
compliance · 15 min read

EU AI Act — Art. 5 enters application: eight prohibited practices in the EU from 2 February 2025

First real step of Regulation (EU) 2024/1689. On 2 February, the prohibitions on unacceptable practices and the AI literacy duty enter application. Table of the eight categories with article, real product affected and deadline, plus the Art. 5.2 exceptions and Art. 2 extraterritoriality.

· Manuel López Pérez · compliance

On 2 February 2025 the first set of obligations under Regulation (EU) 2024/1689 (AI Act) enters application. Two real things happen that day: the Art. 5 prohibitions (Chapter II) become enforceable, and the AI literacy duty of Art. 4 kicks in. We covered the Regulation when it entered into force in August 2024; this post unpacks the first step with real product affected, not OJ paraphrase.

Two days later, on 4 February, the Commission publishes the Guidelines on prohibited artificial intelligence (AI) practices: a non-binding interpretive document, available in the 24 official languages, designed to give operational criteria to market surveillance authorities and deployers. On 6 February the Commission also adopts complementary guidelines on the definition of “AI system” under Art. 3(1). Together: for the first time AI Act obligations trigger fines.

Reading: work based on the consolidated text of the Regulation on EUR-Lex and the Guidelines published on 4 February 2025. For binding decisions one must go to the Regulation text; what follows is operational triage for CISO/DPO.

The date and why it matters

Art. 113 of the Regulation sets the application calendar. Prohibitions and AI literacy are the first enforceable articles: 6 months from entry into force on 1 August 2024.

| Milestone | Date | What enters application |
|---|---|---|
| Entry into force | 1 Aug 2024 | Regulation published, not yet enforceable except application provisions |
| Art. 5 prohibitions | 2 Feb 2025 | Chapters I and II — unacceptable practices prohibited, definitions, AI literacy |
| GPAI | 2 Aug 2025 | Chapter V — general-purpose model obligations |
| High-risk systems | 2 Aug 2026 | General application — Annex III, oversight, sandboxes, sanctions |
| Annex I (products) | 2 Aug 2027 | Art. 6(1) — high-risk systems integrated into regulated products |

Penalising Art. 5 is not theoretical: Art. 99 sets the highest tier, up to €35 million or 7 % of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, the lower amount (Art. 99.6). It is the only AI Act category with a sanctions regime equivalent to GDPR’s prohibition-grade penalties, not just a duty of diligence.

The eight prohibited practices, one by one

Art. 5(1) lists eight categories. For each, what the text says, what the Commission’s Guidelines of 4 February interpret, and which real product or feature lands inside.

5(1)(a) — Subliminal or manipulative techniques

Systems that deploy subliminal techniques beyond a person’s consciousness, or purposefully manipulative or deceptive techniques, with the effect or objective of materially distorting the behaviour of a person or group, impairing their ability to make an informed decision, causing them to take a decision they would not have otherwise taken, and causing or being reasonably likely to cause significant harm.

Four cumulative elements: (1) subliminal technique or purposeful manipulation, (2) material behavioural distortion, (3) impairment of informed decision-making, (4) significant harm (physical, psychological, financial or economic) reasonably likely. The burden on the regulator is high — all four tests must pass — but the chilling effect is broad.

The Commission’s Guidelines distinguish between “legitimate persuasion” (transparent advertising, non-deceptive personalised recommendations) and “prohibited manipulation” (AI-amplified dark patterns, deepfakes with intent to deceive on material decisions, chatbots generating artificial emotional dependency in vulnerable users). The “subliminal” bar is read technically: images or audio below the conscious threshold. Visible dark patterns fall rather under (a) as purposeful manipulation, not as subliminal.

Real product affected: hyper-personalised “companionship” chatbots that escalate anxiety or dependency to force purchases or subscriptions; dynamic pricing systems detecting the customer’s emotional state (voice, writing) to raise prices at moments of low decision-making capacity.

5(1)(b) — Exploitation of vulnerabilities

Systems that exploit any vulnerability of a person or group due to their age, disability or specific social or economic situation, with the effect or objective of materially distorting behaviour, causing or being reasonably likely to cause significant harm.

Analogous to (a) but with a specific target: the practice exploits a concrete vulnerability. The difference from (a) is that here proof of “subliminal” or “purposefully manipulative” is not required — it is enough that the system exploits the vulnerability. The Guidelines cite as examples: systems detecting a user’s economic precariousness to push abusive-cost credit products, systems targeted at minors with engagement patterns exploiting developmental impulsivity, systems targeted at people with cognitive deterioration in care homes.

Real product affected: online casino and lottery chatbots that use profiling to target users with problem-gambling patterns (the UK Gambling Commission is already looking at this under its own legislation; the AI Act now comes on top); ad networks segmenting on indirect markers of cognitive disability or poverty to serve predatory offers.

5(1)(c) — Social scoring by public or private entities

Systems for the evaluation or classification of natural persons over a certain period of time, based on their social behaviour or known, inferred or predicted personal characteristics, where the social score leads to:

(i) detrimental or unfavourable treatment in social contexts unrelated to those in which the data were originally generated or collected, or

(ii) detrimental or unfavourable treatment that is unjustified or disproportionate to the gravity of the social behaviour.

Two conditions, connected by or: one is enough. (i) blocks the “your social media behaviour determines whether you get a bank loan” model; (ii) blocks the “you have €200 of phone bill arrears, no access to public healthcare” model. Scope is public and private alike — this isn’t only the “Chinese system”, it applies to any cross-context corporate scoring.

Real product affected: platforms aggregating employment, online behaviour and credit data into a single score then sold to sectors unrelated to the source; tenant screening systems penalising tenants on social media activity; “reliability” indices of gig workers that mix client rating with irrelevant markers of offline behaviour.

5(1)(d) — Predictive policing by profiling

Systems to carry out risk assessments of natural persons to assess or predict the risk of committing a crime, based solely on profiling the person or assessing personality traits and characteristics.

Exception: this prohibition does not apply to AI systems used to support human assessment of a person’s involvement in a criminal activity, where such assessment is already based on objective and verifiable facts directly linked to a criminal activity.

The line: a predictive risk score based on who you are (socio-economic profile, place of residence, general behaviour) is prohibited; a system supporting a human investigator when objective facts against the person already exist is permitted.

The Guidelines dwell on the adverb solely: if the system combines profiling with specific criminal-activity data, it leaves the prohibition but enters as high-risk under Annex III point 6 (law enforcement) — different category, different regime, not prohibition.

Real product affected: PredPol/CompStat-style geographic risk maps classifying individuals by neighbourhood + demographic profile (dubious category, depends on how the output is used); credit risk systems applied to criminal investigation (clearly prohibited); early intervention scoring on minors to predict future criminality (clearly prohibited).

5(1)(e) — Indiscriminate facial scraping

Systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.

The prohibition is direct. No need to prove harm, no conditional. If the method of building the face database is untargeted scraping, it is prohibited. This follows the line of the Clearview AI proceedings before European authorities — the Spanish AEPD fined Clearview in 2024 — and sets it as a prohibition against any provider.

Real product affected: Clearview AI, PimEyes and the like. Any service offering reverse face search against a database built from aggregated Instagram/LinkedIn/CCTV images without filter is out of the EU market. The open question: databases built before 2 February 2025 — Art. 5 has no explicit transitional clause; the majority reading is that the system itself remains prohibited even if the database was built earlier.

5(1)(f) — Emotion inference at work and in education

Systems to infer emotions of a natural person in workplace and educational institution contexts, unless the system is used for medical or safety purposes.

Bounded scope: work and education. Outside those contexts, emotion inference is not prohibited — it falls under Art. 50 (transparency) where applicable. Exceptions are specific: medical (therapy, diagnosis) or safety (fatigue detection in professional transport drivers, for example).

The Guidelines clarify that “workplace” covers both the worker on the job and during job interviews and selection processes. “Educational institutions” covers everything from early childhood to university. Scope is broad.

Real product affected: emotion analytics systems on calls in call centres (measuring agent frustration for performance management); educational proctoring measuring engagement, attention or stress during online exams; interview AI scoring enthusiasm/sincerity of candidates from video. All those in the EU market must withdraw or reconfigure the feature.

5(1)(g) — Biometric categorisation by sensitive categories

Biometric categorisation systems that classify natural persons individually based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation.

Exception: lawful labelling or filtering of legally acquired biometric datasets, or biometric categorisation by law enforcement within the framework of applicable Union and national law.

The list of sensitive categories mirrors Art. 9 GDPR. A system inferring “this person is Muslim”, “this person is lesbian”, “this is a unionised worker” from biometric data is prohibited. The exception covers two cases: technical dataset cleaning (e.g., balancing a dataset for training) and use by law enforcement under legal framework.

Real product affected: systems inferring sexual orientation from facial analysis (the 2017 Stanford “gaydar” would be the boundary case — prohibited now if deployed as product); retail systems classifying shoppers by ethnicity to serve differentiated advertising.

5(1)(h) — Real-time remote biometric identification in publicly accessible spaces for law enforcement

Real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes, save when strictly necessary for:

(i) targeted search for specific victims of abduction, trafficking or sexual exploitation, or search for missing persons;

(ii) prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons, or a genuine and present or genuine and foreseeable threat of a terrorist attack;

(iii) localisation or identification of a person suspected of having committed a crime, for the purpose of conducting a criminal investigation, prosecution or execution of a penalty, for crimes from Annex II carrying a custodial sentence of at least four years.

The exceptions of Art. 5(2)–(7) are the procedural regime for the three cases:

  • Art. 5(2): each use must be limited to confirming the identity of a specific target, consider gravity and likelihood of harm, and apply safeguards.
  • Art. 5(3): prior authorisation from a judicial authority or an independent administrative authority of the Member State, based on a reasoned request. Emergency use is allowed without prior authorisation, but authorisation must be requested within 24 hours; if denied, immediate halt and data destruction.
  • Art. 5(4): notification to the market surveillance authority and the national data protection authority.
  • Art. 5(5): Member States may authorise use within limits set by national law, notified to the Commission within 30 days. They may adopt stricter laws.

The interpretation that will get litigated in 2025: what counts as “remote”, what counts as “real-time” (the Guidelines say post-event with significant delay falls under high-risk Annex III, not prohibition), and what counts as “publicly accessible space” (metro stations, airports, hospitals?).

Real product affected: real-time face recognition deployments by municipal or national police against an expanded watchlist. Spain must transpose into national law the conditions of Art. 5(5) if it wants to allow any of the three exceptions — as of end of January 2025 there is no public draft.

The general Art. 2 exemptions — what falls outside the Regulation

Before running the inventory against the prohibitions, check Art. 2. Four material exemptions worth noting:

  • Art. 2(3) — exclusively military, defence or national security purposes. The AI Act does not apply. Any system with dual use falls under the AI Act for its civil part.
  • Art. 2(4) — public authorities of third countries and international organisations acting within international agreements on police and judicial cooperation with the EU or Member States, subject to equivalent safeguards.
  • Art. 2(6) — AI systems or models, including their output, developed and put into service for the sole purpose of scientific research and development. Research is outside; the market moment puts it inside.
  • Art. 2(8) — research, testing and development activity prior to market placement, with the exception of real-world testing (which does fall within scope).
  • Art. 2(10) — non-professional personal use. A system an individual uses for themselves, without commercial activity, falls outside the Regulation.

There is also a specific exemption for free and open-source licensed systems released before applicability, provided they are not GPAI and not placed on the market as a product.

Extraterritoriality — Art. 2(1)

The AI Act has three connection points triggering applicability:

  • Art. 2(1)(a): providers placing on the market or putting into service AI systems in the EU, regardless of country of establishment.
  • Art. 2(1)(b): deployers with their place of establishment or location in the EU.
  • Art. 2(1)(c): providers and deployers established in a third country where the system output is used in the EU.

(c) is the hard extraterritorial clause. A US provider operating a chatbot accessible from the EU whose responses are consumed by EU users falls within the regime. The burden is on the provider — designate an EU representative under Art. 22 if certain thresholds are exceeded, demonstrate conformity with applicable prohibitions and obligations.

What that means operationally: a US SaaS product cannot simply “not be available in the EU” if outputs cross the border. If the output is used in the EU — a medical diagnosis, an HR decision, a financial recommendation — the Regulation applies. The Guidelines do not resolve edge cases (tourists, VPN, transitive output) but make clear substance matters more than form.

AI literacy — Art. 4 (also in application on 2 Feb)

Alongside the prohibitions, Art. 4 enters application:

Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.

No specific Art. 4 penalty under Art. 99, but it is an enforceable provision — AESIA can inspect Art. 4 compliance and derive administrative consequences. The “sufficient” level depends on context, the person’s prior training, type of system deployed. For an organisation deploying customer-service chatbots, the bar is modest; for one deploying credit risk classifiers, the bar rises.

Withdrawal table

Run each system in the inventory against the Art. 5 list. What falls out of the EU market on 2 February 2025:

| Prohibited category | Art. | Typical product/feature | Action |
|---|---|---|---|
| Subliminal / purposeful manipulation | 5.1.a | Dynamic pricing with customer emotion detection | Withdraw or reconfigure before 2 Feb |
| Exploitation of vulnerabilities | 5.1.b | Casino/lottery profiling-driven at problem gamblers | Remove segmentation, keep service |
| Social scoring | 5.1.c | Cross-context trust score aggregation platform | Withdraw product or limit to one context |
| Predictive policing by pure profiling | 5.1.d | Police risk scoring without objective facts | Withdraw, or restructure as investigator support with factual basis |
| Indiscriminate facial scraping | 5.1.e | Clearview-style face search | Do not market in EU |
| Emotion recognition in work/education | 5.1.f | Proctoring with stress analysis, interview AI | Remove emotion feature, keep the rest |
| Sensitive biometric categorisation | 5.1.g | Automatic inference of orientation/ethnicity/religion | Withdraw product |
| Biometric RT identification in public spaces | 5.1.h | Municipal real-time FR surveillance (LE) | Suspend until national legal framework |

For existing deployments, no transition clause — the Regulation applies to the system regardless of when it was deployed. Operational note: the withdrawal deadline is the date of applicability, not an additional grace period.

Operational triage

  1. AI inventory closed before 2 Feb. If the answer to “what AI systems do we use” is still “we don’t know”, the problem is governance, not the Regulation.
  2. Triage against Art. 5 system by system. For each, document (i) applicable category or none, (ii) whether any Art. 2 exemption applies, (iii) decision: withdraw, reconfigure, or keep.
  3. Withdrawal or reconfiguration of systems landing inside. When the system is from an external provider (SaaS), contractual notification to the provider + migration plan.
  4. Documentation of the decision — especially for cases where a prohibition is deemed not to apply (e.g., in-person exam proctoring without emotion recognition, kept as permitted). The reasoned criterion is procedural defence against the market surveillance authority.
  5. Art. 4 literacy plan — minimum internal training for staff operating or supervising AI. No mandatory format; it must be documentable.
  6. EU representative designation (Art. 22) if the organisation is a provider established outside the EU and operates output used in the EU.

What stays open

  • Case-by-case interpretation of “purposeful manipulation” in (a). The “significant harm” bar is the piece that will determine where the line is cut. The first market surveillance authority decisions in Q2–Q3 2025 will set precedent.
  • Coordination between prohibition (5.1.d) and high-risk (Annex III, point 6). Police investigation support systems with profiling elements fall under high-risk, not prohibition, but the boundary depends on how much of the scoring comes from profile vs concrete facts.
  • AESIA and market surveillance authorities. Spain designates AESIA as the national applying authority. As of end of January 2025, AESIA has not published Spanish-specific guidelines; it is aligning with the 4 February Commission ones. Royal Decree 729/2023 creating AESIA sets its seat in La Coruña and operations from June 2024.
  • Sanctions regime in Spain. The Regulation is directly applicable, but the procedural sanctions regime and inter-authority coordination (AESIA, AEPD, CNMC, sectoral authorities) are still draft. The draft AI governance law was approved by the Council of Ministers in March 2025; parliamentary trajectory continues.
  • GPAI on 2 August 2025. Next step of the Regulation — obligations for foundation models. We will cover it when it lands.
