EU AI Act
Artificial Intelligence Act (Regulation (EU) 2024/1689)
The EU AI Act is the world's first comprehensive horizontal law governing artificial intelligence, using a risk-based approach that bans some uses outright, tightly regulates high-risk systems, and imposes transparency duties on others. It is especially relevant to identity because many of its strictest controls target biometric systems used to identify, categorize, or infer information about people. It entered into force on 1 August 2024 and applies in phases.
Who it applies to
Providers, deployers, importers, and distributors of AI systems placed on the market or used in the EU, including organizations outside the EU whose AI output is used within it. Biometric identification, biometric categorization, and emotion recognition systems are central targets.
Identity requirements
- Real-time remote biometric identification in publicly accessible spaces for law enforcement is prohibited except in narrowly defined situations (searching for victims of specific crimes, preventing a specific and present terrorist threat, or locating suspects of listed serious offences), each subject to prior judicial or independent administrative authorization
- Untargeted scraping of facial images from the internet or CCTV to build or expand facial recognition databases is banned
- Emotion recognition is prohibited in workplaces and educational institutions (except for medical or safety reasons), and biometric categorization that infers sensitive characteristics such as race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation is banned
- Where permitted, remote biometric identification (one-to-many matching against a reference database), biometric categorization by sensitive or protected attributes, and emotion recognition are high-risk systems and must meet risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness, and conformity-assessment requirements; one-to-one biometric verification whose sole purpose is to confirm that a person is who they claim to be is excluded from this high-risk category
- Deployers of emotion recognition and biometric categorization systems must inform the people exposed to them that such a system is in use (a law-enforcement exception applies)
- High-risk biometric systems must automatically record events over their lifetime; for remote biometric identification the logs must capture the period of each use, the reference database checked, the input data that produced a match, and the identity of the people who verified the results
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Identity verification (KYC/proofing) | One-to-many remote biometric identification (matching a face against a reference database) is high-risk and carries accuracy, data governance, logging, and human-oversight obligations. One-to-one verification that confirms a claimed identity, the usual selfie-to-document match in KYC, is excluded from that high-risk biometric category, although GDPR rules on biometric data still apply. |
| Authentication & MFA | Face or fingerprint login is one-to-one verification and is excluded from the high-risk biometric category; the same product becomes high-risk if it also performs one-to-many identification, categorizes people by sensitive attributes, or recognizes emotions, or if it falls under another listed high-risk use case. |
| Customer identity & consent (CIAM) | Deployers must notify people when emotion recognition or biometric categorization systems are used on them, shaping consumer-facing transparency in identity flows. |
| Audit, logging & accountability | High-risk biometric systems must automatically record events (for remote identification: period of use, reference database, matched input data, and who verified the results) and keep technical documentation to support traceability and regulatory oversight. |
Penalties
Violations of the prohibited-practices rules can incur fines of up to 35 million euros or 7 percent of total worldwide annual turnover, whichever is higher. Most other obligations, including the high-risk requirements, carry fines of up to 15 million euros or 3 percent of turnover, and supplying incorrect or misleading information to authorities carries up to 7.5 million euros or 1 percent.
EU AI Act: frequently asked questions
- When do the EU AI Act's biometric rules take effect?
- The Act entered into force on 1 August 2024. The prohibitions on certain biometric and emotion recognition practices applied from 2 February 2025, while high-risk obligations for biometric systems phase in later, generally from 2 August 2026.
- Does the EU AI Act ban all facial recognition?
- No. It bans untargeted scraping of facial images to build recognition databases and restricts real-time remote biometric identification in public spaces by law enforcement to narrow authorized cases. Other biometric identification systems are allowed but regulated as high-risk.
- Is biometric authentication for login covered?
- One-to-one verification whose sole purpose is to confirm that a person is who they claim to be is expressly excluded from the high-risk remote biometric identification category, so a face or fingerprint login is not high-risk on that basis alone. The data is still biometric data under the GDPR, and the same product becomes prohibited or high-risk if it also performs one-to-many identification, infers sensitive attributes, or recognizes emotions, so organizations should map each biometric use to the prohibited, high-risk, or transparency tier before deploying it.