Transparency rules in2 Aug 2026
Library / Guide

Biometric AI under the Act

Biometrics are the one area that touches every tier of the Act at once. Some uses are banned, some are high-risk, and some only need disclosure. Here is the map.

Why biometrics are treated carefully

Because they identify people, and infer things about them, from their bodies, biometric systems can affect rights quickly and at scale, and they are hard to opt out of. A face is not a password you can change.

That is why the Act spreads biometrics across every tier, from banned to high-risk to transparency. Where a particular use lands depends closely on exactly what it does.

The banned uses

Several biometric uses are prohibited outright under Article 5: untargeted scraping of faces to build recognition databases, emotion recognition in workplaces and schools, and biometric categorisation that infers sensitive traits like race, beliefs, or sexual orientation.

Real-time remote identification in public spaces for law enforcement is also banned, except in narrow, tightly controlled cases. For a business, the practical message is that anything reading emotion or sorting people by sensitive traits is likely over the line.

The high-risk uses

Remote biometric identification systems, and the biometric categorisation and emotion recognition uses that are not outright banned, generally fall into Annex III as high-risk, carrying the full deployer duties.

So even where a biometric use is allowed, it is rarely low-stakes. If you are running one, expect human oversight, record-keeping, and documentation to apply.

The transparency layer

Where you operate an allowed emotion recognition or biometric categorisation system, you generally have to inform the people exposed to it, under Article 50. People should know when a system is reading their biometrics.

This transparency duty sits on top of, not instead of, any high-risk duties the same use carries.

For a typical business

Most never run biometric identification at all. But two everyday cases are worth a careful look: face or fingerprint access control, and any analytics that claim to read emotion or infer traits about staff or customers.

Classify these carefully, and anywhere near the Article 5 line, check with counsel before going ahead. Biometrics is an area where a feature that sounds clever can quietly be prohibited.

Placeholder

This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.

Put it into practice

Classify your AI systems against the Act and generate the documents this guide describes.

A note on cookies

We use strictly necessary cookies to run the site and keep it secure. With your OK, we also use privacy-respecting, EU-hosted analytics to see how Veillo is used. No advertising, no third-party trackers. Read our cookie policy.