Skip to content
Playbook
AdvancedPillarHRFounderCEO

The EU AI Act for HR: a practitioner's guide to the parts that affect people work

What the EU AI Act actually requires of HR teams — which AI uses are high-risk, the compliance obligations, the timeline, and what to do if you're outside the…

21 min read
On this page
60-Second Summary
  • The EU AI Act (Regulation 2024/1689) classifies most AI used in HR — recruitment, performance evaluation, work allocation, monitoring — as 'high-risk.' High-risk obligations include risk management, data governance, technical documentation, logging, transparency, human oversight, and accuracy/robustness.
  • Effective dates are phased: prohibitions from Feb 2025, governance from Aug 2025, high-risk obligations from Aug 2026, full enforcement Aug 2027.
  • It applies to any employer with EU candidates or employees, regardless of where the employer is headquartered. A US-headquartered company hiring one EU candidate triggers it.
  • Most of the work is on the vendor — you're a 'deployer,' not a 'provider.' But deployer obligations (instructions of use, human oversight, monitoring) are non-trivial. Penalties: up to €35M or 7% of global turnover.

The EU AI Act is the world's first comprehensive AI regulation. For HR teams it's both the most important new law of the decade and the most misunderstood. Most coverage focuses on AI vendors. This guide focuses on what the law requires of HR teams that use AI tools — the 'deployer' role under the regulation — and what to do about it.

What the AI Act does

The Act takes a risk-based approach. It classifies AI systems into four tiers: prohibited, high-risk, limited-risk (transparency obligations), and minimal-risk (no obligations). Most HR uses of AI fall into the high-risk bucket. The Act regulates two parties: 'providers' (the company that develops and puts the AI on the market) and 'deployers' (the company that uses the AI). HR teams are almost always deployers.

Which HR uses are high-risk

Annex III of the Act explicitly names HR uses. AI used for the following is high-risk:

  • Recruitment and selection — including advertising vacancies, screening or filtering applications, evaluating candidates.
  • Decisions affecting terms and conditions of work, including promotion and termination.
  • Allocating tasks based on individual behavior or personal traits or characteristics.
  • Monitoring and evaluating performance and behavior of workers.

Practically, this covers: ATS with AI matching, AI resume screeners, video-interview AI scoring (where still used), AI performance-prediction tools, AI engagement analytics that profile individuals, AI work-allocation systems (warehouse, gig, delivery), employee monitoring AI.

What's NOT high-risk in HR

Generic productivity AI (Microsoft Copilot, ChatGPT used as a writing assistant), AI used purely to draft policies or JDs the human reviews, AI used for general internal communications, AI chatbots answering FAQ — these aren't 'making decisions about people' and don't fall under Annex III. Where AI is preparing an output that a human reviews and decides on, it's typically limited-risk (transparency obligation), not high-risk.

Deployer obligations (what HR teams must do)

For high-risk AI you deploy, you must:

  1. Use the system in accordance with the provider's instructions of use. Read them; don't deviate without justification.
  2. Assign human oversight to competent persons with the authority and training to override AI outputs. Document who.
  3. Monitor system operation and report serious incidents to the provider and to the relevant authority.
  4. Maintain logs the AI system generates, for at least 6 months (longer in some sectors).
  5. Inform workers' representatives and affected workers that a high-risk AI system will be used in their workplace, before it is put into use. (Subject to existing collective-bargaining law.)
  6. Conduct a Fundamental Rights Impact Assessment if you're a public-sector body or providing public services. (Private employers in HR roles: not currently required, but recommended.)
  7. Cooperate with national authority requests for documentation and audits.
  8. Ensure input data is relevant and sufficiently representative for the intended purpose. Don't deploy on a population the AI wasn't validated for.

Prohibited uses (no exceptions)

Some AI uses are banned outright under the Act. In an HR context:

  • Emotion recognition AI in the workplace — banned (except for medical or safety reasons). This explicitly includes 'inferring emotions of natural persons in the areas of workplace.' Applies to videoconferencing emotion analysis, voice-stress monitoring, etc.
  • Biometric categorization of workers to infer protected categories (race, political opinion, religion, sexual orientation, etc.) — banned.
  • Social scoring of individuals based on social behavior or personal characteristics, when leading to detrimental treatment in unrelated contexts — banned.
  • Manipulative AI that exploits vulnerabilities (age, disability, social/economic situation) to materially distort behavior — banned.
The emotion-recognition ban is broader than it sounds

Several HR AI products previously used facial/voice analysis to assess 'engagement,' 'attention,' or 'sentiment' during interviews and meetings. These are workplace emotion-recognition systems and are prohibited under Article 5 of the Act from February 2025 onward. Audit your tooling now; remove or disable any such feature.

Timeline

DateWhat takes effect
Feb 2025Prohibitions take effect (banned uses become illegal)
Aug 2025AI literacy obligation; governance + GPAI rules
Aug 2026Most high-risk obligations including HR uses
Aug 2027Full enforcement including high-risk AI embedded in existing regulated products

Does it apply to non-EU companies?

Yes, in many cases. The Act has extraterritorial reach under Article 2. It applies to providers placing AI on the EU market, and to deployers established in the EU. Critically, it also applies to providers and deployers established OUTSIDE the EU where the output of the AI system is used in the EU. For HR, this means:

  • A US-headquartered company hiring an EU-resident candidate using AI screening: in scope.
  • An Indian-headquartered company with EU employees using AI performance evaluation: in scope.
  • A UK company (now post-Brexit, outside EU) hiring EU residents via AI: in scope.
  • A Singapore-headquartered company with no EU candidates or employees: not in scope (until they hire one).

Compliance checklist

  • Inventory all AI tools used by HR. Classify each as high-risk / limited-risk / minimal-risk.
  • For each high-risk tool, document: provider, purpose, training data summary, performance metrics, who has oversight responsibility.
  • Confirm vendor is registered in EU database (if applicable) and that the system bears CE marking (where required).
  • Obtain provider's instructions of use; train deployer personnel on them.
  • Inform workers' representatives (works councils, unions, employee reps) before deploying high-risk AI.
  • Set up the logging and retention infrastructure.
  • Disable any emotion-recognition or biometric-categorization features used in HR.
  • Add AI-disclosure language to your candidate-facing materials.
  • Update your AI usage policy to reference the Act and deployer obligations.
  • Identify your national competent authority (each member state has one or more) and reporting paths for serious incidents.
  • Schedule annual review of AI inventory and obligations.

FAQ

Frequently asked questions

We're a US company hiring one EU candidate. Do we really need to comply?

Technically yes — the Act's extraterritorial reach kicks in once you use AI on EU-resident candidates. Practically, enforcement against small foreign employers is unlikely in the near term. Most US companies handling EU candidates achieve compliance by selecting vendors who are already EU-AI-Act compliant and documenting their use.

Our HRIS vendor (BambooHR, Rippling, Workday) has AI features. Are they high-risk?

It depends on what the features do. AI-suggested rankings of candidates: probably high-risk. AI-drafted JD: probably limited-risk. AI-summarized engagement survey: probably limited-risk. Ask the vendor directly which features they classify as high-risk under the Act and what conformity assessment they've done.

What if we use a US-only vendor that doesn't comply with the EU AI Act?

If you have any EU candidates or employees, you're deploying that AI in scope of the Act and inherit the obligations the vendor isn't fulfilling. Two options: (a) restrict use of that vendor to non-EU populations only, or (b) switch to a compliant vendor for the EU population. Many HR teams take option (a) for cost reasons.

Are penalties realistic or theoretical?

Realistic. The Act mirrors GDPR's enforcement model, which produced multi-hundred-million-euro penalties within 2–3 years. For high-risk system non-compliance: up to €15M or 3% of global turnover. For prohibited-use violations: up to €35M or 7% of global turnover. National authorities are now being staffed in 2025–2026.

Does GDPR also still apply?

Yes. GDPR governs the personal data processing; the AI Act governs the AI system. The two stack — for HR uses involving EU personal data, you need to satisfy both. GDPR has its own AI implications (Article 22 on automated decisions, profiling rules, data minimization).

What's the single highest-value action we can take?

Audit your current AI tools and explicitly disable any feature that does emotion recognition or biometric categorization in a workplace context. That's the prohibition that's in effect now, the easiest to trigger, and carries the largest penalty.

Further reading
Written by Pawan Joshi.Sources cited inline.
First published 15 Jun 2026See site changelog →