Biometric Identification — EU AI Act Classification and Obligations
Definition
Biometric identification in AI systems refers to the automated recognition of individuals based on their biological or behavioral characteristics — including facial geometry, fingerprints, iris patterns, gait, voice, or combinations thereof. Under the EU AI Act, AI-based biometric identification is among the most tightly regulated AI applications, straddling the boundary between permitted high-risk systems and absolutely prohibited practices.
The regulation distinguishes between remote biometric identification in real time (capturing biometric data from individuals at a distance without their knowledge, such as facial recognition in live video feeds) and post-remote biometric identification (processing previously captured biometric data). Real-time remote biometric identification by law enforcement in publicly accessible spaces is prohibited under Article 5, with narrow exceptions. Biometric verification systems — one-to-one matching that confirms an individual’s claimed identity — are treated differently from identification systems — one-to-many matching that identifies an individual from a database.
Biometric categorisation systems that infer sensitive characteristics (political opinions, religious beliefs, sexual orientation, race) from biometric data are prohibited under Article 5 regardless of context.
Why it matters operationally
Biometric identification matters because it is the AI application category with the highest regulatory sensitivity in the EU AI Act. Misclassification of a biometric system — treating a prohibited real-time identification system as a permitted high-risk system — exposes organizations to the regulation’s highest fine tier: up to 35 million euros or 7% of global annual turnover.
For enterprise buyers, the biometric classification question is not always obvious. A security access system using facial recognition to verify employee identity (one-to-one, consent-based, on-premises) is a high-risk system subject to conformity assessment obligations, not a prohibited practice. A retail analytics system using facial recognition to identify individuals from a customer database without their knowledge would be prohibited. The distinction requires careful regulatory analysis, not assumption.
Regulatory framework
| Framework | Biometric identification requirements |
|---|---|
| EU AI Act — Art. 5 | Real-time remote biometric identification by law enforcement in publicly accessible spaces is prohibited with very narrow exceptions. Biometric categorization systems inferring sensitive characteristics are prohibited without exceptions. |
| EU AI Act — Annex III | Non-prohibited biometric identification systems are high-risk systems subject to mandatory conformity assessment. |
| GDPR | Biometric data is a special category under GDPR Art. 9. Processing requires enhanced legal basis (explicit consent or specific exception) and additional security measures. |
| ISO/IEC 42001 | Biometric systems within AIMS scope must be documented, risk-assessed, and subject to governance controls. |
How Zertia evaluates it
Zertia’s EU AI Act Assessment includes biometric system classification as a priority item: determining whether a biometric system falls within prohibited practices (Article 5), high-risk requirements (Annex III), or other regulatory treatment. The High-Risk AI Systems Audit evaluates whether biometric systems classified as high-risk have the conformity assessment evidence, technical documentation, and governance controls required by the regulation.
[EU AI Act Assessment] · High-Risk AI Systems Audit
Definitions that hold up under audit.
Does this term apply to your certification project? Let's talk 30 minutes, no commercial pressure.
