EU AI Act compliance for HR-tech companies in Spain
Spain-based organisations that deploy AI in recruitment, candidate evaluation, or workforce management face the same binding EU AI Act obligations as every other member state. Regulation (EU) 2024/1689 is directly applicable law across the European Union — there is no Spanish version, no national transposition, and no opt-out. The rules are uniform. The deadlines are uniform. The penalties are uniform.
This page explains what the regulation requires of HR-tech deployers, when obligations apply, and how PowerQuant delivers the evidence your organisation needs.
HR and recruitment AI is high-risk — EU-wide
Annex III of Regulation (EU) 2024/1689 lists AI systems in employment, workers management, and access to self-employment as high-risk use cases. Point 4 specifically covers:
- Point 4(a): AI systems for the recruitment or selection of natural persons — including targeted job advertising, CV and application filtering, and candidate evaluation.
- Point 4(b): AI that makes or materially influences decisions on promotion, termination, task allocation, and performance or behaviour monitoring.
This classification applies identically whether the deploying organisation is headquartered in Madrid, Barcelona, Valencia, or any other EU location. The Annex III list is part of the regulation itself, not a national measure.
Key dates (uniform across the EU, including Spain)
| Date | Obligation |
|---|---|
| 2 February 2025 | Prohibited AI practices (Article 5) are banned. AI literacy obligations (Article 4) apply. |
| 2 August 2025 | Rules for general-purpose AI (GPAI) models apply. |
| 2 August 2026 | Full high-risk obligations under Annex III and Article 26 apply. |
Note on the proposed Digital Omnibus: The European Commission has proposed legislative amendments — commonly referred to as the Digital Omnibus package — that would defer certain Annex III deployer obligations from 2 August 2026 to 2 December 2027. As of June 2026, this proposal has not been enacted. Deployers should plan for the 2 August 2026 deadline until the legislative process concludes.
Article 26 — Deployer obligations
Once the high-risk regime applies, organisations deploying Annex III HR or recruitment AI must comply with Article 26 of the EU AI Act. The core obligations are:
- Use per instructions: Operate the AI system in accordance with the provider's instructions for use.
- Competent human oversight: Designate natural persons with the necessary competence, training, and authority to exercise meaningful oversight — not rubber-stamp review.
- Log retention: Keep the logs automatically generated by the system for at least six months.
- Inform workers and representatives: Before putting a high-risk AI system into use in the workplace, inform the workers concerned and their representatives.
Where applicable, deployers in scope for Article 27 must also conduct a Fundamental Rights Impact Assessment (FRIA) before first deployment. This assessment documents the likely impact of the system on fundamental rights and must be submitted to the relevant market surveillance authority on request.
Article 4 — AI literacy (already in force)
Since 2 February 2025, deployers must ensure a sufficient level of AI literacy among staff involved in operating and using AI systems. This is not aspirational — it is a current legal obligation. Maintain a structured register of training delivered to recruiters, hiring managers, and HR business partners. PowerQuant's Module 1 includes an Article 4 literacy register template.
Penalties (uniform across the EU)
Infringement of the EU AI Act carries the same penalties regardless of where in the EU the deployer is based:
- Up to EUR 35 million or 7% of global annual turnover for violations of prohibited AI practices (Article 5).
- Up to EUR 15 million or 3% of global annual turnover for violations of obligations applicable to providers, deployers, and other operators.
- Up to EUR 7.5 million or 1% of global annual turnover for supplying incorrect, incomplete, or misleading information to authorities.
The higher figure applies in each bracket.
NIS2 cybersecurity obligations
NIS2 (Directive (EU) 2022/2555) raises cybersecurity standards across the EU and is transposed into national law in each member state, including Spain. HR-tech SaaS vendors are typically classified as important entities (digital infrastructure or digital providers) if they exceed the relevant size thresholds. Their customers may also be in scope under their own sector classification.
Spanish organisations should confirm their sector classification and identify the relevant national competent authority under the Spanish transposition of NIS2. Requirements include governance measures, incident reporting, supply chain security, and regular risk assessments.
PowerQuant does not provide NIS2 implementation services, but our procurement evidence pack documents how you have assessed the cybersecurity posture of your AI vendors, which is directly relevant to NIS2 supply chain obligations.
What PowerQuant delivers
PowerQuant provides fixed-price, fixed-scope compliance evidence packages for HR-tech deployers. Every document is cross-checked against the regulation text — not against a consultant's interpretation.
| Module | What you receive | Price |
|---|---|---|
| Module 1 | AI system inventory + Annex III risk classification + Article 4 AI literacy register | EUR 1,499 |
| Module 2 | Procurement Evidence Pack under Article 26 (vendor instructions review, oversight SOP, log-retention policy, worker information notice, FRIA template) | EUR 3,499 |
| Ongoing monitoring | Quarterly regulatory update briefings + documentation refresh as the law evolves | From EUR 699/month |
Delivery in five working days. No retainer required for Module 1 or Module 2.
Get a fixed quote
Email kontakt@powerquant.dk to describe your HR-tech stack and receive a fixed quote within one business day.
This page is technical documentation prepared by PowerQuant ApS (CVR 46274067). It is not legal advice. For advice on your specific legal position under the EU AI Act or NIS2, consult a qualified lawyer or your national supervisory authority.