What the AI Act requires
The EU AI Act categorises AI by risk. Anything used to filter, rank, or score job candidates falls under Annex III §4 — high-risk AI. That classification triggers the densest part of the Act, including:
- Article 11 / Annex IV technical documentation, kept current.
- Article 13 transparency: deployers must give candidates the information they need to interpret system output.
- Article 14 human oversight, designed in — not bolted on.
- Article 26 deployer obligations: monitoring, logs, incident reporting, and ensuring oversight is real.
- Article 27 Fundamental Rights Impact Assessment (FRIA) for deployers in public bodies and certain regulated sectors. In practice many private employers complete FRIAs voluntarily because the Article 26 monitoring obligation is much easier to defend if a FRIA already exists.
- Article 72 post-market monitoring: tracking real-world performance drift and reporting serious incidents.
The Act draws a sharp line between providers (who put a system on the EU market) and deployers (who use it). Most hiring teams are deployers of someone else's AI; the vendor is the provider. Both have obligations, and the obligations do not perfectly mirror each other.
Who's affected
The Act applies extraterritorially. You are in scope if:
- Your system is placed on the EU market, regardless of where you are established, or
- The output of the system is used in the EU.
In hiring, the second branch matters more. If you assess a candidate based in Berlin, the EU AI Act applies to that assessment even if your company is incorporated in Delaware and the vendor is incorporated in California.
Key deadlines
| Date | Trigger |
|---|---|
| 2 February 2025 | Prohibited practices in force (social scoring, certain emotion recognition, real-time biometric ID). |
| 2 August 2025 | Governance bodies, notified bodies, and General-Purpose AI obligations begin. |
| 2 August 2026 | High-risk system obligations under Articles 11, 13, 14, 26, 27, 72 begin to apply to most hiring deployers. |
| 2 August 2027 | Final transitional arrangements close for systems on the market before August 2026. |
The 2 August 2026 date is the load-bearing one for AI hiring. Build your compliance plan against that deadline, not a later one.
What hiring deployers specifically must do
The Article 26 deployer duties for high-risk hiring AI come down to seven concrete things:
- Use the system in line with its instructions. This requires the vendor to publish usable instructions. Vendors whose docs are gated to customers and stop at "AI assists humans" do not satisfy this.
- Ensure relevant and representative input data. You are responsible for what goes into the model at decision time, even if the vendor built the model.
- Monitor operation per the instructions for use. Continuous — not annual.
- Keep automatically-generated logs for at least 6 months (Article 26.6). The vendor must expose them.
- Inform workers' representatives and affected workers before using the system to make decisions about them.
- Provide explanations when individual candidates ask why a high-risk system reached a decision affecting them (Article 86).
- Report serious incidents to the relevant market surveillance authority within 15 days.
For deployers in the public sector or covered private regulated entities, add Article 27 FRIA: a documented assessment of fundamental-rights impact, mitigations, and oversight design, completed before first use.
Common misconceptions
- "We just use the vendor's tool — they're on the hook, not us." No. The deployer is on the hook for Articles 26, 27, 72. The vendor is on the hook for Articles 11, 13, 14. Both sets apply simultaneously.
- "AI Act compliance is the same as GDPR compliance." No. There is overlap (Article 22 GDPR profiling rights still apply), but the AI Act adds duties that GDPR does not — Annex IV documentation, FRIA, model-performance monitoring, incident reporting to a market-surveillance authority.
- "If the AI doesn't make the final decision, it's out of scope." No. "Used to make decisions or materially influence them" is the trigger. A model that filters 95% of candidates out before a human sees them is in scope even though a recruiter signs off on the remaining 5%.
- "The Act only applies to AI built in the EU." No. It applies whenever the output is used in the EU, regardless of where the system was built.
How vendors are addressing it
As of 2026-05-21, the AI hiring vendor landscape splits roughly into three postures:
- Published Annex IV-aligned packs. Eightfold, Beamery, and Workday hold ISO 42001, which overlaps with many Annex IV controls — but ISO 42001 is not a substitute for an Annex IV pack. Treat the certification as evidence of process maturity, not as the technical pack itself.
- Available-on-request packs. Most enterprise vendors will provide technical documentation under NDA when a deployer asks. This satisfies the letter of the Act, but slows the deployer's FRIA preparation.
- Positioning themselves outside the Act. A few vendors argue their product is not "decision-making" and therefore not high-risk. The regulator has the final word on that classification; assume the deployer's auditor will not give the vendor's self-classification any weight.
See our methodology and the per-vendor profiles in the directory for the cited evidence behind each vendor's score on Article 11 Technical Documentation and FRIA Support.