LIMITED RISK — productivity use (Article 50) HIGH RISK — HR / credit decision use

Microsoft Copilot EU AI Act Compliance: What Organisations Must Do

Microsoft 365 Copilot is deployed across millions of EU workplaces. Depending on how you use it — email drafting vs candidate screening vs HR decisions — your EU AI Act obligations range from a simple transparency disclosure to full high-risk deployer requirements.

Quick answer: Standard productivity use = Article 50 disclosure for AI-generated content. Using Copilot to assist in employment or other Annex III decisions = high-risk deployer obligations. The feature is the same; the context determines the classification.

Copilot use cases by EU AI Act risk level

| Use case | Classification | Obligation |
| --- | --- | --- |
| Email drafting, meeting summaries, document generation | LIMITED RISK | Article 50(2) — AI content marker on output sent to others |
| Copilot chat / Teams assistant interacting with EU users | LIMITED RISK | Article 50(1) — disclose AI nature before interaction |
| CV summarisation / candidate shortlisting assistance | HIGH RISK | Annex III Cat.4 — full Article 26 deployer obligations |
| Performance review drafting that influences ratings | HIGH RISK | Annex III Cat.4 — worker notification + oversight |
| Copilot for Finance — credit or loan decision support | HIGH RISK | Annex III Cat.5 — financial eligibility decisions |
| Internal knowledge search, code generation, data analysis | NOT HIGH RISK | No high-risk obligations (AI literacy training still required) |

What to do: tiered action plan

Article 50 disclosure for Copilot-generated content

Add to your email footer or document templates when content is Copilot-assisted:

[This content was drafted with the assistance of Microsoft Copilot AI. It has been reviewed and approved by the sender.]
[AI-assisted content. Reviewed by [Name], [Title].]

The Copilot governance challenge: same tool, different risks

The EU AI Act does not classify tools — it classifies use cases. Microsoft 365 Copilot is a general-purpose AI assistant. When your HR team uses it to summarise 200 CVs and produce a shortlist recommendation, that use case is Annex III Category 4 high-risk, even though the underlying technology is the same word-processing assistant your marketing team uses to draft blog posts.

This means you cannot rely on Microsoft's general Copilot compliance documentation as proof that your specific deployment is compliant. You need to map your internal use cases against the Annex III categories.

Microsoft's EU AI Act compliance position

Microsoft has committed to EU AI Act compliance for its AI products and publishes compliance documentation through its Trust Center. For Copilot specifically, Microsoft is positioning the product as a general-purpose AI assistant that does not autonomously make decisions — it assists human decision-makers. This framing is accurate for standard use cases.

However, when Copilot's output directly informs an employment or credit decision — even as a summary or recommendation — the deployer (your organisation) takes on high-risk obligations regardless of Microsoft's product positioning.

Frequently asked questions

We use Copilot to help write job descriptions, not to screen candidates. Is that high-risk?

No. Using AI to draft job descriptions is a content generation task — it does not make assessments about individuals. Article 50(2) may apply if the job description is published and could be mistaken for purely human-authored content, but this is a minor disclosure requirement, not a high-risk obligation. The high-risk classification arises when AI assists in assessing or ranking specific individuals.

Our managers use Copilot to help write performance reviews. Is that high-risk?

Yes, if the performance review influences decisions about the employee's working conditions, salary, promotion, or continuation of employment. Using AI to assist in performance documentation that affects employment decisions is Annex III Category 4. You need to inform employees that AI assists in their performance review process and ensure a human reviews and can override the AI-assisted assessment.

We have Microsoft's Copilot terms of service which say it complies with EU law. Isn't that enough?

No. Microsoft's contractual compliance commitments cover their role as provider. Your deployer obligations are separate and cannot be contractually transferred to Microsoft. Even if Microsoft's product is fully compliant, you still must add candidate/worker disclosure, ensure human oversight in your processes, and retain logs for high-risk use cases. Compliance terms in a SaaS contract do not discharge your regulatory obligations.