EU AI Act Compliance

EU AI Act Prohibited Practices: All 8 Bans Explained in Plain English

Article 5 of the EU AI Act bans eight AI practices outright, with fines up to €35 million or 7% of global turnover. Here is what every European deployer needs to understand before the February 2025 deadline.

6 min read · By Khairos AI

The hardest line in the EU AI Act

The EU AI Act prohibited practices listed in Article 5 are not a grey zone. They are a flat ban. No risk assessment, no documentation, no conformity declaration makes them legal. If your organisation uses, procures, or deploys any system that falls into one of the eight categories below, you are exposed to the highest fine tier in the entire regulation: up to €35 million or 7% of global annual turnover, whichever is higher.

These prohibitions applied from 2 February 2025, six months after the Act entered into force. That deadline has already passed. So this is not theoretical preparation. It is current law.

Let's walk through each prohibition in Article 5(1) with workplace-relevant examples, because HR Directors and COOs are the ones most likely to encounter these systems in practice.


(a) Subliminal manipulation

Systems that use techniques operating below the threshold of conscious awareness to materially distort behaviour in a way that causes harm are banned. Think audio or visual cues embedded in onboarding videos designed to make candidates feel anxious or compliant without realising it.

The key word is subliminal. Persuasive design that users can consciously recognise is not automatically caught here. But any system that exploits perception gaps to steer decisions is out.

(b) Exploitation of vulnerabilities

This targets AI that exploits a specific group's vulnerabilities based on age, disability, or social or economic situation. A debt-collection chatbot that detects financial distress and applies escalating pressure tactics would fit squarely here. So would a workplace wellbeing app that identifies employees under personal stress and nudges them toward choices that benefit the employer rather than the employee.

For HR teams, the practical question is: does the tool you are procuring identify vulnerability signals and act on them in ways the person cannot reasonably resist?

(c) Social scoring by public authorities

Public authorities are prohibited from running general-purpose social scoring systems that evaluate individuals over time and treat them differently based on that score in unrelated contexts. This mirrors concerns about practices seen outside Europe.

Most private-sector SMEs are not running government scoring infrastructure. But if you are a public-sector contractor operating on behalf of a government body, check carefully whether the system you operate on their behalf crosses this line.

(d) Criminal risk prediction based on profiling

AI systems that assess the likelihood that a person will commit a crime based solely on profiling or personality traits are banned. Predictive profiling that uses demographic data, social media behaviour, or psychometric proxies to flag individuals as future offenders has no legal place in Europe.

In recruitment, this matters. Some pre-employment screening vendors have marketed tools that claim to identify "risk profiles" in candidates. If the underlying model is predicting antisocial or criminal behaviour from personality proxies, it is caught by this provision.

(e) Untargeted facial-image scraping

Article 5(1)(e) bans the creation or expansion of facial recognition databases through untargeted scraping of the internet or CCTV footage. The prohibition hits the collection layer, not just use.

This is relevant if your organisation is considering building an internal identity verification database from photos scraped off LinkedIn or your own security camera archives. Even if the downstream use seems benign, the scraping method is prohibited.

(f) Emotion recognition in workplaces and educational institutions

This one lands directly on HR. AI systems that infer the emotions of individuals in the workplace or in educational institutions are banned. That includes emotion AI, affect recognition, and mood-detection software in video interviews or monitoring platforms. All of it.

The prohibition covers inference, not just measurement. A system that watches employees via webcam and flags those it classifies as "disengaged" or "stressed" is inferring emotional state. That is illegal under Article 5(1)(f).

If you are currently using a video interview platform that scores facial expressions, or a productivity monitoring tool that tracks emotional indicators, you need to review it now. Vendors sometimes bury emotion-detection features inside broader analytics packages. Ask explicitly: does this system infer or classify emotional states?

(g) Biometric categorisation inferring sensitive characteristics

Systems that use biometric data to categorise individuals by race, political opinion, trade union membership, religious or philosophical beliefs, or sexual orientation are banned. This applies to real-time and retrospective analysis.

The concern here is not storing biometric data for identity verification. It is inferring protected characteristics from biometric signals. A system that analyses facial geometry to predict ethnicity or religious affiliation for any purpose is caught, regardless of the stated intent.

(h) Real-time remote biometric identification in public spaces

Law enforcement use of real-time remote biometric identification in publicly accessible spaces is banned, with narrow exceptions for specific serious crimes. This provision is primarily aimed at police and security agencies.

Private employers are not law enforcement. But if you operate large public-facing venues and are considering deploying live face-matching against watchlists as people enter, the prohibition applies to the system itself, not just to law enforcement users of it.


What counts as "using" a prohibited system?

You do not need to have built the system. Article 26 makes clear that deployers carry obligations. If you have licensed, configured, or put into service a system that falls under Article 5, your organisation is exposed, even if you bought it off the shelf.

This is a critical point for procurement. "The vendor told us it was compliant" is not a legal defence. You need to verify what the system actually does.


The fine tier you really do not want

The EU AI Act enforcement framework places Article 5 violations at the top of the penalty scale. Tier 1 means €35 million or 7% of total worldwide annual turnover. For a 50-person company with €8 million in revenue, that is potentially €560,000. For a 150-person company with €30 million in revenue, you are looking at €2.1 million.

National market surveillance authorities are responsible for enforcement. In the Netherlands, that is the Rijksoverheid working alongside the Autoriteit Persoonsgegevens for cases that overlap with personal data. In Belgium, the APD/GBA plays a similar role. These bodies already have experience issuing significant GDPR fines and the institutional appetite to enforce hard rules.


Three practical steps for SMEs right now

1. Audit your current AI tools for emotion-detection features. Ask every vendor directly: does this system infer or classify emotional states? Get the answer in writing.

2. Review any pre-employment screening or candidate-assessment tools that claim to assess personality, risk, or behavioural traits. Map what the model is actually predicting and from what input data.

3. Check your CCTV and access-control systems. If any facial recognition component was added, confirm it does not build a database through untargeted scraping or infer sensitive characteristics.

The EU AI Act's recitals explain the intent behind these prohibitions clearly: they exist to protect fundamental rights that the Union considers non-negotiable. The law is written to be interpreted broadly in favour of protection, not narrowly in favour of the operator.

Start with your existing tool inventory. One afternoon of honest review is all it takes to know whether you have an Article 5 problem. That is a much better position than discovering it when a complaint lands.


Not sure which of your current AI tools might cross an Article 5 line? The free 2-minute compliance check at comply.khairos.ai gives you an instant read on your exposure across the full EU AI Act, including the prohibited practices tier, with no legal jargon and no obligation.
