EU AI Act: What HR and Recruitment AI Tools Must Comply With
AI tools used in hiring, performance management, and workforce decisions are high-risk under Annex III §4 of the EU AI Act. Compliance is mandatory from August 2026 — for both the vendors who build these tools and the employers who deploy them.
HR AI Is High-Risk. There Is No Ambiguity.
Annex III §4 of the EU AI Act places AI systems used in employment, worker management, and access to self-employment directly in the high-risk category. This is not a grey area that depends on how the system is positioned or marketed.
If your AI system filters CVs, scores candidates, analyses interview videos, monitors employee performance, recommends promotions, or informs termination decisions — it is a high-risk AI system. The obligations that follow are substantial, and the deadline is 2 August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement).
This matters for two distinct groups:
- HR tech vendors who build and sell these tools — they are providers with full conformity obligations
- Employers who purchase and deploy these tools — they are deployers with their own independent obligations
Both groups must act. Neither can rely on the other's compliance to satisfy its own.
What Annex III §4 Covers Exactly
The regulation is specific. The following AI systems are classified as high-risk under Annex III §4:
Recruitment and selection:
- AI systems used to place targeted job advertisements
- AI systems that analyse and filter job applications — including CV parsing, ranking, and shortlisting
- AI systems used to evaluate candidates — including video interview analysis, psychometric scoring, and competency assessment
Work-related decisions:
- AI systems used to make decisions affecting promotion or termination of work-related contractual relationships
- AI systems used to allocate tasks based on individual behaviour or personal traits or characteristics
- AI systems used to monitor and evaluate the performance and behaviour of persons in work contexts
Scope clarification: The key question is whether the AI system makes or significantly influences a decision about a person's employment. A scheduling tool that assigns shifts based on availability is generally not high-risk. A performance monitoring tool whose outputs feed into performance reviews or bonus decisions is.
Who Is Affected
HR Tech Vendors — You Are Providers
If you build an ATS with AI scoring, a video interview analysis tool, a workforce analytics platform, or a performance management system with AI-driven insights — and you sell or license it to employers in the EU — you are a provider of a high-risk AI system.
This applies regardless of where you are incorporated. A US-based HR tech company whose tool is used by a German employer to screen candidates in Germany is subject to the EU AI Act (Article 2(1)(c)).
Employers — You Are Deployers
If you use any of the above tools to make or inform employment decisions about people in the EU, you are a deployer of a high-risk AI system. You have independent obligations under Article 26 that exist regardless of your vendor's compliance.
This includes companies using:
- AI-powered ATS platforms (Workday, SAP SuccessFactors, Greenhouse with AI scoring, etc.)
- Video interview analysis tools (HireVue, Pymetrics, and similar)
- AI-driven performance management platforms
- Workforce optimisation tools that use individual behavioural data
Provider Obligations: What HR Tech Vendors Must Do
Providers of high-risk HR AI systems must complete the following before placing their system on the EU market or making it available to EU customers:
1. Risk Management System (Article 9)
Implement a documented, continuous process to identify and mitigate risks throughout the system's lifecycle. For HR AI, this specifically requires assessing risks of discriminatory outcomes — the risk that the AI perpetuates or amplifies bias against protected groups (gender, age, race, disability, etc.).
The risk management system must be reviewed and updated whenever the system is substantially modified or evidence of new risks emerges.
2. Data Governance (Article 10)
Training, validation, and test data must be:
- Relevant to the intended purpose
- Representative of the population the system will be applied to
- Free from errors and complete
- Examined for bias — the AI Act explicitly requires that training data be assessed for possible biases that could affect people with protected characteristics
For hiring AI, this means your training data cannot over-represent historical hiring patterns that reflect past discrimination. If your model was trained on historical "successful hire" data from a company with documented diversity gaps, that training data itself may make the system non-compliant.
3. Technical Documentation (Article 11, Annex IV)
Prepare and maintain a full technical dossier including:
- System architecture and design choices
- Training data sources and methodology
- Evaluation results, including performance metrics disaggregated by demographic groups
- Known limitations and foreseeable misuse scenarios
- Instructions for appropriate use
This documentation must be available to the AI Office and national authorities upon request, and must be kept for 10 years after market placement.
4. Transparency and Instructions for Use (Article 13)
Provide deployers (employers) with clear instructions for use covering:
- The system's intended purpose and limitations
- Level of accuracy and performance metrics, including variations across demographic groups
- How to implement appropriate human oversight
- Foreseeable circumstances in which the system might fail or produce unreliable outputs
Hiding performance gaps across demographic groups in the instructions for use is not compliant — and is likely to be an area of active regulatory scrutiny.
5. Human Oversight by Design (Article 14)
The system must be designed so that deployers can meaningfully monitor, understand, and override its outputs. "Human in the loop" must be substantive — the system must enable humans to:
- Detect when the system is operating outside its intended parameters
- Override individual outputs
- "Switch off" the system if necessary
6. Accuracy, Robustness, Cybersecurity (Article 15)
Document accuracy metrics across the intended use population. For HR AI, this must include disaggregated metrics — performance broken down by gender, age, and other relevant protected characteristics. A system that performs well on average but has significantly worse accuracy for a protected group may not meet Article 15 requirements.
7. Conformity Assessment, EU Declaration, Registration (Articles 43, 47, 49)
- Conduct an internal conformity assessment demonstrating the system meets Articles 9–15
- Draw up an EU Declaration of Conformity
- Register the system in the EU database for high-risk AI systems before placing it on the EU market
For most Annex III §4 systems, self-assessment is permitted. Third-party assessment by a notified body is not required unless the system also involves biometric identification.
Deployer Obligations: What Employers Must Do
Employers using AI hiring and people management tools are deployers under Article 26. Independent of their vendor's compliance, they must:
1. Use the System Within Its Intended Purpose
Deploy the system only for the purposes described in the provider's instructions for use. Using an AI interview scoring tool to make decisions it was not validated for — or in a context it was not assessed for — can shift liability to the employer.
2. Assign Trained Human Oversight Personnel
Designate HR professionals or managers who:
- Understand what the AI system can and cannot do
- Have authority to override AI-generated recommendations
- Have received training specific to the system
3. Ensure Input Data Quality
Where employers control the data fed into the system (e.g., job descriptions, candidate records), they must ensure that data is relevant and representative of the role and population being assessed.
4. Retain Logs for a Minimum of 6 Months
Keep the system-generated logs for at least 6 months. These logs are essential evidence in the event of a discrimination complaint or regulatory investigation.
5. Notify Workers Before Deployment
Before using any high-risk AI system to monitor, evaluate, or inform decisions about workers, employers must inform:
- The workers affected
- Workers' representatives (unions, works councils) where applicable
This must happen before the system is deployed — not after.
6. Disclose AI Use to Candidates and Employees
Employers must inform individuals that they are subject to an AI-driven assessment or decision process. This applies to:
- Job candidates assessed by AI tools during recruitment
- Employees subject to AI-driven performance monitoring
7. Monitor Performance and Report Serious Incidents
Employers must monitor the AI system's operation and report serious incidents — outputs that cause harm, produce discriminatory results, or otherwise pose risks to health, safety, or fundamental rights — to the provider and to authorities without undue delay.
The Specific Risk: Discriminatory AI in Hiring
The EU AI Act intersects directly with EU anti-discrimination law in the employment context. AI systems used for hiring or people management that produce discriminatory outcomes — even unintentionally — create liability under the AI Act as well as under the EU Employment Equality Directive (2000/78/EC) and the Gender Equality Directives.
Key risk scenarios:
- Training data bias: A model trained on historical hiring data from a male-dominated industry may systematically score women lower
- Proxy discrimination: A model using features correlated with protected characteristics (postcode, university name, gaps in employment) may indirectly discriminate
- Lack of transparency: A system that cannot explain why a candidate was rejected may violate both AI Act transparency requirements and candidates' rights under GDPR Article 22
The AI Act does not create new anti-discrimination law — but it requires providers to document their systems' performance across protected groups and deployers to maintain human oversight that can catch discriminatory patterns.
Key Dates
| Date | Milestone |
|---|---|
| 2 February 2025 | AI literacy obligations in force |
| 2 August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement) | Full Annex III obligations apply — providers and deployers |
| 2 August 2027 | Deadline for legacy systems placed on market before August 2026 |
How DilAIg Helps HR Teams and HR Tech Vendors
For HR tech vendors: DilAIg's audit classifies your system under the four AI Act risk tiers and generates the four mandatory documents — Technical Documentation (Annex IV), EU Declaration of Conformity, FRIA, and Transparency Notice — as professional drafts. Each document is structured to the exact requirements of the regulation.
For employers: The audit identifies which of your deployed AI tools are high-risk, maps your Article 26 deployer obligations, and determines whether you are required to conduct a FRIA under Article 27. If you are, DilAIg generates the FRIA draft.
FAQ: HR AI and the EU AI Act
Is every ATS (Applicant Tracking System) high-risk?
Only if it uses AI to make or significantly influence hiring decisions. A basic ATS that stores and organises applications without AI scoring is not high-risk. An ATS with AI-powered CV ranking, candidate scoring, or automated shortlisting is high-risk under Annex III §4.
Does this apply to internal hiring tools built in-house?
Yes. If your company built its own AI tool for screening candidates or evaluating employees, and you use it in the EU, your company is both the provider and the deployer. All provider and deployer obligations apply.
What if the AI only gives a recommendation — a human makes the final decision?
A "human in the loop" does not remove the system from high-risk classification. What matters is whether the AI significantly influences the decision — not whether a human formally approves it. If hiring managers routinely follow AI recommendations without substantive independent review, the oversight requirement is not met.
Does the AI Act require us to explain AI hiring decisions to rejected candidates?
Yes — through a combination of Article 26(11) (disclosure of AI use) and the AI Act's transparency provisions. Candidates have the right to know they were assessed by an AI system. The right to a meaningful explanation of automated decisions may also apply under GDPR Article 22 if the decision was fully automated.
Does this apply to performance monitoring AI (e.g., productivity tracking tools)?
Yes, if the AI monitors individual performance or behaviour in a way that informs work-related decisions (promotions, task allocation, termination). The worker notification obligation under Article 26(7) is particularly important here — employers must inform workers before deploying such systems.
Key Takeaways
- HR and recruitment AI is unambiguously high-risk under Annex III §4 — no grey area
- Both vendors (providers) and employers (deployers) have independent mandatory obligations
- Vendors must complete: risk management, bias assessment in training data, technical documentation, conformity assessment, EU Declaration of Conformity, registration
- Employers must: assign trained human oversight, retain logs ≥ 6 months, notify workers before deployment, disclose AI use to candidates, monitor and report incidents
- The regulation intersects with EU anti-discrimination law — AI that produces discriminatory outcomes creates liability under multiple legal frameworks
- Full obligations apply from 2 August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement)
- DilAIg generates all mandatory documents for both providers and deployers