On 2 February 2025, the first substantive obligations of the European Union’s Artificial Intelligence Act began to apply. Six months after the Regulation entered into force on 1 August 2024, two early provisions switched on: the prohibitions on certain AI practices set out in Article 5, and the AI-literacy duty in Article 4. This article describes what changed on that date. It is a news explainer, not legal advice.
What Article 5 prohibits
Article 5 lists categories of AI use that the EU considers incompatible with fundamental rights and Union values, and therefore bans from the EU market. According to the published text of the Regulation, the prohibited practices include:
- Manipulative or deceptive techniques that materially distort behaviour and cause significant harm.
- Exploitation of vulnerabilities linked to age, disability or a specific social or economic situation.
- Social scoring by public or private actors leading to detrimental or disproportionate treatment.
- Individual criminal-risk prediction based solely on profiling or personality traits.
- Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases.
- Emotion recognition in workplaces and educational institutions, subject to narrow exceptions.
- Biometric categorisation inferring sensitive attributes such as race, political views or sexual orientation.
- Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, subject to limited, authorised exceptions.
These are bright-line prohibitions rather than risk-managed permissions. For a fuller treatment of how the Act’s tiers fit together, see our pillar overview of the EU AI Act.
The AI-literacy duty in Article 4
Alongside the bans, Article 4 introduced an obligation that applies far more broadly. Providers and deployers of AI systems must take measures to ensure, to their best extent, a sufficient level of AI literacy among staff and others operating systems on their behalf. The duty is framed proportionately: organisations must consider the technical knowledge, experience and training of the people involved, the context of use, and the individuals or groups the system is used on.
Unlike Article 5, the literacy duty is not limited to high-risk or prohibited systems. The European Commission has published questions and answers describing how the obligation is intended to operate. The terminology around AI systems, providers and deployers is defined in the Regulation itself; readers new to these distinctions may find our dictionary useful.
Why this date mattered
The 2 February 2025 milestone was the first point at which any part of the AI Act created direct, applicable obligations. It signalled the start of phased application that continues across subsequent years. The dates were fixed relative to entry into force: prohibitions and literacy at six months, general-purpose AI obligations at twelve months, and the bulk of high-risk requirements later still.
Scope and reach
The AI Act applies to providers placing systems on the EU market and to deployers using them within the Union, regardless of where the provider is established. This extraterritorial reach means organisations outside the EU can fall within scope where their systems are used in the Union. The Regulation positions itself as a product-safety-style framework layered on top of existing rights protections rather than a replacement for them.
How it relates to wider AI governance
The EU’s approach is binding law, but it sits within a broader landscape of voluntary frameworks that organisations use to structure internal governance. Many map their controls against instruments such as the NIST AI Risk Management Framework or the management-system standard ISO/IEC 42001. These do not satisfy EU legal obligations on their own, but they are widely referenced when firms operationalise principles such as risk assessment and human oversight.
The exceptions that shape the bans
Several of the Article 5 prohibitions are not absolute but carry carefully bounded carve-outs, and the detail matters. The ban on real-time remote biometric identification in public spaces for law enforcement, for example, is subject to narrow exceptions for specified objectives such as searching for certain victims of crime, preventing a substantial and imminent threat to life, or locating suspects of serious offences — and those uses are themselves wrapped in authorisation and safeguard conditions. Similarly, the emotion-recognition prohibition focuses on workplace and educational settings while leaving room for limited medical or safety purposes. Understanding the bans therefore means reading the qualifications alongside the headline category, which is one reason the Commission has issued supplementary guidance.
Guidelines on the prohibited practices
Recognising that the bans took effect before every boundary was self-evident, the European Commission published guidelines on the prohibited practices to help interpret Article 5. These materials work through the categories with examples and clarifications, addressing recurring questions such as how to distinguish lawful persuasion from prohibited manipulation, and where everyday biometric features end and prohibited biometric categorisation begins. The guidelines are not themselves binding law — the Regulation’s text governs — but they are an authoritative reference point for organisations interpreting scope.
What observers noted
Commentators highlighted that the prohibitions and literacy duty arrived before detailed guidance and harmonised standards for later stages were finalised, leaving organisations to interpret some boundaries using the legislative text and Commission materials. The Commission has continued to publish guidance to clarify scope as later phases approach. Analysts also noted the breadth of the literacy duty relative to the bans: while only a defined set of systems is prohibited, the literacy expectation touches almost any organisation that builds or uses AI, making it the more widely felt of the two early obligations in practice.
Penalties and enforcement architecture
The AI Act backs its prohibitions with a tiered penalty structure, and breaches of Article 5 sit at the most serious end, attracting the highest potential fines under the Regulation. Enforcement is allocated to national authorities designated by member states, coordinated at Union level through the European Artificial Intelligence Office and a board of member-state representatives. The phased application dates determine when each obligation becomes enforceable, which is why the February 2025 milestone — switching on the bans and literacy duty — was the first point at which any enforcement exposure under the Act could arise.
In summary
The 2 February 2025 date marked the point at which the EU AI Act stopped being purely prospective. Article 5’s prohibitions removed a defined set of AI uses from the EU market, and Article 4’s literacy duty placed a general, proportionate expectation on organisations that build or use AI. The official consolidated timeline is maintained on the European Commission’s digital-strategy site. Readers should treat this as a factual summary of the events and consult qualified advisers for application to their own circumstances.