Appearance
Prohibited practices and transparency obligations
This page covers two operative regimes of the EU AI Act that are routinely conflated with the 'pyramid' framing but that the Regulation treats separately and that apply independently of high-risk classification:
- Article 5 — prohibited practices. Eight categorical bans. No compliance route — the duty is don't deploy.
- Article 50 — transparency obligations. Four duties applied to specific deployments (chatbots, synthetic-content generation, emotion recognition or biometric categorisation, deepfakes). These apply whether or not the system is high-risk.
Neither regime is a 'tier'. A high-risk AI system can be subject to Article 50 transparency duties. A non-high-risk AI system can be Article 5 prohibited and therefore unlawful.
Quick decision
- You operate a chatbot, voice assistant, or any AI system that interacts directly with users → Article 50(1) interaction-disclosure duty applies to the provider by design. Implement before placing on the market.
- You generate synthetic audio, image, video, or text content (any GenAI deployment) → Article 50(2) machine-readable marking duty applies to the provider of the synthetic-content generator. Article 50(4) deployer-side deepfake disclosure applies when the generated image / audio / video constitutes a deep fake; an additional Article 50(4) duty applies when AI-generated text is published to inform the public on matters of public interest.
- You deploy an emotion-recognition or biometric-categorisation system on workers, students, or the public → Article 50(3) deployer-side disclosure applies. Workplace and education emotion recognition is also Article 5(1)(f) prohibited (with medical and safety exceptions) — re-check the prohibition first.
- You use AI for individual criminal-offence risk prediction, untargeted facial-image scraping, or social scoring → Article 5(1)(d), (e), (c) prohibitions apply categorically. There is no compliance route.
- You use real-time remote biometric identification in public spaces for law enforcement → Article 5(1)(h) prohibits this except for the exhaustive 5(1)(h)(i)–(iii) objectives, subject to the Article 5(2)–(7) authorisation regime (FRIA + EU-database registration under 5(2); prior judicial / independent administrative authorisation under 5(3); notification under 5(4); national-law detailed rules and stricter Member State laws under 5(5); annual reporting under 5(6)–(7)). This is a narrow conditional exception, not a general "compliance route" for RBI.
TL;DR
- Article 5(1)(a)–(h) lists eight categorical bans. The duty is don't deploy. Not 'highest-risk tier' — there is no tier here.
- Article 5 has been applicable since 2 February 2025 (Article 113(a)).
- Article 50 imposes four transparency duties by deployment type: provider-side AI-interaction disclosure (50(1)); provider-side synthetic-content marking (50(2)); deployer-side emotion / biometric notification (50(3)); deployer-side deepfake disclosure (50(4)).
- Article 50 applies from 2 August 2026 for new systems. The provisional Omnibus agreement, if adopted, would give providers of synthetic-content systems already on the market a four-month grace period until 2 December 2026 to comply with Article 50(2) only (provider-side machine-readable marking). Deployer-side Article 50(4) is not extended.
- Article 5 and Article 50 are independent of high-risk classification under Article 6. They can apply to non-high-risk systems and they can stack on top of high-risk obligations.
- The provisional Omnibus deal would add a new NCII / CSAM prohibited practice. Not adopted yet — Article 5 as published in OJ L of 12 July 2024 remains the binding list.
AI Omnibus provisional agreement (May 2026)
Status: provisional political agreement, pending formal adoption
On 7 May 2026 the Council presidency and European Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI (originally proposed by the Commission on 19 November 2025, part of the 'Omnibus VII' simplification package). The deal must still be formally endorsed by the Council and the Parliament and undergo legal/linguistic revision before adoption. This framework page will be updated once the Omnibus is formally adopted. Until then, the existing EU AI Act text remains legally binding.
Relevant to this page:
- New prohibition on AI-generated NCII and CSAM — co-legislators agreed to add a new prohibited practice covering AI systems used to generate non-consensual sexual or intimate content or child sexual abuse material. Placement within the prohibited-practices article to be confirmed in the consolidated text.
- Article 50(2) grace period of four months for legacy synthetic-content systems — providers of synthetic-content AI systems placed on the EU market before 2 August 2026 would have until 2 December 2026 to retrofit the Article 50(2) machine-readable marking obligation (provider-side only). Deployer-side Article 50(4) disclosure is not extended by the compromise. The Commission's November 2025 proposal had offered six months; the co-legislators reduced it to four.
Until adopted, the published 2024/1689 prohibitions and obligations remain the binding reference.
Primary source
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — EUR-Lex CELEX 32024R1689 · OJ L, 12.7.2024 · Articles 5 and 50. Verbatim quotes on this page reflect the OJ-published text. The AI Omnibus provisional-agreement statements draw on the Council compromise text ST 9247/26 of 13 May 2026, the Council press release of 7 May 2026 and the Commission Digital Omnibus on AI proposal of 19 November 2025; none is legally binding until adoption.
Article 5 — prohibited AI practices
Article 5(1) lists eight categorical prohibitions. They are bans, not strict-compliance tiers. There is no conformity-assessment route to legalise a prohibited practice.
The following AI practices shall be prohibited:
— Article 5(1) chapeau, Regulation (EU) 2024/1689
Article 5(1)(a) — subliminal, manipulative or deceptive techniques
(a) the placing on the market, the putting into service or the use of an AI system that deploys subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting the behaviour of a person or a group of persons by appreciably impairing their ability to make an informed decision, thereby causing them to take a decision that they would not have otherwise taken in a manner that causes or is reasonably likely to cause that person, another person or group of persons significant harm;
— Article 5(1)(a), Regulation (EU) 2024/1689
The prohibition has three operative elements that must all be present: a manipulative / deceptive / subliminal technique; material distortion of behaviour that impairs informed decision-making; significant harm (or reasonable likelihood of significant harm).
Article 5(1)(b) — exploitation of vulnerabilities
(b) the placing on the market, the putting into service or the use of an AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation, with the objective, or the effect, of materially distorting the behaviour of that person or a person belonging to that group in a manner that causes or is reasonably likely to cause that person or another person significant harm;
— Article 5(1)(b), Regulation (EU) 2024/1689
Article 5(1)(c) — social scoring
(c) the placing on the market, the putting into service or the use of AI systems for the evaluation or classification of natural persons or groups of persons over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, with the social score leading to either or both of the following: (i) detrimental or unfavourable treatment of certain natural persons or groups of persons in social contexts that are unrelated to the contexts in which the data was originally generated or collected; (ii) detrimental or unfavourable treatment of certain natural persons or groups of persons that is unjustified or disproportionate to their social behaviour or its gravity;
— Article 5(1)(c), Regulation (EU) 2024/1689
The prohibition applies whether the operator is public or private; the Commission's original proposal had been narrower to public authorities only.
Article 5(1)(d) — individual criminal-offence risk prediction
(d) the placing on the market, the putting into service for this specific purpose, or the use of an AI system for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics; this prohibition shall not apply to AI systems used to support the human assessment of the involvement of a person in a criminal activity, which is already based on objective and verifiable facts directly linked to a criminal activity;
— Article 5(1)(d), Regulation (EU) 2024/1689
The carve-out is narrow: the AI system can support an already-grounded human assessment based on objective and verifiable facts. Predictive policing built on profiling alone is prohibited.
Article 5(1)(e) — untargeted facial-image scraping
(e) the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage;
— Article 5(1)(e), Regulation (EU) 2024/1689
Article 5(1)(f) — emotion recognition in workplace and education
(f) the placing on the market, the putting into service for this specific purpose, or the use of AI systems to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons;
— Article 5(1)(f), Regulation (EU) 2024/1689
The exceptions are exhaustive: medical reasons or safety reasons. Workplace-engagement, productivity-monitoring, or interview-screening emotion-recognition is prohibited.
Article 5(1)(g) — biometric categorisation inferring sensitive attributes
(g) the placing on the market, the putting into service for this specific purpose, or the use of biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation; this prohibition does not cover any labelling or filtering of lawfully acquired biometric datasets, such as images, based on biometric data or categorizing of biometric data in the area of law enforcement;
— Article 5(1)(g), Regulation (EU) 2024/1689
The carve-out for law-enforcement labelling/filtering and dataset categorisation is narrow and limited to lawfully acquired biometric datasets.
Article 5(1)(h) — real-time remote biometric identification in public spaces
(h) the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, unless and in so far as such use is strictly necessary for one of the following objectives: (i) the targeted search for specific victims of abduction, trafficking in human beings or sexual exploitation of human beings, as well as the search for missing persons; (ii) the prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons or a genuine and present or genuine and foreseeable threat of a terrorist attack; (iii) the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.
— Article 5(1)(h), Regulation (EU) 2024/1689
The exceptions in Article 5(1)(h)(i)–(iii) are exhaustive. Article 5(2)–(7) sets the authorisation regime around them and must be read paragraph-by-paragraph:
- Article 5(2) — RBI for any of the 5(1)(h) objectives may only be deployed to confirm the identity of the specifically targeted individual; account must be taken of the nature of the situation and the consequences; use is subject to necessary and proportionate safeguards and conditions in national law (temporal, geographic and personal limitations). A prior fundamental-rights impact assessment under Article 27 and registration of the deployment in the EU database under Article 49 are pre-conditions (with a duly justified urgency exception allowing delayed registration).
- Article 5(3) — each individual use is subject to prior authorisation granted by a judicial authority or by an independent administrative authority whose decision is binding, on a reasoned request and in accordance with detailed rules of national law. In a duly justified situation of urgency, use may begin without authorisation provided that the authorisation is requested without undue delay (and within 24 hours at the latest); if refused, the use is stopped with immediate effect and all data deleted. The prior authorisation must be granted only where there are objective evidence or clear indications justifying that the use is necessary for, and proportionate to, achieving one of the 5(1)(h) objectives.
- Article 5(4) — each use is notified to the relevant market-surveillance authority and national data-protection authority of the Member State concerned, excluding sensitive operational data.
- Article 5(5) — Member States may decide to provide for the possibility of fully or partially authorising RBI for 5(1)(h) purposes, within the limits and conditions of 5(1)(h), 5(2) and 5(3), and shall lay down in their national law the necessary detailed rules. Member States may decide on stricter national laws than the AI Act framework.
- Article 5(6) — national market-surveillance authorities and data-protection authorities of the notified Member States shall submit annual reports to the Commission on the use of RBI systems for the 5(1)(h) purposes, with aggregated data on the number of decisions and the outcomes.
- Article 5(7) — the Commission shall publish annual reports on the use of RBI systems for law-enforcement purposes in the Union, based on the Member State data submitted under Article 5(6). Reports do not include sensitive operational data of the related law-enforcement activities.
Article 50 — transparency obligations
Article 50 imposes four transparency duties on specific deployments. They apply independently of high-risk classification under Article 6 — a non-high-risk chatbot is subject to Article 50(1); a high-risk AI system that generates synthetic content is subject to Article 50(2) on top of its Articles 8–15 obligations.
Article 50(1) — provider-side AI-interaction disclosure
Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate or prosecute criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, unless those systems are available for the public to report a criminal offence.
— Article 50(1), Regulation (EU) 2024/1689
This is a design obligation on the provider — the disclosure mechanism must be built into the system before it is placed on the market.
Article 50(2) — provider-side synthetic-content marking
Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated. Providers shall ensure their technical solutions are effective, interoperable, robust and reliable as far as this is technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation and the generally acknowledged state of the art, as may be reflected in relevant technical standards. This obligation shall not apply to the extent the AI systems perform an assistive function for standard editing or do not substantially alter the input data provided by the deployer or the semantics thereof, or where authorised by law to detect, prevent, investigate or prosecute criminal offences.
— Article 50(2), Regulation (EU) 2024/1689
The machine-readable requirement is the operative technical hook (watermarking, content credentials, C2PA-style attestations). The "assistive function" exception is narrow — autocomplete and grammar correction qualify; full-content generation does not.
Article 50(3) — deployer-side emotion-recognition / biometric-categorisation disclosure
Deployers of an emotion recognition system or a biometric categorisation system shall inform the natural persons exposed thereto of the operation of the system, and shall process the personal data in accordance with Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680, as applicable. This obligation shall not apply to AI systems used for biometric categorisation and emotion recognition, which are permitted by law to detect, prevent or investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, and in accordance with Union law.
— Article 50(3), Regulation (EU) 2024/1689
Note the GDPR / law-enforcement-directive overlay: the same processing is subject to Regulation (EU) 2016/679 (GDPR) or Directive (EU) 2016/680 (Law Enforcement Directive) in parallel. Recall that emotion recognition in workplace and education is prohibited under Article 5(1)(f) — Article 50(3) applies to permitted contexts.
Article 50(4) — deployer-side deepfake disclosure (+ AI-generated text on matters of public interest)
Deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake, shall disclose that the content has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offence. Where the content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme, the transparency obligations set out in this paragraph are limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work.
Deployers of an AI system that generates or manipulates text which is published with the purpose of informing the public on matters of public interest shall disclose that the text has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences or where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content.
— Article 50(4), Regulation (EU) 2024/1689
Article 50(4) has two limbs:
- Deepfake image / audio / video disclosure — the first sub-paragraph. Carve-outs: law-enforcement authorisation; artistic / satirical / fictional context (disclosure form is limited but not eliminated).
- AI-generated text on matters of public interest — the second sub-paragraph. Carve-outs: law-enforcement authorisation; human-review / editorial-control carve-out where a natural or legal person holds editorial responsibility. The carve-out is targeted: it does not exempt a publisher from disclosure where the text was published without human review or editorial control.
The artistic / satirical carve-out on the image / audio / video limb reduces the form of disclosure but does not eliminate it. The editorial-responsibility carve-out on the text limb does eliminate the disclosure — but conditional on actual human review and editorial responsibility.
Article 50(1) vs Article 50(2) — different addressees
Article 50(1) is a provider-side design duty (the AI system must be built to disclose). Article 50(2) is also provider-side but applies to a different system class (synthetic-content generators, covering audio, image, video, or text). Article 50(3) and 50(4) are deployer-side disclosure duties. A provider of a deepfake generator has Article 50(2); a deployer using the system has Article 50(4). Both apply to the same artefact at different stages of the value chain.
Article 50(5) — timing and accessibility
The information referred to in paragraphs 1 to 4 shall be provided to the natural persons concerned in a clear and distinguishable manner at the latest at the time of the first interaction or exposure. The information shall conform to the applicable accessibility requirements.
— Article 50(5), Regulation (EU) 2024/1689
Article 50(5) is the timing + format rule that anchors all four 50(1)–50(4) duties. The disclosure must be at the first interaction or exposure and meet accessibility requirements under EU accessibility law (Directives (EU) 2016/2102 and (EU) 2019/882).
How Article 5 and Article 50 interact with high-risk classification
The frequent error is to treat Article 5, Article 50 and Article 6 as tiers on a single scale. They are independent regimes that can stack:
| Scenario | Article 5 | Article 6 + Annex III | Article 50 |
|---|---|---|---|
| A workplace emotion-recognition AI used for productivity scoring | Prohibited under 5(1)(f) — stop | (not applicable) | (not applicable) |
| A consumer chatbot built on a GPT-style model | (not applicable) | (probably not Annex III) | 50(1) interaction disclosure; 50(2) synthetic-content marking (covers synthetic audio, image, video, or text) |
| A CV-screening AI used in recruitment | (not applicable unless manipulative) | Annex III(4)(a) — high-risk | Possibly 50(3) if it includes emotion/biometric categorisation |
| A deepfake generator used in advertising | (not applicable unless 5(1)(a)) | (not applicable unless Annex III(8)) | 50(2) provider + 50(4) deployer disclosure |
| A medical-device AI that interacts with patients | (not applicable; carve-out for medical safety in 5(1)(f) — but 5(1)(f) is workplace/education only) | Annex I if a safety component of a medical device | 50(1) if directly interacting with patients |
The point: there is no single decision tree. Run each regime check independently against the system's intended purpose and deployment context.
How to operationalise Articles 5 and 50 in Modulos
The Article 5 prohibited-practice screening and the Article 50 transparency duties map directly to MFF-1 (per-AI-system) requirements:
| Requirement | Description | OJ Article |
|---|---|---|
MRF-119 | Prohibited AI Practices | Article 5 |
MRF-54 | Post-Remote Biometric ID Authorisation and Reporting | Article 26(10) (linked to Article 5(1)(h) regime) |
MRF-44 | Transparent Interaction with Natural Persons | Article 50(1) |
MRF-45 | Computer-Generated Works Marking | Article 50(2) |
MRF-58 | Transparency of Biometric Categorisation | Article 50(3) |
MRF-59 | Transparency of Emotion Recognition | Article 50(3) |
MRF-60 | Transparency of Deepfakes | Article 50(4) (image / audio / video limb) |
MRF-61 | Transparency of Computer-Generated Reporting | Article 50(4) (text-on-matters-of-public-interest limb) |
Operating rules:
- Article 5 prohibited-practice screening (
MRF-119) is the per-system gate: the applicability rationale, the supporting evidence and any Article 5(2)–(7) authorisation regime artefacts (for 5(1)(h) real-time RBI cases) are recorded as control-level evidence linked to this requirement. Modulos does not provide a dedicated "prohibited-practice gate" workflow. - Article 50 transparency duties each have a dedicated MFF-1 requirement: design evidence for provider-side duties (
MRF-44/MRF-45) and deployer-policy evidence for deployer-side duties (MRF-58/MRF-59/MRF-60/MRF-61). The transparency notice itself is stored as control-level evidence — there is no dedicated transparency-notice UI surface.
Platform Article-numbering caveat: MRF-44, MRF-45, MRF-58–MRF-61 reference Article 52 internally (the pre-renumbering label). The final OJ-published Article is 50; the docs use the OJ number, the platform field uses the legacy label.
Go deeper: Operationalizing in Modulos.
Cross-framework mapping (preview)
| EU AI Act | Adjacent provision |
|---|---|
| Article 5(1)(a) manipulative techniques | UCPD 2005/29/EC (unfair commercial practices); DSA Article 25 dark-patterns prohibition |
| Article 5(1)(c) social scoring | GDPR Article 22 (no solely-automated decisions with legal effect); equality directives |
| Article 5(1)(e) untargeted facial-image scraping | GDPR Articles 5, 6, 9 (lawful basis, special-category); GDPR Article 14 information duty |
| Article 5(1)(h) RBI for law enforcement | LED 2016/680; ECHR Article 8 |
| Article 50(2) synthetic-content marking | DSA Article 35 systemic-risk mitigation for large platforms; voluntary C2PA standard |
| Article 50(3) emotion / biometric notification | GDPR Article 13/14 information duty; GDPR Article 9 special-category processing |
Related pages
High-risk AI systems
Article 6 + Annex I / III routing; Articles 8–15 obligations
General-purpose AI models
Chapter V model-level regime — separate from system-level Article 50
Roles and responsibilities
Provider-side (50(1), 50(2)) vs deployer-side (50(3), 50(4)) duties
EU AI Act overview
The four obligation regimes and common misreadings
Operationalizing in Modulos
OFF-1 + MFF-1 rollout, scoping, evidence
Commission guidance on prohibited practices
Per-prohibition Commission interpretation (C(2025) 5052 final, 29 July 2025) — soft law, not binding
EU AI Act vs GDPR
Where Article 5 and Article 50 interact with GDPR
Source attribution
Regulation (EU) 2024/1689 — Articles 5 and 50 — is published in the Official Journal of the European Union L of 12 July 2024 (CELEX 32024R1689). Verbatim blockquotes on this page reflect the OJ-published text. The AI Omnibus consolidated text, when published, will supersede where it amends Article 5 (NCII / CSAM addition) or Article 50 (legacy-systems grace period).
Disclaimer
This page is for general informational purposes and does not constitute legal advice.