
EU AI Act and NIS2 for HR-tech deployers across the European Union. Twenty-six concrete questions about roles, timelines, high-risk classification, Art 26 deployer obligations, fines and the NIS2 overlap — with article references to Regulation (EU) 2024/1689 and Directive (EU) 2022/2555.

Last updated: June 2026. PowerQuant ApS (CVR 46274067) is a technical documentation and evidence vendor — not a law firm. The information below is not legal advice. Always verify against the current regulation text and the competent national authority before any compliance decision.

1. Who does the law apply to? (Roles)

Roles determine which obligations apply. Confusing the deployer role with the provider role is the single most common mistake we see in EU HR-tech.

What is the difference between a deployer and a provider under the EU AI Act?

A provider develops an AI system (or has it developed) and places it on the EU market or puts it into service under its own name or trademark (Art 3(3) of Regulation (EU) 2024/1689). A deployer is a natural or legal person using an AI system under its own authority in the course of a professional activity (Art 3(4)). Most EU HR-tech companies are deployers of third-party AI (Workday Recruiting, Greenhouse, HiBob, Microsoft Copilot, ChatGPT Enterprise, Bullhorn AI) and may simultaneously be providers of their own AI features.

Are we a deployer if we simply use Workday or Greenhouse?

Yes. When you actively use an AI system in your recruiting or HR process, you are a deployer of that system regardless of who built it. You therefore have stand-alone obligations under Art 26 (high-risk deployer duties) and Art 50 (transparency) that cannot be contracted away to the provider.

We sell HR-tech that contains an AI feature — are we a provider or a deployer?

Both at the same time, if you both develop and market the AI feature and also use it internally. As a provider you are subject to Art 16-22 (conformity assessment, CE marking, post-market monitoring, technical documentation). Toward your own customers, who are themselves deployers, you should still deliver instructions for use and logging output so that they can evidence their own Art 26 obligations.

If we fine-tune or substantially modify a model, do we become a provider?

Yes, under Art 25(1). If you place your own name on a high-risk AI system already on the market, substantially modify a high-risk AI system, or modify the intended purpose of a non-high-risk system so it becomes high-risk, you are considered a new provider with full provider obligations. Ordinary configuration or prompt-tuning typically does not trigger Art 25; fine-tuning a model on your own data may.

Does the EU AI Act apply to SMEs and start-ups?

Yes, the AI Act applies regardless of company size. A few specific easements exist: SMEs and start-ups get priority access to AI regulatory sandboxes (Art 62), and the cap on administrative fines under Art 99(6) is calculated as the LOWER of the fixed EUR amount and the percentage of turnover (the opposite of the rule for larger undertakings, where the HIGHER applies).

2. Timelines — what applies when?

The AI Act entered into force on 1 August 2024 (Regulation (EU) 2024/1689) with phased application. The key dates for EU HR-tech deployers:

When did the prohibitions on unacceptable AI practices (Art 5) start to apply?

2 February 2025. Art 5 prohibits, among other things, social scoring by public or private actors, manipulative AI that materially distorts behaviour to a person's detriment, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), and — particularly relevant for HR-tech — emotion recognition at the workplace and in educational settings, except for medical or safety reasons.

When must we comply with Art 4 AI literacy?

Art 4 has applied since 2 February 2025 for both providers and deployers. The Commission's AI Office has confirmed there is no transition period for Art 4 itself. Active supervisory enforcement by national market-surveillance authorities begins 2 August 2026, but the substantive duty is in force today.

When do Art 50 transparency obligations for deployers start to apply?

2 August 2026. Deployers that generate or manipulate image, audio or video that constitutes a deepfake must disclose that the content is artificially generated or manipulated (Art 50(4)). Deployers using emotion-recognition or biometric-categorisation systems must inform the natural persons exposed to the system (Art 50(3)). AI-generated text published to inform the public on matters of public interest must be labelled as artificially generated unless it has undergone human editorial review with editorial responsibility.

When do the Annex III high-risk obligations start to apply?

The original deadline is 2 August 2026 (Art 113). The Digital/AI Omnibus political agreement of 7 May 2026 has PROPOSED to defer the stand-alone Annex III high-risk obligations to 2 December 2027 (and AI embedded in Annex I regulated products to 2 August 2028). The European Parliament endorsed the provisional agreement on 16 June 2026, but the Council has not yet completed formal adoption and the text has not yet been published in the Official Journal as of 25 June 2026. Until that publication takes effect, 2 August 2026 remains the legally binding date.

What is the current status of the Digital Omnibus proposal?

Provisional political (trilogue) agreement was reached on 7 May 2026 between the Commission, the Parliament and the Council. The Parliament formally endorsed the provisional agreement on 16 June 2026. Council formal adoption and Official Journal publication are still outstanding as of 25 June 2026. The Omnibus does not touch Art 4 (AI literacy), Art 5 (prohibitions), Art 50 (transparency) or the General-Purpose AI obligations in Chapter V — those continue on their original timelines. Until the Omnibus is formally adopted and published, the original 2 August 2026 high-risk deadline is the date that legally binds you; we recommend planning toward 2 August 2026 and treating any final deferral as buffer.

3. When are we high-risk? (Annex III)

Annex III lists eight categories of high-risk use cases. HR-tech is typically caught by point 4 (employment, worker management and access to self-employment) and may also be caught by point 1 (biometrics) depending on use.

Is recruiting AI high-risk?

Yes. Annex III point 4(a) classifies AI systems intended to be used for the recruitment or selection of natural persons as high-risk, including systems used to place targeted job advertisements, to analyse and filter applications, and to evaluate candidates. Applicant tracking systems with AI scoring, CV screening, video-interview analysis and resume parsing typically fall into this category.

Is worker monitoring and performance evaluation high-risk?

Yes, when it goes beyond neutral time tracking. Annex III point 4(b) covers AI intended to be used to make or materially influence decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, the allocation of tasks based on individual behaviour or personal traits, and the monitoring and evaluation of the performance and behaviour of persons in such relationships. Workforce-analytics scoring, productivity-scoring and behaviour-based dashboards are typically caught.

Are employee-facing chatbots (HR helpdesks, policy bots) high-risk?

Usually no, not on their own. A pure information chatbot primarily triggers the Art 50(1) transparency duty (the user must know they are interacting with an AI). However, if the chatbot makes or materially supports decisions on terms of employment, performance or access — for example automatically approving leave requests, escalating grievances or scoring employee feedback — it can shift into Annex III point 4 high-risk territory.

Our AI feature is a small part of a larger product — is it still high-risk?

Feature size does not decide the question. What matters is whether the AI system is intended for a high-risk use case under Annex III and whether it has a significant influence on the outcome of the decision-making process (Art 6(3)). The Art 6(3) carve-out for narrow procedural tasks (pattern detection, preparatory tasks, improvement of completed human activity without material influence) must be documented in writing and registered in the EU database before placing on the market — it is not an automatic exemption.

4. What do we have to do? (Deployer obligations)

Art 26 sets out the deployer obligations for high-risk AI systems. They are stand-alone duties owed by the deployer to the regulator and cannot be contracted away to the provider.

What are the main Art 26 deployer obligations for high-risk AI?

The principal duties: (a) take technical and organisational measures to ensure the system is used in accordance with the instructions for use, (b) assign human oversight to natural persons with the necessary competence, training and authority to intervene, (c) ensure that input data is relevant and sufficiently representative for the intended purpose where the deployer controls the input, (d) monitor the operation of the system and report serious incidents to the provider and the relevant national market-surveillance authority, (e) keep automatically generated logs for at least 6 months, (f) inform affected workers and their representatives before the system is put into service at the workplace, (g) coordinate with GDPR data protection impact assessments where relevant, and — for public bodies and certain private deployers — carry out a Fundamental Rights Impact Assessment under Art 27.

What transparency obligations do we owe to our own employees?

Art 26(7) requires deployers of high-risk AI at the workplace to inform workers' representatives and the affected workers — before the system is put into service — that they will be subject to the use of a high-risk AI system. This duty is independent of the GDPR Art 13/14 information duties and any national co-determination / works-council rules. The information must be understandable (not just a legal-technical notice) and documented.

What is a Fundamental Rights Impact Assessment (FRIA)?

Art 27 requires deployers that are bodies governed by public law, private operators providing public services, and deployers of specific high-risk AI listed in Annex III points 5(b) and 5(c) (creditworthiness and life or health insurance risk assessment) to carry out a FRIA before putting the system into service. The FRIA describes the deployer's processes in which the system will be used, the period and frequency of use, the categories of affected natural persons, the specific risks of harm and the human-oversight measures. The result must be notified to the national market-surveillance authority. A FRIA is not the same as a GDPR DPIA, but the two can be coordinated.

What does Art 50 transparency look like in practice for HR-tech deployers?

Three practical things: (1) chatbots and conversational AI: end-users must be informed they are interacting with an AI system unless that is obvious to a reasonably well-informed person (Art 50(1) applies to providers, but deployer-side disclosure is best practice). (2) AI-generated or manipulated image, audio or video that constitutes a deepfake: the DEPLOYER must disclose that the content has been artificially generated or manipulated (Art 50(4)). (3) AI-generated text published to inform the public on matters of public interest: must be labelled as artificially generated unless the content has undergone human editorial review and a natural or legal person holds editorial responsibility (Art 50(4)). Disclosure must be clear, distinguishable and provided no later than at the time of the first interaction or exposure.

What does Art 4 AI literacy mean in practice, and what should a register contain?

Art 4 requires providers and deployers to take measures to ensure a 'sufficient level' of AI literacy for staff and other persons operating or using AI systems on their behalf, taking into account their technical knowledge, experience, education, training and the context of use. A useful register typically contains: a list of roles with AI exposure, competency requirements per role, completed training activities (date, content, attendee list), evaluation method, and documentation of ongoing follow-up. The required level is contextual — an HR administrator using Copilot for candidate communication needs a different level than a data scientist training your own models.

5. Fines and enforcement

Art 99 sets out three tiers of administrative fines. For larger undertakings the fine is the HIGHER of the fixed EUR amount or the percentage of worldwide annual turnover; for SMEs and start-ups it is the LOWER of the two (Art 99(6)).

How large can fines under the EU AI Act be?

Three tiers under Art 99: (1) Art 99(3) — breach of Art 5 (prohibited practices): up to 35 million EUR or 7% of total worldwide annual turnover, whichever is higher. (2) Art 99(4) — breach of other obligations including Art 16-29 (provider and deployer duties), Art 50 transparency and obligations on notified bodies: up to 15 million EUR or 3%. (3) Art 99(5) — supplying incorrect, incomplete or misleading information to notified bodies or national competent authorities in reply to a request: up to 7.5 million EUR or 1%. For SMEs and start-ups, the LOWER of the two amounts applies (Art 99(6)).

Who enforces the EU AI Act in each Member State?

Each Member State must designate one or more national competent authorities, including at least one notifying authority and one market-surveillance authority, and notify them to the Commission by 2 August 2025 (Art 70). Enforcement is national; cross-border coordination runs through the AI Office at the Commission and the AI Board. The European Data Protection Supervisor (EDPS) acts as the market-surveillance authority for EU institutions, bodies, offices and agencies. Always verify the current designation in the Member State where you are established or where the AI system is used.

Do the fines apply equally to SMEs and start-ups?

Yes, but the calculation is different. For SMEs (including start-ups), the fine is the LOWER of the fixed EUR amount and the percentage of turnover, per Art 99(6). This means a start-up with 500,000 EUR in turnover that breaches Art 5 can be fined up to 35,000 EUR (7% of turnover), not 35 million EUR. The supervisory authority must also take into account the SME's interests and economic viability when setting the fine.

Who can complain or trigger an investigation?

Art 85 gives any natural or legal person the right to submit a complaint to the relevant national market-surveillance authority where they have grounds to consider that there has been an infringement of the AI Act. Affected workers, candidates, civil-society organisations and competitors can all submit complaints, which the authority must handle in line with its own procedures and inform the complainant of progress and outcome.

6. NIS2 + EU AI Act overlap

NIS2 (cybersecurity) and the AI Act (AI governance) are separate regimes but can overlap for HR-tech that handles personal data on employees and candidates.

What is the difference between NIS2 and the EU AI Act?

NIS2 (Directive (EU) 2022/2555) is a cybersecurity regime requiring risk management, incident handling, supply-chain security and reporting from essential and important entities in 18 listed sectors. The AI Act regulates AI systems specifically — risk classification, transparency, human oversight, bias and quality of training data. An HR-tech company can be subject to both: NIS2 if it falls within a listed sector and meets the size thresholds, the AI Act independently whenever it provides or deploys AI systems in the Union.

Is HR-tech caught by NIS2?

It depends on three factors: (1) sector — Annex I and II to NIS2 list digital infrastructure, cloud computing service providers, data-centre service providers, managed service providers and managed security service providers, which can cover the underlying infrastructure that HR-tech runs on, (2) size — at least medium-sized (50+ headcount OR more than 10 million EUR annual turnover) for most sectors, with smaller-entity carve-outs for criticality, (3) the concrete service offered. Pure HR-SaaS sitting on top of cloud is typically not caught directly by NIS2 unless it qualifies as a digital service provider or critical service in its Member State; the underlying cloud, hosting and SOC providers usually are. Always check the registration regime in the Member State of establishment.

What is the NIS2 transposition status across the EU?

The transposition deadline was 17 October 2024 (Art 41). By May 2026, 22 of the 27 Member States had transposing legislation in force; France, Ireland, Luxembourg, the Netherlands and Spain were still in the legislative procedure per the ECSO transposition tracker. This means an EU-wide HR-tech vendor must work Member State by Member State to identify which national NIS2 law applies, the local supervisory authority, registration cut-off and incident-reporting workflow.

What incident-reporting timelines apply under NIS2?

Art 23 NIS2 imposes a layered notification regime to the CSIRT or competent authority: an EARLY WARNING within 24 hours of becoming aware of a significant incident (with an indication of whether the incident is suspected to be of malicious origin), an INCIDENT NOTIFICATION within 72 hours with an initial assessment of severity and impact, and a FINAL REPORT no later than one month after the incident notification (or a progress report if the incident is ongoing). National laws may add sector-specific obligations on top.

7. About PowerQuant

Is PowerQuant a law firm?

No. PowerQuant ApS (Danish CVR 46274067) is a technical documentation and evidence vendor. We cite EU regulation text verbatim and deliver compiled compliance evidence (AI inventory, Art 4 register, Art 50 disclosure pack, Annex III scope assessment, FRIA templates, Art 26 deployer-control gap analysis). For binding legal interpretation of specific cases, liability questions or litigation, please engage a specialised AI/IT law firm in your jurisdiction.

How long does Module 1 take, and what do I receive?

Five business days from booking. You receive an AI inventory of your in-use AI systems, an Art 4 AI-literacy register, a role-based controls memo, an Art 50 disclosure pack (copy-ready text for chatbots, generative AI, deepfakes where relevant) and a gap analysis against the Art 26 deployer obligations. Deliverables are PDF (PDF/A-4), JSON and Markdown — all Ed25519-signed and source-cited to the regulation. Fixed price per the .eu pricing page; the underlying Module 1 reference price on the Danish site is 10,999 DKK ex. VAT per AI system.

Where is data processed?

Within the EU. PowerQuant uses EU-hosted infrastructure and processes customer-uploaded compliance evidence inside the EU. Sub-processors and the data-residency table are listed at /en/trust/sub-processors. We act as your processor under GDPR Art 28 and sign a data processing agreement before any personal data is shared.

Primary sources

  • Regulation (EU) 2024/1689 — Artificial Intelligence Act (Official Journal 12 July 2024; into force 1 August 2024)
  • European Commission — AI Act Service Desk + Shaping Europe's Digital Future (Art 4 AI literacy Q&A; in force 2 February 2025)
  • Annex III — High-Risk AI Systems (point 1 biometrics, point 4 employment, points 5(b)/(c) FRIA triggers)
  • Article 99 — Penalties (35 M EUR / 7%; 15 M EUR / 3%; 7.5 M EUR / 1%)
  • Digital/AI Omnibus political agreement 7 May 2026; Parliament endorsement 16 June 2026; Council adoption and Official Journal publication pending as of 25 June 2026
  • Directive (EU) 2022/2555 (NIS2) — transposition deadline 17 October 2024; 22/27 Member States transposed per ECSO tracker (May 2026)
  • European Data Protection Supervisor (EDPS) — market-surveillance authority for EU institutions