Article 5 of the EU AI Act outright bans 8 categories of AI practice. Unlike the high-risk obligations (which apply from August 2026), these prohibitions have been enforceable since February 2025 — over a year ago.
Already enforceable. The Article 5 prohibited practices came into effect on 2 February 2025, when the prohibition chapter of the EU AI Act became applicable — not the August 2026 date that applies to high-risk AI obligations. If your business is using any of the 8 prohibited practices today, enforcement action is already possible.
Article 5 of the EU AI Act creates an absolute prohibition on certain AI practices — not a risk management framework, not a transparency requirement, but a hard ban. These are AI applications that the EU legislature concluded carry risks so fundamental that no safeguard, no documentation, and no risk assessment makes them acceptable.
The eight prohibitions cover: AI systems that manipulate or exploit people psychologically, government social scoring, criminal risk profiling, facial recognition database scraping, emotion monitoring at work and school, biometric categorisation of protected characteristics, and (with narrow exceptions) real-time biometric identification by law enforcement in public spaces.
The prohibitions apply to both providers (businesses that build AI systems) and deployers (businesses that use AI systems in their operations). You cannot use a prohibited AI system even if you did not build it.
AI that uses techniques operating below conscious awareness or that deliberately deceive or manipulate people in ways that cause them harm.
SMB relevance: Most standard marketing AI (email segmentation, ad targeting, product recommendations) is not covered here unless it is specifically designed to exploit psychological weaknesses and causes demonstrable harm.
AI that specifically targets and exploits people who are vulnerable due to age, disability, or social and economic hardship, in ways that cause them harm.
SMB relevance: The key element is exploitation for harm. Building accessible products or protective safeguards for vulnerable groups is not prohibited — only using their vulnerability against them.
Government or public authority systems that rate individuals based on social behaviour and then use those ratings to restrict rights or access to services.
SMB relevance: This prohibition applies to public authorities, not private businesses. If you are a private company — even one that processes citizen data for government clients — this specific prohibition does not directly apply to you as deployer. However, your government clients may not be permitted to use outputs in the way Article 5(1)(c) describes.
AI that assesses or predicts the likelihood of an individual committing a crime based solely on their profiling or personal characteristics, rather than objective facts about actual behaviour.
SMB relevance: This primarily affects law enforcement and justice-related systems. Private businesses running fraud detection, insurance pricing, or credit risk tools need to ensure their models do not reduce to demographic profiling, but most well-designed fraud/risk tools operate on case-specific evidence rather than group characteristics.
Building or expanding facial recognition databases by scraping facial images from the internet or CCTV feeds without the knowledge or consent of the people in those images.
SMB relevance: If you are developing or using any kind of face matching technology, this prohibition is highly relevant. The ban covers the act of building such databases, not just deploying them. Verify that any face dataset you use was lawfully obtained and did not involve mass scraping.
AI systems that infer the emotional states of employees or students through analysis of biometric signals, video, audio, or behavioural patterns.
SMB relevance: This is one of the most immediately relevant prohibitions for SMBs. Remote work monitoring tools and AI-enhanced hiring platforms are specifically in scope. If your business uses any software that analyses employee video, voice, or behaviour to infer emotional states, review it carefully against this prohibition.
AI that processes biometric data to categorise individuals according to sensitive protected characteristics: race, ethnicity, political opinions, religious beliefs, trade union membership, sex life, or sexual orientation.
SMB relevance: This prohibition overlaps strongly with GDPR special category data protections. Most SMBs are not operating facial analysis systems at this level, but SaaS tools you deploy might include such capabilities. Review any vendor-supplied identity or analytics tooling carefully.
Live identification of individuals in publicly accessible spaces using biometric data (primarily facial recognition) by law enforcement authorities. This is prohibited except for specific, narrowly defined purposes.
SMB relevance: This prohibition applies specifically to law enforcement use in publicly accessible spaces. Private businesses operating standard access control or customer-facing identity verification are in a different regulatory category. However, if you build or sell technology to law enforcement, this provision applies to your customers and may affect your contracting and compliance obligations.
National competent authorities (NCAs) in each EU member state are responsible for enforcement. Most are still designating their NCAs and building enforcement capacity. The European AI Office oversees GPAI model compliance at EU level.
Violations of Article 5 (prohibited practices) attract the highest tier of fines: up to €35,000,000 or 7% of global annual turnover, whichever is higher. SMBs receive proportional consideration, but there is no guaranteed exemption. See the full fines guide →
GDPR enforcement was slow in its first 1–2 years, then accelerated significantly. The EU AI Act will likely follow a similar pattern: limited enforcement initially, but building as NCAs gain experience and as high-profile cases establish precedents. Acting now rather than waiting reduces your exposure window.
Employees, customers, or competitors can file complaints with their national NCA. Unlike regulatory own-initiative investigations, complaint-triggered reviews can move faster. Workplace monitoring tools and consumer-facing AI manipulation are natural complaint triggers.
Run through these checks for your current AI systems and vendor tools.
The prohibited practices in Article 5 are the most extreme end of the spectrum. Our free risk classifier covers all four risk levels and tells you your specific obligations — including whether any of your systems raise Article 5 concerns.
Run the Free Risk ClassifierThe EU AI Act entered into force on 1 August 2024. Article 5 (prohibited practices) became enforceable six months later, on 2 February 2025. This means these prohibitions are already live — they are not part of the August 2026 deadline. If your business is currently using any of these AI practices, it is already potentially subject to enforcement.
Each EU member state is required to designate a national competent authority (NCA) responsible for supervising and enforcing the EU AI Act. These authorities can investigate, require remediation, and impose fines. The European AI Office handles enforcement against general-purpose AI model providers at EU level.
Yes. The EU AI Act places obligations on both providers (those who build AI systems) and deployers (those who use them in their business). If you deploy an AI system that falls under Article 5 — even one purchased from a third-party vendor — you can still be in violation. Review the AI tools your business actually uses.
The EU AI Act applies wherever the AI system's output is used within the EU, or where the business deploying it is targeting EU users. A non-EU company deploying prohibited AI to EU users is still in scope. If your business has EU customers or employees, assume the Act applies to you.
Article 5(1)(f) specifically exempts emotion recognition used for "safety" reasons — for example, detecting driver fatigue or monitoring a patient's distress levels for clinical reasons. This exception is narrow and purpose-specific. Using it as a general cover for employee surveillance monitoring is not how regulators will interpret it.
Prohibitions 1, 2, 6, and 7 are the most likely to be relevant to SMBs through third-party tooling. Specifically: AI-enhanced hiring or proctoring platforms (prohibition 6), customer analytics tools that use emotional inference (prohibition 1), or biometric verification tools that categorise protected traits (prohibition 7). Run through the checklist below and review your key AI vendors.
Article 5 violations carry the highest fine tier (€35M / 7% turnover). Understand how enforcement works and how amounts are determined.
Systems that are not prohibited may still be high-risk. See the full Annex III list with obligations that apply from August 2026.
A practical step-by-step checklist covering all obligations by deadline, including Article 5 checks.
Using general-purpose AI tools in your business? Understand your deployer obligations and what you actually need to do.
This guide provides general information about the EU AI Act for educational purposes only. It does not constitute legal advice. The interpretation of Article 5 will be shaped by regulatory guidance and enforcement decisions as the Act is applied. For advice specific to your business, consult a qualified legal professional. Last updated June 2026.