Skip to content
Playbook
AdvancedHRPeopleOpsCEO

EU AI Act for HR: A Conformity Playbook for 2026

The EU AI Act treats most HR uses of AI as 'high-risk' — which carries specific obligations on documentation, human oversight, bias testing, and post-market…

13 min read
On this page
60-Second Summary
  • Almost any AI used in recruitment, evaluation, or promotion is classed as 'high-risk' under the EU AI Act.
  • High-risk obligations: risk management system, data governance, technical documentation, logging, human oversight, accuracy/robustness, transparency.
  • The deployer (you) shares responsibility with the provider (vendor). Vendor-only compliance is not enough.
  • Start with an AI inventory, then a high-risk gap assessment, then a fix plan with named owners.

The EU AI Act has been in force since August 2024, with the high-risk system obligations applying from August 2026. For HR, that 2026 deadline is the one that matters: Annex III explicitly classifies AI used for recruitment, selection, performance evaluation, task allocation, and termination decisions as high-risk. If you use AI to screen CVs, score interviews, recommend internal moves, or predict attrition — and you operate in or hire into the EU — you are a 'deployer' of a high-risk AI system with specific obligations.

What's in scope for HR

HR use caseAI Act classificationWhy
CV / resume parsing and rankingHigh-risk (Annex III)Employment decisions
AI-scored video interviewsHigh-riskEmployment + biometric/behavioural inference
Performance prediction or rating assistanceHigh-riskAffects employment decisions
Promotion / internal-mobility recommendersHigh-riskCareer-impacting decisions
Chatbots for FAQ / policy questionsLimited risk (transparency only)Information-providing
JD drafting tools (GenAI)Generally limited / minimal riskContent generation, not decision-making
Sentiment analysis of employee commsHigh-risk if affecting employment decisionsEmotion recognition in workplace context

Deployer obligations

Seven deployer obligations under Article 26
  1. 1
    Use according to instructions
    Operate the system within the conditions the provider specified — including data quality, oversight model, and use cases.
  2. 2
    Assign human oversight
    Named, competent humans responsible for monitoring outputs and intervening. Not 'HR signs off' — specific named roles.
  3. 3
    Input data relevance and representativeness
    If you control input data, ensure it is relevant and sufficiently representative of the intended use.
  4. 4
    Monitor operation
    Ongoing monitoring of system behaviour; report serious incidents to the provider and authorities.
  5. 5
    Keep logs
    Retain automatically generated logs for at least 6 months.
  6. 6
    Inform workers and reps
    Inform worker representatives and affected workers before putting a high-risk AI system into service in the workplace.
  7. 7
    Right-to-explanation
    Affected individuals can request an explanation of decisions involving a high-risk system.

Step 1: AI inventory

You cannot govern what you cannot see. The first step is a complete inventory of every AI capability touching HR decisions — including the ones embedded in your HRIS, your ATS, your learning platform, and your engagement tool. Most HR functions discover 15–40 AI features when they look properly; they expected 3–5.

  • List every HR-adjacent system used in the last 12 months.
  • For each, list every AI-enabled feature (vendor disclosed + features you've enabled).
  • Classify: Annex III high-risk / limited-risk / minimal-risk / GenAI foundation model.
  • For high-risk: identify provider, version, and date deployed.
  • Map data flows: what employee/candidate data enters; where outputs go; who acts on them.

Step 2: gap assessment

For every high-risk system, run a gap assessment against the seven deployer obligations. The most common gaps in HR are: no named human oversight role (everyone is responsible = no-one is), no worker-representative notification, no logging policy, and no documented right-to-explanation process. Vendors typically provide the technical documentation but cannot provide your governance — that is on you.

Step 3: the fix plan

GapFixOwner
No AI inventoryQuarterly inventory process, owned by HR + ITCHRO + CIO
No named oversight rolePer system: name a role, define escalation, train themHRBP per system
No logging / retentionVendor confirms log retention; document policyHR Ops
No worker notificationComms plan + works-council notification templateER lead
No explanation processStandard response process, 30-day SLA, legal-reviewed templatesHRBP + Legal
No bias testing cadenceQuarterly outcome review with disparate-impact statsPeople Analytics
Vendor compliance ≠ your compliance

Even if your vendor is fully compliant as a 'provider' under the Act, you as 'deployer' have separate obligations. The most common 2026 enforcement scenario will be a vendor with a clean CE mark and a deployer with no oversight role, no logs, and no notification trail. Don't be the deployer in that story.

Penalties

Non-compliance with high-risk obligations can attract administrative fines up to €15 million or 3% of global turnover (whichever is higher). For prohibited practices (e.g. inferring emotions of workers in most contexts), fines can reach €35M or 7%.

Written by Pawan Joshi.Sources cited inline.
First published 23 Jun 2026See site changelog →