Prohibited AI Practices: Every Article 5 Ban Under the EU AI Act
The prohibited AI practices in Article 5 of the EU AI Act represent the hardest line in European AI regulation: the practices the EU has decided are simply incompatible with fundamental rights, regardless of the benefit claimed. Unlike the rest of the Act, which regulates how AI may be used, Article 5 prohibitions are outright bans. There is no conformity assessment that can clear them, no exception for legitimate purposes in most cases, and no proportionality calculation. The penalty for violating them is the highest in the regulation — up to €35 million or 7% of worldwide annual turnover, whichever is higher. This guide covers every current prohibition, the narrow exceptions that exist, the two new bans the Omnibus adds from December 2026, and what organisations providing AI anywhere in the EU supply chain need to check right now.
Prohibited AI practices under Article 5: the complete list
The original Article 5 list has been enforceable since 2 February 2025. Each prohibition targets a specific harm, and enforcement does not require a formal high-risk classification process — the act of placing these systems on the market or deploying them is the violation.
1. Subliminal and manipulative techniques causing significant harm
AI systems that deploy subliminal techniques — those operating below the threshold of a person’s consciousness — or other manipulative techniques that exploit psychological weaknesses or biases, with the objective or effect of materially distorting a person’s behaviour in a way that causes or is likely to cause significant harm to that person or another person. This is the broadest prohibition in scope. It targets AI designed to persuade, manipulate or influence people through means they cannot perceive or defend against — covering everything from hidden audio or visual signals to dark-pattern-level psychological exploitation embedded in AI recommendations.
2. Exploitation of vulnerabilities of specific groups
AI systems that exploit specific vulnerabilities of individuals arising from their age (particularly children), disability, or socio-economic situation in a way that distorts their behaviour and causes or is likely to cause significant harm. The harm threshold and the requirement that the distortion arise from the exploited vulnerability distinguish this from ordinary persuasion. A children’s app that uses AI to drive addictive engagement by targeting developmental vulnerabilities, or a financial AI that exploits cognitive limitations in elderly users, falls squarely within this prohibition.
3. Social scoring by or for public authorities
AI systems used by or on behalf of public authorities for the evaluation or classification of natural persons or groups based on their social behaviour or known, inferred or predicted personal or personality characteristics, in a way that leads to either detrimental or unfavourable treatment that is unrelated to the contexts in which the data was originally generated, or treatment that is unjustified or disproportionate to the social behaviour. This ban targets state-operated “social credit” systems and their functional equivalents. It is explicitly limited to public authorities and those acting on their behalf — private-sector customer scoring is regulated under other provisions but not prohibited by this specific Article 5 ban.
4. Real-time remote biometric identification in public spaces by law enforcement
This is the most nuanced prohibition, because it is not absolute. The use of real-time remote biometric identification (RTBID) systems in publicly accessible spaces by law enforcement is banned — with three narrowly defined exceptions that require prior judicial or independent administrative authorisation (except in cases of justified urgency):
- Targeted searches for specific victims of crime including missing children, and victims of trafficking or sexual exploitation;
- Prevention of a specific, substantial and imminent threat to life or a real and foreseeable terrorist attack;
- The identification or prosecution of a suspect of a serious criminal offence as listed in the Act.
The exception is narrow by design: it covers named individuals for specific purposes under strict authorisation, not mass surveillance or broad population monitoring. RTBID without meeting these conditions is prohibited outright.
5. Biometric categorisation inferring sensitive attributes
AI systems that categorise natural persons individually based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation. This prohibition covers the use of facial features, gait, iris patterns or other biometric data as proxies for protected characteristics. The Commission’s position is that such inference — regardless of claimed accuracy — is incompatible with fundamental rights because it automates discrimination on grounds the EU treats as requiring the highest protection.
6. Untargeted facial image scraping
The creation or expansion of facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage. “Untargeted” is the operative word: systems that harvest faces indiscriminately to build or expand recognition databases are prohibited. Targeted searches of existing lawfully held records for specific named individuals in narrow law enforcement contexts are addressed separately and remain possible under strict conditions.
7. Emotion recognition in workplaces and educational institutions
AI systems used for emotion recognition in the workplace and in educational institutions. This prohibition applies regardless of the stated purpose (productivity monitoring, student engagement detection, mental health screening) and regardless of whether the system is accurate. The EU legislature’s view is that monitoring workers’ or students’ emotional states by AI creates a power imbalance incompatible with dignity and autonomy in these settings. Note that emotion recognition in other contexts — such as law enforcement or border management — may qualify as high-risk under Annex III rather than prohibited, depending on how it is used.
8. AI-assisted individual criminal risk profiling from personal characteristics
AI systems used by or on behalf of law enforcement to make individual risk assessments of natural persons for the purpose of predicting the likelihood of a person committing a crime, based solely on profiling of the person or assessment of their personality traits and characteristics — rather than on objective, verifiable facts directly linked to criminal activity. This targets predictive policing tools that score individuals based on demographic proxies, movement patterns unconnected to criminal acts, or inferred personality characteristics rather than concrete behavioural evidence.
The two new bans from the Omnibus: effective 2 December 2026
9. Non-consensual intimate imagery (“nudifiers”)
AI systems that generate or manipulate realistic depictions of an identifiable natural person’s intimate parts, or of an identifiable person engaged in sexually explicit activities, without that person’s freely given, specific, informed, unambiguous and explicit consent. The prohibition applies in three configurations: placing such a system on the EU market for this purpose; placing it on the market without reasonable technical safeguards preventing such generation; and deployers using it for this purpose. The ban was directly triggered by the Grok deepfake incident in early 2026, in which millions of non-consensual intimate images were generated using X’s AI tools, and was pushed through by both Parliament and Member States in the final trilogue despite not being in the Commission’s original proposal.
A critical practical implication: the prohibition covers not just AI systems designed to generate this content, but systems that fail to implement sufficient safeguards to prevent it. General-purpose image generation models, multimodal AI, and any downstream AI application capable of producing such output must either be clearly out of scope, have documented state-of-the-art guardrails, or be withdrawn from the EU market. There is a compliance grace period until 2 December 2026, but the work needed — technical safeguards, risk assessment, documentation — takes months to do properly.
10. AI-generated child sexual abuse material (CSAM)
AI systems that generate or manipulate child sexual abuse material within the meaning of Directive 2011/93/EU. A narrow carve-out applies where generating such material is permitted under national law implementing the directive (primarily law enforcement use for detection and investigation). The same safeguard logic applies as for the nudifier ban: systems that do not implement adequate preventive controls are within scope even if CSAM generation is not their primary purpose. Providers of general-purpose AI and image-generation tools must assess their exposure and document their safeguards before 2 December 2026.
Article 5 vs high-risk: what’s the difference?
| Article 5 prohibited | Annex III high-risk |
|---|---|
| Outright ban — no conditions permit use | Permitted with compliance obligations |
| In force since 2 February 2025 (original list) | Obligations deferred to December 2027 / August 2028 |
| Tier 1 fine: €35M or 7% of worldwide turnover | Tier 2 fine: €15M or 3% of worldwide turnover |
| No conformity assessment — no path to compliance | Conformity assessment required before market launch |
| Enforcement already active — Commission investigations in early 2026 | Enforcement begins at application dates 2027/2028 |
Some conduct sits at the edge. Emotion recognition is prohibited in workplaces and educational institutions but classified as high-risk when used in law enforcement or border management contexts. Real-time biometric ID is prohibited for law enforcement in public spaces except under strict exceptions, but post-event biometric identification in targeted investigations is high-risk, not prohibited. The distinction matters enormously: a prohibited system has no compliance path, while a high-risk system has a demanding but traversable one.
Who the prohibitions apply to
Article 5 applies to providers placing these systems on the EU market, deployers putting them into service in the EU, and in some cases distributors and importers. The nudifier and CSAM prohibitions specifically name both providers and deployers as potentially liable. The Act’s extraterritorial scope means that a company based outside the EU whose AI system is used or whose outputs affect people in the EU is subject to these prohibitions regardless of where it is incorporated.
The prohibition on real-time biometric identification is the one most limited in its scope: it applies specifically to law enforcement authorities and those acting on their behalf, not to all actors. Private-sector use of real-time biometric identification in public spaces may be addressed under GDPR or other instruments but does not fall under this specific Article 5 ban.
Enforcement: already under way
The prohibited practices have not merely sat on paper since February 2025. The European Commission launched its first formal investigations into potential Article 5 violations in early 2026, focused particularly on social scoring and manipulative AI techniques. The AI Office has direct enforcement authority over GPAI model providers, and national market surveillance authorities are responsible for other cases. Complaints from affected individuals and civil society organisations have been the primary trigger for early enforcement actions, mirroring the pattern of early GDPR enforcement. For the full picture on fines and how enforcement works, see our complete Article 99 penalties guide.
What organisations need to do now
- Audit your AI for Article 5 exposure today. The original eight prohibitions have been enforceable since February 2025. If any system in your product or procurement stack touches subliminal manipulation, social scoring, untargeted facial scraping, workplace emotion recognition, or biometric categorisation of protected characteristics, you have live enforcement risk, not a future deadline.
- For GPAI providers: assess your nudifier and CSAM exposure now. The 2 December 2026 compliance date sounds distant; the technical safeguards required are not. Documenting the risk, designing guardrails, and testing their effectiveness takes months. Act before summer 2026 to have adequate runway.
- Review your Terms of Service against your technical reality. The Commission’s position on classification applies equally to prohibitions: a terms-of-service clause excluding prohibited uses does not substitute for technical safeguards that prevent them.
- Procurement due diligence. If you are a deployer buying AI from a provider, verify that the systems you are deploying are not prohibited. Deployer liability under Article 5 means you cannot outsource the compliance check to your vendor.
- Document any RTBID exceptions carefully. If you are a law enforcement authority claiming an exception to the real-time biometric ID prohibition, ensure the prior authorisation requirements are met, the purpose is within scope, and the use is logged and auditable.
Frequently asked questions
When did Article 5 prohibited practices come into force?
The original eight prohibitions have applied since 2 February 2025. The two new prohibitions added by the Digital Omnibus (nudifiers and CSAM generation) apply from 2 December 2026, once the Omnibus is published in the Official Journal.
Is real-time facial recognition in public spaces completely banned?
For law enforcement in publicly accessible spaces, yes — except in three narrowly defined cases: targeted searches for specific crime victims, prevention of a specific imminent terrorist threat, and identification of suspects of serious listed criminal offences. These exceptions require prior authorisation. Private-sector use is not addressed by this specific Article 5 prohibition but is regulated by GDPR and other instruments.
Does the nudifier ban apply to all AI image generation?
Not if you have robust safeguards. The ban applies to systems placed on the market for this purpose, or placed on the market without reasonable technical safeguards preventing such generation. A general-purpose image model with documented, state-of-the-art guardrails against generating non-consensual intimate imagery is not automatically prohibited — but if those guardrails are absent or inadequate, the system falls within scope regardless of its primary purpose.
What is the fine for violating Article 5?
Up to €35 million or 7% of total worldwide annual turnover, whichever is higher — the highest tier in the regulation. For SMEs, the cap is the lower of the two figures rather than the higher. See our AI Act for SMEs guide for the SME fine calculation in detail.
Can you get a conformity assessment that allows a prohibited practice?
No. Article 5 prohibitions are absolute bans — there is no conformity assessment path, no CE marking process, and no derogation available to providers or deployers. The only path is to not build or deploy the prohibited system.
Key takeaways
- Article 5 prohibited practices are outright bans, not regulated uses — they carry the Act’s highest fine tier (€35M/7%) and have been enforceable since 2 February 2025, with enforcement already active.
- The eight original prohibitions cover subliminal manipulation, exploitation of vulnerability, social scoring, RTBID in public spaces by law enforcement (with narrow exceptions), biometric categorisation inferring protected attributes, untargeted facial scraping, workplace/education emotion recognition, and predictive criminal profiling from personal characteristics.
- The Digital Omnibus adds two new prohibitions from 2 December 2026 (pending OJ publication): AI systems generating non-consensual intimate imagery (“nudifiers”) and AI generating CSAM — covering systems without adequate safeguards, not just those designed for these purposes.
- GPAI providers and image-generation model providers must assess their nudifier and CSAM exposure and implement technical safeguards well before December 2026 — the engineering work takes months.
- Deployers are liable alongside providers for Article 5 violations — procurement due diligence is essential.