EU AI Act: Prohibited practices for Nigerian developers

Introduction

The European Union Artificial Intelligence Act (“the EU AI Act” or “the Act”) entered into force on August 1, 2024. establishing the world’s first comprehensive legal framework for regulating artificial intelligence. Critically, the Act has extraterritorial reach: any developer whose AI system produces output used within the EU falls within its regulatory scope, regardless of the developer’s physical location.

Nigerian AI developers increasingly build products serving global users across fintech, edtech, health tech, and security, many of which directly target European markets or have users within the EU. For these developers, compliance with the EU AI Act is a commercial and legal imperative. This article examines the eight prohibited AI practices under Article 5, analyses their practical implications for Nigerian developers, and outlines a route toward compliance.

The EU AI Act: A Brief Overview

The Act adopts a risk-based approach, classifying AI systems into four tiers: unacceptable risk (prohibited), high risk (heavily regulated), limited risk (transparency obligations), and minimal risk (largely unregulated). The key actors are “providers” (those who develop or bring AI systems to market) and “deployers” (those who use AI systems professionally). Both providers and deployers outside the EU are subject to the Act where the output of their AI systems is used within the Union.

The Eight Prohibited AI Practices Under Article 5

Article 5 establishes eight categories of AI practices that pose an unacceptable risk and are entirely prohibited. These prohibitions took effect on 2 February 2025, and the European Commission has issued guidelines clarifying their scope.

a. Subliminal, Manipulative, and Deceptive AI Systems: The Act prohibits AI systems that deploy subliminal techniques or purposely manipulative or deceptive techniques with the objective or effect of materially distorting behaviour and impairing informed decision-making, thereby causing, or being reasonably likely to cause, significant harm. For Nigerian developers, this encompasses marketing automation tools that use dark patterns, betting platforms that exploit behavioural data to encourage compulsive wagering, and recommendation engines designed to maximise addictive usage.

b. Exploitation of Vulnerabilities: AI systems that exploit vulnerabilities arising from age, disability, social or economic circumstances to materially distort behaviour in a manner causing or likely to cause significant harm are prohibited. A lending application targeting financially distressed individuals with predatory loan offers would likely violate this provision.

c. Social Scoring Systems: AI systems that evaluate or classify persons based on social behaviour or personal characteristics are prohibited where such scoring leads to detrimental treatment in unrelated social contexts, or treatment that is unjustified or disproportionate. A fintech developer whose algorithm aggregates social media activity and spending habits to generate a “trustworthiness score” affecting access to housing or employment would operate in prohibited territory.

d. Predictive Criminal Profiling: The Act prohibits AI systems that assess or predict the risk of criminal offending based solely on profiling or personality assessments. However, AI systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity remain permissible. Nigerian developers building security solutions must ensure their systems do not cross into speculative profiling.

e. Untargeted Facial Image Scraping: The creation or expansion of facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage is prohibited. Nigerian developers building identity verification platforms must ensure their training data is lawfully acquired and that their systems do not engage in mass, untargeted collection of facial images.

f. Emotion Recognition in Workplaces and Educational Settings: AI systems that infer the emotions of persons in workplace and educational settings are prohibited, except where the system serves medical or safety purposes. This directly affects Nigerian edtech developers who incorporate engagement-tracking features and HR technology firms that use AI to assess employees’ emotional states.

g. Biometric Categorisation for Sensitive Attributes: AI Systems that categorise persons based on biometric data to deduce or infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation are prohibited. Nigerian developers working on biometric solutions must ensure their systems do not classify individuals based on these characteristics.

h. Real-Time Remote Biometric Identification in Public Spaces: Real-time remote biometric identification in publicly accessible spaces for law enforcement is generally prohibited, subject to narrow exceptions requiring prior judicial or administrative authorisation. Nigerian developers providing such solutions to law enforcement agencies within the EU must be aware of these constraints.

 

Practical Implications for Nigerian AI Developers

Several common Nigerian AI use cases carry a real risk of non-compliance. In fintech, credit scoring algorithms that incorporate social media behaviour or psychometric assessments may constitute social scoring, while lending platforms targeting vulnerable populations risk engaging in exploitation. In edtech, platforms incorporating emotion detection to measure student engagement are directly caught by the emotion recognition prohibition. In recruitment technology, AI tools that assess candidates through personality profiling or emotional analysis may violate multiple prohibitions simultaneously. In security and surveillance, facial recognition systems trained on scraped internet images and predictive policing tools fall squarely within the prohibited categories.

 

Enforcement and Penalties

Violations of Article 5 attract administrative fines of up to EUR 35 million, or up to 7% of the offending undertaking’s total worldwide annual turnover, whichever is higher. Enforcement authorities may also order the withdrawal of non-compliant AI systems from the market. The AI Office within the European Commission exercises overarching supervisory functions, while national competent authorities handle domestic enforcement. For small and medium-sized enterprises, the Act provides that penalties must be proportionate, taking into account economic viability, though this does not eliminate the risk but merely modulates its quantum.

 

Intersection with the Nigerian Regulatory Framework

Nigerian AI developers do not operate in a regulatory vacuum domestically. The Nigeria Data Protection Act 2023 shares conceptual ground with the GDPR and certain principles underpinning the EU AI Act. The Federal Ministry of Communications, Innovation and Digital Economy, working with NITDA, has published a National Artificial Intelligence Strategy. Sector-specific regulators, including the Central Bank of Nigeria for fintech and the Nigerian Communications Commission for telecommunications, impose obligations that intersect with AI governance. A holistic compliance framework addressing both jurisdictions is more efficient than treating each regime in isolation.

 

A Compliance Roadmap for Nigerian Developers

Nigerian AI developers seeking compliance with the Act’s prohibited practices provisions should consider several key steps: conducting an AI system audit against Article 5 criteria, mapping each system’s functionality against the eight prohibited categories; embedding compliance at the design stage through legal review during development and testing; maintaining documentation of AI systems’ intended purposes, technical specifications, and training data sources; monitoring EU market exposure by tracking whether systems or outputs are consumed within the Union; and engaging legal and compliance expertise to navigate the Act’s interaction with existing data protection and sector-specific regulations.

 

Conclusion

The EU AI Act represents a paradigm shift in AI governance. Its extraterritorial reach ensures that Nigerian AI developers cannot treat it as a foreign concern. The eight prohibited practices under Article 5 establish clear boundaries, and the penalties for violation are severe. For Nigerian developers, however, the Act should be viewed not merely as a compliance burden but as a competitive opportunity. Developers who align their products with its requirements will be better positioned to access the European market, attract international investment, and build global trust.

Notably, compliance with a foreign regulatory framework is not substitute for homegrown governance. Nigeria must move toward a coherent, enforceable AI framework of its own. The Nigeria Data Protection Act 2023 and the National AI Strategy 2024 provide a foundation, but neither addresses the full spectrum of risks that AI systems pose to Nigerian consumers, businesses, and public institutions.

What Nigeria requires is a legal framework that draws on international best practices while remaining responsive to Nigeria’s unique economic realities and institutional capacity.

The cost of inaction is that Nigeria’s rapidly growing technology sector will be governed by rules written elsewhere, for contexts other than its own.

Okechukwu Ekweanya, Partner; Elizabeth Aghaulor, and Olusola Odeku, Associates are counsel at KENNA.