Skip to content
← Back to blog
7 min read

Emotion Recognition and the EU AI Act: When It's Banned, When It's High-Risk, and When You Just Disclose It

Key takeaways

  • -Emotion recognition in the workplace and in education institutions is already prohibited under Article 5(1)(f) — in force since February 2, 2025, with only narrow medical and safety exceptions. This is a live ban, not a future deadline.
  • -Emotion recognition and biometric categorisation in other, permitted contexts are high-risk under Annex III point 1, carrying the full Article 8-15 obligations (now due December 2, 2027 after the Digital Omnibus).
  • -On top of that, Article 50(3) requires you to inform anyone exposed to an emotion recognition or biometric categorisation system, regardless of risk tier, starting August 2, 2026.

Emotion AI is quietly everywhere. Call centres score customer sentiment in real time. Hiring tools claim to read candidate engagement. Ad-tech categorises faces by mood or demographic. Proctoring software watches students for signs of stress. It all gets sold under friendly names, sentiment analysis, engagement scoring, audience insights.

Under the EU AI Act, the same underlying technology has three completely different fates depending on where and how you point it. In one setting it's outright illegal. In another it's high-risk with a full compliance regime. In a third you just have to tell people it's running. Most vendors selling this stuff aren't telling you which one you're in. Here's the map.

The same tech, three fates

The reason emotion AI is confusing under the Act is that it appears in three different places in the law at once: the prohibited list (Article 5), the high-risk list (Annex III), and the transparency rules (Article 50). Which one governs you is decided almost entirely by context, and the three even have three different dates. So the first question is never "is this allowed?" It's "where am I using it?"

Fate 1: banned (and this one's already in force)

Article 5(1)(f) prohibits AI systems that infer the emotions of a person in the workplace and in education institutions based on biometric data. Not high-risk. Not disclose-and-proceed. Prohibited.

Two things make this the most important paragraph in this post. First, the exceptions are narrow: only medical or safety reasons, and both are read strictly. "Medical" means approved medical devices, not general wellbeing or stress monitoring of staff. "Safety" has to be strictly necessary, limited in time and scale, and safeguarded. General "let's monitor team morale with AI" does not qualify.

Second, and this trips people up constantly: this ban is already in force. The Article 5 prohibitions became applicable on February 2, 2025. Unlike the transparency and high-risk deadlines that everyone is counting down to, this one passed over a year ago. If you are running emotion recognition on employees or students in the EU right now, you are not preparing for a future obligation. You are likely non-compliant today.

Check your HR and edtech stack first

The workplace and education ban catches companies that never thought of themselves as "emotion AI" companies. An interview tool that scores candidate enthusiasm, a productivity suite that gauges focus, a proctoring system that flags anxious students. If a tool infers emotions from biometric data in those settings, the question isn't how to disclose it. It's whether you can use it at all.

A close cousin lives here too. Article 5(1)(g) prohibits biometric categorisation that infers sensitive attributes like race, political opinions, religious beliefs, or sexual orientation. So categorising people by protected characteristics from their biometrics is banned outright, wherever you do it.

Fate 2: high-risk

Outside the workplace and education, emotion recognition isn't banned, but it isn't free either. Annex III, point 1 lists as high-risk:

  • Emotion recognition systems in contexts other than the prohibited ones (Annex III(1)(c)).
  • Biometric categorisation that is permitted but still sorts people by attributes (Annex III(1)(b)) — the residual category left after the Article 5 ban.
  • Remote biometric identification systems (Annex III(1)(a)).

High-risk means the full Article 8-15 regime: risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness testing, and a conformity assessment before you go to market. This is the heavy track, and thanks to the Digital Omnibus its deadline is now December 2, 2027. So if your emotion AI lands here, you have time, but it's a genuine documentation programme, not a checkbox.

Fate 3: you must disclose it (August 2)

Here's the one with the nearest deadline, and the one almost nobody is talking about. Article 50(3) says that deployers of an emotion recognition system or a biometric categorisation system must inform the people exposed to itthat it's operating.

The details that matter:

  • It applies regardless of risk tier. Even if your system somehow isn't high-risk, if it recognises emotion or categorises biometrically, you owe the disclosure.
  • People must be informed at the latest at the time of first exposure — including children.
  • There's no mandated format. Writing, a standardised icon, spoken notice, or a combination, whatever fits the context.
  • The one carve-out is for systems permitted by law to detect, prevent, or investigate criminal offences, with safeguards.

And crucially: this obligation starts August 2, 2026.It was not touched by the Omnibus. So the call-centre sentiment tool that isn't banned and isn't clearly high-risk still owes callers a disclosure in a matter of weeks. See our Article 50 transparency checklist for the rest of the disclosure obligations landing on the same date.

Three fates, three dates

Banned (workplace and education): in force since February 2, 2025. Transparency disclosure: August 2, 2026. High-risk obligations: December 2, 2027. The same technology, three different clocks. Which ones apply to you depends on where you deploy it.

The GDPR layer on top

None of this replaces GDPR. Biometric data is special-category data, so emotion recognition and biometric categorisation almost always trigger GDPR obligations too: a lawful basis, usually explicit consent, a data protection impact assessment, and the rest. The AI Act's Article 50(3) disclosure is separate from and additional to GDPR consent. Satisfying one does not satisfy the other. If you were relying on a GDPR consent banner to cover your AI Act duties, it doesn't.

How to tell which applies to you

Work it in this order, because the order is what keeps you out of the worst outcome:

  • First, ask where you deploy it. Workplace or education institution, inferring emotion from biometrics? Stop. That's the prohibited path, and it's already live. You need to establish whether a narrow exception applies or pull the feature.
  • Then check what you're categorising. Inferring sensitive attributes like race or political views from biometrics? Also prohibited, everywhere.
  • If it's permitted, classify it. Emotion recognition and permitted biometric categorisation are high-risk under Annex III. Scope the Article 8-15 work toward December 2027. A free classification confirms the tier.
  • Either way, plan the disclosure. If it's permitted at all, Article 50(3) applies from August 2, 2026. Build the notice into first exposure.
  • Layer in GDPR. Lawful basis, consent, DPIA for the biometric data itself.

The uncomfortable summary for a lot of teams: the emotion AI feature your vendor is still happily selling may be one you're not allowed to use the way you're using it. Start with where you point it, not with how to comply, because in the workplace and in the classroom the answer isn't "comply," it's "don't." For the broader biometric picture, our guide to biometric AI covers facial recognition and the rest of the category.

The deadlines aren't moving. Get updates that matter.

Get EU AI Act updates, enforcement news, and compliance guides delivered to your inbox. No spam — unsubscribe any time.

Check your AI system's risk level for free

Our classifier maps your AI system against the EU AI Act in under 60 seconds. No signup required.

Classify Your AI System