AI used in recruitment and workforce management is classified as high risk under Annex III of the EU AI Act. From August 2, 2026, employers that use such tools carry concrete duties as deployers: follow the provider's instructions, assign trained human oversight, monitor the system, keep logs, and inform workers before the tool is used on them.
EU AI Act and HR: Rules for Recruitment and Workplace AI (FAQ)
Why Hiring AI Is Treated as High Risk
The EU AI Act, Regulation (EU) 2024/1689, sorts AI uses into risk levels and reserves its strictest rules for a defined list of high-risk uses set out in Annex III. Employment sits near the top of that list. The reasoning is straightforward: decisions about who gets a job, who gets promoted, and who gets dismissed shape people's livelihoods, and the data these systems learn from can carry historical bias. A tool that quietly downgrades applicants from a particular postcode or age group can do damage at a scale no single biased manager ever could. So the law does not ban hiring AI. It allows it, but wraps it in requirements designed to keep a qualified human meaningfully in charge.
What Annex III Point 4 Actually Covers
Point 4 of Annex III lists two clusters of employment-related AI. The first cluster covers recruitment and selection: systems used to place targeted job advertisements, to analyse and filter applications, and to evaluate candidates. The second cluster covers the working relationship itself: systems used to make or materially influence decisions on promotion or termination, to allocate tasks based on individual behaviour or personal traits, and to monitor or evaluate the performance and behaviour of people at work.
| Cluster | Examples in plain terms |
|---|---|
| Recruitment and selection | CV-screening software, AI that ranks applicants, video-interview analysis tools, targeted job-ad placement systems |
| Work management | AI that scores employee performance, allocates shifts or deliveries based on behaviour, or feeds into promotion and dismissal decisions |
Notice how wide the second cluster is. A logistics platform that assigns routes based on each driver's measured behaviour, or a call-centre tool that scores agents and feeds those scores into reviews, falls inside the high-risk category just as surely as a CV screener does.
When the Rules Start to Apply
The obligations for Annex III high-risk systems apply from August 2, 2026. Two related duties arrived earlier and already apply: since February 2, 2025, organisations must ensure a sufficient level of AI literacy among staff who operate AI systems, and the outright bans in Article 5 are in force. One of those bans matters directly to HR: AI that infers the emotions of people in the workplace is prohibited, except for narrow medical or safety purposes. An employer using emotion-reading software on staff or candidates is not facing a future compliance gap; it is breaching a rule that applies today.
Your Duties as an Employer Under Article 26
Most employers do not build hiring AI; they buy it. In the language of the Act that makes the employer a deployer, and Article 26 sets out what deployers of high-risk AI must do. The list is demanding but practical. You must use the system in accordance with the provider's instructions for use. You must assign human oversight to people who have the necessary competence, training, and authority, which means the person reviewing the AI's shortlist must genuinely be able to question and override it. To the extent you control the input data, you must make sure it is relevant and sufficiently representative for the system's purpose. You must monitor the system's operation, suspend use and inform the provider if you have reason to think it presents a risk, and report serious incidents. You must keep the logs the system generates, for at least six months unless other law requires longer. And where the system helps make decisions about people, you must be ready to tell those people that high-risk AI was involved; under Article 86, a person affected by a significant decision is entitled to a clear and meaningful explanation of the role the AI played.
Telling Workers Before You Switch It On
Article 26 contains a duty that surprises many employers: before putting a high-risk AI system into service in the workplace, deployers who are employers must inform the affected workers and their representatives that they will be subject to it. This is not a vague transparency aspiration; it is a notification duty that comes before first use. Practically, this means the rollout plan for any AI-driven performance or scheduling tool needs a worker communication step, and in companies with works councils or unions, that conversation should happen early. National labour law may add its own consultation requirements on top.
What Your Vendor Must Do, and What to Ask Them
The heaviest obligations fall on the provider, the company that built the tool or sells it under its own name. Providers of high-risk systems must run a risk management process, meet data-quality requirements, prepare technical documentation, build in logging and human-oversight features, complete a conformity assessment, affix CE marking, and register the system in the EU database. Your job as a buyer is to verify, not to redo, that work. Sensible questions for any HR-tech vendor: Do you classify this product as high risk under Annex III point 4? When will your conformity assessment be complete? Where are the instructions for use and the human-oversight features documented? Will the system be registered in the EU database before August 2, 2026? A vendor that cannot answer these by now is a risk in itself. Be careful with one trap: if you put your own name on a third-party tool or substantially modify it, you can be treated as the provider and inherit the full provider obligations.
How Common HR Tools Are Likely Classified
| Tool | Likely position under the Act |
|---|---|
| CV screening and candidate ranking | High risk, Annex III point 4 |
| Performance scoring that feeds reviews | High risk, Annex III point 4 |
| Emotion recognition on staff or candidates | Prohibited in the workplace, with narrow exceptions |
| Payroll calculation software | Generally not AI, or minimal risk |
| Grammar checker used to polish job ads | Minimal risk, no new obligations |
| Internal HR chatbot answering policy questions | Limited risk, transparency duty under Article 50 |
One nuance worth knowing: a system that performs a narrow procedural task, or merely supports human assessment without replacing it, may fall outside high risk under the exception in Article 6. But that exception must be documented and defended, not assumed, and it never applies where the system profiles individuals.
What Non-Compliance Costs
Breaching the prohibition on emotion recognition in the workplace can draw fines of up to 35 million euros or 7 percent of worldwide annual turnover, whichever is higher. Breaching the deployer duties in Article 26 can draw fines of up to 15 million euros or 3 percent of turnover. Supplying misleading information to authorities carries up to 7.5 million euros or 1 percent. For small and medium-sized enterprises, the lower of the fixed amount and the percentage applies. Beyond fines, an unexplained AI-driven rejection or dismissal invites discrimination claims under existing employment law, which the AI Act does not replace.
Where GDPR Adds Its Own Layer
Hiring AI almost always processes personal data, so the AI Act lands on top of obligations employers already carry under the General Data Protection Regulation. GDPR's rules on automated individual decision-making give candidates and employees the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, with limited exceptions, and a data protection impact assessment is typically expected for systematic evaluation of people by automated means. The two regimes reinforce each other rather than duplicate: GDPR governs the data flowing through the tool, the AI Act governs the tool as a product and its use. The practical consequence is helpful for teams that built GDPR discipline after 2018, because the same habits transfer. Records of processing become the seed of your AI inventory. Vendor due diligence questionnaires gain a handful of AI Act questions. The impact assessment you would run for a new screening tool anyway becomes the place where human oversight, candidate communication, and the Article 86 explanation duty are designed in. Treating the two laws as one combined project for each HR tool is cheaper and faster than running parallel workstreams that ask the same vendor the same questions twice.
A Realistic Preparation Plan
Start with an inventory: list every tool in recruiting and people management that uses AI, including features buried inside your applicant tracking system. Classify each against Annex III point 4. For each high-risk tool, identify the provider, request their compliance documentation, and confirm their timeline. Name the humans who will exercise oversight and train them. Draft the worker notification. Set up log retention. None of these steps requires deep technical skill, but together they take months, and the deadline is fixed. The employers in the best position in August 2026 will be the ones who treated this as an ordinary operational project, not a last-minute scramble.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.