IA 360
Regulatory Framework

EU's AI Act Now Bans 'Unacceptable Risk' AI Uses

As of this Sunday, the European Union can ban AI systems it deems to pose 'unacceptable risk' — social scoring, subliminal manipulation, or emotion detection at work. Fines can reach 7% of global revenue.

Admin IA360 7 min read Leer en español

As of this Sunday, February 2, European Union regulators can ban the use of artificial intelligence systems they consider to pose an "unacceptable risk." It's the first compliance deadline under the AI Act, the EU's sweeping AI regulation that the European Parliament finally passed last March after years of negotiation and that took effect on August 1. From now on, certain uses of the technology are flatly off-limits across the bloc.

The law is the first comprehensive AI regulation to come with real teeth. Companies caught using any of the banned applications inside the EU face fines of up to €35 million (roughly $36 million) or 7% of their global annual revenue from the previous fiscal year — whichever is higher. And the penalty applies no matter where the company is headquartered.

Four risk tiers

The AI Act classifies systems by how much danger they pose to people. At the bottom sits minimal risk — spam filters, for instance — which faces no oversight at all. Next comes limited risk, covering things like customer-service chatbots, subject to light-touch oversight. The third tier is high risk, such as AI that issues healthcare recommendations, which comes under strict scrutiny.

At the top is unacceptable risk — the focus of this month's new obligations. These uses aren't merely regulated; they're banned outright. The logic is simple: the EU considers the potential harm from these applications so severe that no amount of mitigation or safeguarding makes them acceptable.

What's now banned

Article 5 of the regulation spells out the prohibited uses. Among them:

  • Social scoring: systems that build risk profiles based on a person's behavior.
  • AI that manipulates a person's decisions subliminally or deceptively.
  • AI that exploits vulnerabilities tied to age, disability, or socioeconomic status.
  • Systems that attempt to predict criminal behavior based on physical appearance.
  • AI that uses biometric data to infer personal traits, such as sexual orientation.
  • Real-time biometric data collection in public spaces for law enforcement purposes.
  • Systems that try to infer emotions at work or in school.
  • AI that builds or expands facial recognition databases by scraping images from the internet or security cameras.

Taken together, the list draws a fairly clear map of Europe's red lines: mass biometric surveillance, social-credit-style citizen scoring, and systems that try to read minds or moods in settings with a built-in power imbalance, like the relationship between an employer and an employee, or a school and a student.

The fines aren't biting yet

Although the bans are technically in force now, enforcement will take longer to arrive. As Rob Sumroy, head of technology at British law firm Slaughter and May, told TechCrunch: "Organizations are expected to be fully compliant by February 2, but … the next big deadline that companies need to be aware of is in August."

By then, Sumroy added, "we'll know who the competent authorities are, and the fines and enforcement provisions will take effect." In other words, the rulebook already spells out what's forbidden, but the machinery to enforce and collect penalties is still being built.

That gap between what the law says and how it's actually applied is common in European regulation, but it leaves companies navigating a period of uncertainty — adapting to new rules without yet knowing exactly who will police them or how.

Early pledges and notable holdouts

In some ways, February 2 is a formality. Last September, more than 100 companies signed the EU AI Pact, a voluntary commitment to start applying the regulation's principles ahead of the legal deadline. Signatories included Amazon, Google, and OpenAI, all of which pledged to identify which of their systems might fall into the high-risk category.

Some heavyweights sat it out. Meta and Apple didn't sign the pact, and neither did French startup Mistral, one of the AI Act's fiercest critics. Not signing doesn't mean not complying, though: as Sumroy notes, given the nature of the prohibited use cases, most companies aren't engaging in those practices anyway. Few businesses are building social-scoring systems or tools that predict crime from someone's appearance.

The industry's real worry lies elsewhere. "A key concern around the EU AI Act is whether clear guidelines, standards, and codes of conduct will arrive in time — and crucially, whether they will provide organizations with clarity on compliance," Sumroy said. For now, he noted, the working groups are meeting their deadlines on the code of conduct for developers.

The exceptions

Several of the bans come with caveats. Biometric data collection in public spaces, for example, is permitted for law enforcement in specific circumstances: a "targeted search" for a kidnapping victim, say, or to prevent a "specific, substantial, and imminent" threat to life. That exception requires authorization from the relevant governing body, and the regulation is explicit that police can't make a decision that "produces an adverse legal effect" on a person based solely on what these systems output.

There's also a carve-out for systems that infer emotions at work or in school when there's a "medical or safety" justification — systems designed for therapeutic purposes, for instance.

The European Commission said it would publish additional guidelines in "early 2025," following a stakeholder consultation in November. Those guidelines still haven't materialized.

Not the only law in play

How the AI Act fits alongside the rest of Europe's legal framework remains an open question. Sumroy warns that AI regulation "doesn't exist in isolation." Other rules — the GDPR, the NIS2 cybersecurity directive, the DORA regulation on operational resilience in finance — will all interact with the new law, and friction is likely, particularly around incident-notification requirements that overlap in places.

"Understanding how these laws fit together will be just as crucial as understanding the AI Act itself," Sumroy said. Clarity, presumably, won't arrive until later in the year, as the August enforcement deadline draws closer.

With this first deadline, Europe is staking out its ground — putting in writing which AI uses it considers incompatible with its values before those technologies become the norm. What remains to be seen is whether the enforcement system can live up to the ambition of the law itself.

Share this article

This website uses cookies to improve the browsing experience. Cookie policy.