
EU AI Act compliance for HR-tech companies in Italy

Italy, like every EU member state, is subject to Regulation (EU) 2024/1689 — the EU AI Act — directly and without transposition. The obligations described on this page apply uniformly across the EU; there is no Italian variant of the high-risk rules, and there is no national derogation for HR software. If your company deploys AI in recruitment, performance management or workforce analytics, the analysis below applies to you regardless of whether your headquarters are in Milan, Rome, or anywhere else in the Union.

HR and recruitment AI is high-risk under Annex III

Annex III, point 4 of the EU AI Act designates employment, workers management and access to self-employment as a high-risk use area. Two sub-categories are directly relevant to HR-tech:

  • Point 4(a) — AI intended for recruitment or selection: placing targeted job advertisements, analysing and filtering applications, and evaluating candidates in interviews or assessments.
  • Point 4(b) — AI that makes or materially influences decisions on promotion, termination, task allocation, performance monitoring and similar matters affecting employment relationships.

The narrow Article 6(3) exception (no significant risk to fundamental rights, no material influence on decision-making) does not apply to profiling of natural persons and is effectively unavailable for CV screening, candidate ranking, or behavioural interview analysis.

Key dates — identical across the EU including Italy

Obligation | Date in force
Prohibited AI practices (Art 5) | 2 February 2025
GPAI model rules (Title VII) | 2 August 2025
High-risk obligations (Title III, incl. Annex III) | 2 August 2026

A Digital Omnibus proposal currently before the EU institutions would, if enacted, defer some Annex III deployer obligations to 2 December 2027. As of the date of this page this remains a legislative proposal — it has not been enacted and should not be relied upon for compliance planning.

Deployer obligations under Article 26

An organisation that puts a high-risk AI system into use is a deployer under the EU AI Act and carries obligations that run in parallel with — and independently of — those of the vendor. Article 26 requires deployers to:

  1. Use the system per provider instructions. Configurations or use cases outside the scope of the provider's instructions for use transfer additional compliance responsibility to the deployer.
  2. Assign competent human oversight. Persons responsible for oversight must have the authority, training and competence to intervene and, where necessary, suspend the system (Article 14).
  3. Retain automatic operational logs for at least six months, unless other applicable law (e.g. GDPR data minimisation) requires a shorter period. These logs are evidence of deployer monitoring under Article 26(5).
  4. Inform workers and their representatives before deploying a high-risk AI system in the workplace, as required by Article 26(7).

Where a deployer is a public body, or where the system is used to make decisions that significantly affect individuals' access to employment or working conditions, a Fundamental Rights Impact Assessment (FRIA) under Article 27 is required before deployment. Private companies above applicable size thresholds should assess whether their use cases trigger this obligation.

NIS2 cybersecurity obligations

NIS2 — Directive (EU) 2022/2555 — substantially raises the floor for cybersecurity risk management and incident reporting across the EU. It is transposed into the national law of each member state, including Italy. HR-tech SaaS vendors are typically classified as important entities in the digital providers category if they exceed the relevant size threshold, and their enterprise customers may independently fall in scope depending on sector. Italian entities should verify their sector classification and identify the national competent authority responsible for their category. PowerQuant does not provide national legal classification advice; an Italian counsel or the relevant authority should be consulted for a binding determination.

Penalties (uniform across the EU)

The EU AI Act sets three penalty tiers, each expressed as the higher of an absolute amount or a percentage of total worldwide annual turnover:

  • Up to EUR 35 million or 7 % for violations of the prohibited practices in Article 5.
  • Up to EUR 15 million or 3 % for other violations, including non-compliance with deployer obligations.
  • Up to EUR 7.5 million or 1 % for providing incorrect, incomplete or misleading information to authorities.

For SMEs and start-ups, proportionality applies but the ceilings remain the same reference point.

What PowerQuant delivers

PowerQuant provides fixed-price compliance documentation packages designed for HR-tech deployers. Every claim in our deliverables is cross-referenced against the regulatory text.

Module | What you receive | Price
Module 1 — AI Inventory & Article 4 Literacy Register | Full inventory of AI systems in scope, classification rationale, and an Article 4 AI literacy register for staff | EUR 1,499
Module 2 — Procurement Evidence Pack (Article 26) | Deployer compliance documentation covering Article 26 duties, oversight assignment, log retention policy, and worker notification framework | EUR 3,499
Ongoing Compliance Monitoring | Continuous regulatory tracking, quarterly evidence updates, and alert service for legislative changes including Digital Omnibus progress | from EUR 699 / month

All three modules are delivered at a fixed price with a fixed scope. No hourly billing, no scope surprises.

Get a fixed quote

Contact us at kontakt@powerquant.dk to request a scoping call and a fixed quote for your organisation.


This page is technical documentation and does not constitute legal advice. Confirm your obligations with qualified legal counsel in your jurisdiction. PowerQuant ApS, CVR 46274067.