RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJune 21, 2026

EU AI Act for HR Software 2026: What Recruiting and Hiring AI Must Comply With

HR tech is explicitly listed as high-risk in the EU AI Act. If your recruiting software, ATS, or performance management platform uses AI to influence employment decisions affecting EU workers, enforcement is weeks away — and the compliance bar is high.

High-Risk
Classification for all hiring and employment AI under Annex III
Aug 2026
EU AI Act enforcement begins for new high-risk deployments
€15M
Max fine for high-risk compliance violations (or 3% global revenue)

Why HR AI Is Explicitly High-Risk

Most industries were left to figure out their AI Act risk classification based on general principles. HR software wasn't. Annex III of the EU AI Act explicitly names employment and worker management as a high-risk domain. The exact language covers AI used for:

  • Recruitment or selection of natural persons, including CV sorting, screening, and ranking
  • Making decisions on promotion and termination of work-related contractual relationships
  • Allocating tasks based on individual behavior or assessing performance and behavior
  • Monitoring and evaluating persons in employment, including their performance

This is nearly every AI feature in modern HR software. Resume parsers that rank candidates. Interview intelligence platforms that analyze speech patterns. Performance tools that generate ratings from productivity data. If any of these touch EU workers or job applicants, the EU AI Act's highest compliance tier applies to your product.

Who Is Responsible: Vendor or Employer?

The EU AI Act distinguishes between providers (companies that develop and place AI systems on the market) and deployers (organizations that use AI systems for their intended purpose). HR software vendors are providers. Companies using that software to make hiring decisions are deployers.

Both face obligations — but they're different:

HR Software Vendors (Providers)
  • Register system in EU AI Act database
  • Issue EU Declaration of Conformity
  • CE-mark the system
  • Conduct conformity assessment
  • Maintain technical documentation
  • Implement quality management system
  • Conduct bias and data quality audits
  • Provide instructions for deployers
Companies Using HR AI (Deployers)
  • Verify system is registered/compliant
  • Implement human oversight measures
  • Inform workers about AI monitoring
  • Conduct Data Protection Impact Assessment
  • Maintain logs of AI decisions
  • Designate responsible person for AI
  • Report serious incidents to authorities
  • Allow workers to request human review

The 7 Core Compliance Requirements for High-Risk HR AI

Article 9 through 15 of the EU AI Act set out what high-risk AI systems must do. Here's how each requirement applies specifically to HR software:

1

Risk Management System

Vendors must implement and document an ongoing risk management process that identifies, analyzes, and mitigates risks throughout the AI system's lifecycle. For HR AI, this means documenting known failure modes (false negatives in resume screening, demographic bias in interview scoring) and having mitigation measures in place before deployment.

2

Data Governance and Bias Audits

Training data must be 'relevant, sufficiently representative, and to the best extent possible, free of errors.' For hiring AI, this requires documented bias audits across protected characteristics — gender, age, ethnicity, disability. The Act doesn't mandate third-party audits but requires vendors to demonstrate they've tested for disparate impact.

3

Technical Documentation

A comprehensive technical file must describe the system design, development methodology, training data characteristics, performance metrics, and risk mitigation measures. This documentation must be provided to EU market surveillance authorities on request. It's not a summary — it's a detailed technical dossier.

4

Automatic Logging (Record-Keeping)

High-risk HR AI systems must automatically log events to enable auditability. For HR applications this includes logging which candidates were scored, what scores were assigned, what data inputs were used, and what the system recommended — with timestamps. Logs must be retained for at least 6 months (or longer for public sector deployers).

5

Transparency to Deployers

Vendors must provide deployer organizations with clear instructions covering: the system's intended purpose and scope, performance levels and accuracy metrics, known limitations and failure modes, and what human oversight measures deployers must implement. Deployers using the system outside its documented scope become liable for that misuse.

6

Human Oversight

High-risk HR AI may not operate fully autonomously on consequential decisions. Deployers must be able to: understand and monitor system outputs, detect and intervene when the system behaves unexpectedly, and override or disregard AI recommendations. Fully automated reject decisions without any human review are prohibited for high-risk systems.

7

Accuracy and Robustness

Systems must meet appropriate accuracy levels for their intended use, perform consistently across different demographic groups, and be resilient against errors. Vendors must declare performance metrics in technical documentation — and those metrics must be measured on representative test populations, not just favorable subsets.

What HR AI Is Prohibited Outright

Beyond the high-risk tier, certain HR AI practices are outright prohibited under Article 5 of the EU AI Act — these prohibitions have been in force since February 2025:

  • Social scoring systems: AI that evaluates or classifies employees based on social behavior or personality traits to assign scores that determine employment outcomes is prohibited.
  • Real-time biometric categorization in workplaces: Using live AI analysis of facial expressions, voice sentiment, or emotional state to make real-time employment assessments is banned.
  • Subliminal manipulation: AI that influences employees below the level of their conscious awareness to affect their behavior or decisions is prohibited.
  • Exploitation of vulnerabilities: Systems designed to exploit employee vulnerabilities (financial stress, health conditions) to influence behavior are banned.

Some "workplace wellness" and "employee engagement" AI products in the market may violate these prohibitions if they use emotional state detection or behavioral scoring to influence HR decisions. If your HR tech vendor uses any of these techniques, this is a compliance risk you carry as the deployer.

Worker Notification and Transparency Rights

The EU AI Act intersects with GDPR and existing EU labor law on worker transparency. Under the Act, deployers (employers) must inform workers that AI is being used to monitor, evaluate, or make decisions affecting them. This notification obligation applies to:

  • Performance monitoring AI (productivity tracking, output measurement)
  • AI-assisted performance reviews or ratings
  • AI tools used to make promotion or compensation recommendations
  • Scheduling AI that affects working conditions

Workers in the EU already have rights under GDPR's Article 22 to request human review of purely automated decisions that significantly affect them. The EU AI Act strengthens this by requiring the technical capability for human override to be built into the system — not just promised in a policy document.

Compliance Timeline for HR Software

Feb 2025
Prohibited AI practices ban in force. Social scoring, biometric emotional analysis prohibited now.
Aug 2025
GPAI (general-purpose AI model) obligations for foundation model providers began.
Aug 2026
High-risk AI obligations enforceable for new deployments. HR AI vendors must have conformity assessments, documentation, and registration complete.IMMINENT
Aug 2027
Existing high-risk AI systems (deployed before Aug 2026) must also comply. Deadline for legacy HR AI in production.

HR AI Compliance Checklist

Use this checklist whether you're an HR software vendor or a company deploying HR AI:

For HR Software Vendors

  • Classify your AI features against Annex III
  • Conduct conformity assessment for high-risk systems
  • Complete EU AI Act database registration
  • Issue EU Declaration of Conformity
  • Document training data sources and bias testing
  • Implement automatic event logging in system
  • Write deployer instructions covering oversight requirements
  • Establish incident reporting process
  • Appoint EU-based authorized representative

For Companies Using HR AI

  • Verify all HR AI vendors are EU AI Act compliant
  • Request vendor's technical documentation and conformity declaration
  • Conduct DPIA for all HR AI processing
  • Update employee privacy notices to disclose AI use
  • Implement human review process for AI-flagged decisions
  • Train HR staff on AI system limitations
  • Establish override procedures — document when humans must review
  • Maintain logs of HR AI decisions for 6+ months
  • Designate AI compliance contact within HR team

What Happens If You Don't Comply

Fines for high-risk AI system violations under the EU AI Act reach €15 million or 3% of global annual turnover, whichever is higher. For a US HR tech company doing $50M in annual revenue, that's up to $1.5M per violation.

Beyond fines, non-compliant HR AI systems can be ordered off the EU market entirely — meaning any product features not meeting compliance requirements must be disabled for EU users. Given that most modern HR platforms serve global customers, an EU market ban is effectively a product liability crisis.

The first enforcement targets will likely be high-profile uses of automated hiring AI where documented bias or lack of human oversight caused discriminatory outcomes. HR tech is already under scrutiny from EU data protection authorities — the AI Act gives regulators a second, overlapping enforcement lever.

Frequently Asked Questions

Does the EU AI Act apply if we only use AI for US hires but the HR software is from a US vendor?

If the hiring decisions affect only US-based applicants and employees, and EU residents are never screened or evaluated, the EU AI Act does not apply to that specific use. However, if your company has any EU operations, offices, or remote EU workers being evaluated through the same system, those uses fall in scope.

We use LinkedIn Recruiter and resume screening tools. Are those covered?

AI-powered resume screening and candidate ranking tools fall under Annex III. LinkedIn, Indeed, and other platforms that use AI to surface or rank candidates for EU roles are subject to EU AI Act requirements as providers. As a deployer, you should verify these platforms' compliance status before August 2026.

What about AI tools that just schedule interviews or send automated emails?

Scheduling AI and automated communications tools (calendaring, email sequences) are generally not high-risk if they don't involve evaluating or ranking candidates or employees. They may still have GDPR implications, but the EU AI Act's high-risk obligations don't apply to pure scheduling automation.

Our HR AI was built internally, not purchased from a vendor. Who is responsible?

When a company builds AI systems for internal use, they are simultaneously the provider and deployer. All provider obligations — documentation, conformity assessment, registration, bias testing — apply to your internal team. Internal HR AI built and used by the same organization does not get a pass on compliance.

HR Tech Compliance Is Urgent

The EU AI Act's high-risk requirements aren't aspirational guidance — they're enforceable law as of August 2026. HR software vendors selling into EU markets and companies with EU employees both face legal exposure if their AI systems don't meet the requirements.

Review the AI tools in your HR stack now. Ask vendors for their EU AI Act compliance documentation. If they can't provide it, that's a liability you're absorbing by continuing to use their product for EU hiring decisions.