EU AI Act Article 5: the eight prohibited AI practices explained
Article 5 of the EU AI Act prohibits eight specific AI practices outright. Unlike high-risk obligations (which require compliance work but allow the system to operate), Article 5 prohibitions are absolute. No conformity assessment, no documentation, no safeguard can make a prohibited practice lawful. Penalty ceiling is €35M or 7% of global turnover - the highest in the Act. Article 5 took effect on 2 February 2025, so it is already enforced.
The eight prohibitions
Article 5(1)(a): subliminal techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting behaviour, causing or likely to cause significant harm.
Article 5(1)(b): exploitation of vulnerabilities due to age, disability, or specific social or economic situation, with the objective or effect of materially distorting behaviour, causing significant harm.
Article 5(1)(c): biometric categorization of natural persons to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation.
Article 5(1)(d): social scoring by public authorities or on their behalf, leading to detrimental or unfavourable treatment in contexts unrelated to data collection or that is unjustified or disproportionate.
Article 5(1)(e): risk assessment of natural persons to predict criminal offences based solely on profiling or personality traits (predictive policing without other evidence).
Article 5(1)(f): untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases.
Article 5(1)(g): inferring emotions in workplaces or educational institutions, except for medical or safety reasons.
Article 5(1)(h): real-time remote biometric identification in publicly accessible spaces by law enforcement, except in specific narrow circumstances.
Which prohibitions hit SaaS
Most SaaS will never trigger Articles 5(1)(d), (e), (f), or (h) - these apply primarily to public-sector AI. The prohibitions that catch commercial SaaS are 5(1)(a) (manipulation), 5(1)(b) (vulnerability exploitation), 5(1)(c) (biometric categorization inferring protected attributes), and 5(1)(g) (workplace or school emotion recognition).
Common SaaS proximity cases
Common cases that sit close to Article 5 prohibitions: dynamic pricing engines that learn impulse-buy signals and trigger urgency pressure (5(1)(a) territory); ad-targeting algorithms that identify and exploit financial-distress signals (5(1)(b)); voice analysis tools that infer emotion or sentiment from customer service calls in workplaces (5(1)(g)); HR-tech tools that classify candidates by personality dimensions inferred from biometric features like voice tone (5(1)(c) and 5(1)(g) overlap). Each requires careful design review.
Enforcement and penalties
Article 5 prohibitions enforce since 2 February 2025. Penalty ceiling under Article 99(3): €35M or 7% of global turnover, whichever is higher. SME proportionality applies but rarely brings the fine below €100,000 for material violations. National authorities can also order immediate cessation of the prohibited practice, market withdrawal, and corrective publicity. Criminal liability is possible in some member states for severe or repeated violations.
Practical compliance
For SaaS, run a formal Article 5 review once a year and after every major product change. Document each feature against each prohibition with a written rationale. Keep the review file in your compliance archive for regulator request. If a feature sits close to a prohibition, redesign or add safeguards (explicit opt-in, age gating, vulnerability detection). If you cannot bring the feature out of proximity, consult outside compliance review - the penalty exposure is severe enough that legal opinion is warranted.
Frequently asked questions
When did Article 5 take effect?
2 February 2025 - Article 5 is already enforced.
What is the penalty for Article 5 violations?
Up to €35M or 7% of global turnover, whichever is higher. Plus immediate cessation orders and possible market withdrawal.
Does Article 5 apply to commercial SaaS?
Yes - particularly 5(1)(a) manipulation, 5(1)(b) vulnerability exploitation, 5(1)(c) biometric categorization, and 5(1)(g) workplace emotion recognition.
Are there exceptions to Article 5(1)(g)?
Yes - medical or safety reasons are exempt. A workplace stress-monitoring system used as part of an occupational health programme can be lawful; the same system used to evaluate employee performance is not.
Can I get a fine waiver if I cease the prohibited practice?
Cessation reduces ongoing exposure but does not eliminate fines for past conduct. National authorities have discretion to reduce fines for cooperation and prompt remediation.
Sources
Last updated: 2026-05-28