EU AI Act Prohibited Practices and Compliance Deadline Approaches

The EU AI Act's first enforcement phase prohibiting specific AI practices approaches its February 2025 deadline. Organizations deploying AI systems in EU markets must ensure no systems fall within prohibited categories including social scoring, subliminal manipulation, exploitation of vulnerabilities, and certain biometric identification applications. Non-compliance penalties reach up to €35 million or 7% of global turnover. Organizations should complete AI system audits and remediate any prohibited practices before enforcement begins.

Prohibited AI practices overview

The EU AI Act Article 5 establishes prohibited AI practices representing unacceptable risk to fundamental rights. These prohibitions apply broadly to AI systems placed on the market, put into service, or used in the EU. Extraterritorial application extends prohibitions to organizations outside the EU whose systems affect EU persons.

Social scoring systems that evaluate natural persons based on social behavior or personal characteristics are prohibited. Systems generating scores affecting access to services, opportunities, or treatment based on behavioral profiling violate this prohibition. The prohibition targets government and private sector social scoring alike.

Subliminal manipulation techniques deploying AI to materially distort behavior without user awareness face prohibition. Systems using techniques beyond conscious awareness to influence decision-making violate this provision. The prohibition addresses manipulation undermining autonomous decision-making.

Exploitation of vulnerabilities through AI targeting specific groups due to age, disability, or social circumstances is prohibited. Systems designed to exploit vulnerable populations face categorical prohibition. The provision protects those less able to resist manipulative techniques.

Biometric identification restrictions

Real-time remote biometric identification in publicly accessible spaces faces general prohibition with limited law enforcement exceptions. The prohibition addresses mass surveillance concerns from facial recognition and similar technologies. Limited exceptions require judicial authorization and specific threat conditions.

Biometric categorization systems inferring sensitive characteristics from biometric data face prohibition. Systems categorizing individuals by race, political opinions, religious beliefs, or sexual orientation through biometric inference violate this provision. The prohibition prevents discriminatory profiling through biometric analysis.

Emotion recognition systems in workplace and educational contexts face significant restrictions approaching prohibition. Systems inferring emotional states for employment or educational decisions require careful assessment. Legitimate safety applications may remain permissible under specific conditions.

Facial recognition database creation through untargeted scraping of internet or CCTV imagery is prohibited. The prohibition addresses databases created through mass collection without consent. Law enforcement databases created through targeted collection may remain permissible.

Compliance assessment process

AI system inventory provides the foundation for prohibited practices assessment. Organizations must identify all AI systems deployed, developed, or procured. thorough inventory enables systematic compliance evaluation.

Purpose and function analysis determines whether systems fall within prohibited categories. System purposes, techniques employed, and affected populations inform categorization. Technical characteristics alone do not determine prohibition; purpose and effect matter.

Legal assessment applies AI Act provisions to identified systems. Regulatory interpretation guidance from the AI Office informs assessment. Legal counsel should participate in determinations for borderline cases.

Remediation planning addresses systems identified as potentially prohibited. Options include system modification, purpose limitation, or discontinuation. Remediation timelines must accommodate February 2025 enforcement.

Enforcement and penalties

Member state market surveillance authorities will enforce prohibited practices provisions. National authorities designate specific bodies for AI Act enforcement. Organizations should understand relevant national enforcement authorities.

Maximum penalties for prohibited practices violations reach €35 million or 7% of global annual turnover, whichever is higher. The penalty scale indicates regulatory priority for prohibited practices compliance. Penalty magnitude justifies significant compliance investment.

Enforcement will likely prioritize clear violations and significant harm scenarios initially. Borderline cases may receive guidance before enforcement action. However, reliance on enforcement discretion creates risk.

Repeat violations and intentional non-compliance face enhanced penalties. Demonstrated compliance efforts may mitigate penalties for good-faith violations. Organizations should document compliance efforts supporting potential mitigation.

Industry-specific considerations

Financial services organizations should assess credit scoring and fraud detection systems. Systems affecting financial service access based on behavioral profiling require careful analysis. Legitimate credit assessment differs from prohibited social scoring.

Marketing and advertising technology face manipulation provision scrutiny. Personalization systems influencing behavior through psychological profiling require assessment. Distinction between persuasion and manipulation requires careful analysis.

Human resources technology including candidate screening and employee monitoring warrants review. Systems affecting employment based on characteristics beyond job requirements face scrutiny. Emotion recognition in workplace contexts receives particular attention.

Security and surveillance technology faces biometric identification provisions. Public space surveillance with facial recognition requires law enforcement authorization where permitted. Private sector deployment faces broader prohibition.

Implementation guidance status

EU AI Office implementation guidance continues development. Guidelines addressing specific prohibition interpretations assist compliance assessment. Organizations should monitor guidance publication and incorporate into assessment.

National implementation measures vary across member states. Transposition legislation and regulatory authority designation proceed at different paces. Organizations operating across member states must track national implementation.

Standardization activities support technical implementation. Harmonized standards will provide compliance pathways. Current standards development informs preparation but final standards remain pending.

Codes of practice for general-purpose AI providers address some overlapping concerns. Foundation model providers face both prohibited practices and GPAI-specific requirements. Coordinated compliance addresses both sets of obligations.

Risk mitigation strategies

Documentation of AI system purposes and limitations supports compliance demonstration. Clear purpose statements distinguishing permitted from prohibited applications provide evidence. Documentation should be contemporaneous with system development and deployment.

Technical controls limiting system capabilities to permitted purposes reduce violation risk. Purpose limitation through technical measures supplements policy controls. Technical controls demonstrate commitment to compliance boundaries.

Ongoing monitoring ensures systems remain within permitted boundaries. System behavior evolution through learning may create compliance drift. Monitoring mechanisms detect changes requiring reassessment.

Vendor assessment addresses third-party AI system compliance. Organizations using vendor-provided AI remain responsible for prohibited practices compliance. Vendor contracts should address AI Act compliance obligations.

Cross-border coordination

Organizations operating across EU member states face coordinated compliance requirements. Lead supervisory authority concepts may emerge similar to GDPR approaches. Establishment-based authority allocation requires understanding.

Non-EU organizations with EU market exposure face extraterritorial application. Systems affecting EU persons regardless of operator location fall within scope. EU representative requirements parallel other EU regulations.

US-EU coordination on AI regulation continues through bilateral dialogs. Coordination influences enforcement approaches and potential mutual recognition. Organizations should track coordination developments.

International AI governance frameworks provide additional context. OECD principles and other international instruments influence regulatory interpretation. Global AI governance evolution affects compliance landscapes.

60-day priority list

• Complete thorough AI system inventory including third-party and embedded AI.
• Conduct prohibited practices assessment for all identified AI systems.
• Engage legal counsel for borderline system categorization determinations.
• Develop remediation plans for potentially prohibited systems.
• Implement system modifications or discontinuations before February deadline.
• Document compliance assessment process and determinations.
• Monitor EU AI Office guidance publication for implementation updates.
• Brief leadership on prohibited practices compliance status and any remediation requirements.

Bottom line

EU AI Act prohibited practices provisions create urgent compliance requirements as the February 2025 deadline approaches. Organizations must complete assessment and remediation activities within the remaining timeframe. Significant penalties for non-compliance justify priority attention to prohibited practices requirements.

Compliance assessment requires systematic AI system inventory and purpose analysis. Technical characteristics alone do not determine prohibition; system purpose and effect drive categorization. Legal assessment should inform determinations for borderline cases.

Industry-specific applications warrant particular attention. Financial services, marketing technology, HR systems, and security applications face potential prohibited practices exposure. Sector-specific assessment ensures thorough compliance.

Implementation guidance continues evolving requiring ongoing monitoring. Organizations should incorporate published guidance while proceeding with assessment based on statutory text. Guidance updates may affect assessment conclusions.

This analysis recommends organizations treat prohibited practices compliance as urgent priority. The combination of approaching deadline, significant penalties, and categorical prohibition nature requires immediate action for organizations with potentially affected systems.

Similar analysis

Additional analysis covering similar themes.

Policy · Credibility 94/100 · January 21, 2026

EU AI Act General-Purpose AI Codes of Practice Enter Final Drafting Phase

The European AI Office has entered the final drafting phase for Codes of Practice governing general-purpose AI models under the EU AI Act. These codes will establish concrete compliance requirements for GPAI providers…

Policy · Credibility 73/100 · May 23, 2023

European Parliament Approves EU AI Act Risk-Based Framework

The European Parliament passes the EU AI Act with 499 votes in favor, establishing full risk-based regulation for artificial intelligence systems. The legislation prohibits certain high-risk AI applications, regulates…

Policy · Credibility 93/100 · November 19, 2025

EU AI Act Compliance Update: Implementation Timelines and Simplification Proposals

EU AI Act compliance continues to evolve with additional guidance from the AI Office. Keep tracking implementation updates, FAQ publications, and enforcement precedents. AI compliance is a moving target.

Policy · Credibility 93/100 · December 25, 2025

Critical Infrastructure Cybersecurity Requirements Expand for 2026

Federal agencies finalized multiple critical infrastructure cybersecurity regulations in late 2025 with compliance deadlines across 2026. CISA's sector-specific requirements, TSA pipeline directives, and EPA water system…

Policy · Credibility 94/100 · November 7, 2025

EU AI Act serious-incident reporting consultation closes

EU AI Act serious incident reporting policy requires AI system providers to notify authorities when systems cause harm. Death, serious injury, or significant property damage triggers mandatory reporting. Document your…

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Policy Implementation Guide

  Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

• Digital Markets Compliance Guide

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Semiconductor Industrial Strategy Policy Guide

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published

December 4, 2025

Coverage pillar

Policy

Source credibility

93/100 — high confidence

Topics

EU AI Act · Prohibited AI Practices · AI Regulation · Biometric Identification · Social Scoring · Compliance

Sources cited

3 sources (eur-lex.europa.eu, digital-strategy.ec.europa.eu, europarl.europa.eu)

Reading time

6 min

Further reading

1. EU AI Act Official Text — eur-lex.europa.eu
2. EU AI Office Implementation Guidance — ec.europa.eu
3. AI Act Prohibited Practices Legal Analysis — europarl.europa.eu