EU AI Act Prohibited Practices Finale 2026: Complete Assessment Framework & SaaS Compliance Checklist
Post #5 (Finale) in the sota.io EU AI Prohibited Practices 2026 Series
The EU AI Act's Article 5 prohibition deadline is August 2, 2026. Every SaaS product that uses AI — recommendation engines, HR tools, customer analytics, content moderation, identity verification — needs to pass a structured compliance audit before that date. This finale post brings together everything from our four-part series into a single, actionable assessment framework.
If you have not read the earlier posts, they cover: Art.5 overview and scope, biometric surveillance bans, emotion recognition prohibitions, and social scoring and manipulation bans. This post assumes familiarity with those areas and focuses on the unified compliance framework.
The Six Art.5 Prohibited Practices — Complete Reference
Article 5 of the EU AI Act lists practices so harmful to fundamental rights that no risk management or conformity assessment can make them lawful. They are banned outright.
Practice 1: Subliminal Manipulation (Art.5(1)(a))
What is banned: AI techniques that operate below the threshold of conscious awareness to distort a person's free will. This includes exploiting cognitive biases, deploying nudge architectures that remove meaningful choice, and using dark patterns in conversational AI interfaces.
SaaS scope: Recommendation engines, notification systems, engagement optimization tools, push notification personalization, A/B testing frameworks that optimize for addictive behavior rather than stated user goals.
Key distinction: The manipulation must be subliminal (below conscious perception) AND must cause or be likely to cause significant harm. If your system is transparent about how it influences choices, it may fall outside this prohibition — but you must be able to demonstrate that transparency.
Practice 2: Exploitation of Vulnerabilities (Art.5(1)(b))
What is banned: AI that exploits specific vulnerabilities of persons or groups due to age, disability, or social/economic situation in ways that distort behavior and cause or are likely to cause significant harm.
SaaS scope: Targeting algorithms that deliberately segment users by vulnerability indicators (age over 75, unemployment, low credit score, mental health indicators) for purposes that harm those users. Debt collection AI. Predatory pricing engines. "Dark" retention tools for subscription products used by vulnerable populations.
Key distinction: The prohibition applies when vulnerabilities are exploited — your system must affirmatively use the vulnerability to circumvent rational agency. Age-appropriate UX adjustments or accessibility features are not prohibited.
Practice 3: Social Scoring by Public Authorities (Art.5(1)(c))
What is banned: General-purpose social scoring — evaluating natural persons based on their social behavior or personal characteristics across unrelated contexts, producing detrimental or disproportionate treatment. Specifically applies to public authorities.
SaaS scope: B2G products sold to government agencies. Risk scoring systems that feed into government benefit decisions. Law enforcement analytics that aggregate behavior across contexts.
Key distinction: This prohibition applies primarily to public authority use. Private-sector credit scoring, fraud detection, and behavioral analytics are regulated under other provisions (high-risk classification under Annex III) but are not categorically prohibited under Art.5(1)(c).
Practice 4: Real-Time Biometric Identification in Public Spaces (Art.5(1)(d))
What is banned: Real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes, with limited exceptions for specific criminal investigations.
SaaS scope: Video analytics platforms with live facial recognition. Smart city surveillance feeds. Retail loss prevention AI with real-time face matching. Event security systems with live biometric scanning.
Key distinction: The prohibition is on real-time identification in public spaces for law enforcement purposes. Post-event forensic use, private workplace access control, and voluntary biometric authentication are handled under different rules.
Practice 5: Emotion Recognition in Workplace and Education (Art.5(1)(e) — Omnibus addition)
What is banned: AI systems that infer emotions of natural persons in the context of workplaces and educational institutions. This was strengthened by the 2026 Omnibus amendment.
SaaS scope: HR platforms with sentiment analysis of video interviews, meeting recordings, or chat messages. Employee wellness tools that classify emotional states. EdTech platforms that infer student engagement through facial or voice analysis.
Key distinction: The prohibition covers inference from biometric or behavioral signals. Voluntary emotion input (users explicitly rating their mood) is not prohibited. The Omnibus clarification: even anonymized or aggregated emotion data inference falls within scope if the source is workplace or educational context.
Practice 6: AI-Generated NCII (Art.5(1)(f) — Omnibus addition)
What is banned: AI systems specifically designed to generate non-consensual intimate imagery (NCII) of real persons. Prohibition took effect on December 2, 2025 (earlier enforcement window).
SaaS scope: Image/video generation APIs. Content moderation bypass tools. Avatar creation platforms without consent verification.
Key distinction: The prohibition targets systems designed for NCII. General-purpose image generation models used for NCII may trigger liability under other provisions (platform liability, CSAM regulations) but the Art.5 prohibition specifically addresses purpose-built NCII tools.
The 47-Point Self-Assessment Checklist
Use this checklist before your August 2, 2026 compliance audit. Each item maps to a specific Art.5 prohibition. A "Yes" answer on any shaded item indicates potential non-compliance requiring immediate review.
Section A: Subliminal Manipulation Audit (Art.5(1)(a))
| # | Question | Risk |
|---|---|---|
| A1 | Does any AI system optimize for engagement metrics in ways that were not disclosed to users? | HIGH |
| A2 | Do recommendation systems use techniques specifically designed to reduce users' ability to disengage? | HIGH |
| A3 | Are push notification timing or content algorithms tuned to exploit identified psychological moments of weakness? | HIGH |
| A4 | Does any AI feature use variable reward schedules (slot machine patterns) without user awareness? | HIGH |
| A5 | Are users informed in plain language what their AI-personalized experiences are optimizing for? | MEDIUM |
| A6 | Can users disable AI personalization entirely and receive a non-personalized baseline experience? | MEDIUM |
| A7 | Do A/B tests that involve AI-driven UI changes require ethics review before deployment? | MEDIUM |
| A8 | Are "dark patterns" in AI-driven onboarding flows documented and reviewed against Art.5(1)(a) criteria? | HIGH |
Section B: Vulnerability Exploitation Audit (Art.5(1)(b))
| # | Question | Risk |
|---|---|---|
| B1 | Does any system deliberately segment users by age (especially over 70), disability status, or financial stress indicators for targeting purposes? | HIGH |
| B2 | Are vulnerability-indicating signals (unemployment status, mental health keywords, debt indicators) used to adjust pricing, content, or features in ways that harm those users? | HIGH |
| B3 | Do retention mechanisms apply more aggressively to users identified as having fewer alternatives (low income, limited digital literacy)? | HIGH |
| B4 | Are there documented guardrails preventing AI from recommending high-cost products to users showing financial stress signals? | MEDIUM |
| B5 | Does your product have a defined list of protected user characteristics that cannot be used for exploitative targeting? | MEDIUM |
| B6 | Are customer support AI routing systems designed to de-prioritize vulnerable users (e.g., routing complaints from elderly users to automated responses)? | MEDIUM |
Section C: Social Scoring Audit (Art.5(1)(c))
| # | Question | Risk |
|---|---|---|
| C1 | Is your product sold to or used by public authorities for risk classification of citizens? | HIGH |
| C2 | Does any scoring system aggregate user behavior across unrelated contexts to produce a single trustworthiness or risk score? | HIGH |
| C3 | Are scores from your system used to determine access to government services, public spaces, or employment in the public sector? | HIGH |
| C4 | Do B2G contracts specify that AI-derived scores cannot be used for decisions disproportionate to the original data collection purpose? | MEDIUM |
| C5 | Is there a documented scope limitation preventing your scoring system from expanding to new contexts without re-assessment? | MEDIUM |
Section D: Biometric Surveillance Audit (Art.5(1)(d))
| # | Question | Risk |
|---|---|---|
| D1 | Does any product feature perform real-time facial recognition or biometric identification in publicly accessible spaces? | HIGH |
| D2 | Are video analytics systems capable of live person identification deployed in retail, transport, or event contexts? | HIGH |
| D3 | Is there a documented technical architecture confirming that no real-time biometric matching occurs in public-space deployments? | MEDIUM |
| D4 | Are third-party video analytics integrations reviewed for Art.5(1)(d) compliance before enablement? | MEDIUM |
| D5 | Do terms of service for video analytics APIs prohibit law enforcement use without explicit compliance review? | MEDIUM |
| D6 | Is workplace biometric access control clearly scoped to private premises with documented consent? | LOW |
Section E: Emotion Recognition Audit (Art.5(1)(e))
| # | Question | Risk |
|---|---|---|
| E1 | Does any HR, recruiting, or performance management feature analyze facial expressions, voice tone, or physiological signals to infer emotional states? | HIGH |
| E2 | Do video meeting tools infer attendee engagement, attention, or sentiment from video feeds? | HIGH |
| E3 | Are EdTech features that track "student engagement" using computer vision or voice analysis deployed without explicit exemption review? | HIGH |
| E4 | Do AI writing assistants or productivity tools analyze keyboard patterns or mouse movements to infer emotional state in workplace contexts? | HIGH |
| E5 | Is there documented evidence that any emotion-inference capability has been disabled for workplace and educational use cases? | MEDIUM |
| E6 | Are all emotion-adjacent analytics (sentiment, tone, engagement) clearly scoped to exclude workplace and educational deployment contexts? | MEDIUM |
Section F: Content Generation Controls (Art.5(1)(f))
| # | Question | Risk |
|---|---|---|
| F1 | Does any image or video generation capability include specific prompting or fine-tuning for realistic human likeness without consent mechanisms? | HIGH |
| F2 | Are generation APIs deployed without content filtering specifically targeting NCII patterns? | HIGH |
| F3 | Are user-identity-conditioned generation models (creating images of named or identifiable persons) deployed with explicit consent verification? | HIGH |
| F4 | Do terms of service for generation capabilities explicitly prohibit NCII creation and include enforcement mechanisms? | MEDIUM |
| F5 | Are generation model outputs logged and reviewable for compliance purposes? | LOW |
The Enforcement Architecture: What Violations Actually Cost
Penalty Structure
The EU AI Act establishes three penalty tiers for prohibited practices:
Tier 1 (Art.5 violations): Up to €35,000,000 or 7% of total annual worldwide turnover, whichever is higher. This is the maximum penalty tier — the same ceiling that applies to GDPR violations under Art.83(5).
Tier 2 (Other AI Act violations): Up to €15,000,000 or 3% of global turnover.
Tier 3 (Incorrect information): Up to €7,500,000 or 1% of global turnover.
For Art.5 prohibited practices, there is no tiered approach based on severity — the violation ceiling is the same whether a company unknowingly deployed a borderline feature or intentionally built a prohibited system. The determining factor for actual penalty amount is the seriousness, duration, and scale of the infringement.
Enforcement Bodies
Each EU member state must designate a national competent authority (NCA) for AI Act enforcement. As of mid-2026, the enforcement landscape is:
- Germany: Bundesnetzagentur (Federal Network Agency) leading, with sector-specific authorities
- France: CNIL has announced AI enforcement collaboration with Autorité de la concurrence
- Netherlands: Autoriteit Persoonsgegevens extended to AI Act enforcement
- Ireland: Data Protection Commission (critical for US tech companies with EU HQ in Dublin)
The EU AI Office (established under the Omnibus) handles enforcement for GPAI providers and cross-border cases. It has direct enforcement powers for Art.5 violations involving general-purpose AI.
Timeline of Enforcement
| Date | Event |
|---|---|
| 2025-02-02 | Art.5 prohibitions entered into force (6 months after OJEU publication) |
| 2025-08-02 | GPAI provider obligations, codes of practice |
| 2026-05-27 | CADA: EU tech sovereignty enforcement begins |
| 2026-08-02 | Full Art.5 enforcement by national authorities begins |
| 2026-12-02 | Remaining provisions (high-risk AI in Annex I, transparency obligations) |
| 2027-08-02 | High-risk AI in Annex III (HR, education, finance) fully enforceable |
The August 2, 2026 date is the primary enforcement trigger for most SaaS companies. After this date, NCAs can initiate investigations, request information, conduct audits, and impose penalties.
Compliance Architecture: What to Build vs. What to Disable
The Decision Tree
For every AI feature in your product:
1. Does it involve any of the 6 Art.5 prohibitions?
└── YES → Can it be scoped out of the prohibited context?
├── YES → Implement hard technical scope limit + document
└── NO → DISABLE the feature before 2026-08-02
2. Does it process biometric or sensitive personal data?
└── YES → DPIA required + check Annex III classification
3. Does it influence decisions with significant impact on persons?
└── YES → High-risk AI assessment required
Technical Controls That Demonstrate Compliance
For Emotion Recognition Prohibition:
- Feature flags that disable emotion inference when `deployment_context == "workplace" || deployment_context == "educational"` (test each value explicitly; `deployment_context == "workplace" || "educational"` is always true and would disable the feature for every tenant)
- Documented API contract: emotion endpoints return HTTP 403 for workplace tenant configurations
- Audit log showing no emotion inference events in workplace deployments post-August 2026
For Manipulation Prohibition:
- Objective function documentation: what each recommendation system maximizes
- User-accessible explanation of personalization goals
- Kill switch: one-click disablement of AI personalization to neutral baseline
For Biometric Prohibition:
- Technical architecture diagram showing no real-time person identification data flow
- API-level prohibition on live biometric matching in public-space deployment modes
- Third-party audit certification of non-real-time processing architecture
For Vulnerability Exploitation:
- Documented negative list: protected signals that cannot influence targeting
- Regular adversarial audit: test whether model outputs exploit vulnerability patterns
- Output monitoring for disparate impact on protected demographic groups
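The following is an added example, not sota.io's code and not any vendor's implementation, of how the controls listed above can be expressed in a SaaS backend: a hard scope limit that returns 403 for emotion inference in workplace and educational tenants, a negative list that rejects targeting inputs carrying protected signals, and an audit trail from which the "no emotion inference events in workplace deployments" evidence can be produced. Everything in it is assumed for illustration: the `Tenant` and `Decision` types, the `deployment_context` values, the signal names in `PROTECTED_SIGNALS`, and the convention that the HTTP layer maps `Decision.status` onto the response code.

```python
# Added example (not sota.io's code): a minimal Art.5 policy gate placed in
# front of a SaaS product's AI features. All names and values are
# constructed for this example.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List

# Contexts in which emotion inference is prohibited (Art.5(1)(e)).
PROHIBITED_EMOTION_CONTEXTS = frozenset({"workplace", "educational"})

# Negative list (Art.5(1)(b)): signals that must never reach a targeting model.
# The signal names are constructed placeholders, not a standard taxonomy.
PROTECTED_SIGNALS = frozenset({
    "age_over_70", "disability", "unemployment", "mental_health", "debt_stress",
})


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    deployment_context: str   # e.g. "consumer", "workplace", "educational"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int               # HTTP status the API layer should return
    reason: str


# Append-only audit trail; in production this would go to immutable storage.
AUDIT_LOG: List[Dict[str, Any]] = []


def _audit(tenant: Tenant, feature: str, decision: Decision) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "tenant": tenant.tenant_id,
        "context": tenant.deployment_context,
        "feature": feature,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })


def check_emotion_inference(tenant: Tenant) -> Decision:
    """Hard scope limit: emotion endpoints return 403 for prohibited contexts.

    The membership test matters: `ctx == "workplace" or "educational"` is
    always truthy in Python and would disable the feature for every tenant.
    """
    if tenant.deployment_context in PROHIBITED_EMOTION_CONTEXTS:
        decision = Decision(
            False, 403,
            f"emotion inference disabled for {tenant.deployment_context} context")
    else:
        decision = Decision(True, 200, "allowed")
    _audit(tenant, "emotion_inference", decision)
    return decision


def check_targeting_input(tenant: Tenant, features: Dict[str, Any]) -> Decision:
    """Reject a targeting request whose feature vector carries a protected signal."""
    leaked = sorted(set(features) & PROTECTED_SIGNALS)
    if leaked:
        decision = Decision(
            False, 403, "protected signals in targeting input: " + ", ".join(leaked))
    else:
        decision = Decision(True, 200, "allowed")
    _audit(tenant, "targeting", decision)
    return decision


def allowed_events(feature: str, context: str) -> int:
    """Compliance evidence: number of allowed events for a feature in a context.

    For ("emotion_inference", "workplace") the value must stay at 0.
    """
    return sum(1 for e in AUDIT_LOG
               if e["feature"] == feature and e["context"] == context and e["allowed"])


if __name__ == "__main__":
    hr = Tenant("acme-hr", "workplace")          # constructed sample tenant
    shop = Tenant("shop-eu", "consumer")          # constructed sample tenant
    print(check_emotion_inference(hr))
    print(check_emotion_inference(shop))
    print(check_targeting_input(shop, {"region": "DE", "unemployment": True}))
    print("allowed workplace emotion events:",
          allowed_events("emotion_inference", "workplace"))
```

The gate is deliberately placed before the model call, so a misconfigured tenant produces a logged 403 rather than an inference that then has to be explained away; the audit query is what an assessor would run against the log to confirm the control held over the whole period.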
EU-Native Stack for Compliant AI Deployment
The fundamental challenge with Art.5 compliance is not just what your AI does — it is whether you can prove what your AI does not do. That requires complete observability of your AI pipeline, including model behavior, data flows, and decision outputs.
US-hosted AI infrastructure creates a second-order compliance risk: even if your AI features are Art.5-compliant, data processed by US providers is subject to CLOUD Act requests. European authorities increasingly treat CLOUD Act exposure as a GDPR Art.46 transfer risk.
Compliant EU-Native Options
AI Model Serving:
- Mistral AI (France SAS, no CLOUD Act exposure) — text generation, classification, embeddings
- Aleph Alpha (Germany, Heidelberg) — enterprise-grade LLMs with EU data residency
- Scaleway AI — Mistral and other models on EU infrastructure
ML Infrastructure:
- Hetzner (Germany) — compute for self-hosted models
- OVHcloud GPU instances — training and inference
- Exoscale (Switzerland) — Kubernetes clusters for ML workloads
Vector Databases:
- Qdrant Cloud EU region (Germany, Qdrant GmbH Berlin)
- Weaviate Cloud EU deployment
- Milvus/Zilliz EU region
AI Observability and Auditing:
- Langfuse (Germany, open-source core) — LLM observability and evaluation
- Aim (self-hosted) — ML experiment tracking
- MLflow on EU infrastructure — model registry and lifecycle management
Content Moderation (for NCII prohibition compliance):
- Hive Moderation EU API
- Amazon Rekognition EU West-1 region (Irish entity — check CLOUD Act exposure)
- Self-hosted LLaVA/CLIP models on Hetzner for maximum control
The 2026-08-02 Readiness Checklist
30 Days Before Deadline (July 3, 2026)
- Complete the 47-point self-assessment checklist above
- Document all AI features with their Art.5 compliance analysis
- Identify any features requiring disablement or scoping changes
- Begin technical implementation of necessary feature flags or disablements
- Commission external legal review if any Art.5 borderline cases identified
14 Days Before Deadline (July 19, 2026)
- All prohibited features disabled or scoped to compliant contexts
- Technical controls implemented and tested
- Audit logs enabled for all AI decision points
- Staff training on Art.5 compliance completed
- Supplier and third-party AI service compliance verification received
7 Days Before Deadline (July 26, 2026)
- Final compliance documentation assembled
- Legal sign-off on all Art.5 analyses
- Incident response plan for potential NCA inquiries drafted
- Customer-facing compliance documentation published
- Internal point of contact for AI Act compliance designated
August 2, 2026
- All prohibited practices disabled
- Compliance documentation complete and signed
- Monitoring in place for any post-deadline feature creep
- Board-level awareness of ongoing compliance obligations
What Comes After August 2, 2026
Art.5 compliance is the floor, not the ceiling. After the prohibited practices enforcement date:
2026-12-02 — GPAI and transparency obligations: General-purpose AI providers must publish model cards, usage policies, and training data summaries. Watermarking requirements for AI-generated content take effect.
2027-08-02 — High-risk AI (Annex III) full enforcement: HR, education, critical infrastructure, and financial services AI systems face full conformity assessment requirements, CE marking, and registration in the EU AI database.
2028-08-02 — Embedded AI systems in Annex I products: AI in medical devices, vehicles, safety components requires full AI Act compliance in addition to sector-specific regulations.
The investment you make in Art.5 compliance infrastructure — observability, feature flags, documentation practices, audit logs — directly reduces the cost of subsequent compliance phases.
Series Summary: EU AI Act Prohibited Practices 2026
This five-part series covered the complete Art.5 landscape:
- Overview and Scope — What Art.5 is, who it applies to, and why August 2, 2026 is the primary trigger date for SaaS developers.
- Biometric Surveillance — Real-time facial recognition and biometric identification in public spaces: what is banned, what is permitted, and how to architect compliant video analytics.
- Emotion Recognition — Workplace and educational emotion inference: the Omnibus expansion, affected SaaS categories, and compliant alternatives.
- Social Scoring and Manipulation — Dark patterns, subliminal optimization, vulnerability exploitation, and social scoring: the four practices most likely to affect consumer-facing SaaS products.
- This post — The complete assessment framework, 47-point checklist, enforcement architecture, and EU-native compliance stack.
Deploy on EU Infrastructure for Baseline Compliance
Your AI compliance journey is only as reliable as your infrastructure's observability. Running on US-hosted infrastructure means your compliance evidence — logs, model outputs, decision records — may be subject to CLOUD Act disclosure without your knowledge or consent.
sota.io is EU-native managed PaaS running on Hetzner Germany. No US parent company, no CLOUD Act exposure, no question about where your AI pipeline data resides. Deploy your Art.5-compliant AI stack on infrastructure where sovereignty is a technical guarantee, not a contractual promise.
Git-deploy in minutes. EU data residency by default. From €9/month.