EU AI Act: What the Prohibited-Practices Ban Covers

On February 2, 2026, the EU AI Act’s Chapter II took effect, making it the first binding legal instrument anywhere in the world to prohibit entire categories of AI systems outright — not regulate them, prohibit them. Understanding what that actually covers, and what the first enforcement signals look like, matters both for companies operating in EU markets and for policymakers in jurisdictions watching whether the prohibitions stick.

The eight prohibitions

The Act bans AI systems that fall into eight categories defined in Article 5. They are worth stating precisely, because the public conversation often conflates them.

1. Subliminal manipulation. AI systems that deploy techniques beyond a person’s consciousness — subliminal stimuli — to materially distort behavior in a way that causes or is likely to cause physical or psychological harm. This is not a ban on persuasive AI; it is a ban on manipulation below the threshold of conscious awareness causing demonstrable harm.

2. Exploiting vulnerabilities. Systems that exploit vulnerabilities of a specific group — defined by age, disability, or social or economic situation — to materially distort behavior in a way that causes or is likely to cause harm. This provision has direct implications for predatory pricing algorithms, addiction-by-design platforms, and debt-collection automation targeting economically distressed users.

3. Social scoring by public authorities. AI systems used by public authorities to evaluate or classify natural persons based on their social behavior or personal characteristics, where that scoring leads to detrimental or unfavorable treatment in social contexts unrelated to the context in which the data was generated, or treatment that is disproportionate to the gravity of the social behavior. The framing is deliberately narrow: it targets state social-credit-style systems, not private-sector credit scoring, which is handled elsewhere under high-risk provisions.

4. Predictive policing based solely on profiling. Risk assessments of individuals’ likelihood of committing a criminal offense based solely on profiling or personality trait assessment — without actual individual behavior as an input — where those assessments are used in criminal enforcement decisions.

5. Untargeted facial-recognition scraping. Creating or expanding databases of facial recognition data by untargeted scraping from the internet or CCTV footage. This directly targets the business model of Clearview AI and similar services.

6. Emotion recognition in workplace and education. AI systems that infer emotions of natural persons in the workplace or educational settings, subject to narrow exceptions for safety applications (e.g., detecting drowsiness in transport workers). The prohibition is on the inference itself, not just the use of the inferences.

7. Real-time biometric categorization in public spaces. AI systems that categorize natural persons in publicly accessible spaces in real time based on sensitive attributes — race, political opinions, trade union membership, religion, sexual orientation. This is distinct from identification; it is categorization by attribute.

8. Real-time remote biometric identification in public spaces. AI systems used by law enforcement for live facial recognition in public spaces — with narrow, specific exceptions for targeted searches for missing children, imminent terrorist threat prevention, and locating or identifying suspects of listed serious crimes. The exceptions are conditional and require judicial or administrative authorization before deployment.

Where the enforcement gaps are

The prohibitions are in force, but several structural problems complicate enforcement.

Market surveillance authority fragmentation. Enforcement under the EU AI Act is split between the newly established European AI Office (which handles GPAI models and cross-border cases) and national market surveillance authorities (MSAs) designated by each member state. As of early 2026, many member states had not yet formally designated their MSAs. The Commission published guidance in early April encouraging expedited designation, but the gap means a prohibited-practices violation occurring in a member state without a functional MSA has an unclear enforcement path.

The “solely or predominantly for extraterritorial use” problem. Facial-recognition scraping services incorporated outside the EU — whose databases are marketed to non-EU clients but whose scraping bots index EU-resident face data — present jurisdictional questions the text does not fully answer. The Act applies to “providers placing AI systems on the Union market” and to systems “whose outputs are used in the Union,” but enforcement against non-EU providers with no EU establishment requires a level of cross-border regulatory cooperation that does not yet exist at scale.

The emotion-recognition exception ambiguity. The workplace and education prohibition on emotion recognition exempts systems deployed “for safety purposes.” Several vendors offering driver-monitoring, operator-fatigue, and industrial safety applications have structured their products to argue within the exception. The European AI Office has not yet published binding guidance on how narrow the exception is, which creates a window for rebranding.

First enforcement signals

The European AI Office, established under the Act and now operationally staffed, published in March 2026 its first batch of guidance documents for the prohibited-practices provisions. These are not enforcement actions; they are interpretive clarifications. The clearest signals:

• The Office indicated that social scoring prohibition applies to systems that aggregate behavioral data across contexts even when no single data point is government-sourced. A municipal platform that purchases commercially derived behavior scores and applies detrimental treatment based on them is within scope.
• On predictive policing: the Office’s guidance paper drew a hard line between systems that incorporate individual behavioral history (potentially permissible under high-risk provisions, with authorization) and systems that use population-level statistical profiles mapped onto demographic proxies. The latter falls squarely within Article 5(1)(d), no matter how the technical documentation frames it.
• On emotion recognition: the Office signaled it will interpret the “safety purposes” exception narrowly to systems where the emotional inference is a direct input to an active safety intervention (cutting power, halting machinery, overriding a driver control), not to HR-adjacent applications that assess employee wellbeing, engagement, or stress levels.

What this means for product compliance

For teams building or selling into EU markets, the prohibited-practices provisions are not aspirational guidance — they are hard prohibitions with penalties that start at €35 million or 7% of global annual turnover, whichever is higher.

Three immediate actions:

Inventory your training data pipelines. If any pipeline ingests face data scraped without individual consent — whether for building a recognition model, enriching a person database, or fine-tuning a foundation model — that pipeline potentially violates Article 5(1)(e) regardless of what the output product is used for.

Document the safety-exception argument if you use emotion inference. If you sell into industrial safety or transport and your product includes emotion or fatigue inference, the Office’s March guidance suggests you need to be able to show the inference directly triggers a safety action — not just logs to an HR dashboard, and not just feeds an engagement score.

Map your social-context scoring. If your platform produces user-level scores or tiers used in treatment decisions — eligibility gates, pricing tiers, service-access decisions — review whether the scoring draws on behavior in one context to drive consequences in a different social context. That is the prohibited-practices definition’s core logic, not the state/private distinction.

The full text of Article 5, with recitals 42 through 51 providing interpretive context, is the primary source. The recitals are not binding, but they are the best available record of legislative intent and will guide how the AI Office reads the operative provisions.

Sources

• EU AI Act — Regulation (EU) 2024/1689, full text (EUR-Lex) ↗ — the primary legal text; Articles 5 and 6, with Recitals 42–51, cover the prohibitions.
• European AI Office (European Commission Digital Strategy) ↗ — official guidance and interpretive documents from the enforcement body.
• EDPB Opinion 05/2023 on facial recognition (European Data Protection Board) ↗ — the data-protection layer intersecting with Article 5’s biometric provisions.
• Linklaters: EU AI Act compliance timeline guide ↗ — outside-counsel timeline summary mapping which provisions apply when.