical setting, may qualify. Productivity monitoring, engagement scoring, and wellbeing dashboards do not. The exception is narrow and purposive — it does not open a general path for HR analytics.
Does consent make a prohibited practice lawful?
No. Article 5 prohibitions are categorical. There is no user consent, contractual arrangement, or business purpose that converts a prohibited practice into a permitted one. This contrasts with GDPR, where consent can be a lawful basis for processing sensitive data. Under the AI Act, the eight prohibitions are absolute (subject only to the narrow law-enforcement exceptions for Article 5(1)(h)).
How does the real-time biometric ID ban interact with border control?
Border control operated by law enforcement for the purpose of preventing serious criminal offences listed in Annex II may qualify for the narrow exception under Article 5(4). Routine passenger processing — scanning all travellers at an airport gate — does not qualify, because it is not targeted at specific individuals and does not meet the threshold of preventing a specific threat or locating a specific named person.
What should I do if a vendor tool includes emotion-recognition features?
Assess whether you intend to use those features in a workplace or educational setting. If yes, using them is prohibited under Article 5(1)(f), regardless of what your contract with the vendor says. Either ensure those features are disabled and cannot be activated, or select a different tool. Document your assessment in case national authorities later investigate your organisation's AI use.