
EU AI Act Prohibited AI Practices: What Is No Longer Allowed?


Since 2 February 2025, certain AI practices are prohibited in the European Union. Not "will soon be prohibited" or "may be prohibited." Prohibited. Now.

Article 5 of the EU AI Act (Regulation (EU) 2024/1689) lists AI practices considered unacceptable. The risk of these systems is judged so high that no safeguards can make them acceptable.

This article gives you a clear overview of those prohibitions with practical examples. And perhaps most importantly: what this means when your business uses AI tools from vendors.

The AI Act prohibitions are already in force - since February 2025

The EU AI Act was introduced in phases. The prohibitions in Article 5 were the first rules to take effect, on 2 February 2025. That is not a future date. It is the present.

Businesses still deploying a prohibited AI system face fines of up to EUR 35 million or 7% of global annual turnover (whichever is higher). That applies to the provider of the system and to the deployer using it.

Which AI applications are prohibited?

Article 5 of the EU AI Act describes seven categories of AI systems that may not be used. Here they are, with examples to make them concrete.

1. Manipulative or deceptive AI

AI systems that use subliminal techniques to manipulate people. Think of a webshop that uses AI to design the checkout process so you end up spending more without realising it. Or an app that analyses mood and language to nudge you into purchases you did not actually want.

2. Exploitation of vulnerabilities

AI that specifically exploits vulnerabilities of people based on their age, disability, or socioeconomic situation. Example: a lending platform that uses AI to offer more expensive contracts to people with low literacy, knowing they will not fully understand the terms.

3. Social scoring by public authorities

Governments may not use AI to build social scores based on behaviour or personal characteristics. This is the ban on a European version of the Chinese social credit system. Concrete case: a municipality that scores residents based on their social media activity, payment behaviour, and neighbourhood reports, then uses that score when granting permits.

4. Risk profiling for criminal behaviour

AI systems that predict whether someone will commit a crime, based purely on personality traits or profiling, are prohibited. A system that calculates your "criminal risk" based on your postcode, income, and education level is not allowed. AI that analyses security camera footage for actual suspicious behaviour is a different matter.

5. Biometric categorisation of sensitive characteristics

Classifying people based on biometric data to infer race, political opinion, religion, sexual orientation, or trade union membership is prohibited. Say a camera network scans faces and automatically categorises people by presumed ethnicity or religion. That is not allowed, regardless of the purpose.

6. Emotion recognition in the workplace or education

AI that recognises emotions of employees or students is prohibited, with very limited exceptions for safety (for example, detecting fatigue in a train driver). Example: call centre software that analyses employee emotions in real time to measure their "engagement." Or school software that uses the webcam to check whether students are paying attention.

7. Real-time remote biometric identification in public spaces

Facial recognition in real time in public places is prohibited, with very narrow exceptions for law enforcement (and only with judicial authorisation). A shopping centre that scans faces at the entrance and matches them against a database falls under this prohibition.

What does this mean for your SMB?

The chances are small that your company builds any of these systems. Most SMBs are not AI developers.

But that does not mean you are in the clear.

The AI tools your HR team, security team, or marketing department uses every day may contain features that fall under these prohibitions. Three real-world examples:

  • Call centre software with emotion detection. Some platforms advertise "sentiment analysis" of employees. If that amounts to recognising emotions of your workers, it falls under prohibition 6.
  • Biometric time registration that categorises. A time clock system that uses facial recognition for attendance is not automatically prohibited. But if the same system uses biometric data to categorise employees by ethnicity or other sensitive characteristics, that is prohibited (prohibition 5).
  • AI credit scoring with unlawful profiling. Does your business use an AI tool for customer credit assessment that profiles based on postcode, ethnicity, or social characteristics? That could fall under prohibition 2 or 4.

The practical lesson: include AI tools in your vendor assessments. Ask vendors explicitly about biometric and emotional recognition features. And register which AI systems you use, even when they come from a vendor.


How to check whether a vendor uses prohibited AI techniques

You do not need to be an AI expert to check this. Start with these five steps:

  1. Ask the vendor directly. Does the product use biometric identification, emotion recognition, or social scoring? A good vendor can answer this question clearly.
  2. Check the vendor's EU AI Act documentation. Serious providers now publish their AI Act compliance status. If that documentation is missing, that is a signal.
  3. Review the data processing agreement. Are there references to biometric processing, emotional analysis, or behavioural scoring? Read them carefully.
  4. Register the tool in your AI inventory. Note the vendor's compliance status and the AI category of the system. Use an AI system register to track this in a structured way.
  5. If in doubt, flag for legal review. Better to ask one time too many than to run a prohibited system in production.

Use vendor documentation to keep this process manageable. And with our AI Act compliance software you can assess the risk class of each system and immediately see whether it falls under a prohibition.

ComplianceHive displays an explicit warning when real-time biometric identification in public spaces is flagged - this falls under the Article 5(1)(d) prohibition.

Frequently asked questions

Is facial recognition for access control prohibited?

Not automatically. Facial recognition for access to a closed building (not a public space) does not fall under the ban on real-time remote biometric identification in public spaces (Art. 5(1)(d)). But if the same system also categorises people by sensitive characteristics such as ethnicity, it may be prohibited under Art. 5(1)(g). Context and use determine whether it is allowed.

Can I use an AI tool that detects emotions in customer service?

Emotion detection aimed at customers by businesses does not fall under the specific prohibition for workplaces and educational settings (Art. 5(1)(f)). But GDPR transparency and consent requirements apply. If the same tool also analyses emotions of your employees, that part is prohibited.

What are the fines for using prohibited AI?

The maximum fine for deploying a prohibited AI system is EUR 35 million or 7% of total worldwide annual turnover, whichever is higher (Art. 99, Regulation (EU) 2024/1689). For SMBs and start-ups, proportionately lower caps may apply in some cases.

How do I know if a vendor uses prohibited AI techniques?

Ask the vendor directly for an AI Act compliance statement. Check whether their system includes biometric identification, emotion recognition, or scoring features. Review the data processing agreement for references to these functions. Register your findings in an AI system register. When in doubt, get legal review before deploying.

Is a recommendation engine like Spotify or Netflix prohibited?

No. Recommendation systems that suggest content, music, or products based on your preferences do not fall under the Article 5 prohibitions. They are not considered manipulative AI as long as they do not use subliminal techniques that harm users. Recommendation algorithms may fall under other AI Act categories such as limited or high risk, depending on their application.

