Article 5 GuideEU AI Act

EU AI Act Article 5 Prohibited AI Practices

Use this page to screen an AI system against the eight Article 5 prohibited-practice categories before launch, procurement, integration, or material product change.

The focus is practical evidence: what the system does, who it affects, which Article 5 limb is relevant, and whether any narrow exception or condition is actually documented.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Article 5 of the EU AI Act prohibits specified AI practices rather than merely classifying them as high risk. A useful screening record should identify the AI system or planned use, test it against each Article 5 category, document any exception relied on, and preserve the product, data, legal, and approval evidence behind the conclusion.

Section 1

Article 5 categories to screen first

The Article 5 review should start with the eight prohibited-practice categories. Do not collapse them into a generic high-risk assessment: several categories turn on specific facts such as deception, vulnerability, biometric data, criminal-risk prediction, or law-enforcement use in a publicly accessible space.

For each category, record whether the system is placed on the EU market, put into service, or used in the Union, what function is enabled, what data is used, and which people or groups can be affected.

  • Manipulation or deception: AI systems using subliminal techniques or purposefully manipulative or deceptive techniques that materially distort behaviour and cause, or are reasonably likely to cause, significant harm.
  • Exploitation of vulnerabilities: AI systems exploiting age, disability, or a specific social or economic situation to materially distort behaviour in a way that causes, or is reasonably likely to cause, significant harm.
  • Social scoring: AI systems evaluating or classifying people or groups over time based on social behaviour or known, inferred, or predicted personal or personality characteristics where the score leads to unrelated, unjustified, or disproportionate detrimental treatment.
  • Criminal-offence risk assessment: AI systems assessing or predicting an individual's risk of committing a criminal offence based solely on profiling or personality traits and characteristics.
  • Untargeted facial-image scraping: AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
  • Emotion inference in workplace or education settings, subject to the medical or safety exception stated in Article 5.
  • Biometric categorisation systems that categorise individuals based on biometric data to deduce or infer protected characteristics listed in Article 5.
  • Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, except within the narrow objectives and conditions stated in Article 5.
Sources for this answer
AI Act Service Desk - Article 5 prohibited AI practices
Provides the Article 5 text and summary used to list the prohibited-practice categories and their stated exceptions.
Regulation (EU) 2024/1689 (EU AI Act)
Official Journal source for Regulation (EU) 2024/1689, including Article 5 and the wider AI Act structure.
Section 2

Exceptions and conditions that need explicit evidence

Some Article 5 entries include carve-outs or conditions. Treat those as evidence requirements, not as informal risk arguments. The screening record should quote the relevant Article 5 limb, identify the specific exception being relied on, and show why the facts fit that exception.

The strictest evidence burden is for real-time remote biometric identification in publicly accessible spaces for law enforcement. Article 5 allows it only when strictly necessary for specified objectives and subject to safeguards, national-law conditions, fundamental-rights impact assessment, EU database registration, authorisation, notification, and reporting steps described in the Article.

  • Criminal-risk support exception: if the system supports a human assessment, keep the objective and verifiable facts directly linked to criminal activity; do not rely on profiling-only or personality-trait-only evidence.
  • Emotion inference exception: if workplace or education emotion inference is claimed for medical or safety reasons, keep the medical or safety purpose, deployment boundary, and approval evidence.
  • Biometric dataset handling: where labelling or filtering of lawfully acquired biometric datasets is relied on, keep the lawful acquisition basis, dataset purpose, and why the use is not deducing protected characteristics for individual categorisation.
  • Law-enforcement remote biometric identification: document the specific Article 5 objective, targeted individual, necessity and proportionality assessment, time, place, personal scope, prior authorisation or urgency basis, notification, and deletion outcome if authorisation is rejected.
Sources for this answer
AI Act Service Desk - Article 5 prohibited AI practices
Supports the Article 5 exceptions and conditions for criminal-risk support tools, medical or safety emotion inference, biometric dataset handling, and law-enforcement biometric identification.
Section 3

Evidence to keep for a prohibited-practice screening record

The most useful Article 5 record is short but factual. It should let a reviewer reconstruct the system purpose, user journey, data sources, affected persons, and exception analysis without interviewing the product team again.

Keep separate evidence for negative conclusions. A statement that Article 5 does not apply is weak unless it explains, for example, why a scoring feature is not social scoring, why biometric processing is not covered by the prohibited biometric categories, or why behavioural nudging does not meet the manipulation or vulnerability tests.

  • System description: intended purpose, provider or deployer role, EU market or use connection, affected users, affected groups, and release or procurement context.
  • Article 5 matrix: one row per prohibited category, with facts, conclusion, reviewer, source citation, and unresolved questions.
  • Data proof: source of facial images, biometric data, behavioural data, profiling inputs, vulnerability indicators, workplace or education context, and law-enforcement context where relevant.
  • Impact proof: evidence considered for significant harm, detrimental treatment, unrelated context, unjustified or disproportionate outcome, or impairment of informed decision-making.
  • Exception proof: medical or safety rationale, human-assessment facts, lawfully acquired dataset basis, targeted search basis, authorisation request, notification, and urgency record where relevant.
  • Change trigger: require re-screening when data sources, target population, user interface, scoring logic, law-enforcement use, biometric function, or supplier terms materially change.
Sources for this answer
AI Act Service Desk - Article 5 prohibited AI practices
Supports the evidence fields by naming the Article 5 facts that determine whether a prohibited practice or exception is present.
European Commission - AI Act regulatory framework
Explains the AI Act risk-based framework and identifies prohibited practices as the unacceptable-risk category.
Section 4

Article 5 screening questions for product, procurement, and model review

Use these questions before approving a feature, buying a vendor system, changing a data source, or enabling a biometric or profiling capability. A yes, unclear, or vendor-only answer should stop approval until the Article 5 record is completed.

The review should be repeated when the same AI model is embedded in a new workflow. Article 5 can turn on deployment context, especially workplace, education, law enforcement, public accessibility, vulnerable groups, and the consequences of a score or prediction.

  • Does the system intentionally influence decisions through subliminal, manipulative, or deceptive techniques, and could that cause significant harm?
  • Does the system target or rely on age, disability, or social or economic vulnerability to materially distort behaviour?
  • Does the system rank, score, classify, or otherwise evaluate people over time in a way that can lead to unrelated, unjustified, or disproportionate detrimental treatment?
  • Does any criminal-risk prediction rely solely on profiling or personality traits rather than objective and verifiable facts directly linked to criminal activity?
  • Does the system create or expand a facial recognition database from untargeted internet or CCTV scraping?
  • Does the system infer emotions in workplace or education settings, and if so, is the stated purpose medical or safety-related?
  • Does biometric categorisation deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation?
  • Is law enforcement using real-time remote biometric identification in a publicly accessible space, and if so, is every Article 5 condition documented before use or under a recorded urgency route?
Sources for this answer
AI Act Service Desk - Article 5 prohibited AI practices
Supports the screening questions by providing the specific Article 5 prohibited-practice wording.
Section 5

Practical checklist before approving an AI system

A prohibited-practices check is an approval gate. The output should be a dated screening record with category-by-category conclusions, not a general AI-risk memo.

If a category is potentially triggered, pause release or procurement until the legal, product, data, and operational owners have either removed the relevant function, narrowed the use case, or documented why the Article 5 exception and conditions are satisfied.

Does the EU AI Act ban every biometric AI system under Article 5?

No. Article 5 prohibits specific biometric uses, including certain biometric categorisation to deduce protected characteristics and real-time remote biometric identification in publicly accessible spaces for law enforcement unless strict Article 5 conditions are met. Other biometric systems may still need separate AI Act analysis, but they are not automatically Article 5 prohibited practices.

What should an EU AI Act Article 5 screening record prove?

It should prove which AI system and use case were reviewed, how each of the eight Article 5 categories was assessed, what data and user-impact evidence supported the conclusion, and whether any stated exception or condition was relied on.

  • Name the AI system, supplier, workflow, affected people, EU connection, and current approval request.
  • Complete the Article 5 matrix for all eight prohibited categories, including a clear no, yes, or unresolved conclusion for each.
  • Attach product screenshots, user journey notes, model cards or supplier documentation, data-source evidence, and testing records that support the conclusion.
  • For any exception, attach the exact Article 5 condition, the factual evidence, the approving owner, and the operational control that keeps use inside the exception.
  • Create a release block for unresolved Article 5 issues and a re-screening trigger for material changes in purpose, data, users, geography, biometric function, scoring logic, or law-enforcement use.
Sources for this answer
AI Act Service Desk - Article 5 prohibited AI practices
Supports the checklist structure by providing the Article 5 categories, conditions, authorisation requirements, and reporting elements.
European Commission - AI Act regulatory framework
Confirms that prohibited practices sit in the unacceptable-risk tier of the Commission's AI Act explanation.
Recommended next step

Turn Article 5 prohibited-practice checks into evidence

Sorena can help turn this Article 5 screening guide into a structured review record with category conclusions, source citations, owners, and release-blocking evidence gaps.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about Article 5 categories, exceptions, and evidence needed for a prohibited-practices review.

Explore next step
Talk to Sorena
Talk through implementation

Review an AI system, supplier claim, or biometric use case against the EU AI Act Article 5 screening categories.

Explore next step
Primary sources

References and citations

AI Act Service Desk - Article 5 prohibited AI practices
ai-act-service-desk.ec.europa.eu
Referenced sections
  • Supports the checklist structure by providing the Article 5 categories, conditions, authorisation requirements, and reporting elements.
"No decision that produces an adverse legal effect"
European Commission - AI Act regulatory framework
digital-strategy.ec.europa.eu
Referenced sections
  • Confirms that prohibited practices sit in the unacceptable-risk tier of the Commission's AI Act explanation.
"All AI systems considered a clear threat"
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Official Journal source for Regulation (EU) 2024/1689, including Article 5 and the wider AI Act structure.
"laying down harmonised rules on artificial intelligence"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.