The EU AI Act (Regulation (EU) 2024/1689) is the European Union's horizontal law on artificial intelligence, and it reaches surveillance directly because video analytics — especially biometric ones — are squarely in scope. It takes a risk-based approach: some uses are prohibited outright, some are "high-risk" and heavily regulated, and the rest carry lighter transparency duties. For a surveillance designer it adds a second legal layer on top of data-protection law.
Two parts matter most. Article 5 prohibits certain practices, including, with narrow law-enforcement exceptions, real-time remote biometric identification of people in publicly accessible spaces. The prohibitions have applied since 2 February 2025. Separately, many biometric and surveillance analytics are classified as high-risk (Annex III), bringing obligations around risk management, data governance, logging, human oversight, and conformity assessment; the high-risk obligations phase in later, with the biometric high-risk timeline tied to dates in 2026–2027 that have been subject to adjustment. Because these dates move, anyone designing a system now should verify the latest status rather than rely on a remembered date.
The pitfall is treating GDPR compliance as sufficient and ignoring the AI Act. A face-recognition or biometric-categorisation feature can satisfy data-protection paperwork yet still be prohibited or high-risk under the AI Act, which governs the AI system itself, not just the personal data. Identify whether an analytic is prohibited or high-risk before building it, design in the human oversight and logging the Act requires, and track the phase-in dates as they are confirmed. This is engineering guidance, not legal advice; confirm specifics with qualified counsel.

