
Remote Biometric Identification under the EU AI Act

Definition · 3 June 2026 · 9 min read · 1,912 words

Real-time RBI in public spaces is prohibited since Feb 2025. Post-event RBI is high-risk (Annex III). Article 3 definitions and Art 5(1)(h) exceptions.

Remote biometric identification (RBI) is one of the most tightly regulated categories in Regulation (EU) 2024/1689. Real-time RBI in public spaces for law enforcement is prohibited outright. Every other form — post-event identification, or identification outside a law-enforcement context — is classified as high-risk, carrying the Act's heaviest compliance obligations.

If you build, sell, or deploy a system that identifies people by matching their physical characteristics against a database without asking them to actively participate, read this page carefully.


The EU AI Act definition

Article 3 of Regulation (EU) 2024/1689 defines three interlocking concepts.

Remote biometric identification system (Article 3, point 41): an AI system whose purpose is identifying natural persons, without their active involvement, typically at a distance, by comparing a person's biometric data against the biometric data held in a reference database. The term covers face recognition cameras in a train station, gait-analysis systems, iris-scan tunnels at border crossings: any system that looks at a person and resolves their identity by matching features to stored records (a 1-to-N search). A 1-to-1 verification check (a phone unlocking when it recognises your face) is outside this definition: that is identity verification, confirming that a person is who they claim to be, not identification from a database. Annex III, point 1(a) makes the same carve-out explicit for biometric verification systems whose sole purpose is that confirmation.

The Act then splits remote biometric identification into two sub-types by timing:

Real-time remote biometric identification system (Article 3, point 42): capture, comparison and identification all happen without significant delay. The definition covers not only instant matches but also limited short delays introduced to avoid circumvention, so buffering a feed for a few seconds does not turn a live system into a post system. Live video feeds at a stadium entrance queried against a watch-list in milliseconds is the paradigm case.

Post remote biometric identification system (Article 3, point 43): the biometric data is captured first; comparison against the database happens afterwards, not during the live event. Reviewing CCTV footage from a robbery and running the images through a face-recognition database two days later falls here.

The real-time / post distinction is the single most consequential classification decision in this area of the Act. It determines whether the system is outright prohibited or merely high-risk.


The Article 5(1)(h) prohibition on real-time RBI

Article 5 lists practices that the EU AI Act bans entirely. Article 5(1)(h) prohibits the use of real-time remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement — with a narrow set of exceptions.

The prohibition has been in force since 2 February 2025.

Scope of the ban. "Publicly accessible spaces" (Article 3, point 44) covers streets, transport hubs, shopping centres, stadiums, and any other physical place accessible to an undetermined number of people, regardless of whether that space is publicly or privately owned and regardless of any conditions on entry. The prohibition bites on use "for the purpose of law enforcement", which Article 3, point 46 ties to activities carried out by or on behalf of law-enforcement authorities. Private security, employers, and retailers are therefore outside Article 5(1)(h): they cannot invoke its exceptions, but they are also not its target. The article is aimed squarely at state actors exercising law-enforcement powers.

The three narrow exceptions. Even for law enforcement, real-time RBI in public spaces is lawful only where it is strictly necessary for one of these purposes (Article 5(1)(h), sub-points i–iii):

  1. Targeted search for specific victims of abduction, trafficking in human beings or sexual exploitation, or the search for missing persons (including missing children). The system must be deployed to find particular individuals, not to scan the crowd for unknown persons.
  2. Prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons, or of a genuine and present or genuine and foreseeable threat of a terrorist attack. General threat-level monitoring does not satisfy this; the threat must be concrete and identified.
  3. Localisation or identification of a person suspected of a criminal offence listed in Annex II and punishable in the member state concerned by a custodial sentence with a maximum of at least four years, for the purpose of investigating or prosecuting that offence or executing a penalty for it. Annex II covers terrorism, trafficking in human beings, sexual exploitation of children, murder, kidnapping, and a defined catalogue of other serious crimes.

Prior authorisation requirement. Even where one of these exceptions applies, each use requires prior authorisation from a judicial authority or an independent administrative authority of the member state whose decision is binding (Article 5(3)). In a duly justified case of urgency the system may be started without authorisation, provided authorisation is requested without undue delay and at the latest within 24 hours; if it is refused, use must stop immediately and the data and outputs must be deleted. Use without any authorisation remains unlawful. Article 5(2) also requires the deploying authority to have completed the Article 27 fundamental rights impact assessment and registered the system under Article 49 before use. The exceptions are not self-executing either: under Article 5(5) a member state must first decide, in national law, to allow real-time RBI within these limits, and lay down the rules on which authorities may grant authorisation and which safeguards apply. Where a member state has made no such choice, the prohibition is absolute on its territory.

Penalty exposure. A breach of Article 5(1)(h) — using real-time RBI outside the permitted exceptions, or without the required authorisation — attracts the top tier of fines under Article 99(3): up to €35,000,000 or 7% of total worldwide annual turnover, whichever is higher. For companies, the higher of those two numbers applies; for SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount.


When RBI is high-risk instead

Not all remote biometric identification is prohibited. Two categories fall into the high-risk tier rather than the prohibited tier:

Post-event RBI by law-enforcement authorities. Because Article 5(1)(h) targets real-time use, post-event systems — where comparison happens after the fact, not during the live event — are not caught by the prohibition. They are, however, listed as high-risk in Annex III, area 1 of the Act (the biometrics heading), and the full high-risk obligation stack applies.

RBI outside law enforcement. A face-recognition system used by a bank to pick customers out of a gallery, a border-management system used by an immigration authority, or a time-and-attendance tool deployed by a large employer that recognises staff from a database rather than checking a claimed identity: none of these are law-enforcement uses, so Article 5(1)(h) does not apply. All of them are still high-risk under Annex III, area 1, because they are 1-to-N identification against a reference database. The one exit is the verification carve-out: a tool that only confirms a claimed identity against that person's own template (1-to-1) is not RBI at all, so classify the matching mode before the use case.

What high-risk classification means in practice. Providers of high-risk systems must, before placing a system on the market or putting it into service:

  • Build and operate a risk management system meeting Article 9 requirements.
  • Implement data governance procedures for training, validation, and testing data under Article 10.
  • Prepare and maintain technical documentation as set out in Article 11 and Annex IV.
  • Ensure logging and record-keeping under Article 12.
  • Provide instructions and information to deployers under Article 13.
  • Enable meaningful human oversight under Article 14.
  • Meet accuracy, robustness, and cybersecurity standards under Article 15.
  • Operate a quality management system under Article 17.
  • Register the system in the EU database under Article 49 (the database is established under Article 71).
  • Undergo conformity assessment before market placement under Article 43.

The conformity assessment route for Annex III, area 1 systems is stricter than for most other Annex III categories. Where a provider has not applied harmonised standards, or where such standards do not exist, the conformity assessment must follow the Annex VII notified-body procedure — meaning an accredited third-party body must assess and certify the system before it can be placed on the market. Most other Annex III categories allow the Annex VI internal self-assessment route; biometrics does not have that default.
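The tier decision described across this section (verification versus identification under Article 3(41), real-time versus post under Article 3(42)-(43), the Article 5(1)(h) gate with its exceptions and authorisation, the Annex III point 1(a) default, and the Article 43 route choice) can be written down as a deterministic rule trace, which is also the form an auditor wants to see. The following Python is an added example for this page, not Confir's engine or any official tool: the intake field names and the trace strings are assumptions chosen here, and it also encodes Article 5(5) (the member-state opt-in) and Article 26(10) (deployer authorisation for post-RBI), which are in the Regulation but not quoted in this section.

```python
"""Illustrative RBI tier classifier for Regulation (EU) 2024/1689.
Added example, not Confir's engine or an official tool. Field names, trace
strings and the Intake shape are assumptions made for this illustration."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Tier(Enum):
    NOT_RBI = "not an RBI system (Art 3(41); Annex III 1(a) verification carve-out)"
    PROHIBITED = "prohibited practice (Art 5(1)(h))"
    HIGH_RISK = "high-risk (Annex III, point 1(a))"


# The three exception heads of Art 5(1)(h); keys are assumed intake codes.
ALLOWED_EXCEPTIONS = {
    "victims": "Art 5(1)(h)(i): targeted search for specific victims / missing persons",
    "imminent_threat": "Art 5(1)(h)(ii): specific, substantial and imminent threat or terrorist attack",
    "annex_ii_offence": "Art 5(1)(h)(iii): suspect of an Annex II offence (max sentence >= 4 years)",
}


@dataclass(frozen=True)
class Intake:
    one_to_many: bool                 # matches against a reference database (1:N); False = 1:1 verification
    real_time: bool                   # Art 3(42) real-time vs Art 3(43) post
    law_enforcement: bool             # used by or on behalf of a law-enforcement authority (Art 3(46))
    publicly_accessible: bool         # Art 3(44) publicly accessible space
    exception: Optional[str] = None   # one of ALLOWED_EXCEPTIONS or None
    national_law_enables: bool = False  # Art 5(5): Member State has opted in via national law
    authorisation: str = "none"       # "prior", "urgent" (requested within 24 h, Art 5(3)) or "none"
    harmonised_standards_applied: bool = False  # drives the Art 43(1) route choice


def classify(i: Intake) -> tuple[Tier, list[str]]:
    """Return the tier and an ordered trace of every rule that fired."""
    trace: list[str] = []
    if not i.one_to_many:
        trace.append("Art 3(41): 1:1 verification, no reference-database search -> not RBI")
        return Tier.NOT_RBI, trace
    trace.append("Art 3(41): 1:N match against a reference database -> RBI system")
    trace.append("Art 3(42): real-time" if i.real_time else "Art 3(43): post")

    if i.real_time and i.law_enforcement and i.publicly_accessible:
        trace.append("Art 5(1)(h) engaged: real-time, publicly accessible space, law-enforcement purpose")
        if i.exception not in ALLOWED_EXCEPTIONS:
            trace.append("no Art 5(1)(h)(i)-(iii) exception claimed -> prohibited")
            return Tier.PROHIBITED, trace
        trace.append(ALLOWED_EXCEPTIONS[i.exception])
        if not i.national_law_enables:
            trace.append("Art 5(5): Member State has not enabled this exception in national law -> prohibited")
            return Tier.PROHIBITED, trace
        if i.authorisation == "prior":
            trace.append("Art 5(3): prior judicial / independent administrative authorisation")
        elif i.authorisation == "urgent":
            trace.append("Art 5(3): urgency use, authorisation requested within 24 h")
        else:
            trace.append("Art 5(3): no authorisation -> prohibited")
            return Tier.PROHIBITED, trace
    else:
        trace.append("Art 5(1)(h) not engaged (not real-time, not law enforcement, or not a public space)")
        if i.law_enforcement and not i.real_time:
            trace.append("Art 26(10): deployer authorisation (ex ante or within 48 h) for post-RBI "
                         "in a targeted search for a suspect")

    trace.append("Annex III point 1(a): high-risk, full Chapter III obligation stack")
    if i.harmonised_standards_applied:
        trace.append("Art 43(1): Annex VI internal control or Annex VII at the provider's choice")
    else:
        trace.append("Art 43(1): Annex VII notified-body procedure required")
    return Tier.HIGH_RISK, trace


if __name__ == "__main__":
    # Constructed intakes matching the worked cases in the text above.
    stadium = Intake(one_to_many=True, real_time=True, law_enforcement=True, publicly_accessible=True)
    for label, case in [
        ("police, live stadium watch-list, no exception", stadium),
        ("same, victim search, national opt-in, prior authorisation",
         replace(stadium, exception="victims", national_law_enables=True, authorisation="prior")),
        ("police, CCTV reviewed two days later", replace(stadium, real_time=False)),
        ("retailer, live shoplifter watch-list", replace(stadium, law_enforcement=False)),
        ("phone unlock, 1:1 verification", replace(stadium, one_to_many=False)),
    ]:
        tier, trace = classify(case)
        print(f"{label}\n  -> {tier.value}")
        for step in trace:
            print(f"     {step}")
```

The point of returning the trace rather than just the tier is that a reviewer can check the decision against the intake answers line by line; a change in one answer (say, the member state not having enabled the exception) moves the case across the prohibited/high-risk boundary, and the trace shows exactly which rule did it.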

The application deadline for these obligations under the Digital Omnibus (political agreement reached May 2026) is 2 December 2027 for stand-alone systems — deferred from the original 2 August 2026 date. That is breathing room, not a free pass: assembling a notified-body conformity file takes months, and demand for accredited bodies in the biometrics space is already building.

Article 50 transparency duties. Article 50 applies from 2 August 2026 and imposes disclosure duties that sit alongside high-risk classification rather than replacing it. Article 50(3) requires deployers of emotion recognition and biometric categorisation systems to inform the people exposed to them; it does not address remote biometric identification as such. For a biometric identification deployment it therefore matters mainly where the same installation also categorises people by biometric traits or infers emotions, a common add-on in retail and venue analytics. Treat the two as separate checks.


How Confir helps

Confir's rule-based classification engine applies the Article 5 / Article 6 / Annex III logic automatically. When you register a biometric identification system, Confir asks structured intake questions about the system's purpose, real-time capability, deployment context, and the identity of the operator — then derives whether the system is prohibited, high-risk (Annex VII notified-body route), or another tier.

For high-risk systems, Confir generates the Article 11 / Annex IV technical documentation pack, runs the Article 27 Fundamental Rights Impact Assessment for qualifying deployers, and produces an immutable compliance audit log. The classification and every finding are deterministic and rule-based — the same intake always produces the same output, with the rule that fired shown in plain text. No inference, no hallucination, and no need for a consultant to interpret the result.

Confir starts at €600/year. Self-serve at confir.eu.


Frequently Asked Questions

Is facial recognition always prohibited under the EU AI Act?

No. The prohibition in Article 5(1)(h) targets real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes. Facial recognition used in real-time by law enforcement in public is prohibited except in the three defined situations, and then only with authorisation. Facial recognition used post-event, used outside publicly accessible spaces, or used for non-law-enforcement purposes (border management, customer identification, access control) is not prohibited, but it is classified as high-risk under Annex III, area 1 (unless it is pure 1-to-1 verification, which is carved out), and the conformity assessment runs through the Annex VII notified-body procedure unless the provider has applied harmonised standards that cover the system.

What does "without active involvement" mean?

It means the system identifies a person without requiring that person to present themselves, hold a pose, or otherwise cooperate with the identification process. Walking past a camera that queries a watch-list in the background qualifies. Asking a customer to look into a verification camera on a kiosk — where the person deliberately participates — may fall outside the definition if it is clearly a 1-to-1 verification exercise rather than a database search. The distinction matters because 1-to-1 verification is not classified as remote biometric identification under Article 3.

Does the prohibition on real-time RBI apply to private companies?

Article 5(1)(h) is directed at law enforcement, not at private actors: Article 3, point 46 defines law enforcement as activities carried out by or on behalf of law-enforcement authorities for the prevention, investigation, detection or prosecution of criminal offences. A retailer using live face recognition to identify known shoplifters, or a stadium using it to flag banned supporters, is not deploying the system "for the purpose of law enforcement" in that sense. However, such private uses are still high-risk under Annex III, area 1, and must go through the full high-risk obligation chain, including the Annex VII notified-body route where harmonised standards have not been applied. A private company cannot claim the Article 5(1)(h) law-enforcement exceptions, and if it operates the system on behalf of a police authority it is inside the prohibition.

What is the deadline to comply with high-risk RBI obligations?

Under the Digital Omnibus agreed in May 2026, stand-alone high-risk AI systems — including post-event RBI and non-law-enforcement RBI systems — must comply from 2 December 2027. The original date of 2 August 2026 has been deferred. The Article 5 prohibition on real-time RBI in public spaces for law enforcement applied from 2 February 2025 and is already in force.

Is a notified body always required for biometric identification systems?

Not always, but in practice yes for now. Article 43(1) lets the provider of an Annex III, area 1 system choose between the Annex VI internal-control procedure and the Annex VII notified-body procedure only where it has applied harmonised standards (or, where applicable, common specifications) covering the relevant requirements. Where those standards do not exist, or the provider has not applied them or applied them only in part, Annex VII is mandatory. Until harmonised standards for biometric identification are published and adopted, the notified-body route is therefore the practical default for biometrics, whereas most other Annex III categories go through Annex VI internal control by default.

Can post-event RBI be used without any authorisation?

There is no Article 5(3)-style pre-authorisation for post-event RBI, because the Article 5(1)(h) prohibition targets real-time use. Law-enforcement deployers are not free of authorisation altogether, though. Article 26(10) requires a deployer using post-remote biometric identification in an investigation for the targeted search of a person suspected or convicted of a criminal offence to obtain authorisation from a judicial authority or an administrative authority whose decision is binding, either ex ante or without undue delay and no later than 48 hours; the only exception is the initial identification of a potential suspect based on objective and verifiable facts directly linked to the offence. If authorisation is refused, use must stop immediately and the personal data linked to that use must be deleted. Post-event RBI systems used by law-enforcement or migration authorities are also registered in the non-public section of the EU database under Article 49. Member states may impose further procedural safeguards under national law, and across all high-risk uses the deployer must comply with the rest of Article 26, including human oversight, log retention, and reporting risks to the provider.


