
EU AI Act compliance for HR-tech companies in Finland

If your organisation uses AI to screen CVs, rank candidates, assess performance, or make decisions about employment, promotion or termination — you are operating a high-risk AI system under Regulation (EU) 2024/1689 (the EU AI Act). That classification applies uniformly across all EU member states, including Finland. Compliance obligations fall on you as the deployer, regardless of where your AI vendor is headquartered.

Why HR and recruitment AI is high-risk everywhere in the EU

Annex III point 4 of the EU AI Act designates employment, workers management and access to self-employment as a high-risk use area. Point 4(a) covers AI used to place targeted job advertisements, analyse and filter job applications, and evaluate candidates. Point 4(b) covers AI that makes or materially influences decisions on promotion, termination, task allocation, monitoring of performance and behaviour, and access to self-employment.

This classification is not a national discretion — it is set in the directly applicable EU regulation and applies identically in Finland, Denmark, Germany, and every other member state. Finnish HR-tech companies deploying such systems carry the same Annex III obligations as any other EU deployer.

A narrow exception under Article 6(3) exists for Annex III systems that pose no significant risk to fundamental rights and do not materially influence decision-making. Profiling of natural persons is always high-risk and never qualifies for the exception. In practice, CV screening and candidate ranking almost never qualify because they directly influence hiring outcomes.

Key compliance dates

  • 2 February 2025 — Prohibited AI practices (Article 5) became enforceable across the EU. No grace period applies.
  • 2 August 2025 — General-Purpose AI (GPAI) rules apply.
  • 2 August 2026 — Full Annex III high-risk deployer obligations become enforceable.

A proposed Digital Omnibus regulation (as of June 2026, not yet enacted) would defer certain Annex III obligations for deployers to 2 December 2027. This proposal has not been adopted into law; organisations should plan to the 2 August 2026 deadline unless and until the deferral is formally enacted.

Deployer duties under Article 26

The EU AI Act places active compliance duties on the organisation that puts the AI system into operation — the deployer. Article 26 requires you to:

  • Use the system as instructed — follow the provider's instructions for use, including any constraints on input data and intended purpose.
  • Ensure competent human oversight — designate natural persons with the necessary competence, authority and training to monitor and, where necessary, override AI-assisted decisions (Article 26(2) and Article 14).
  • Keep logs for at least six months — automatically generated logs must be retained for an appropriate period, in any case no less than six months (Article 26(6)).
  • Inform workers and their representatives — before putting a high-risk AI system into service in the workplace, inform affected workers and their representatives (Article 26(7)).
  • Inform individuals subject to AI-assisted decisions — natural persons must be told when a decision has been taken or materially assisted by a high-risk AI system (Article 26(11)).
  • Monitor operation and report serious incidents — notify the provider of serious incidents or malfunctions (Article 26(5)).

Where a high-risk AI system poses a risk to fundamental rights — as employment AI almost always does — deployers must also conduct a Fundamental Rights Impact Assessment (FRIA) under Article 27 before deployment.

Penalties for non-compliance

Sanctions are set at EU level and apply uniformly:

  • Up to EUR 35 million or 7% of total worldwide annual turnover for prohibited practice violations.
  • Up to EUR 15 million or 3% for non-compliance with provider or deployer obligations.
  • Up to EUR 7.5 million or 1% for providing incorrect or misleading information to authorities.

Finland's national market surveillance authority will be responsible for enforcement within Finland.

NIS2 cybersecurity obligations

NIS2 (Directive (EU) 2022/2555) raises cybersecurity risk-management and incident-reporting obligations for entities across critical and important sectors. The directive is transposed into national law in each EU member state, including Finland. HR-tech SaaS vendors that exceed the medium-enterprise size threshold (50 employees or EUR 10 million turnover) typically qualify as important entities under the digital providers category. Their customers may independently be in scope through their own sector classification (banking, energy, health, public administration, manufacturing, and others). Finnish organisations should verify their sector classification and identify their national competent authority under the Finnish transposition of NIS2. Because NIS2 imposes supply-chain security requirements, in-scope entities must also manage cybersecurity risk in their HR-tech suppliers — regardless of whether those suppliers are themselves in scope.

What PowerQuant delivers

PowerQuant provides fixed-price, fixed-delivery EU AI Act compliance evidence packages for HR-tech deployers. Every claim is cross-checked against the regulation text — no filler, no generic templates.

Module | Scope | Price
Module 1 | AI inventory & Article 4 AI literacy register | EUR 1,499
Module 2 | Procurement Evidence Pack under Article 26 | EUR 3,499
Ongoing monitoring | Continuous compliance monitoring | From EUR 699/month

Module 1 documents your AI systems and establishes the Article 4 literacy programme required for staff involved in AI oversight. Module 2 produces the deployer evidence pack: Article 26 checklist, FRIA documentation, log retention policy, and worker notification records. Ongoing monitoring tracks regulatory developments — including the proposed Digital Omnibus — and keeps your documentation current.

Get a fixed quote

Contact us at kontakt@powerquant.dk to receive a fixed quote scoped to your specific HR systems and deployment footprint. We work with Finnish and Nordic HR-tech companies across the EU and respond within one business day.


This page provides technical documentation about regulatory requirements and does not constitute legal advice. PowerQuant ApS, CVR 46274067.