Skip to content

Prohibited practices and transparency obligations

This page covers two operative regimes of the EU AI Act that are routinely conflated with the 'pyramid' framing but that the Regulation treats separately and that apply independently of high-risk classification:

  • Article 5 — prohibited practices. Eight categorical bans. No compliance route — you must not place on the market, put into service, or use the prohibited practice (subject to the express Article 5 carve-outs).
  • Article 50 — transparency obligations. Four duties applied to specific deployments (chatbots, synthetic-content generation, emotion recognition or biometric categorisation, deepfakes). These apply whether or not the system is high-risk.

Neither regime is a 'tier'. A high-risk AI system can be subject to Article 50 transparency duties. A non-high-risk AI system can be Article 5 prohibited and therefore unlawful.

Quick decision

  • You provide a chatbot, voice assistant, or any AI system intended to interact directly with natural persons → Article 50(1) interaction-disclosure duty applies to the provider by design. Build the disclosure in before placing on the market.
  • You are a provider of an AI system generating synthetic audio, image, video, or text content → Article 50(2) machine-readable marking duty applies to the provider, unless an Article 50(2) exception applies (assistive editing / no substantial alteration / law-enforcement). Deployer-side Article 50(4) is separate: it applies when the generated image / audio / video constitutes a deep fake, and an additional Article 50(4) duty covers AI-generated text published to inform the public on matters of public interest.
  • You deploy an emotion-recognition or biometric-categorisation system on workers, students, or the public → Article 50(3) deployer-side disclosure applies. Workplace and education emotion recognition is also Article 5(1)(f) prohibited (with medical and safety exceptions) — re-check the prohibition first.
  • You use AI for individual criminal-offence risk prediction, untargeted facial-image scraping, or social scoring → Article 5(1)(d), (e), (c) prohibitions apply categorically. There is no compliance route.
  • You use real-time remote biometric identification in publicly accessible spaces for law enforcement → Article 5(1)(h) prohibits this except for the exhaustive 5(1)(h)(i)–(iii) objectives, subject to the Article 5(2)–(7) authorisation regime (FRIA + EU-database registration under 5(2); prior judicial / independent administrative authorisation under 5(3); notification under 5(4); national-law detailed rules and stricter Member State laws under 5(5); annual reporting under 5(6)–(7)). This is a narrow conditional exception, not a general "compliance route" for RBI.

TL;DR

  • Article 5(1)(a)–(h) lists eight categorical bans (ten once the adopted Omnibus is in force and its NCII and CSAM prohibitions apply from 2 December 2026). The duty is that you must not place on the market, put into service, or use the prohibited practice (subject to the express Article 5 carve-outs). Not 'highest-risk tier' — there is no tier here.
  • Article 5 has been applicable since 2 February 2025 (Article 113(a)).
  • Article 50 imposes four transparency duties by deployment type: provider-side AI-interaction disclosure (50(1)); provider-side synthetic-content marking (50(2)); deployer-side emotion / biometric notification (50(3)); deployer-side deepfake disclosure (50(4)).
  • Article 50 applies from 2 August 2026; on entry into force, the adopted Digital Omnibus on AI will give only providers of synthetic-content systems already on the market before that date the Article 111(4) grace for Article 50(2) (provider-side machine-readable marking) until 2 December 2026. Deployer-side Article 50(4) is not extended.
  • Article 5 and Article 50 are independent of high-risk classification under Article 6. They can apply to non-high-risk systems and they can stack on top of high-risk obligations.
  • On entry into force, the adopted Digital Omnibus on AI will add two new prohibited practices — Article 5(1)(ba) (NCII) and (bb) (CSAM) — applicable from 2 December 2026.

Digital Omnibus on AI (adopted June 2026)

Status: adopted June 2026, not yet in force

The Digital Omnibus on AI is adopted. The European Parliament approved the agreed text on 16 June 2026 (legislative resolution P10_TA(2026)0198, 423 to 57 with 174 abstentions) and the Council formally adopted it on 29 June 2026 (Procedure 2025/0359(COD); Commission proposal COM(2025) 836 of 19 November 2025). It is not yet in force; on entry into force it will amend Regulation (EU) 2024/1689, and it will enter into force on the third day after publication in the Official Journal. See the Digital Omnibus hub section for the full provision detail.

Relevant to this page:

  • New prohibitions on AI-generated NCII and CSAM — new Article 5(1)(ba) (NCII) and 5(1)(bb) (CSAM); once in force, applicable from 2 December 2026 (Article 113(a)).
  • Article 50(2) grace period of four months for legacy synthetic-content systems — once in force, providers of synthetic-content AI systems placed on the EU market before 2 August 2026 will have until 2 December 2026 to retrofit the Article 50(2) machine-readable marking (provider-side only; new Article 111(4)). Deployer-side Article 50(4) disclosure is not extended.

Primary source

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — EUR-Lex CELEX 32024R1689 · OJ L, 12.7.2024 · Articles 5 and 50. Verbatim quotes on this page reflect the OJ-published text. The Digital Omnibus on AI statements reflect the adopted text — European Parliament position P10_TA(2026)0198 of 16 June 2026 (procedure 2025/0359(COD); Council adoption 29 June 2026), based on the Commission proposal of 19 November 2025 — not yet in force; it will enter into force on the third day after Official Journal publication.

Article 5 — prohibited AI practices

Article 5(1) lists eight categorical prohibitions (ten once the adopted Omnibus is in force and its NCII and CSAM prohibitions apply from 2 December 2026). They are bans, not strict-compliance tiers. There is no conformity-assessment route to legalise a prohibited practice.

The following AI practices shall be prohibited:

— Article 5(1) chapeau, Regulation (EU) 2024/1689

Article 5(1)(a) — subliminal, manipulative or deceptive techniques

(a) the placing on the market, the putting into service or the use of an AI system that deploys subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting the behaviour of a person or a group of persons by appreciably impairing their ability to make an informed decision, thereby causing them to take a decision that they would not have otherwise taken in a manner that causes or is reasonably likely to cause that person, another person or group of persons significant harm;

— Article 5(1)(a), Regulation (EU) 2024/1689

The prohibition has three operative elements that must all be present: a manipulative / deceptive / subliminal technique; material distortion of behaviour that impairs informed decision-making; significant harm (or reasonable likelihood of significant harm).

Article 5(1)(b) — exploitation of vulnerabilities

(b) the placing on the market, the putting into service or the use of an AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation, with the objective, or the effect, of materially distorting the behaviour of that person or a person belonging to that group in a manner that causes or is reasonably likely to cause that person or another person significant harm;

— Article 5(1)(b), Regulation (EU) 2024/1689

Article 5(1)(c) — social scoring

(c) the placing on the market, the putting into service or the use of AI systems for the evaluation or classification of natural persons or groups of persons over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, with the social score leading to either or both of the following: (i) detrimental or unfavourable treatment of certain natural persons or groups of persons in social contexts that are unrelated to the contexts in which the data was originally generated or collected; (ii) detrimental or unfavourable treatment of certain natural persons or groups of persons that is unjustified or disproportionate to their social behaviour or its gravity;

— Article 5(1)(c), Regulation (EU) 2024/1689

The prohibition applies whether the operator is public or private; the Commission's original proposal had been narrower to public authorities only.

Article 5(1)(d) — individual criminal-offence risk prediction

(d) the placing on the market, the putting into service for this specific purpose, or the use of an AI system for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics; this prohibition shall not apply to AI systems used to support the human assessment of the involvement of a person in a criminal activity, which is already based on objective and verifiable facts directly linked to a criminal activity;

— Article 5(1)(d), Regulation (EU) 2024/1689

The carve-out is narrow: the AI system can support an already-grounded human assessment based on objective and verifiable facts. Predictive policing built on profiling alone is prohibited.

Article 5(1)(e) — untargeted facial-image scraping

(e) the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage;

— Article 5(1)(e), Regulation (EU) 2024/1689

Article 5(1)(f) — emotion recognition in workplace and education

(f) the placing on the market, the putting into service for this specific purpose, or the use of AI systems to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons;

— Article 5(1)(f), Regulation (EU) 2024/1689

The exceptions are exhaustive: medical reasons or safety reasons. Workplace-engagement and productivity-monitoring emotion-recognition are prohibited; interview-screening emotion-recognition is prohibited where it is used in the workplace or education-institution context and no medical or safety exception applies.

Article 5(1)(g) — biometric categorisation inferring sensitive attributes

(g) the placing on the market, the putting into service for this specific purpose, or the use of biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation; this prohibition does not cover any labelling or filtering of lawfully acquired biometric datasets, such as images, based on biometric data or categorizing of biometric data in the area of law enforcement;

— Article 5(1)(g), Regulation (EU) 2024/1689

The carve-out for law-enforcement labelling/filtering and dataset categorisation is narrow and limited to lawfully acquired biometric datasets.

Article 5(1)(h) — real-time remote biometric identification in publicly accessible spaces

(h) the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, unless and in so far as such use is strictly necessary for one of the following objectives: (i) the targeted search for specific victims of abduction, trafficking in human beings or sexual exploitation of human beings, as well as the search for missing persons; (ii) the prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons or a genuine and present or genuine and foreseeable threat of a terrorist attack; (iii) the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.

— Article 5(1)(h), Regulation (EU) 2024/1689

The exceptions in Article 5(1)(h)(i)–(iii) are exhaustive. Article 5(2)–(7) sets the authorisation regime around them and must be read paragraph-by-paragraph:

  • Article 5(2) — RBI for any of the 5(1)(h) objectives may only be deployed to confirm the identity of the specifically targeted individual; account must be taken of the nature of the situation and the consequences; use is subject to necessary and proportionate safeguards and conditions in national law (temporal, geographic and personal limitations). A prior fundamental-rights impact assessment under Article 27 and registration of the deployment in the EU database under Article 49 are pre-conditions (with a duly justified urgency exception allowing delayed registration).
  • Article 5(3) — each individual use is subject to prior authorisation granted by a judicial authority or by an independent administrative authority whose decision is binding, on a reasoned request and in accordance with detailed rules of national law. In a duly justified situation of urgency, use may begin without authorisation provided that the authorisation is requested without undue delay (and within 24 hours at the latest); if refused, the use is stopped with immediate effect and all data deleted. The prior authorisation must be granted only where there are objective evidence or clear indications justifying that the use is necessary for, and proportionate to, achieving one of the 5(1)(h) objectives.
  • Article 5(4) — each use is notified to the relevant market-surveillance authority and national data-protection authority of the Member State concerned, excluding sensitive operational data.
  • Article 5(5) — Member States may decide to provide for the possibility of fully or partially authorising RBI for 5(1)(h) purposes, within the limits and conditions of 5(1)(h), 5(2) and 5(3), and shall lay down in their national law the necessary detailed rules. Member States may decide on stricter national laws than the AI Act framework.
  • Article 5(6) — national market-surveillance authorities and data-protection authorities of the notified Member States shall submit annual reports to the Commission on the use of RBI systems for the 5(1)(h) purposes, with aggregated data on the number of decisions and the outcomes.
  • Article 5(7) — the Commission shall publish annual reports on the use of RBI systems for law-enforcement purposes in the Union, based on the Member State data submitted under Article 5(6). Reports do not include sensitive operational data of the related law-enforcement activities.

Article 50 — transparency obligations

Article 50 imposes four transparency duties on specific deployments. They apply independently of high-risk classification under Article 6 — a non-high-risk chatbot is subject to Article 50(1); a high-risk AI system that generates synthetic content is subject to Article 50(2) on top of its Articles 8–15 obligations.

Article 50(1) — provider-side AI-interaction disclosure

Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate or prosecute criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, unless those systems are available for the public to report a criminal offence.

— Article 50(1), Regulation (EU) 2024/1689

This is a design obligation on the provider — the disclosure mechanism must be built into the system before it is placed on the market.

Article 50(2) — provider-side synthetic-content marking

Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated. Providers shall ensure their technical solutions are effective, interoperable, robust and reliable as far as this is technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation and the generally acknowledged state of the art, as may be reflected in relevant technical standards. This obligation shall not apply to the extent the AI systems perform an assistive function for standard editing or do not substantially alter the input data provided by the deployer or the semantics thereof, or where authorised by law to detect, prevent, investigate or prosecute criminal offences.

— Article 50(2), Regulation (EU) 2024/1689

The machine-readable requirement is the operative technical hook (watermarking, content credentials, C2PA-style attestations). The "assistive function" exception is narrow — basic grammar correction and standard-editing assistance may qualify where they do not substantially alter the input data or its semantics; full-content generation does not.

Article 50(3) — deployer-side emotion-recognition / biometric-categorisation disclosure

Deployers of an emotion recognition system or a biometric categorisation system shall inform the natural persons exposed thereto of the operation of the system, and shall process the personal data in accordance with Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680, as applicable. This obligation shall not apply to AI systems used for biometric categorisation and emotion recognition, which are permitted by law to detect, prevent or investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, and in accordance with Union law.

— Article 50(3), Regulation (EU) 2024/1689

Note the GDPR / law-enforcement-directive overlay: the same processing is subject to Regulation (EU) 2016/679 (GDPR) or Directive (EU) 2016/680 (Law Enforcement Directive) in parallel. Recall that emotion recognition in workplace and education is prohibited under Article 5(1)(f) — Article 50(3) applies to permitted contexts.

Article 50(4) — deployer-side deepfake disclosure (+ AI-generated text on matters of public interest)

Deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake, shall disclose that the content has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences. Where the content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme, the transparency obligations set out in this paragraph are limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work.

Deployers of an AI system that generates or manipulates text which is published with the purpose of informing the public on matters of public interest shall disclose that the text has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences or where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content.

— Article 50(4), Regulation (EU) 2024/1689

Article 50(4) has two limbs:

  1. Deepfake image / audio / video disclosure — the first sub-paragraph. Carve-outs: law-enforcement authorisation; artistic / satirical / fictional context (disclosure form is limited but not eliminated).
  2. AI-generated text on matters of public interest — the second sub-paragraph. Carve-outs: law-enforcement authorisation; human-review / editorial-control carve-out where a natural or legal person holds editorial responsibility. The carve-out is targeted: it does not exempt a publisher from disclosure where the text was published without human review or editorial control.

The artistic / satirical carve-out on the image / audio / video limb reduces the form of disclosure but does not eliminate it. The editorial-responsibility carve-out on the text limb does eliminate the disclosure — but conditional on actual human review and editorial responsibility.

Article 50(1) vs Article 50(2) — different addressees

Article 50(1) is a provider-side design duty (the AI system must be built to disclose). Article 50(2) is also provider-side but applies to a different system class (synthetic-content generators, covering audio, image, video, or text). Article 50(3) and 50(4) are deployer-side disclosure duties. A provider of a deepfake generator has Article 50(2); a deployer using the system has Article 50(4). Both apply to the same artefact at different stages of the value chain.

Article 50(5) — timing and accessibility

The information referred to in paragraphs 1 to 4 shall be provided to the natural persons concerned in a clear and distinguishable manner at the latest at the time of the first interaction or exposure. The information shall conform to the applicable accessibility requirements.

— Article 50(5), Regulation (EU) 2024/1689

Article 50(5) is the timing + format rule that anchors all four 50(1)–50(4) duties. The disclosure must be at the first interaction or exposure and meet accessibility requirements under EU accessibility law (Directives (EU) 2016/2102 and (EU) 2019/882).

How Article 5 and Article 50 interact with high-risk classification

The frequent error is to treat Article 5, Article 50 and Article 6 as tiers on a single scale. They are independent regimes that can stack:

ScenarioArticle 5Article 6 + Annex IIIArticle 50
A workplace emotion-recognition AI used for productivity scoringProhibited under 5(1)(f) — stop(not applicable)(not applicable)
A consumer chatbot built on a GPT-style model(not applicable)(probably not Annex III)50(1) interaction disclosure; 50(2) synthetic-content marking (covers synthetic audio, image, video, or text)
A CV-screening AI used in recruitmentScreen 5(1)(f) first — recruitment emotion recognition is workplace use, often prohibitedAnnex III(4)(a) — high-risk50(3) only after the 5(1)(f) screen, if emotion / biometric categorisation remains
A deepfake generator used in advertising(not applicable unless 5(1)(a))(not applicable unless Annex III(8))50(2) provider + 50(4) deployer disclosure
A medical-device AI that interacts with patients(not applicable; carve-out for medical safety in 5(1)(f) — but 5(1)(f) is workplace/education only)Annex I if a safety component of a medical device50(1) if directly interacting with patients

The point: there is no single decision tree. Run each regime check independently against the system's intended purpose and deployment context.

How to operationalise Articles 5 and 50 in Modulos

The Article 5 prohibited-practice screening and the Article 50 transparency duties map directly to MFF-1 (per-AI-system) requirements:

RequirementDescriptionOJ Article
MRF-119Prohibited AI PracticesArticle 5
MRF-54Post-Remote Biometric ID Authorisation and ReportingArticle 26(10) (post-remote biometric identification; separate from the Article 5(1)(h) real-time RBI regime)
MRF-44Transparent Interaction with Natural PersonsArticle 50(1)
MRF-45Computer-Generated Works MarkingArticle 50(2)
MRF-58Transparency of Biometric CategorisationArticle 50(3)
MRF-59Transparency of Emotion RecognitionArticle 50(3)
MRF-60Transparency of DeepfakesArticle 50(4) (image / audio / video limb)
MRF-61Transparency of Computer-Generated ReportingArticle 50(4) (text-on-matters-of-public-interest limb)

Operating rules:

  • Article 5 prohibited-practice screening (MRF-119) is the per-system gate: the applicability rationale, the supporting evidence and any Article 5(2)–(7) authorisation regime artefacts (for 5(1)(h) real-time RBI cases) are recorded as control-level evidence linked to this requirement. Modulos does not provide a dedicated "prohibited-practice gate" workflow.
  • Article 50 transparency duties each have a dedicated MFF-1 requirement: design evidence for provider-side duties (MRF-44 / MRF-45) and deployer-policy evidence for deployer-side duties (MRF-58 / MRF-59 / MRF-60 / MRF-61). The transparency notice itself is stored as control-level evidence — there is no dedicated transparency-notice UI surface.

Platform Article-numbering caveat: MRF-44, MRF-45, MRF-58MRF-61 reference Article 52 internally (the pre-renumbering label). The final OJ-published Article is 50; the docs use the OJ number, the platform field uses the legacy label.

Go deeper: Operationalizing in Modulos.

Cross-framework mapping (preview)

EU AI ActAdjacent provision
Article 5(1)(a) manipulative techniquesUCPD 2005/29/EC (unfair commercial practices); DSA Article 25 dark-patterns prohibition
Article 5(1)(c) social scoringGDPR Article 22 (no solely-automated decisions with legal effect); equality directives
Article 5(1)(e) untargeted facial-image scrapingGDPR Articles 5, 6, 9 (lawful basis, special-category); GDPR Article 14 information duty
Article 5(1)(h) RBI for law enforcementLED 2016/680; ECHR Article 8
Article 50(2) synthetic-content markingDSA Article 35 systemic-risk mitigation for large platforms; voluntary C2PA standard
Article 50(3) emotion / biometric notificationGDPR Article 13/14 information duty; GDPR Article 9 special-category processing

Source attribution

Regulation (EU) 2024/1689 — Articles 5 and 50 — is published in the Official Journal of the European Union L of 12 July 2024 (CELEX 32024R1689). Verbatim blockquotes on this page reflect the OJ-published text. The Digital Omnibus amending Regulation, on entry into force, will amend Regulation (EU) 2024/1689 by adding Article 5(1)(ba), 5(1)(bb), 5(1a) and 5(1b), and by inserting Article 111(4), a transitional grace period for legacy Article 50(2) systems.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.