Key Takeaways
- Eight categories of AI systems are banned outright under Regulation (EU) 2024/1689 (the EU AI Act), Art. 5. These are not future obligations. They have been enforceable since 2 February 2025.
- Violations carry the highest penalty tier: up to EUR 35 million or 7% of global annual turnover, whichever is higher.
- The European Commission published non-binding guidelines on 4 February 2025 with practical examples.
- Grey zones are real. Loyalty scoring, nudging algorithms, employee sentiment tools, and building-access facial recognition all require careful analysis against Art. 5.
- No formal Art. 5 enforcement actions have been taken yet (as of April 2026), but GDPR-based precedents — including a EUR 20 million fine against Clearview AI for biometric scraping — signal how regulators will act.
What Are the 8 EU AI Act Prohibited Practices?
Eight categories of AI systems are banned under Art. 5 of the EU AI Act. Every person and organization placing, making available, or using AI systems in the EU must comply. There are no sector exemptions and no grace period remaining.
1. Subliminal manipulation — Art. 5(1)(a)
AI systems that deploy techniques operating beyond a person’s conscious awareness to materially distort their behaviour, causing or likely to cause significant harm. The key test is whether the technique works below the threshold of what a person can detect and resist. A recommendation engine that surfaces content you can see and evaluate is not subliminal. An interface that uses imperceptible audio frequencies or visual flickers to alter your decisions could be.
2. Exploitation of vulnerability — Art. 5(1)(b)
AI systems that exploit specific vulnerabilities of a person or group due to their age, disability, or social or economic situation. This targets systems designed to manipulate people who cannot effectively protect themselves. Marketing AI that specifically targets elderly users with confusing financial products, or children with compulsive spending mechanics, falls here.
3. Social scoring — Art. 5(1)(c)
AI systems used by public authorities (or on their behalf) to evaluate or classify people based on social behaviour or personal characteristics, where the resulting score leads to detrimental treatment in unrelated contexts. The prohibition also extends to private actors when scoring leads to unjustified or disproportionate outcomes. A credit score used only for lending decisions is not social scoring. A government system that restricts access to public services based on a person’s online behaviour is.
4. Individual criminal risk prediction — Art. 5(1)(d)
AI systems that assess the risk of a person committing a criminal offence based solely on profiling or personality traits. The critical word is “solely.” Systems that incorporate objective, verifiable factual information alongside profiling may not be prohibited, though they would likely qualify as high-risk under Annex III.
5. Untargeted facial recognition scraping — Art. 5(1)(e)
AI systems that create or expand facial recognition databases by scraping images from the internet or CCTV footage without targeted authorization. This is the Clearview AI prohibition. Italy’s Garante fined Clearview EUR 20 million in 2022 under GDPR before the AI Act existed. Art. 5(1)(e) now provides a direct legal basis for banning this practice.
6. Emotion recognition in workplaces and schools — Art. 5(1)(f)
AI systems that infer emotions of people in workplace and educational settings. Narrow exceptions exist for safety-critical and medical purposes — a fatigue detection system for truck drivers or a tool monitoring epilepsy patients may be permissible. But employee engagement tools that use cameras or microphones to gauge mood during meetings are not.
7. Biometric categorization by sensitive attributes — Art. 5(1)(g)
AI systems that categorize people based on biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation. Note: categorization for lawful law enforcement purposes based on biometric data acquired lawfully is carved out.
8. Real-time remote biometric identification in public spaces — Art. 5(1)(h)
AI systems used for real-time biometric identification of people in publicly accessible spaces for law enforcement purposes. This is the most debated prohibition and the one with the most exceptions. We cover those below.
When Did These Bans Take Effect?
February 2, 2025. Not August 2026.
The EU AI Act uses a phased enforcement timeline. Art. 5 prohibited practices were the first obligations to become enforceable — six months after the Act entered into force on 1 August 2024. Most media coverage focuses on the August 2026 deadline for high-risk AI systems, which creates a dangerous blind spot. Organizations that have not yet audited their AI systems against Art. 5 are already operating in a live enforcement environment.
The Commission published its guidelines on prohibited practices two days after the enforcement date, on 4 February 2025. These guidelines are non-binding but represent the Commission’s interpretation and include practical examples. Courts and national authorities will likely reference them.
Where Are the Grey Zones?
The eight categories sound extreme. Social scoring and subliminal manipulation are easy to condemn in the abstract. But the boundaries matter for real products that millions of people use every day. Five scenarios illustrate where legitimate business tools approach the prohibition line.
Does My Loyalty Program Count as Social Scoring?
Not if the score stays within its original context. A retailer using purchase history to offer discounts is scoring customers for a specific commercial purpose. Art. 5(1)(c) targets scoring that leads to “detrimental or unfavourable treatment” in “social contexts that are unrelated to the context in which the data was originally generated.”
The risk arises when scoring systems aggregate data across contexts. An insurer that denies coverage based on a loyalty program’s behavioural data is using a score outside its original purpose. Our view: Organizations operating multi-service platforms — where customer data flows between divisions — should audit whether scores generated in one context affect treatment in another.
When Does Personalisation Become Subliminal Manipulation?
The legal test has two parts: the technique must operate “beyond a person’s conscious awareness,” and it must “materially distort” behaviour in a way that causes or is likely to cause “significant harm” (Art. 5(1)(a)). A product recommendation you can see and ignore is not subliminal. Engagement optimization that exploits cognitive biases through interface design occupies a greyer space.
The Commission guidelines reference techniques like “imperceptible visual or auditory stimuli.” Dark patterns on e-commerce platforms — countdown timers, fake scarcity, hidden opt-outs — are manipulative, but the question is whether they operate “beyond conscious awareness.” Most dark patterns are visible if you look. The line likely falls at techniques that are genuinely imperceptible, not merely deceptive. Deceptive practices may violate the Unfair Commercial Practices Directive or the Digital Services Act instead.
Is My Employee Wellbeing Tool Banned?
It depends on how it works. Art. 5(1)(f) bans “emotion recognition” in workplaces and educational institutions. A pulse survey where employees type responses is not emotion recognition — it processes text input, not biometric signals. A camera system that reads facial expressions during video calls to score employee engagement is.
The exception is narrow: safety and medical purposes. A drowsiness detection system for long-haul drivers processes emotion-adjacent signals (eye closure, head position) for safety. This is likely permissible. An AI tool that analyses tone of voice during performance reviews to flag “disengaged” employees is not.
Our view: Any tool that processes biometric data (face, voice, gait, physiological signals) to infer emotional or psychological states in a workplace or school setting should be treated as presumptively prohibited unless it clearly falls within the safety/medical exception.
Does Facial Recognition for Building Access Trigger Art. 5?
Art. 5(1)(h) bans real-time remote biometric identification in “publicly accessible spaces” for law enforcement. Two distinctions matter. First: the space must be publicly accessible. A private office with badge-controlled entry is not a publicly accessible space. A shopping mall entrance, airport terminal, or building lobby open to the public may be. Second: the ban applies to law enforcement use. A private company using facial recognition for its own employee access control is not using it “for law enforcement.”
However, biometric categorization that infers sensitive attributes (Art. 5(1)(g)) applies to all actors, not just law enforcement. If your access system infers race, religion, or sexual orientation as a byproduct of facial processing, that function is prohibited regardless of who operates it.
Where Is the Line on Predictive Policing?
Art. 5(1)(d) prohibits assessing criminal risk “based solely on profiling.” The word “solely” does all the work. A system that combines profiling data with objective, verifiable factual information about criminal activity in a specific area is not prohibited under Art. 5, though it would be high-risk under Annex III, Area 6 (law enforcement). The US system COMPAS, which generated risk scores based primarily on demographic and behavioural profiles, would likely fall on the prohibited side under Art. 5(1)(d).
What Exceptions Exist for Law Enforcement?
Art. 5(2) through 5(4) carve out narrow exceptions to the real-time biometric identification ban. Law enforcement may use real-time remote biometric ID in public spaces only for three purposes:
- Searching for specific victims — abducted children, trafficking victims, missing persons
- Preventing imminent threats — a specific, substantial, and imminent terrorist attack
- Locating suspects — persons suspected of offences listed in Art. 83(1) TFEU (terrorism, trafficking, sexual exploitation, murder, and other serious crimes)
Each use requires prior judicial authorization (or administrative authorization with 24-hour judicial review), geographic and temporal limits, a fundamental rights impact assessment, and notification to the relevant market surveillance authority and data protection authority. Member States must adopt national legislation to activate these exceptions. Without national enabling law, the exception does not apply.
How Do Prohibited Practices Differ from High-Risk Classification?
Prohibited practices (Art. 5) and high-risk classification (Art. 6 + Annex III) are not a spectrum. They are two distinct regulatory categories with different consequences. Prohibited means banned. High-risk means allowed with obligations.
The boundary matters because systems that fall just below the prohibition threshold are often high-risk. Three examples:
- Emotion recognition in a retail setting (not workplace, not school) — not prohibited under Art. 5(1)(f), but high-risk under Annex III Area 1 (biometrics)
- Post-facto biometric identification — not “real-time,” so not prohibited under Art. 5(1)(h), but high-risk under Annex III Area 1
- Predictive policing with objective data inputs — not “solely” profiling, so not prohibited under Art. 5(1)(d), but high-risk under Annex III Area 6 (law enforcement)
Organizations that audit their systems against Art. 5 and conclude “we’re not prohibited” should immediately check whether they are high-risk instead. The compliance obligations for high-risk systems are substantial — conformity assessment, technical documentation, risk management, and human oversight.
What Happens If You Deploy a Prohibited AI System?
The penalty is the AI Act’s highest tier: up to EUR 35 million or 7% of global annual turnover, whichever is higher (Art. 99).
No formal enforcement actions have been taken under Art. 5 as of April 2026. The enforcement infrastructure is still being established at the national level. A European Parliament assessment published March 18, 2026 identified capacity gaps at national market surveillance authorities and coordination challenges between the AI Office and Member State bodies.
But pre-AI Act enforcement under GDPR provides the clearest signal of how regulators will approach Art. 5. Italy’s Garante fined Clearview AI EUR 20 million in 2022 for scraping facial images — the exact practice now explicitly prohibited by Art. 5(1)(e). Italy also fined OpenAI EUR 15 million in December 2024 for GDPR violations related to ChatGPT. France’s CNIL and Spain’s AEPD have issued guidance on AI training data and agentic AI, respectively.
The Future of Privacy Forum analysis (February 2026) identified a critical practical issue: enforcement of prohibited practices is “highly scattered and decentralized” across multiple national authorities, some overlapping with data protection authorities. Organizations may face enforcement from both their national market surveillance authority and their DPA for the same system.
How Do Other Countries Handle AI Bans?
| Jurisdiction | Approach | Comparison to EU Art. 5 |
|---|---|---|
| China | Social credit system is government policy. No prohibition on social scoring — the opposite approach. GenAI and algorithm regulations require registration, not bans. | Philosophical opposite on social scoring |
| United States | No federal AI ban. State-level restrictions: Illinois BIPA (biometric consent), NYC Local Law 144 (automated employment decisions), proposed facial recognition moratoriums in several cities. | Fragmented, sector-specific, no comprehensive ban |
| United Kingdom | No outright AI bans. AI Safety Bill focuses on safety evaluation for frontier models, not prohibition of specific practices. Sector regulators (ICO, FCA, Ofcom) set boundaries within existing mandates. | Principles-based, not prohibition-based |
| Brazil | PL 2338/2023 proposes an “excessive risk” category with banned practices similar to Art. 5, including social scoring and subliminal manipulation. Bill passed Senate Dec 2024; awaiting Chamber vote. | Most similar to EU, but not yet law |
What Should You Do This Week?
Five steps, starting today:
- Inventory your AI systems. List every AI system your organization develops, deploys, or procures. Include tools embedded in third-party software — your vendor’s AI is your compliance problem if you deploy it in the EU.
- Screen each system against the 8 Art. 5 categories. Use the categories above as a checklist. For each system, ask: does this manipulate, exploit, score, scrape, categorize, identify, infer emotions, or predict criminal risk?
- Flag grey-zone systems for legal review. Loyalty programs with cross-context scoring. Employee tools that process biometric signals. Access systems in publicly accessible spaces. Personalization engines with behavioural nudging. These need professional legal analysis, not self-assessment.
- Document your analysis. Record why each system is or is not prohibited. This documentation serves two purposes: compliance evidence if challenged, and input for the conformity assessment you will need for any high-risk systems by August 2026.
- Sunset non-compliant systems. If a system is clearly prohibited and has no applicable exception, decommission it. The enforcement date has passed. Continued operation is a violation carrying fines up to EUR 35 million or 7% of turnover.
This content is for informational purposes only and does not constitute legal advice. Organizations should seek qualified legal counsel for compliance decisions. Reg Intel is not a law firm and does not provide legal services.
Last verified: 8 April 2026
How Other Jurisdictions Handle Prohibited AI
The EU is not alone in banning specific AI uses. South Korea’s AI Basic Act includes criminal penalties for violations. Vietnam’s AI Law also defines prohibited systems within its three-tier risk classification.
Sources
Official Sources
- European Union, Regulation (EU) 2024/1689 (EU AI Act), Art. 5 — Prohibited AI Practices. EUR-Lex. Last accessed 8 April 2026.
- European Commission, “Guidelines on Prohibited Artificial Intelligence Practices,” 4 February 2025. Digital Strategy. Last accessed 8 April 2026.
- European Union, Regulation (EU) 2024/1689, Art. 99 — Penalties. Last accessed 8 April 2026.
- European Parliament Think Tank, “Enforcement of the AI Act,” 18 March 2026. EP Think Tank. Last accessed 8 April 2026.
Analysis & Commentary
- Future of Privacy Forum, “Red Lines under the EU AI Act: Understanding Prohibited AI Practices and their Interplay with the GDPR, DSA,” 17 February 2026. FPF. Last accessed 8 April 2026.
- DLA Piper, “European Commission publishes guidelines on Prohibited AI Practices,” 6 February 2025. DLA Piper. Last accessed 8 April 2026.
- Orrick, “EU Commission Publishes Guidelines on the Prohibited AI Practices under the AI Act,” April 2025. Orrick. Last accessed 8 April 2026.
Data Sources
- Italy Garante per la Protezione dei Dati Personali, Clearview AI decision (EUR 20M fine), 2022.
- Italy Garante per la Protezione dei Dati Personali, OpenAI/ChatGPT decision (EUR 15M fine), December 2024.