Coming Soon European Union Identity Verification, Biometric Auth, Fintech

EU AI Act – Biometric Systems

EU Artificial Intelligence Act (Regulation 2024/1689) – High-Risk Biometric AI Provisions

Biometric identification systems used for verification are classified as high-risk AI. Providers must maintain conformity assessments, technical documentation, and register in the EU AI database.

Effective: August 2, 2026 Verified: July 2026 Official source

What this covers

The EU AI Act (Regulation 2024/1689) puts biometric identification systems in Annex III Category 1 – high-risk AI. That means the full Chapter III compliance framework applies: conformity assessments, technical documentation, human oversight requirements, and registration in the EU AI Office database.

The clock started when the Act entered into force on August 1, 2024. High-risk AI requirements (Annex III Category 1 obligations) become enforceable on August 2, 2026 – 24 months after entry into force. Vendors who haven't started their conformity assessment process are cutting it close.

The Act makes a hard distinction between post-hoc and real-time remote biometric identification in public spaces. Real-time use is banned for law enforcement except in narrow exceptions (Article 5). Post-hoc identification and commercial identity verification are regulated as high-risk but not prohibited.

For buyers, the practical question is whether your vendor will be ready by August 2026. Ask specifically about their Article 11 technical documentation, Article 17 quality management system, and whether they plan to self-assess or use a notified body.

Frequently asked questions

When does the EU AI Act apply to biometric systems?

High-risk AI system requirements (Chapter III) became enforceable on August 2, 2026 – 24 months after the Act's entry into force on August 1, 2024. Biometric identification systems listed in Annex III, Category 1 are covered.

What do biometric vendors need to do under the EU AI Act?

Providers must: (1) conduct a conformity assessment, (2) maintain technical documentation (Article 11), (3) implement a quality management system (Article 17), (4) register in the EU AI Act database before placing the system on the EU market.

Does the EU AI Act ban real-time biometric surveillance?

Yes. Real-time remote biometric identification in public spaces is prohibited except for specific law enforcement exceptions under Article 5. Post-hoc biometric identification is regulated as high-risk but not banned.