EU AI Act prohibited practices: what's banned under Article 5
Article 5 of the EU AI Act lists the AI practices that are prohibited outright. These are not heavily regulated; they are illegal. An AI system that falls within these categories cannot be placed on the market, put into service, or used in the EU, regardless of safeguards, intent, or how good your conformity assessment is.
The prohibitions came into force on 2 February 2025, six months after the rest of the Act. They apply to providers, deployers, importers, distributors and any natural or legal person putting one of these systems into service or using one, irrespective of where the entity is established, as long as the use takes effect in the EU.
This article walks through each of the eight prohibited categories with the actual text of what's banned, what kinds of systems fall in, and the carve-outs the Act allows. It is intentionally non-exhaustive — Article 5 is dense, the recitals add interpretive detail, and you should never decide a borderline case from a guide. But this gives you the operating picture.
What Article 5 actually prohibits
The Act prohibits the placing on the market, putting into service, or use of AI systems in any of the following categories. Each category has its own conditions and exceptions; the practical test is whether your system, as actually used, falls within the description.
1. Subliminal, manipulative or deceptive techniques
An AI system that deploys subliminal techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting behaviour by appreciably impairing the ability to make an informed decision, thereby causing significant harm.
This catches AI that hides its persuasive intent and steers people to choices they would not otherwise have made, in a way that causes real-world harm. A targeted advertisement is not prohibited; an AI system that subliminally nudges someone with a known gambling addiction toward a betting site, causing financial harm, is.
The threshold "significant harm" is doing work here. The recitals clarify it covers harm to health (physical or mental) and financial harm. Ordinary marketing nudges that influence preference without distorting informed decision-making are outside the prohibition.
2. Exploitation of vulnerabilities
An AI system that exploits vulnerabilities of a natural person or specific group due to age, disability, or specific social or economic situation, with the objective or effect of materially distorting behaviour and causing or being reasonably likely to cause significant harm.
Same harm threshold as (1), but targeted at vulnerability rather than at the population at large. Toys with embedded AI that encourage children toward dangerous behaviour, debt-collection systems that exploit known financial distress, or systems targeting people with cognitive disabilities all fall here.
The carve-out is implicit: legitimate inclusion features that accommodate vulnerability (e.g. accessibility tools that personalise for older users) are not prohibited because they do not distort behaviour to cause harm.
3. Social scoring by public authorities
An AI system that evaluates or classifies natural persons or groups of natural persons over a certain period of time based on their social behaviour or known, inferred or predicted personality characteristics, with a social score leading to either or both of the following:
- Detrimental or unfavourable treatment of persons or groups in social contexts that are unrelated to the contexts in which the data was originally generated or collected.
- Detrimental or unfavourable treatment that is unjustified or disproportionate to the social behaviour or its gravity.
This is the headline ban. The clearest example is a single government-wide score that follows a person across unrelated contexts and is then used to deny them housing, transport, or services. It is narrower than people sometimes assume: it does not ban all scoring, only social-context-spanning scoring with detrimental consequences. Credit scoring, which uses financial-behaviour data to make financial decisions, is high-risk (Annex III area 5), not prohibited, because the data and the decision belong to the same domain.
The recitals are explicit that the prohibition applies to public authorities or on their behalf. Private-sector loyalty programmes are not prohibited; private-sector scoring used in unrelated contexts to discriminate would fall under other parts of EU law (GDPR Article 22, discrimination law) rather than Article 5 of the AI Act.
4. Predictive policing based solely on profiling
An AI system that conducts risk assessments of natural persons to assess or predict the likelihood of a person committing a criminal offence, based solely on the profiling of a natural person or on assessing personality traits and characteristics.
The qualifier "solely" matters. The prohibition is against pure profile-based crime prediction with no specific objective fact about the person. It does not prohibit AI tools that support assessments grounded in objective and verifiable facts directly linked to a criminal activity (e.g. flagging anomalous transaction patterns in fraud detection).
5. Untargeted scraping for facial-recognition databases
An AI system that creates or expands facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.
This explicitly catches Clearview-style operations. "Untargeted" is the operative word — the prohibition is on the bulk, indiscriminate collection. A targeted investigation that uses a specific, identifiable image set is not within this prohibition (though it may face other regulatory constraints).
6. Emotion recognition in workplaces and educational institutions
An AI system to infer emotions of a natural person in the areas of workplace and educational institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons.
This is a focused prohibition. It does not ban emotion recognition generally; it bans it in workplaces and schools. The carve-out is for medical use (e.g. an AI system that detects emotional distress as part of a clinical mental-health pathway) and safety use (e.g. a fatigue detection system in a vehicle). Sentiment analysis of public reviews is unaffected; an AI system that monitors customer-service workers' tone during calls to evaluate "engagement" is within the prohibition.
7. Biometric categorisation by sensitive attributes
An AI system that categorises individual natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation.
The prohibition is on categorisation that infers protected attributes from biometric features (face, voice, gait). It is not a prohibition on biometric categorisation in general (some forms are high-risk under Annex III area 1). The exception in the Act allows labelling or filtering of lawfully acquired biometric datasets, including images, based on biometric data, or categorisation in the area of law enforcement carried out in accordance with EU and national law.
8. Real-time remote biometric identification in public spaces for law enforcement
This is the longest and most-debated entry. The prohibition is on the use of real-time remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement.
"Real-time" is defined narrowly: identification happens without significant delay between the capture of biometric data and its comparison to a reference database. "Remote" means without active involvement of the person being identified (no kiosk, no consented unlock).
The Act sets out three exceptions under which Member States may authorise this use. All three require prior authorisation by a judicial authority or independent administrative authority (with very narrow allowance for urgent retroactive authorisation), and a prior fundamental rights impact assessment:
- (a) Targeted search for specific victims of abduction, trafficking in human beings, or sexual exploitation, and search for missing persons.
- (b) Prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons, or a genuine and present or genuine and foreseeable threat of a terrorist attack.
- (c) Localisation or identification of a person suspected of having committed one of the criminal offences referred to in Annex II of the Act and for which the offence is punishable in the relevant Member State by a custodial sentence or a detention order of at least four years.
Even within the exceptions, the system must be limited to confirming the identity of the specifically targeted person, take into account the seriousness, probability and scale of the harm, and respect proportionality. Several Member States have legislated tighter restrictions than the Act allows, which is permitted: the Act is a floor, not a ceiling, in this area.
A separate provision (Article 26) imposes obligations on deployers, including notification to the national market surveillance authority and data protection authority. Use of these systems outside the law-enforcement context (e.g. by a private security company at a stadium entrance) is not covered by these exceptions; it is high-risk under Annex III area 1.
What is not prohibited (and is commonly assumed to be)
Several things look like they should be prohibited and aren't. Knowing the edge is useful:
- General-purpose generative AI. Producing synthetic content, including deepfakes, is not prohibited under Article 5. It carries transparency obligations under Article 50 (label AI-generated content; clearly mark deepfakes) but is not banned.
- AI chatbots that influence users. Not banned unless the influence rises to "materially distorting behaviour" with "significant harm." Ordinary persuasion is outside the prohibition; transparency under Article 50 applies (users must know they are interacting with AI).
- Targeted advertising. Not prohibited. Falls under GDPR and the Digital Services Act, not Article 5.
- Credit scoring. High-risk (Annex III area 5), not prohibited. Credit-context data, credit-context decision.
- Healthcare diagnosis AI. High-risk via Annex I (medical devices regulation) and Annex III area 5 (essential services). Not prohibited.
- Workplace performance management. High-risk (Annex III area 4), with the specific exception of emotion recognition which is prohibited under (6).
The pattern: most "scary" AI uses are heavily regulated as high-risk, not banned. The prohibitions are a short list of practices the EU has decided are incompatible with fundamental rights regardless of safeguards.
What to do if you might be in scope
If anything in your AI system roadmap falls close to one of the eight categories, you have one job: get to a clear answer before deployment. The cost of getting this wrong is high. Article 5 breaches are the top-tier fine band: up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. See the penalties article for the full structure.
The practical steps:
- Write down the system's intended purpose in one sentence. Test it against each of the eight prohibitions in turn. Document the conclusion and the reasoning.
- If you rely on a carve-out (medical/safety use for emotion recognition, law-enforcement exception for real-time biometric ID, lawful-dataset exception for biometric categorisation), document the carve-out and the conditions you meet.
- If you are close to a prohibition but believe you are not within it, get external legal advice. The grey area between "manipulative technique that materially distorts behaviour" and "ordinary persuasion that influences preference" is exactly the kind of judgement call regulators second-guess.
- If you conclude you are within a prohibition, redesign or do not deploy. Mitigations like "we will only use it carefully" are not available. The prohibition attaches to the system, not to the user.
Article 5 is short. The risk of misreading it is large. When in doubt, treat the prohibitions as the bright line they are intended to be.