RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJuly 3, 2026

EU AI Act for Staffing and Recruiting Agencies 2026: High-Risk Deployer Obligations

Most EU AI Act coverage for hiring is written for the software vendors building recruiting tools. Staffing and recruiting agencies are the ones actually running candidates through those tools every day — and they carry their own, separate set of obligations as "deployers" of high-risk AI.

Annex III
Recruitment and candidate-selection AI is explicitly classified high-risk
€15M / 3%
Maximum fine for high-risk obligation failures, whichever is higher
Deployer
Agencies have distinct legal obligations from the software vendor

Are Staffing and Recruiting Agencies Covered?

If your agency uses AI to screen resumes, rank candidates, score video interviews, or match applicants to open roles — and any of those candidates or roles are located in the EU — you are almost certainly covered. The EU AI Act's territorial scope reaches deployers wherever they're based, as long as the AI system's output is used within the EU.

This catches a lot of agencies that don't think of themselves as "AI companies" at all:

  • A US staffing firm placing contractors into EU client companies
  • A recruiting agency with EU-based candidates in its applicant pool, regardless of where the agency is incorporated
  • Any agency using an applicant-tracking system with built-in AI resume ranking or scoring, even as a default feature they didn't configure
  • Agencies using third-party AI video-interview or skills-assessment tools for EU candidates

Enforcement begins August 2026 for the high-risk obligations most relevant here. Agencies that haven't inventoried which of their recruiting tools use AI are the most exposed.

Provider vs. Deployer: Why Agencies Have Different Obligations

Most published EU AI Act guides for hiring are written from the provider's perspective — the company building or substantially modifying the recruiting software. Staffing and recruiting agencies are almost always deployers instead: they buy or license a tool and use it under their own authority to make real decisions about real candidates.

Provider (the software vendor)
Risk management system, technical documentation, conformity assessment, CE marking, quality management system, registration in the EU database.
Deployer (the staffing/recruiting agency)
Human oversight during use, monitoring for malfunction or unexpected outputs, informing affected candidates, maintaining usage logs, and in some cases a fundamental rights impact assessment.

Buying a compliant tool from a provider does not satisfy your deployer obligations. Those obligations attach to how your agency actually uses the tool day to day, and they can't be outsourced to the vendor's compliance paperwork.

The Deployer Obligations Checklist for Agencies

Work through each section. These are the deployer-side requirements — not the vendor's conformity assessment paperwork.

1. Tool Inventory and Risk Mapping
  • List every AI-enabled tool used anywhere in the candidate pipeline: sourcing, screening, ranking, interview scoring, offer prediction
  • Identify which tools touch candidates or roles connected to the EU
  • Confirm with each vendor whether their tool is classified high-risk under Annex III
  • Document the intended purpose the vendor registered for the system
2. Human Oversight
  • Assign a named human reviewer with authority to override or reject the AI's recommendation for every candidate decision
  • Ensure reviewers are trained on the tool's capabilities and limitations, not just how to click through it
  • Prohibit rubber-stamping — document that human review meaningfully changes outcomes at least some of the time
  • Keep records showing a human, not the algorithm alone, made the final placement decision
3. Candidate Transparency
  • Inform candidates before or at the point of screening that an AI system is being used to evaluate them
  • Explain in plain language what the system evaluates and how it influences the outcome
  • Provide a channel for candidates to ask questions or contest an automated result
4. Monitoring and Logging
  • Monitor the system's outputs for signs of malfunction, drift, or discriminatory patterns across candidate groups
  • Retain automatically generated logs for the period specified by the provider (minimum six months, longer if required)
  • Establish an internal process to pause use of the tool and notify the provider if serious incidents occur
5. Fundamental Rights Impact Assessment
  • Determine whether your agency qualifies as a body governed by public law or a private entity providing public services — these deployers must complete a fundamental rights impact assessment before first use
  • Even where not strictly mandatory, document a basic assessment of bias and rights risk as a defensive compliance practice
  • Notify the relevant market surveillance authority where the assessment is required
6. Vendor Contract Terms
  • Require vendors to confirm high-risk classification status and share the instructions for use
  • Require vendors to notify your agency of any updates that change the system's risk profile or intended purpose
  • Negotiate audit rights or documentation access needed to support your own deployer obligations

Cross-Border Placements: When a US Agency Gets Caught

Staffing agencies frequently underestimate how easily they trip the EU AI Act's territorial trigger. The test isn't where your company is headquartered — it's where the AI system's output is used.

  • Screening a candidate physically located in Germany for a remote US role — covered, because the output (the screening decision) is used on a person in the EU.
  • Placing a US-based contractor into a client's Dublin office — covered, because the role and the effect of the placement decision sit in the EU.
  • Running your entire candidate pipeline through one AI ranking tool globally, with no EU-specific configuration — the EU-covered candidates in that pipeline still trigger deployer obligations for however your agency uses the tool on them.

Agencies that operate a single global pipeline often find it simpler to apply EU-grade deployer practices — human oversight, disclosure, logging — across their whole candidate pool rather than trying to carve out an EU-only workflow.

Frequently Asked Questions

We license our applicant-tracking system from a vendor. Doesn't their compliance cover us?

No. The vendor's conformity assessment and technical documentation satisfy their provider obligations. Your agency still has separate deployer obligations — human oversight, candidate disclosure, monitoring, and logging — that only your agency can fulfill because they depend on how the tool is actually used, not how it was built.

Our AI tool just ranks resumes; a recruiter still makes the final call. Are we still high-risk?

Yes. Annex III classifies AI systems used to filter or evaluate applications as high-risk regardless of whether a human makes the ultimate decision. Human involvement downstream doesn't remove the classification — it's one of the deployer obligations (human oversight) you must implement and document, not an exemption.

What counts as a 'serious incident' we'd need to report?

A serious incident includes situations where the AI system causes or is likely to have caused a breach of fundamental rights protected under EU law, or where a malfunction leads to a significant impact on candidates' rights — for example, systematically screening out a protected group due to a bug or drifted model. Deployers must notify the provider and, in some cases, the market surveillance authority.

Do smaller staffing agencies get any exemption?

The EU AI Act does not exempt small staffing or recruiting agencies from deployer obligations based on size. Some support measures and simplified documentation exist for SMEs on the provider side, but deployer duties — oversight, disclosure, logging — apply regardless of agency headcount if the AI system and candidates are otherwise in scope.

Start With Your Tool Inventory

Deployer compliance starts with knowing exactly which tools in your candidate pipeline use AI, and which of those touch EU candidates or roles. Most agencies find at least one tool they'd never flagged as "AI" — a resume parser with built-in ranking, a video-interview platform with automated scoring — buried in a workflow nobody re-evaluated after it was first switched on.

Once the inventory exists, human oversight, disclosure, and logging are operational changes, not legal mysteries.

Related Reading