1. What makes HR AI high-risk
The EU AI Act uses a risk-based approach. Most AI tools are minimal or limited risk and carry light obligations. HR AI is different: it sits in Annex III, Category 4 — one of eight categories the regulation identifies as high-risk by definition.
Category 4 covers AI systems used in employment, workers management, and access to self-employment, specifically when they:
- Are used for recruitment or selection, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates
- Make or influence decisions on promotion and termination of work-related contractual relationships
- Are used for task allocation or to monitor and evaluate performance and behaviour of persons in employment relationships
The burden is heavier on providers (the companies that build these tools), but as a deployer — the organisation that uses HR AI in your own professional activities — you carry a substantial set of obligations under Article 26 that are yours alone to fulfil.
2. Which HR tools are in scope
Any tool that does one or more of the following falls under Annex III, Category 4:
| Use case | Risk level | Example tools |
|---|---|---|
| CV screening and filtering | High-risk | Workday, Greenhouse, iCIMS, Taleo |
| Candidate ranking and scoring | High-risk | Eightfold AI, Beamery, LinkedIn Recruiter |
| Video interview analysis | High-risk | HireVue, Pymetrics |
| Automated candidate engagement | High-risk (+ Art. 50) | Paradox Olivia, Bullhorn |
| Performance monitoring | High-risk | SAP SuccessFactors, Oracle HCM, Cornerstone |
| Talent pool and workforce planning AI | High-risk | Beamery, Eightfold AI |
| Meeting analysis and note-taking | Limited risk (Art. 50 only) | Otter AI, Fireflies AI |
3. Your obligations as a deployer
As the HR department or company deploying a high-risk AI system, Article 26 sets out your specific obligations. These apply regardless of which vendor built the tool.
Use the system as intended
You must use the high-risk AI system only for its intended purpose as defined by the provider in their instructions for use (Article 26(1) also requires appropriate technical and organisational measures to make sure that actually happens). Using a CV screening tool to evaluate performance, or a hiring tool to decide on terminations, takes you outside the intended purpose, and under Article 25 a deployer who changes a system's intended purpose can be treated as its provider, with the full set of provider obligations.
Assign human oversight
Article 26(2) requires that you assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. This is not a formality. The person responsible must be able to understand the AI system's outputs, identify anomalies, and override or suspend the system if needed.
Monitor operation
Article 26(5) requires you to monitor the operation of the high-risk AI system on the basis of the provider's instructions for use. If you have reason to believe the system presents a risk (for example, it is behaving unexpectedly or producing biased outputs), you must inform the provider or distributor and the relevant market surveillance authority without undue delay, and suspend use of the system.
Provide input data that matches intended use
Article 26(4) requires that, to the extent you control the input data (CVs, interview recordings, performance metrics), it is relevant and sufficiently representative for the system's intended purpose. Feeding a CV screening model data from a different job family or geography than it was designed for increases bias risk and puts you in breach.
Retain logs
Article 26(6) requires that you keep the automatically generated logs, to the extent they are under your control, for a period appropriate to the system's intended purpose and in any case for at least six months, unless EU or national law requires longer retention. See Section 6 for detail.
Inform workers
Article 26(7) is unique to employment AI: you must inform workers and their representatives before deploying a high-risk AI system that affects them. See Section 4 for what this disclosure must cover.
Cooperate with authorities
Article 26(12) requires deployers to cooperate with the relevant competent authorities in any action those authorities take in relation to the system, including providing logs and documentation on request. If your national market surveillance authority, data protection authority or labour inspectorate asks for evidence of your AI oversight procedures, you must be able to provide it.
| Obligation | Article | Deadline |
|---|---|---|
| Use system per provider instructions | Art. 26(1) | 2 Aug 2026 |
| Assign competent human oversight | Art. 26(2) | 2 Aug 2026 |
| Monitor system operation | Art. 26(5) | 2 Aug 2026 |
| Ensure relevant input data | Art. 26(4) | 2 Aug 2026 |
| Retain logs ≥ 6 months | Art. 26(6) | 2 Aug 2026 |
| Inform workers before deployment | Art. 26(7) | 2 Aug 2026 |
| AI literacy for staff dealing with AI systems | Art. 4 | Already in force |
4. Worker and candidate transparency
The EU AI Act introduces separate transparency obligations for HR AI: one towards existing employees, and one that applies when AI interacts directly with candidates.
Informing workers — Article 26(7)
Before you deploy a high-risk AI system that is intended to be used in the context of employment or working conditions, you must inform workers or their representatives. This obligation applies before deployment — not after. The notification must be meaningful, not just a line buried in a policy update.
Best practice is to include in the notification:
- The name and purpose of the AI system being deployed
- What data the system processes (CVs, performance metrics, video recordings)
- What decisions the system influences and who makes the final decision
- How workers can raise concerns or request human review
- The name of the person responsible for human oversight
Candidate transparency — Article 50
If your HR AI tool interacts directly with candidates (an AI chatbot that screens applicants, an automated video interview system), Article 50 also applies. Candidates must be informed at the start of the interaction that they are communicating with an AI system, unless that is obvious from the context. Separately, Article 26(11) requires deployers of Annex III systems that make or assist decisions about natural persons to inform those persons that they are subject to the system, so a candidate who is scored or ranked by a high-risk tool must be told even when no chatbot is involved.
Tools like Paradox Olivia or AI-driven screening chatbots built on ChatGPT or similar platforms fall under both Annex III (high-risk) and Article 50 (transparency). The candidate disclosure must happen before or at the very start of the AI interaction, not in the privacy policy.
Use the free Chatbot Disclosure Generator to produce compliant Article 50 disclosure text for your hiring chatbot.
5. Human oversight requirements
Human oversight is the core deployer obligation for high-risk HR AI. It is not a box to tick — it is an operational requirement that must be built into your hiring and performance processes.
Article 26(2) requires that the person assigned to oversight has:
- Necessary competence — they understand what the AI system does, what it optimises for, and where it can fail
- Necessary authority — they can override, suspend, or flag decisions made by or influenced by the AI
- Necessary resources — sufficient time and access to actually review AI outputs, not just sign off on volume decisions
In practice, this means:
- A hiring manager who approves every CV ranking shortlist must actually review the shortlist, not rubber-stamp the AI's output
- An HR director overseeing a performance AI must receive meaningful alerts when the system flags anomalies
- Rejecting all candidates below a certain AI score, without human review, is not compliant
6. Log retention
Article 26(6) requires deployers to keep the automatically generated logs of high-risk AI systems, to the extent those logs are under their control, for a period appropriate to the system's intended purpose and for at least six months, unless a longer retention period is required by EU or national law applicable to the deployer.
In HR, this intersects with GDPR: candidate data typically cannot be retained indefinitely. The practical approach is:
- Retain AI decision logs (what the system scored, ranked, or recommended) for six months minimum
- Separate log retention from personal data retention — you can retain anonymised decision logs longer than identifiable candidate data
- Document your retention policy in writing, including the legal basis for the retention period you choose
Your HR AI vendor may generate these logs automatically. Check whether your contract with the vendor gives you access to those logs, and whether they are retained on the vendor's infrastructure or yours. If the vendor controls the logs, your contract must require them to make logs available to you on request and to cooperate in the event of a regulatory inquiry.
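The following Python module is an added illustration of the retention scheme sketched above (Sections 5 and 6); it is not code from the page or from any vendor named on it. It keeps the AI decision record (score, recommendation, who reviewed it) under a keyed pseudonym so the record can outlive the candidate's identifiable data, refuses to purge anything younger than the six-month floor, and exposes the oversight check from Section 5: AI rejections that no human has reviewed. The HMAC key, candidate IDs, dates, scores and the 183-day approximation of "six months" are all assumptions made for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Article 26(6) floor: decision logs are kept for at least six months.
# 183 days is this example's approximation of "six months" (an assumption).
MIN_RETENTION = timedelta(days=183)


def pseudonymise(candidate_id: str, key: bytes) -> str:
    """Keyed hash of the candidate identifier. The log never stores the raw ID,
    and without the key a pseudonym cannot be recomputed from a guessed ID."""
    return hmac.new(key, candidate_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


class DecisionLog:
    """Decision records and candidate identities are held separately so that
    each can follow its own retention schedule."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._entries: List[dict] = []          # what the AI scored/recommended (Art. 26(6))
        self._identities: Dict[str, dict] = {}  # pseudonym -> PII, erasable under GDPR

    def record(self, *, candidate_id: str, pii: dict, system: str, score: float,
               recommendation: str, recorded_at: datetime,
               reviewer: Optional[str] = None,
               human_decision: Optional[str] = None) -> dict:
        pid = pseudonymise(candidate_id, self._key)
        self._identities.setdefault(pid, dict(pii))
        entry = {
            "candidate": pid,
            "system": system,
            "score": score,
            "recommendation": recommendation,
            "reviewer": reviewer,
            "human_decision": human_decision,
            "recorded_at": recorded_at,
        }
        self._entries.append(entry)
        return entry

    def erase_identity(self, candidate_id: str) -> bool:
        """GDPR erasure of the person; the pseudonymous decision record stays."""
        return self._identities.pop(pseudonymise(candidate_id, self._key), None) is not None

    def is_identified(self, candidate_id: str) -> bool:
        return pseudonymise(candidate_id, self._key) in self._identities

    def entries_for(self, candidate_id: str) -> List[dict]:
        pid = pseudonymise(candidate_id, self._key)
        return [e for e in self._entries if e["candidate"] == pid]

    def purge_expired(self, now: datetime, retention: timedelta = MIN_RETENTION) -> int:
        """Delete decision records older than `retention`; refuses any period
        shorter than the legal minimum and returns how many records were removed."""
        if retention < MIN_RETENTION:
            raise ValueError("retention below the Article 26(6) six-month minimum")
        cutoff = now - retention
        before = len(self._entries)
        self._entries = [e for e in self._entries if e["recorded_at"] >= cutoff]
        return before - len(self._entries)

    def unreviewed_rejections(self) -> List[dict]:
        """Oversight check: AI 'reject' outputs with no human decision recorded."""
        return [e for e in self._entries
                if e["recommendation"] == "reject" and e["human_decision"] is None]


def demo() -> dict:
    """Constructed sample run; every value below is made up for the example."""
    key = b"placeholder-key-keep-the-real-one-in-a-secret-store"
    log = DecisionLog(key)
    t0 = datetime(2026, 8, 3, tzinfo=timezone.utc)
    log.record(candidate_id="cand-001", pii={"name": "A. Example"}, system="cv-screener",
               score=0.82, recommendation="shortlist", recorded_at=t0,
               reviewer="hiring-manager-1", human_decision="interview")
    log.record(candidate_id="cand-002", pii={"name": "B. Example"}, system="cv-screener",
               score=0.31, recommendation="reject", recorded_at=t0)  # no human review yet
    log.erase_identity("cand-001")  # PII removed, decision record remains
    flagged = len(log.unreviewed_rejections())
    kept = len(log.entries_for("cand-001"))
    purged = log.purge_expired(now=t0 + timedelta(days=200))  # past the six-month floor
    return {"flagged": flagged, "kept_after_erasure": kept, "purged": purged}


if __name__ == "__main__":
    print(demo())
```

The split between `_entries` and `_identities` is the point: the candidate's name can be erased on the GDPR schedule while the scored decision stays available for the six months Article 26(6) requires, and a reviewer can still pull it up by candidate ID while the key is held. A real deployment would keep the key in a secrets store and the records in an append-only store rather than in memory.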
7. AI literacy — already in force
Article 4 of the EU AI Act has applied since 2 February 2025. It requires providers and deployers to take measures to ensure a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf.
This is the one obligation most HR teams have already missed. AI literacy training must be proportionate to the role: staff who use AI tools in hiring decisions need deeper training than staff who never interact with AI.
At minimum, HR staff using high-risk AI tools should understand:
- What the AI system does and what it does not do
- The types of errors the system can make, including systematic bias
- How to identify when an AI output looks wrong or unexpected
- How to escalate concerns about AI outputs
- The legal and ethical context — why oversight is not optional
8. Timeline and deadlines
| Date | Obligation | Status |
|---|---|---|
| 2 Feb 2025 | Article 4 AI literacy — all staff dealing with AI | Already in force — act now |
| 2 Aug 2026 | All Article 26 deployer obligations for high-risk HR AI | 14 months away |
| 2 Aug 2026 | Article 50 chatbot/AI disclosure if your tool interacts with candidates | 14 months away |
| 2 Aug 2027 | Full application of all EU AI Act provisions | 26 months away |
The August 2026 deadline sounds distant. It is not. Assigning human oversight, creating log retention procedures, updating employment contracts, consulting works councils, and training HR staff all take months of internal process. Companies that start in Q1 2026 will be scrambling. Companies that start now will be ready.
9. Your 8-step action plan
- Audit your HR AI tools. List every tool your HR team uses that could influence a hiring, promotion, performance, or termination decision. Check whether each falls under Annex III, Category 4. Use the specific tool guides on this site for each vendor.
- Check your contracts. Review your vendor agreements. Do they provide the instructions for use required under Art. 13? Do they give you access to logs? Do they offer a Declaration of Conformity? If a vendor cannot answer these questions, that is a compliance risk.
- Start AI literacy training immediately. Article 4 is already in force. Schedule a training session for all HR staff who use AI tools. Document who attended, when, and what was covered. Proportional and documented is compliant; zero training is not.
- Assign a human oversight owner. Name the person responsible for overseeing each high-risk AI system in your HR stack. Write down their name, role, and what their oversight responsibilities are. This is the evidence a regulator will ask for first.
- Notify workers and representatives. Draft a notification for your workforce about the AI tools you use in employment decisions. If you have a works council, begin the consultation process now — it takes time.
- Fix your candidate transparency. If you use any AI tool that interacts with candidates directly, add an Article 50 disclosure to the first touchpoint. Use the free disclosure generator to produce compliant text.
- Set up log retention. Confirm with your vendors that logs are being generated and that you have access to them. Document your retention policy — at least six months for AI decision logs.
- Update your hiring process documentation. Your internal hiring process docs, job offer templates, and HR policies should reflect that AI is used, what human review happens, and how candidates can request human reconsideration of an AI-influenced decision.
Check your specific HR tools
Detailed compliance guides for every major HR AI platform — what the provider must deliver, what you must do as deployer, and current compliance status.
10. Frequently asked questions
Does the EU AI Act apply if our HR AI vendor is based outside the EU?
Yes. The EU AI Act has extra-territorial scope under Article 2. If you are deploying an AI system within the EU, the regulation applies regardless of where the vendor is headquartered. US-based HR AI providers whose tools are used by EU employers are subject to the regulation. As the deployer, your Article 26 obligations are yours to fulfil regardless of your vendor's location.
What if we only use AI as a tool and a human makes the final decision?
Having a human make the final decision is necessary, but it only satisfies Article 26(2) if that person has the competence, training, authority and support to actually review and override the AI's output. It also does not eliminate your other obligations. You still need to notify workers, retain logs, ensure your staff are AI-literate, and use the system within its intended purpose. "A human decides in the end" is not a compliance programme; it is one element of one obligation.
Does GDPR still apply alongside the EU AI Act?
Yes. The EU AI Act does not replace GDPR — both apply simultaneously. Processing candidate or employee data with AI requires a lawful basis under GDPR Article 6. Automated decision-making with significant effects on candidates may engage GDPR Article 22. The AI Act adds obligations on top of GDPR; it does not substitute for them. Your DPO should be involved in any high-risk HR AI deployment.
What are the fines for HR AI non-compliance?
Under Article 99(4), fines for non-compliance with the obligations of providers (Art. 16), deployers (Art. 26) and the Article 50 transparency obligations can reach €15 million or 3% of worldwide annual turnover, whichever is higher. For SMEs and start-ups the lower of the two amounts applies (Art. 99(6)). Market surveillance and enforcement of the high-risk HR obligations begins in August 2026 alongside the obligations themselves.
Our vendor says their tool is compliant. Is that enough?
No. A vendor claiming compliance satisfies their provider obligations — it does not satisfy yours as a deployer. The vendor must provide a Declaration of Conformity and instructions for use. You must then actually follow those instructions, assign human oversight, train your staff, notify workers, and retain logs. Both parties have independent obligations; your vendor's compliance does not transfer to you automatically.