EU AI Act: Enforcement Live Since Feb 2, 2025

Don't Risk €35M Fines: Master the 8 Prohibited AI Practices Now

The EU AI Act bans specific AI practices outright, with penalties up to €35 million or 7% of global annual turnover. These rules are already enforceable. Here's exactly what's prohibited and how to assess your organization's exposure before regulators do.

Get the free compliance checklist: instant PDF download

No sales call required. No credit card. Instant PDF download.

Priverion gave us complete visibility across our subsidiaries; we went from chasing business units for updates to having automated recertification running in the background. Our compliance team finally focuses on strategy, not spreadsheets.

Data Protection Officer, Aircraft manufacturer

60% reduction in compliance admin time within 6 months

€35M

Maximum fine per violation

EU AI Act, Article 99(3)

7%

Of global annual turnover

Whichever is higher (EU AI Act, Article 99(3))

Feb 2, 2025

Enforcement already active

EU AI Act, Article 113, prohibited practices timeline

Trusted by compliance teams at Aircraft manufacturer, Zurzach Care, Medtec, and organizations across 15+ European jurisdictions. Swiss-built. Swiss-hosted. ISO 27001 certified.

Trusted by 50+ privacy teams across 14 countries
Industries: Healthcare, Aviation, Energy, Legal, Technology

Customer logos: Zurzach, AXA, Open Medical, Glencore, Pilatus, Liferay, CareerFairy, Voicepoint, Kellerhals Carrard, Aclaris, Avantec, Diakonie Bethanien
Why This Can't Wait

Why EU AI Act Prohibited AI Practices Demand Immediate Attention

Your board is asking, "Are we exposed?" These three realities explain why the answer is almost certainly yes, and why the window for reactive compliance has already closed.

Feb 2, 2025

EU AI Act Article 5 enforcement start date (Official Journal of the EU, Regulation 2024/1689)

The Deadline Already Passed

Unlike high-risk AI obligations arriving in August 2026, Article 5 prohibited practices took effect on February 2, 2025. This is not a future compliance exercise; it is a current legal obligation. Organizations that haven't audited their AI inventory against these eight prohibitions are operating outside the law right now.

Result: Zurzach Care achieved 100% vendor risk assessment coverage by auditing third-party AI tools across their care network, the same approach required to surface prohibited practices hiding in vendor software.

Zurzach Care, vendor assessment program (Priverion customer data)

€35M

Maximum fine per infringement, or 7% of global annual turnover (EU AI Act Article 99(3))

The Scope Is Broader Than You Think

Prohibited practices include AI systems many organizations don't recognize they're using. Emotion recognition in video conferencing tools. Social scoring embedded in HR platforms. Biometric categorization in hiring software. These aren't edge cases; they're features buried in third-party vendor tools your teams procured without compliance review.

Result: Medtec saved 200+ hours in ISO 27001 preparation by using structured compliance workflows to surface risks across their technology stack, the same systematic approach needed to identify prohibited AI embedded in vendor tools.

Medtec, ISO 27001 preparation (Priverion customer data)

12+

Average subsidiaries in Priverion customer organizations managing cross-entity compliance

Multi-Entity Groups Face Compounded Risk

If you operate across subsidiaries, each entity deploying or procuring AI systems must be assessed independently. A prohibited practice in one subsidiary creates liability for the entire group. Managing this across spreadsheets is how Aircraft manufacturer once spent 60% of compliance admin time on manual ROPA updates, before they automated it.

Result: Aircraft manufacturer reduced compliance admin time by 60% in their first 6 months, freeing their DPO to focus on strategic work like AI Act readiness instead of chasing business units across subsidiaries.

Aircraft manufacturer, first 6 months (Priverion customer data)

Download the Free Prohibited Practices Checklist

No sales call required. Instant PDF download.

200+

Hours saved on ROPA management

Medtec: hours redirected from manual ROPA updates to ISO 27001 preparation in first year

60%

Lower cost vs. legacy platforms

Aircraft manufacturer: reduction in compliance admin costs compared to prior OneTrust-class tooling, first 6 months

3 mo.

Ahead of schedule on ISO 27001

Medtec: accelerated ISO 27001 audit readiness using Priverion's evidence packages and automated documentation

Comparison

Why Mid-Market Companies Switch from OneTrust to Priverion for AI Act Compliance

Enterprise platforms built for Fortune 500 budgets leave mid-market teams overpaying for features they'll never use, while still scrambling to cover the EU AI Act. Here's what changes when you choose a platform built for your reality.

Typical Enterprise Platform

Data hosted across global regions

Data may reside in the US or other jurisdictions. Post-Schrems II, this creates ongoing legal exposure for cross-border data transfers, especially for AI systems processing personal data under Article 10 of the EU AI Act.

Complexity designed for 10,000+ employees

Enterprise UX means months of implementation, dedicated admin teams, and consultant fees before you run your first prohibited practices assessment. Mid-market compliance teams don't have that runway.

Per-user, per-module pricing

Adding the AI governance module? That's a separate line item. Adding subsidiaries or new team members? Costs scale unpredictably. CFOs lose visibility on total compliance spend.

AI capabilities with opaque data handling

Many platforms market AI features without disclosing how customer data is processed. For organizations managing prohibited AI practice assessments, this creates a trust paradox: using opaque AI to evaluate AI compliance.

Fragmented coverage across privacy and AI

GDPR in one module, AI Act in another, vendor risk somewhere else. Teams toggle between disconnected workflows, making it harder to see how prohibited AI practices intersect with existing data protection obligations.

Priverion

Guaranteed Swiss data sovereignty

All data processed and hosted within Swiss infrastructure. European data residency by default, not as an add-on tier. In a post-Schrems II world, this isn't a marketing checkbox; it's a legal requirement for cross-border data transfers.

Operational in weeks, not months

Designed for compliance teams of 1–15, not departments of 50. Medtec saved 200+ hours in ISO 27001 preparation alone, time that could be redirected to AI Act readiness before the February 2025 prohibited practices deadline.

Medtec: ISO 27001 preparation, measured during onboarding

Predictable pricing, no expansion traps

Pricing based on number of companies and organizational size, not per-user or per-module. The AI Register for EU AI Act compliance is included, not upsold. Add subsidiaries and team members without surprise invoices.

AI-assisted with full transparency

AI assists with DPIA drafting, risk scoring, and regulatory mapping, but every output is reviewed by your team before it becomes a compliance record. No customer data is used for model training. AI assists, humans decide.

Unified privacy and AI governance

ROPA management, DPIAs, vendor risk, incident response, and the AI Register, all in one platform with group-wide visibility. Zurzach Care achieved 100% vendor risk assessment coverage across entities without toggling between tools.

Zurzach Care: vendor risk assessment coverage across group entities

Start with the free prohibited practices checklist, then see the platform that operationalizes it.

Download the Free Prohibited Practices Checklist

No sales call required. No email gate.

What we don't do

Priverion doesn't cover ESG reporting, ethics hotlines, or cookie consent management. We don't offer 200 shallow integrations; we integrate deeply with the systems that matter for privacy workflows: HR, procurement, and IT asset management. And we're not built for single-entity companies. Our strength is group-wide privacy program management across multiple subsidiaries and jurisdictions.

Ready to stop managing compliance in spreadsheets?

See how group-wide privacy management actually works

In 30 minutes, we'll walk through your specific multi-entity setup, whether that's 5 subsidiaries or 50, and show you exactly how automated recertification, cross-entity data mapping, and AI-assisted DPIAs work in practice. No slides. No sales pitch. Just the platform.

60%

less compliance admin time

Aircraft manufacturer, first 6 months

200+

hours saved on ISO 27001 prep

Medtec

100%

vendor risk assessment coverage

Zurzach Care

Book a 30-minute walkthrough

No sales call required. See the platform with your own data scenarios.