Skip to content
Klarvo
Start free

EU AI Act · Article 5

Prohibited AI practices — Article 5, plain English

Article 5 lists eight AI practices that are simply illegal in the EU — no risk-management plan can rescue them. They've been enforceable since 2 February 2025. Most SMEs will never touch any of them, but it's worth a 10-minute read to be sure.

The eight prohibitions, in plain English

1. Subliminal or manipulative techniques (5(1)(a))

AI that uses subliminal or deliberately manipulative techniques beyond a person's awareness, distorting their behaviour in a way that causes (or is likely to cause) significant harm. Aimed at dark-pattern AI, not at standard advertising or product design.

2. Exploiting vulnerabilities (5(1)(b))

AI that exploits vulnerabilities tied to age, disability, or socioeconomic situation to distort behaviour and cause significant harm. Targets predatory designs aimed at children, people with cognitive impairments, or people in financial distress.

3. Social scoring by public authorities (5(1)(c))

AI that classifies natural persons over time based on social behaviour or inferred personal characteristics, where the scoring leads to detrimental treatment in unrelated contexts or treatment that is unjustified or disproportionate. Inspired by Chinese-style citizen-scoring systems. Does not block legitimate credit scoring (that's regulated separately as high-risk).

4. Predictive policing of individuals (5(1)(d))

AI used solely on the basis of profiling or personality traits to predict the risk of an individual committing a criminal offence. Doesn't block AI used in support of an investigation triggered by other evidence.

5. Untargeted facial-image scraping (5(1)(e))

AI systems that create or expand facial-recognition databases through the untargeted scraping of facial images from the internet or CCTV.

6. Emotion recognition in workplaces and education (5(1)(f))

AI to infer emotions of natural persons in the areas of workplace and education institutions. There's a narrow carve-out for medical and safety reasons. This catches a real category of "employee-wellness" SaaS products and certain proctoring tools.

7. Biometric categorisation by sensitive attributes (5(1)(g))

Biometric categorisation systems that categorise natural persons based on their biometric data to deduce race, political opinions, trade-union membership, religious or philosophical beliefs, sex life, or sexual orientation. Law-enforcement carve-outs exist but are narrow.

8. Real-time remote biometric identification in public spaces (5(1)(h))

Use of real-time remote biometric identification (essentially live facial recognition) in publicly accessible spaces for law-enforcement purposes — with three narrow exceptions (specific missing-person searches, prevention of an imminent terror attack, identification of suspects of certain enumerated serious crimes).

For SMEs: the practical takeaway. The seven of these that don't involve law enforcement are about specific predatory or manipulative uses of AI. If you sell or buy AI tools that do any of them, the answer is "stop." For everything else, Article 5 is a clean bill — and the rules that bite you are Article 50 (transparency) and possibly Annex III (high-risk).

How to know if you're in scope

The questions to ask of every AI system you operate:

  • Does it infer emotional state of workers or students from any signal?
  • Does it group customers by inferred sensitive characteristics (race, religion, sexual orientation, political opinion)?
  • Does it score people across unrelated life contexts and influence treatment outside the original scope?
  • Was its training data assembled by scraping faces from the open web?

A "no" to all four is the safe outcome — and most SMEs land there.

Run the Prohibited Practices Screener →

Klarvo organises and explains EU AI Act compliance. It is not legal advice. For specific legal situations, consult a qualified professional.

Frequently asked

Are any common SaaS tools actually prohibited? +

A small but real list. Sentiment-based 'employee wellness' tools that infer emotion at work fall under 5(1)(f). Retail loyalty programmes that group customers by inferred protected characteristics and steer pricing per group risk 5(1)(g). Generic chatbots, content tools, and analytics are not prohibited.

What's the penalty? +

Up to €35 million or 7% of global turnover, whichever is higher. For SMEs the cap is the lower of the two — Article 99(6). Article 5 is the only tier with this penalty band.

Are these rules already in force? +

Yes. Article 5 has been enforceable since 2 February 2025. The European Commission published clarifying guidance the same month. The other obligations (transparency, high-risk) phase in later.

Is workplace facial recognition prohibited? +

Facial recognition for time-and-attendance is not prohibited by Article 5, but it triggers GDPR Article 9 (biometric processing) plus Article 50(3) transparency if it categorises people biometrically. Workplace emotion recognition via facial expression IS prohibited under 5(1)(f).

Screen every AI system you use in five minutes.

Klarvo's free tier runs every system you add through the Article 5 screener as part of classification — and tells you cleanly if anything is at risk.

Start free See pricing

Free tier · Full KlarvoEngine classification · No credit card