AI Act — Prohibited practices (Art. 5): the Commission’s 2025 clarifications

On 4 February 2025, the Commission issued guidelines on prohibited AI practices (Art. 5 AI Act). Eight uses are banned as of 02/02/2025, with fines up to €35m or 7% of global turnover.

Summary — On 4 February 2025, the European Commission issued guidelines on “prohibited AI practices” (Article 5 AI Act), confirming the immediate ban on eight uses and fines up to €35m or 7% of global turnover.

The case

The Commission released “Guidelines on prohibited artificial intelligence practices” to clarify the application of Article 5 of Regulation (EU) 2024/1689, the AI Act. These non-binding yet prescriptive guidelines detail the eight prohibited practices and provide concrete examples. They accompany the entry into application of the AI Act’s first rules on 2 February 2025, confirmed by the press release “First rules of the Artificial Intelligence Act are now applicable” on 3 February 2025. See: Commission — Guidelines on prohibited AI practices and the 3 Feb 2025 press release. Legal text on Eur‑Lex: Regulation (EU) 2024/1689. For general context, see our AI Act overview.

As for penalties, Article 99 sets maximum fines up to €35,000,000 or 7% of global turnover for violations of the prohibitions. Ref.: AI Act, Arts. 5 and 99. In its 20 May 2026 report under Article 112 AI Act, the Commission reiterates that Chapter II has applied since 2 February 2025 and that the February 2025 guidelines are the first common reference: COM(2026) 234.

Legal reasoning

  • Core rule: Article 5 bans systems/uses whose harm is “inherent,” deemed to seriously infringe fundamental rights. Example: Art. 5(1)(a) prohibits subliminal/manipulative/deceptive techniques that materially distort decision-making and cause significant harm. See Eur‑Lex Art. 5.
  • Biometrics: prohibition on creating/expanding facial recognition databases via untargeted scraping (Art. 5(1)(e)) and on emotion inference at work/school (Art. 5(1)(f)). Recitals 43–44 cover “mass surveillance” concerns and scientific limits of “emotion recognition.” See recitals and Art. 5(1)(e)-(f).
  • Social scoring: ban on social evaluation by public/private actors across multi-context datasets leading to disproportionate adverse treatment (Recital 31 + Art. 5). See Recital 31.
  • Penalties: Art. 99(3) sets the €35m/7% cap for prohibited practices; other infringements face lower tiers. See Art. 99.
  • Timeline: prohibitions applicable from 2 February 2025; enforcement tooling ramping up through 2026; potential updates to the Art. 5 list via Art. 112. See COM(2026) 234.

The 2025 guidelines turn these norms into operational practice (definitions, materiality tests, banned/tolerated examples) for authorities and companies: Commission — Guidelines page.

What it concretely changes in Luxembourg

For executives, DPOs, CISOs and legal teams in Luxembourg, some AI ideas/projects are no longer “negotiable” via DPIA plus mitigations: they are outright banned ab initio. Embed these constraints in AI usage policies, vendor selection and internal controls. For structured support, see our AI governance and compliance.

  • HR and retail: ban any “emotion recognition” to assess candidates, employees or in-store customers. Even with notice/consent, use at work/school is prohibited (Art. 5(1)(f)). See Eur‑Lex.
  • Marketing/insurance/credit: avoid cross-context scoring reusing multi-context behavioural data that results in out-of-context or disproportionate adverse treatment — a hallmark of prohibited social scoring (Recital 31 + Art. 5). See Eur‑Lex.
  • Security/loss prevention: do not build or “enrich” facial databases from untargeted Internet/CCTV captures for identification — explicitly banned (Art. 5(1)(e)). See Eur‑Lex.
  • GDPR compliance: the AI Act is lex specialis for these practices, but GDPR still applies to other use cases (Art. 6 legal bases, Art. 9 special data, Art. 22 ADM). CNPD will assess GDPR in parallel. For local requirements, see GDPR in Luxembourg.

Expect cross-checks by CNPD and the AI competent authority from 2026–2027, with particular scrutiny for financial entities (CSSF) and NIS 2 operators.

Common pitfalls

  1. “We anonymise afterwards”: believing a facial recognition pipeline based on untargeted scraping is acceptable if images are later blurred. The ban targets the creation/extension of the database itself, regardless of downstream steps. See Art. 5(1)(e).
  2. “Magic” consent at work: employee consent does not lift the prohibition on emotion inference at work/school (Art. 5(1)(f)). See Art. 5(1)(f).
  3. Internal “reputational” scoring: aggregating multi-source signals into a “reliability score” used out of context may fall under prohibited social scoring. Cross-check with the Commission’s guidelines: Guidelines.
  4. Verification vs. identification: 1:1 biometric verification (authentication) is not prohibited by Art. 5; remote 1:N biometric identification in public spaces is, subject to narrow law enforcement exceptions. See biometric definitions.

Official sources

In practice

Formalise “AI red lines” now, update procurement clauses and use-case registers to explicitly exclude the eight practices, and request vendor attestations of absence of Art. 5-prohibited features. For hands-on support, visit our AI compliance and AI Act page.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
