
EU AI Act compliance for HR-tech companies in Germany

If your HR-tech product uses AI to screen CVs, rank candidates, set performance targets, or monitor employees, it is already classified as high-risk under EU law — regardless of where in the European Union you operate. This page sets out what that means for deployers in Germany and how PowerQuant helps you build the evidence you need before the deadlines arrive.


The EU AI Act applies uniformly — including in Germany

Regulation (EU) 2024/1689 (the EU AI Act) is a directly applicable EU regulation. It does not require national transposition and its obligations are identical in every member state, including Germany. There is no separate "German AI Act" — the same rules, thresholds, and timelines apply to a deployer in Munich as to one in Madrid or Warsaw.


HR and recruitment AI is high-risk under Annex III

Annex III, point 4 of the EU AI Act designates AI systems used in employment, workers' management, and access to self-employment as high-risk. This covers, among other things:

  • AI used to place targeted job advertisements or pre-screen applications (point 4(a))
  • AI that evaluates candidates during interviews or assessments (point 4(a))
  • AI used to monitor, evaluate, or manage the performance of employees (point 4(b))
  • AI that allocates tasks or targets productivity in the workplace (point 4(b))

If your company deploys any such system — even a tool built and maintained by a third-party vendor — you are the deployer under the regulation and carry your own obligations.


Key dates (uniform across the EU)

Milestone                                       Date
----------------------------------------------  ----------------
Prohibited AI practices banned                  2 February 2025
GPAI (general-purpose AI) obligations apply     2 August 2025
High-risk deployer obligations apply            2 August 2026

A proposed "Digital Omnibus" package currently under discussion in the EU legislative process would defer certain Annex III high-risk obligations to 2 December 2027 for some deployers. This has not yet been enacted; until it is, the 2 August 2026 date remains the binding deadline. Deployers who rely on a deferral that does not materialise will face full retrospective exposure.


What deployers must do: Article 26 obligations

Once the high-risk regime applies, you as deployer must:

  1. Use the system only in accordance with the provider's instructions — deviations can shift liability to you.
  2. Ensure competent human oversight under Article 14, including the practical ability to intervene, override, or suspend outputs before they affect a worker or candidate.
  3. Retain automatic operational logs for a minimum of six months (Article 26(5)) — your own logs, separate from any logs the vendor keeps.
  4. Inform workers and their representatives that an AI system is being used before it affects them.
  5. Conduct a Fundamental Rights Impact Assessment (FRIA) under Article 27 if you are a body governed by public law, or if the system processes personal data and is used in the context of employment or access to essential services.

These are deployer-level duties that cannot be fully outsourced to your vendor. Even if the provider is fully compliant, you need your own documented evidence.


Penalties

The EU AI Act sets maximum penalties that apply uniformly across the EU:

  • Up to EUR 35 million or 7% of global annual turnover for violations involving prohibited AI practices
  • Up to EUR 15 million or 3% for violations of high-risk obligations including Article 26 deployer duties
  • Up to EUR 7.5 million or 1% for providing incorrect information to authorities

Germany's national AI supervisory authority will enforce these rules within the country. The risk is not theoretical: AI Act enforcement infrastructure is being built now, ahead of the August 2026 application date.


NIS2 cybersecurity obligations

NIS2 — Directive (EU) 2022/2555 — raises mandatory cybersecurity standards for entities in covered sectors and has been transposed into national law in each EU member state, including Germany. HR-tech SaaS vendors are typically classified as important entities (digital providers) above the employee and revenue thresholds, and their enterprise customers may independently be in scope through their own sector classification. Obligations include incident reporting, supply-chain security measures, and governance requirements with personal liability for management.

German organisations should confirm their own sector classification and identify their national competent authority to determine their NIS2 obligations — these depend on the specific national implementing act and sector designation. PowerQuant's compliance packages include a structured NIS2 scope review to help you establish that picture.


What PowerQuant delivers

PowerQuant provides fixed-price, fixed-scope compliance evidence packages built directly from the regulation text. Every claim in our deliverables is cross-referenced against Regulation (EU) 2024/1689 or Directive (EU) 2022/2555 — not paraphrased from secondary sources.

Package, what you get, and price:

  • Module 1 — AI Inventory & Article 4 Literacy Register (EUR 1,499)
    Structured inventory of your AI systems, Annex III classification, and documented AI literacy programme for staff.

  • Module 2 — Article 26 Procurement Evidence Pack (EUR 3,499)
    Vendor due-diligence schema, Article 26 deployer checklist, FRIA screening, log-retention policy, and worker-notification template.

  • Ongoing Compliance Monitoring (from EUR 699/month)
    Quarterly regulatory updates, a flag on Digital Omnibus or enforcement guidance changes, and a maintained evidence trail.

All packages are delivered digitally, typically within five working days of intake.


Get a fixed quote

Send your company name, number of AI tools in use, and the sectors you operate in to kontakt@powerquant.dk — we will reply with a fixed quote, no discovery call required.


This page is technical documentation for informational purposes only and does not constitute legal advice. Consult a qualified legal adviser for advice specific to your situation. PowerQuant ApS, CVR 46274067.