EU AI Act for HR: A Conformity Playbook for 2026
The EU AI Act treats most HR uses of AI as 'high-risk' — which carries specific obligations on documentation, human oversight, bias testing, and post-market…
On this page▾
- Almost any AI used in recruitment, evaluation, or promotion is classed as 'high-risk' under the EU AI Act.
- High-risk obligations: risk management system, data governance, technical documentation, logging, human oversight, accuracy/robustness, transparency.
- The deployer (you) shares responsibility with the provider (vendor). Vendor-only compliance is not enough.
- Start with an AI inventory, then a high-risk gap assessment, then a fix plan with named owners.
The EU AI Act has been in force since August 2024, with the high-risk system obligations applying from August 2026. For HR, that 2026 deadline is the one that matters: Annex III explicitly classifies AI used for recruitment, selection, performance evaluation, task allocation, and termination decisions as high-risk. If you use AI to screen CVs, score interviews, recommend internal moves, or predict attrition — and you operate in or hire into the EU — you are a 'deployer' of a high-risk AI system with specific obligations.
What's in scope for HR
| HR use case | AI Act classification | Why |
|---|---|---|
| CV / resume parsing and ranking | High-risk (Annex III) | Employment decisions |
| AI-scored video interviews | High-risk | Employment + biometric/behavioural inference |
| Performance prediction or rating assistance | High-risk | Affects employment decisions |
| Promotion / internal-mobility recommenders | High-risk | Career-impacting decisions |
| Chatbots for FAQ / policy questions | Limited risk (transparency only) | Information-providing |
| JD drafting tools (GenAI) | Generally limited / minimal risk | Content generation, not decision-making |
| Sentiment analysis of employee comms | High-risk if affecting employment decisions | Emotion recognition in workplace context |
Deployer obligations
- 1Use according to instructionsOperate the system within the conditions the provider specified — including data quality, oversight model, and use cases.
- 2Assign human oversightNamed, competent humans responsible for monitoring outputs and intervening. Not 'HR signs off' — specific named roles.
- 3Input data relevance and representativenessIf you control input data, ensure it is relevant and sufficiently representative of the intended use.
- 4Monitor operationOngoing monitoring of system behaviour; report serious incidents to the provider and authorities.
- 5Keep logsRetain automatically generated logs for at least 6 months.
- 6Inform workers and repsInform worker representatives and affected workers before putting a high-risk AI system into service in the workplace.
- 7Right-to-explanationAffected individuals can request an explanation of decisions involving a high-risk system.
Step 1: AI inventory
You cannot govern what you cannot see. The first step is a complete inventory of every AI capability touching HR decisions — including the ones embedded in your HRIS, your ATS, your learning platform, and your engagement tool. Most HR functions discover 15–40 AI features when they look properly; they expected 3–5.
- List every HR-adjacent system used in the last 12 months.
- For each, list every AI-enabled feature (vendor disclosed + features you've enabled).
- Classify: Annex III high-risk / limited-risk / minimal-risk / GenAI foundation model.
- For high-risk: identify provider, version, and date deployed.
- Map data flows: what employee/candidate data enters; where outputs go; who acts on them.
Step 2: gap assessment
For every high-risk system, run a gap assessment against the seven deployer obligations. The most common gaps in HR are: no named human oversight role (everyone is responsible = no-one is), no worker-representative notification, no logging policy, and no documented right-to-explanation process. Vendors typically provide the technical documentation but cannot provide your governance — that is on you.
Step 3: the fix plan
| Gap | Fix | Owner |
|---|---|---|
| No AI inventory | Quarterly inventory process, owned by HR + IT | CHRO + CIO |
| No named oversight role | Per system: name a role, define escalation, train them | HRBP per system |
| No logging / retention | Vendor confirms log retention; document policy | HR Ops |
| No worker notification | Comms plan + works-council notification template | ER lead |
| No explanation process | Standard response process, 30-day SLA, legal-reviewed templates | HRBP + Legal |
| No bias testing cadence | Quarterly outcome review with disparate-impact stats | People Analytics |
Even if your vendor is fully compliant as a 'provider' under the Act, you as 'deployer' have separate obligations. The most common 2026 enforcement scenario will be a vendor with a clean CE mark and a deployer with no oversight role, no logs, and no notification trail. Don't be the deployer in that story.
Non-compliance with high-risk obligations can attract administrative fines up to €15 million or 3% of global turnover (whichever is higher). For prohibited practices (e.g. inferring emotions of workers in most contexts), fines can reach €35M or 7%.
Read next
All playbooksNew York City's Local Law 144 requires an independent bias audit of any automated employment decision tool. Here is what 'independent', 'audit', and 'bias'…
Half of HR AI vendor failures are predictable from the procurement conversation. Here is the 30-question standard top procurement and HR partnerships use to…
A practical decision framework for AI in hiring — what AI can safely do (sourcing, screening assist, interview notes), what it must not do (final ranking…