Official Sync: 2026-03-15

Biometric Authentication Compliance

EN 301 549 Clause 5.3 requires that any system using biometric authentication must also provide a fully functional non-biometric alternative. Use this tool to check compliance and explore authentication method options.

What is this?

This tool maps which biometric authentication methods (fingerprint, face ID, voice, iris) meet EAA requirements, and what alternative authentication must be provided for users who cannot use a given biometric.

When do I need this?

Use this if your product uses biometric authentication as a primary or secondary login method.

Applies to: Apps and services using fingerprint, face recognition, voice authentication, or iris scanning.

  1. Select the biometric methods your product uses. Choose from the list: fingerprint, face ID, voice recognition, iris scan, vein pattern.
  2. Review the accessibility requirements for each. The matrix shows which disabilities are excluded by each method and what alternatives are legally required.
  3. Check your alternative provision. For each biometric method, confirm you offer a fully accessible alternative that doesn't require that biometric.
  4. Note any gaps. Record any biometric methods where your alternative provision is missing or inadequate.
  5. Export your assessment. Download the matrix for your Technical File.

EN 301 549 §5.3 — Mandatory Requirement

"Where ICT uses biological characteristics, it shall not rely on the use of a particular biological characteristic as the only means of user identification or for control of ICT."

This requirement applies to websites, mobile apps, ATMs, kiosks, and any ICT product in scope of the EAA (Directive 2019/882).

Answer each question to assess your product's Clause 5.3 compliance. Questions unlock progressively.

  1. Does your product or service use any biometric authentication method (fingerprint, face, voice, iris)?

     EN 301 549 §5.3 — Scope trigger

  2. For self-service kiosks or ATMs: is the interface operable without requiring the user to look at, touch, or present a body part to the device?

     EN 301 549 §5.3 + §8.3.2 — Physical accessibility

EU AI Act Article 5 — scope clarification

This tool covers EN 301 549 §5.3 accessibility requirements for biometric authentication — the obligation to provide non-biometric fallbacks. It does not assess compliance with the EU AI Act (Regulation 2024/1689), which introduces separate prohibitions for certain biometric AI systems. Key distinctions:

  • Article 5(1)(d): Real-time remote biometric identification in publicly accessible spaces is prohibited for law enforcement purposes (with narrow, court-authorised exceptions). This does not automatically apply to commercial operators.
  • Commercial operators deploying biometric authentication (e.g. device unlock, app login, workplace access) are generally not covered by Art 5(1)(d) but may be deploying a high-risk AI system under Annex III, Category 1 (biometric identification and categorisation of natural persons), which requires a conformity assessment before deployment in the EU.
  • Facial recognition systems used for marketing, emotion recognition in workplaces, and social scoring are subject to additional prohibitions under Article 5(1)(a)–(c) regardless of whether the operator is a law enforcement authority.

Consult your DPO and legal counsel for a full EU AI Act assessment. This tool addresses accessibility compliance only.

Export as evidence

Every export includes a legal-evidence metadata footer with the audit ID, generation date, tool version, EN 301 549 clauses, and the standard disclaimer. Legal-grade evidence — not legal advice.

Important Legal Disclaimer

This tool is a self-assessment aid only and does not constitute legal advice or a formally certified compliance assessment. Outputs — including reports, scores, checklists, and accessibility statements — are for internal use and should be reviewed by a qualified legal representative or independent accessibility auditor before being relied upon for regulatory, procurement, or public-disclosure purposes. All assessment risk lies with the internal assessor. accessibilityref, its developers, and staff accept zero liability for losses arising from use of or reliance on these outputs. Always verify against official sources: the W3C WCAG 2.2 Recommendation, the European Accessibility Act (Directive 2019/882), and your national enforcement authority.