EU AI Act for HR-tech
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the first horizontal legal framework for artificial intelligence in the European Union. For HR-tech vendors and the employers who deploy their tools, it is not an abstract piece of legislation: the use of AI in the recruitment, selection, evaluation and monitoring of workers is explicitly classified as high-risk. That classification triggers a defined set of obligations on providers and deployers, with concrete deadlines and documentation requirements.
This page explains what the AI Act means for HR-tech, which articles apply, what the realistic timeline looks like, and how a structured evidence pack reduces the workload to a known quantity.
Why HR-AI is high-risk
Annex III, point 4 of the AI Act lists AI systems intended to be used:
- for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter applications, and to evaluate candidates; and
- to make decisions affecting the terms of work-related relationships, the promotion or termination of such relationships, to allocate tasks based on individual behaviour or personal traits, or to monitor and evaluate the performance and behaviour of persons in such relationships.
Any AI system falling within these descriptions is, by default, high-risk under Article 6(2).
Article 6(3) introduces a narrow derogation: a system listed in Annex III is not considered high-risk if it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons — for instance because it performs only a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing or influencing the prior human assessment, or performs a preparatory task. The derogation, however, does not apply where the AI system performs profiling of natural persons. In an HR context, candidate ranking, behavioural scoring and most performance-evaluation features will involve profiling within the meaning of Article 4(4) GDPR, and therefore remain high-risk.
In practice, it is difficult for a typical production HR-AI system to credibly invoke Article 6(3), and the Commission's guidelines on the derogation under Article 6(5) are still being finalised. Treating the system as high-risk is the safer working assumption, and the one supervisory authorities will expect to be documented either way.
Which obligations apply
For a high-risk HR-AI system, the AI Act imposes a defined set of obligations. The provider — the entity that develops the system, or has it developed, and places it on the market under its own name — carries the bulk of them:
- Risk management system (Art. 9): a continuous, iterative process covering the entire lifecycle of the system, with identification, estimation and mitigation of foreseeable risks to health, safety and fundamental rights.
- Data and data governance (Art. 10): training, validation and testing data sets must meet quality criteria, including relevance and representativeness, and must be examined for possible biases that could affect protected groups — directly relevant for HR use cases.
- Technical documentation (Art. 11 and Annex IV): drawn up before the system is placed on the market and kept up to date, covering the elements listed in Annex IV (general description, design, monitoring, performance, risk management measures, and the like).
- Record-keeping and logging (Art. 12): automatic logging of events over the lifetime of the system, sufficient to ensure traceability appropriate to the intended purpose.
- Transparency and information to deployers (Art. 13): clear instructions for use, including the system's characteristics, capabilities and limitations, expected accuracy, and known or foreseeable circumstances that may lead to risks.
- Human oversight (Art. 14): the system must be designed so that it can be effectively overseen by natural persons throughout the period it is in use, including measures that enable a human to intervene, override or disregard its output.
- Accuracy, robustness and cybersecurity (Art. 15): appropriate levels of accuracy, robustness and cybersecurity, maintained consistently throughout the lifecycle.
- Quality management system (Art. 17): a documented QMS covering the strategy for regulatory compliance, design control, data management, post-market monitoring, incident reporting and accountability.
- Conformity assessment and CE marking (Art. 43 and Art. 48): for Annex III systems, this is generally based on internal control before placing the system on the market, followed by registration.
- Registration in the EU database (Art. 49): providers must register the high-risk system in the EU database established under Article 71, and deployers that are public authorities, or that act on their behalf, must register the deployment.
Deployers — including the HR teams and employers using the system — have their own obligations under Article 26: using the system in accordance with the instructions for use, assigning human oversight to natural persons with the necessary competence, ensuring input data is relevant and sufficiently representative, monitoring operation and reporting serious incidents, and keeping logs to the extent they are under their control.
Where the deployer is a body governed by public law, or a private operator providing public services, Article 27 additionally requires a fundamental rights impact assessment (FRIA) before deployment. For purely private-sector HR-tech use, the FRIA requirement does not automatically apply; whether it is triggered depends on the nature of the deployer and the use case, and should be assessed case by case rather than asserted by default.
Workers and their representatives must, under Article 26(7), be informed before a high-risk system is put into service or used in the workplace.
Timeline
The AI Act entered into force on 1 August 2024, with staggered application:
- 2 February 2025 — the prohibitions in Article 5 apply, including the ban on AI systems that infer emotions in the workplace and on AI used for social scoring, subject to the conditions set out in the text. From the same date, Article 4 (AI literacy) requires providers and deployers to ensure a sufficient level of AI literacy among staff and other persons dealing with the operation and use of AI systems on their behalf.
- 2 August 2025 — the obligations for general-purpose AI models and the governance provisions begin to apply.
- 2 August 2026 — the main body of obligations for high-risk AI systems under Annex III, including HR use cases, becomes applicable. This is the date most HR-tech providers and deployers should plan against.
- 2 August 2027 — an extended transition applies for high-risk systems that are safety components of products covered by Annex I.
A political agreement reached on 7 May 2026 under the Digital Omnibus package would postpone the application date for Annex III high-risk systems to 2 December 2027. As of June 2026, this postponement is a political agreement only: the amendment has not yet been formally adopted by the co-legislators and has not yet been published in the Official Journal. Until that happens, 2 August 2026 remains the operative deadline, and it is the prudent planning assumption.
How PowerQuant helps
PowerQuant produces source-referenced compliance evidence packages for HR-tech providers and deployers. Each pack maps the system, its data and its lifecycle to the specific articles and Annex IV elements above, with citations to the legal text and to the underlying technical and organisational evidence.
What is included is fixed in advance:
- a defined deliverable list mapped to Art. 9 through Art. 15, Art. 17, Art. 26 and Annex IV;
- a transparent, fixed price agreed before work begins;
- a fixed delivery date.
No retainer, no scope creep, no ambiguity about what is in or out. The output is documentation that an auditor, a customer's procurement team or a supervisory authority can read and verify against the regulation.
If you are scoping AI Act readiness for an HR-tech product or deployment, request a scoping call.