Prohibited AI Practices Under Article 5 of the EU AI Act: The Complete List
Article 5 of the EU AI Act bans eight categories of AI practices outright — no exemptions, no compliance pathway. This article provides the complete list with concrete examples and the key exceptions you need to know.
Article 5 of the EU AI Act is unlike anything else in the regulation. While most of the AI Act creates compliance requirements — documentation to prepare, assessments to conduct, processes to implement — Article 5 draws a hard line. The AI practices it lists are simply banned. There is no compliance pathway, no conformity assessment, no documentation that makes them lawful. They have been prohibited in the EU since 2 February 2025.
This article provides a complete explanation of each prohibition, what it covers in practice, and — where they exist — the narrow exceptions that apply.
The Structure of Article 5
Article 5 prohibits eight categories of AI systems and practices. They are organised into three broad themes:
- Manipulation and exploitation — AI that subverts human autonomy
- Social control — AI that classifies or scores people for social purposes
- Biometric surveillance — AI that identifies or categorises people based on biological or behavioural characteristics
The fines for developing, placing on the market, or using prohibited AI systems are the highest in the AI Act: up to €35 million or 7% of global annual turnover, whichever is higher.
Prohibition 1: Subliminal Manipulation
What Article 5(1)(a) bans: AI systems that deploy subliminal techniques beyond a person's consciousness to materially distort their behaviour in a way that causes or is likely to cause significant harm.
The key elements:
- The technique must be subliminal — operating below the threshold of conscious awareness
- The distortion of behaviour must be material
- The outcome must cause or be likely to cause significant harm to the person
Concrete examples: An AI recommendation system that uses psychoacoustic frequencies inaudible to users to induce purchase impulses. An AI content platform that presents images at speeds below conscious processing to create emotional associations the user cannot detect or resist.
What this does NOT ban: Persuasive advertising and recommendation systems that operate consciously — users are aware they are being shown recommendations and can evaluate them. The prohibition targets techniques that specifically bypass conscious awareness.
Prohibition 2: Exploiting Vulnerabilities
What Article 5(1)(b) bans: AI systems that exploit specific vulnerabilities of persons due to their age, disability, or specific social or economic situation, to materially distort their behaviour in a way that causes or is likely to cause significant harm.
The key elements:
- The system must target a specific vulnerability — not general susceptibility
- The vulnerability must relate to age, disability, or socioeconomic situation
- The exploitation must result in materially distorted behaviour causing significant harm
Concrete examples: An AI-powered addiction treatment platform that identifies patients' psychological vulnerabilities from therapy session data and uses this information to maximise engagement with premium upsell features. An AI lending platform that targets elderly users with cognitive decline, using their identified cognitive limitations to drive acceptance of unfavourable loan terms.
What this does NOT ban: AI systems that serve vulnerable populations without exploiting their vulnerabilities — such as accessibility tools that adapt to cognitive limitations to improve usability, rather than to manipulate behaviour.
Prohibition 3: Social Scoring by Public Authorities
What Article 5(1)(c) bans: AI systems used by public authorities or on their behalf to evaluate or classify natural persons based on their social behaviour or personal characteristics, resulting in detrimental treatment in social contexts unrelated to the original data, or treatment that is disproportionate to the social behaviour.
The key elements:
- The actor must be a public authority or acting on its behalf
- The system must evaluate or classify persons based on social behaviour
- The outcome must be detrimental treatment in an unrelated context, or disproportionate to the original behaviour
Concrete examples: A government system that aggregates data from tax compliance, public transport violations, library borrowing records, and social media activity to assign citizens a social credit score affecting housing applications, business licences, or travel permits. A municipality using a model trained on social media content to classify residents by "civic reliability" for prioritising service applications.
What this does NOT ban: Targeted social service assessments for a specific programme, using relevant data for that programme only. The prohibition specifically targets cross-context social scoring — where behaviour in one domain is used to determine treatment in an unrelated domain.
Prohibition 4: Risk Assessment of Criminal Behaviour Based on Profiling
What Article 5(1)(d) bans: AI systems used by law enforcement to assess the risk of a natural person committing a criminal offence based solely on profiling or on assessing personality traits and characteristics, where that assessment is not based on objective, verifiable facts related to criminal activity.
The key elements:
- The actor must be law enforcement
- The assessment must be based on profiling or personality traits
- The assessment must not be based on objective, verifiable facts
Concrete examples: A predictive policing system that assigns individual residents a crime-likelihood score based on demographic characteristics, social network connections, or historical crime rates in their neighbourhood — without any objective, verifiable link to criminal activity by that specific individual.
What this does NOT ban: Risk assessment tools used by law enforcement that are based on objective, verifiable facts relating to specific criminal activity — such as recidivism risk assessments used in parole decisions that incorporate actual prior offences and evidence-based criminological factors.
Prohibition 5: Untargeted Scraping for Facial Recognition Databases
What Article 5(1)(e) bans: AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
The key elements:
- The data collection must be untargeted — not focused on specific individuals based on existing justified grounds
- The purpose must be the creation or expansion of a facial recognition database
Concrete examples: A company that deploys a web crawler to download and process all images containing faces from publicly accessible websites, social media, and news archives to build a searchable facial recognition database.
What this does NOT ban: Facial recognition databases built from data collected with consent, or searches of specific individuals by law enforcement under narrow exceptions with appropriate authorisation.
Prohibition 6: Emotion Recognition in Workplaces and Educational Institutions
What Article 5(1)(f) bans: AI systems used to infer the emotions of natural persons in the context of the workplace and educational institutions, except where the use is for a medical or safety reason.
The key elements:
- The context must be workplace or educational
- The purpose must be inferring emotions — not, for example, detecting physical safety hazards
- Exceptions apply for medical use and safety use
Concrete examples: An employer deploying an AI system that analyses employee facial expressions and voice tone during meetings or video calls to assess their engagement, stress levels, or emotional state, and uses this data to inform performance reviews or HR decisions. An educational software platform that analyses students' facial expressions during online learning to assess their emotional engagement with course content.
What this does NOT ban: Emotion detection in clinical contexts (detecting signs of distress in a mental health support application). Safety monitoring systems that detect signs of fatigue or incapacitation in high-risk operational roles (drivers, pilots) where the purpose is preventing accidents rather than monitoring emotional state for performance management.
Prohibition 7: Biometric Categorisation Based on Sensitive Characteristics
What Article 5(1)(g) bans: AI systems that categorise natural persons individually based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation.
The key elements:
- The input must be biometric data
- The purpose must be categorisation to deduce sensitive characteristics
- Individual-level inference is required — population-level statistical analysis may be treated differently depending on context
Concrete examples: A system that analyses facial features to infer ethnicity or sexual orientation for marketing targeting or security profiling.
What this does NOT ban: Biometric systems that use physical characteristics for identity verification without inferring sensitive attributes. Research uses involving aggregated, anonymised data that do not result in individual-level categorisation.
Prohibition 8: Real-Time Remote Biometric Identification in Public Spaces
What Article 5(1)(h) bans: The use of real-time remote biometric identification (RBI) systems in publicly accessible spaces for law enforcement purposes.
This is the most extensively discussed and contested prohibition in the AI Act. It bans live facial recognition for law enforcement in public — the "surveillance state" use case.
The narrow exceptions (Article 5(2)):
The prohibition is not absolute. Member states may authorise real-time RBI by law enforcement in public spaces, on a case-by-case basis, for three specific purposes:
- Targeted searches for specific victims of trafficking, sexual exploitation, or missing persons
- Prevention of a specific, substantial, and imminent threat of a terrorist attack
- Identification of persons suspected of committing certain serious crimes (terrorism, trafficking, sexual exploitation of children, specific crimes listed in Article 5(2)(d) that carry minimum three-year prison terms)
Each use must be:
- Authorised by a judicial or independent administrative authority (except in cases of genuine urgency, subject to ex post authorisation within 24 hours)
- Limited to what is necessary in a specific time and place
- Notified to the relevant national market surveillance authority
Post-hoc RBI (after an event, not in real-time) is treated separately. It may be authorised for law enforcement purposes under Article 10 of the AI Act's national security chapter, with different procedural safeguards.
What Article 5 Means for Your Organisation
For most commercial organisations, the prohibition on real-time biometric identification and social scoring are the most relevant. For product teams building AI:
- If you are building a system that observes or analyses people in workplaces or educational settings: emotion inference is prohibited. Reframe the system around non-emotion metrics (e.g., physical safety monitoring, engagement time-on-task metrics that do not infer emotional state).
- If you are building predictive profiling tools for insurance, HR, or financial services: check whether the system makes individual-level predictions based on social behaviour or inferred characteristics rather than verifiable facts. This may not be caught by Article 5 directly, but it may fall within high-risk Annex III categories with strict requirements.
- If you are scraping public data to build any form of biometric database: the untargeted scraping prohibition applies regardless of your stated purpose.
How DilAIg Helps
DilAIg's compliance audit includes an Article 5 screening question set as part of the initial classification phase. Any affirmative answer to a prohibited practice question triggers an immediate alert — because documentation and conformity assessment cannot help with a prohibited system. The audit continues to generate compliant documentation for your non-prohibited high-risk systems.
Start your free audit at dilaig.com and screen your AI systems for prohibited practices.
FAQ: Article 5 Prohibited AI Practices
Q: If we are using a prohibited AI practice today, what should we do? Stop immediately and seek legal advice. The prohibitions have been in force since February 2025. Continued use of a prohibited system is an ongoing violation. Depending on how the system is integrated into your operations, unwinding it may require immediate service suspension while a compliant alternative is identified.
Q: Does Article 5 apply to AI systems used in countries outside the EU? The AI Act's territorial scope follows EU users and EU market placement, not server location. If a prohibited system is used on EU territory or targets EU residents, the prohibition applies regardless of where the system is developed or hosted.
Q: Can a prohibited AI system become compliant with modifications? In some cases, yes. For example, an emotion recognition system used in a workplace could potentially be modified to remove the emotion inference component and retain only lawful functions (e.g., physical fatigue detection for safety purposes). Whether a modification achieves this depends on the specific system architecture. Legal advice is essential before relying on this approach.
Q: What is the difference between Prohibition 7 (biometric categorisation) and Prohibition 8 (real-time biometric identification)? Prohibition 7 addresses inferring sensitive characteristics from biometric data — it is about what conclusions are drawn from biometrics. Prohibition 8 addresses the live identification of specific individuals in public by law enforcement — it is about the identification function itself. A system could potentially trigger both if it identifies individuals and infers sensitive characteristics in real time.
Key Takeaways
- Article 5 prohibits eight AI practices outright — they have been banned since 2 February 2025.
- Prohibited practices include: subliminal manipulation, exploiting vulnerabilities, social scoring by public authorities, criminal risk profiling without factual basis, untargeted biometric database scraping, emotion recognition in workplaces and schools, biometric categorisation to deduce sensitive attributes, and real-time biometric identification by law enforcement in public spaces (with narrow exceptions).
- The fines for prohibited AI are the highest in the regulation: €35 million or 7% of global annual turnover.
- There is no conformity pathway for prohibited AI. The only compliant response is cessation of the prohibited practice.