EU AI Act compliance for HR-tech companies in Austria
The EU AI Act (Regulation (EU) 2024/1689) is uniform across all 27 member states. Austrian HR-tech companies deploying AI for hiring, performance management, or workforce evaluation face the same obligations as any other EU deployer — no national exemptions, no opt-outs, no delayed transposition. This page sets out what applies, when it applies, and what PowerQuant can deliver for a fixed price.
Why HR and recruitment AI is classified as high-risk
Annex III point 4 of the EU AI Act lists employment, workers management, and access to self-employment as a high-risk use area. The specific categories are:
- Point 4(a) — AI intended for recruitment or selection: placing targeted job advertisements, analysing and filtering applications, evaluating and ranking candidates.
- Point 4(b) — AI that makes or materially influences decisions on promotion, termination, task allocation, or performance monitoring.
This classification applies uniformly across the EU, including Austria. If your organisation deploys a CV-screening tool, an applicant-ranking engine, an interview-analysis platform, or an automated performance-scoring system, it is in scope. The narrow exception in Article 6(3) — for systems that pose no significant risk to fundamental rights — does not apply to profiling of natural persons, and almost never applies to candidate screening or ranking.
Key dates every Austrian HR team needs to know
These dates are EU-wide and identical in Austria:
| Date | What changes |
|---|---|
| 2 February 2025 | Prohibited AI practices (Article 5) entered into force. Social scoring, manipulative AI, real-time remote biometric surveillance in public — banned. |
| 2 August 2025 | General-purpose AI (GPAI) obligations apply to foundation model providers. |
| 2 August 2026 | High-risk deployer obligations under Chapter III apply. This is the critical date for HR-tech deployers. |
| Proposed: 2 December 2027 | A proposed Digital Omnibus package may defer certain Annex III obligations for deployers to this date. This is a legislative proposal only — it has not been enacted. Austrian deployers should not rely on it and should plan for the 2 August 2026 deadline. |
Article 26 deployer obligations
Being a deployer — not the AI provider — does not remove your compliance burden. Article 26 places the following obligations directly on the organisation using the high-risk system:
- Use per provider instructions — Deploy the system only within its documented intended purpose; do not adapt it in ways the provider has not covered in the instructions for use.
- Competent human oversight — Assign responsibility for oversight to natural persons with the authority, training, and competence to intervene, override, or suspend the system (Article 26(2), read with Article 14).
- Automatic logging — retain at least 6 months — The EU AI Act requires that logs generated automatically by high-risk systems are retained for a period appropriate to the intended purpose, with a minimum of six months where relevant for traceability. Document that you have configured or instructed this.
- Inform workers and representatives — Article 26(7) requires deployers to inform affected workers and their representatives before deploying high-risk AI that affects them. This is not a post-deployment notification; it is a prior transparency obligation.
- Fundamental Rights Impact Assessment (FRIA) — Article 27 requires deployers that are bodies governed by public law, or private operators providing public services, to carry out a FRIA before deploying a high-risk AI system. Certain other deployers may also be required to conduct one depending on their sector. If your organisation falls in scope, the FRIA must be completed before go-live.
NIS2 and cybersecurity obligations
NIS2 (Directive (EU) 2022/2555) raises the baseline for cybersecurity across the EU and has been transposed into national law in each member state, including Austria. Austrian entities should confirm their sector classification and identify their national competent authority.
HR-tech SaaS vendors above the relevant size thresholds are typically classified as important entities under the digital providers category. Their customers — HR departments within medium and large organisations — may be in scope in their own right depending on their sector. NIS2 introduces mandatory security measures, supply-chain risk management, incident reporting within 24 hours (initial notification) and 72 hours (incident report), and senior management accountability.
Penalties
The EU AI Act sets uniform, maximum penalties:
- Up to EUR 35 million or 7% of global annual turnover for violations of prohibited AI practices (Article 5).
- Up to EUR 15 million or 3% of global annual turnover for violations of other obligations, including Article 26 deployer duties.
- Up to EUR 7.5 million or 1% of global annual turnover for providing incorrect or misleading information.
Whichever is higher applies in each case. National market surveillance authorities (in Austria, the relevant supervisory body) are responsible for enforcement.
What PowerQuant delivers — fixed price, fixed delivery
PowerQuant produces structured compliance-evidence packages cross-checked against the regulation text. No padded retainers, no open-ended consulting.
| Module | What you receive | Price |
|---|---|---|
| Module 1 — AI inventory & Article 4 literacy register | A structured AI-system inventory covering all in-scope systems, mapped to Annex III, plus a documented AI literacy programme per Article 4 | EUR 1,499 |
| Module 2 — Procurement Evidence Pack (Article 26) | A complete deployer-side evidence pack: supplier due-diligence records, human-oversight assignment, logging configuration confirmation, worker notification documentation, and FRIA template where applicable | EUR 3,499 |
| Ongoing monitoring | Quarterly review of regulatory developments (Digital Omnibus, delegated acts, national enforcement guidance), updated evidence records, and alert on changes that affect your documentation | From EUR 699/month |
Every deliverable references the specific article, paragraph, and recital it is designed to satisfy. You receive editable source documents, not locked PDFs.
Get a fixed quote
Contact us at kontakt@powerquant.dk to describe your AI footprint and receive a fixed-price quote, typically within one business day.
This page is technical documentation, not legal advice. For legal opinions specific to your organisation, consult a qualified Austrian or EU-admitted lawyer.
PowerQuant ApS, CVR 46274067, Copenhagen, Denmark.