What are the EU AI Act prohibited practices?

The EU AI Act bans nine specific AI uses: manipulative AI, exploiting vulnerabilities, social scoring by authorities, predictive policing by profiling, untargeted facial recognition scraping, emotion recognition in workplaces and schools, biometric categorisation inferring sensitive attributes, real-time remote biometric identification in public spaces, and non-consensual AI-generated intimate imagery.

When did the EU AI Act prohibited practices take effect?

The original eight prohibited practices have been in force since 2 February 2025. The ninth — non-consensual intimate imagery — was added by the Omnibus agreement and takes effect 2 December 2026.

What is the penalty for EU AI Act prohibited practices?

Up to €35 million or 7% of total worldwide annual turnover, whichever is higher. This is the highest penalty tier in the regulation.

The 9 Things AI Is Now Banned From Doing in Europe

Europe didn't vaguely suggest that AI should be regulated. It banned nine specific uses of it. The prohibited practices have been in force since February 2025, and yet I keep meeting founders who have no idea what's on the list — or worse, assume it doesn't apply to them because their company is based in Texas.

So let's walk through all nine.

1. Manipulative AI that distorts behaviour

If your AI uses subliminal or deliberately manipulative techniques to distort someone's behaviour in a way that causes harm — banned. Your Spotify algorithm isn't the issue. An AI that psychologically manipulates vulnerable people into spending money they don't have is.

2. Exploiting vulnerabilities

The first ban's meaner cousin. If your AI specifically targets people because of age, disability, or economic situation and manipulates their behaviour harmfully — done.

3. Social scoring by public authorities

Europe looked at China's social credit system and said "absolutely not, thanks." General-purpose scoring of citizens by public bodies based on social behaviour — prohibited. A credit check for a specific loan is still fine.

4. Predictive policing based on profiling

You cannot point an algorithm at someone who has never committed a crime and say "but statistically, they probably will." AI that analyses crime patterns geographically is still permitted. The Minority Report approach is not.

5. Untargeted scraping for facial recognition databases

Building a facial recognition database by vacuuming up billions of photos from the internet or CCTV — prohibited. Aimed squarely at companies like Clearview AI.

6. Emotion recognition in workplaces and schools

Your employer cannot use AI to read your emotions at work. Your school can't assess your emotional state in the classroom. Narrow exceptions exist for safety (detecting a drowsy driver), but the general principle is clear.

7. Biometric categorisation inferring sensitive attributes

An AI that looks at someone and infers their race, religion, political opinions, or sexual orientation from biometric data — prohibited. The key word is "infer."

8. Real-time remote biometric identification in public spaces

No facial recognition surveillance cameras in public for law enforcement, with very narrow exceptions (kidnapping victims, imminent terrorism) requiring prior judicial authorisation.

9. Non-consensual intimate imagery generated by AI

The newest addition, from the May 2026 Omnibus agreement. Deepfake pornography of real people without consent is now explicitly a prohibited practice. Takes effect 2 December 2026.

The penalty for any of these?

Up to €35 million or 7% of global annual turnover — whichever is higher.

Here's what I find most interesting: at least three of these prohibited practices describe things actively happening in products available right now. The regulation doesn't care whether you knew you were breaking the rules. The clock isn't ticking. It's already ticked.