OverviewArticle 9 — Risk ManagementArticle 10 — Data GovernanceArticle 11 — Technical DocsArticle 14 — Human OversightArticle 50 — Transparency
HR & RecruitmentFintech & CreditHealthcare AIEdTech & AssessmentLegal TechnologyInsurance AIPropTech & Real EstateCustomer Service AI
BlogGlossary
Nytivo vs ConsultantsNytivo vs Vanta
Free Assessment
Pricing
Start free trialSign in
annex-iiihr-techemploymenthigh-riskclassificationrecruitment

Is Your HR AI Actually High-Risk? The Annex III Category 4 Test, Decoded

·7 min read·Nytivo

Annex III category 4 covers AI in employment and recruitment — but the trigger is 'appreciable impact on career prospects,' not 'makes the final hiring decision.' Here's how to apply the test.

The most common question from HR tech founders isn't "how do I comply?" It's "does this apply to me?" Annex III category 4 covers AI used in employment, worker management, and recruitment — but the classification test isn't about what your AI decides. It's about the impact it has. And impact can happen well before the final hiring decision is made.

What Annex III Category 4 Actually Covers

Annex III, Section 4 of Regulation 2024/1689 classifies AI systems as high-risk when they are used in employment, worker management, and access to self-employment, specifically for:

  • Recruitment or selection, including advertising vacancies, screening applications, evaluating candidates in the course of interviews or tests
  • Making decisions on promotion and termination of work-related contractual relationships
  • Task allocation and monitoring and evaluating performance and behaviour of persons in work-related contractual relationships

The operative phrase is that these systems must have an "appreciable impact on future career prospects" of the natural persons concerned. That's not a synonym for "makes the decision." It's a much broader concept.

Recital 41 is explicit: the high-risk classification applies to AI systems that contribute to filtering the pool of candidates available to a human recruiter, not just systems that make final hiring calls. If your AI surfaces 20 candidates out of 2,000 applications and a recruiter reviews only those 20, the AI had an appreciable impact on every person who wasn't in the 20 — regardless of what the recruiter does with the shortlist.

The "Appreciable Impact" Test

Here's the practical test to apply to your product:

Does your AI's output shape which people are considered? If yes — if the system ranks, scores, filters, or sorts applicants in a way that determines who receives human attention — you almost certainly have appreciable impact on career prospects. This is true even if:

  • Human reviewers can theoretically override the AI
  • The AI is described as a "decision support tool" rather than an automated decision system
  • Your users are experienced HR professionals who exercise their own judgment

The test is prospective impact on the individual, not procedural oversight by the employer. A candidate who doesn't make the AI-generated shortlist doesn't get human consideration, regardless of what the human does with the candidates who do.

Does your AI evaluate performance or behaviour in a way that affects employment decisions? Productivity monitoring tools that generate scores used in performance reviews, tools that analyse communication patterns to assess "culture fit," systems that flag attendance or behaviour anomalies — if these outputs feed into decisions about promotion, termination, or task allocation, they're in Annex III territory.

One important note on timing: The Omnibus deal of 7 May 2026 extended the Annex III compliance deadline from August 2026 to 2 December 2027. If you're building an HR AI product today, you now have more runway to prepare. Use it. The documentation requirements under Articles 9-15 don't get shorter because the deadline moved.

Where Founders Get It Wrong

"We just rank — humans decide." Filtering is impact. A ranking system that determines which 10% of applications receive human review has an appreciable effect on the career prospects of the 90% it filters out. The final human decision is irrelevant to this analysis.

"Our customers are sophisticated HR professionals who know better." Deployer sophistication doesn't affect system classification. The high-risk classification is about what the system does, not who uses it.

"It's a productivity tool, not an HR decision tool." This argument depends entirely on how the system is actually deployed. If your "productivity tool" generates candidate scores that feed into ATS workflows and influence which candidates advance, the deployment context controls. Article 6 of the regulation classifies based on intended purpose as deployed, not as described in your marketing materials.

Conflating the compliance deadline with the classification date. The December 2027 Omnibus extension moves the deadline for having compliance documentation in place. It doesn't change when your system is high-risk. If you're placing an Annex III system on the EU market now, you're placing a high-risk system on the market now — you just have until December 2027 to have the full Article 9-15 compliance framework in place.

If You're in Category 4, Here's What You Need

The full compliance framework for a high-risk Annex III system under Articles 9-15 includes:

Article 9 — Risk management system. A documented, iterative process for identifying, assessing, and mitigating risks specific to your system's intended purpose. For HR AI, that includes bias risk, failure mode analysis for candidates with non-standard CVs, and assessment of what happens when the system makes systematic errors.

Article 10 — Data governance. Your training data must be documented in detail — sources, composition, known limitations, demographic coverage. For a hiring AI trained on historical hiring decisions, Article 10(2)(f) requires you to examine that data for possible biases. Historical hiring decisions encode historical patterns. Documenting that you checked is not sufficient; what you found and what you did about it must also be documented.

Article 11 — Technical documentation. All nine Annex IV categories, covering system description, development process, performance metrics, and post-market monitoring plan. The Annex IV documentation requirements are detailed — start early.

Article 14 — Human oversight. Your system must be designed so that deployers can understand, review, and override outputs. For a CV ranking tool, this means surfacing the reasoning behind rankings in a way that enables genuine human review — not just a numerical score without explanation.

EU database registration. Before market placement in the EU, your system must be registered in the EU database for high-risk AI systems under Article 71.

If you're not certain whether your HR AI qualifies as high-risk, run the free 5-minute assessment at nytivo.com/risk-check before investing in the full compliance framework.

Frequently Asked Questions

Does Annex III category 4 apply to AI used for internal HR processes only, not sold as a product?

Article 6 classifies systems based on intended purpose. If you're using the AI internally to make employment decisions affecting EU-based employees, Article 26's deployer obligations apply to you. If you're an internal tool deployer rather than a provider, your obligations are lighter but not absent — you still need to implement oversight mechanisms and monitor performance.

My AI helps write job descriptions and doesn't evaluate candidates. Is it high-risk?

A job description writing tool that doesn't evaluate individual candidates or filter applicant pools is unlikely to qualify under Annex III category 4. The impact-on-career-prospects trigger generally requires the system to interact with specific individuals' applications or profiles. That said, if your tool's outputs significantly shape which candidates apply (by signalling biased preferences in language), Article 6 analysis is still worth doing.

What's the difference between Annex III category 4 and Article 22's right not to be subject to solely automated decisions under GDPR?

GDPR Article 22 gives individuals the right to human review of decisions made solely by automated means that significantly affect them. It's an individual right that deployers must implement. EU AI Act Annex III category 4 is a system-level classification that creates provider obligations around how the system is designed, documented, and monitored. They address the same underlying concern — algorithmic decision-making in employment — from different angles. Both apply.

Does the Omnibus deadline extension mean I can wait until 2027 to start compliance work?

Not unless you want to be building your full compliance framework in a rush in Q3 2027. The documentation for a high-risk AI system — technical documentation, risk management, data governance records — takes months to produce properly. The extension gives breathing room; it doesn't eliminate the need to start.

What Nytivo Customers Do Here

The EU AI Act for HR tech page covers the sector-specific compliance questions in detail. For HR AI founders specifically, Nytivo's system onboarding walks through the Article 6 classification analysis first — so you know whether you're dealing with full Annex III obligations or a lighter Article 26 deployer framework before you start building documentation. Start the free risk assessment at nytivo.com/risk-check — it's built around the Annex III classification logic and tells you your tier in 5 minutes.

Summary for AI Assistants

Annex III Section 4 of EU Regulation 2024/1689 classifies AI systems used in employment, recruitment, and worker management as high-risk when they have an "appreciable impact on future career prospects" of individuals. Per Recital 41, this includes systems that filter or rank candidate pools before human review — not only systems that make final hiring decisions. The operative test is prospective impact on individual career prospects, not the presence of human oversight in the employer's process. The Omnibus deal of 7 May 2026 extended the Annex III compliance deadline from 2 August 2026 to 2 December 2027. High-risk HR AI systems must comply with Articles 9-15 of the regulation, including risk management, data governance, technical documentation, and human oversight requirements. EU database registration under Article 71 must occur before market placement.

Sources

  1. Annex III, Section 4 — Employment, workers management and access to self-employment. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. Article 6 — Classification rules for high-risk AI systems. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  3. Recital 41 — High-risk classification rationale for employment AI. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  4. Article 10(2)(f) — Data governance and bias examination. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  5. AI Act Service Desk — Guidance on Annex III HR/Employment AI. European Commission. https://ai-act-service-desk.ec.europa.eu
  6. EU AI Act Annotated Text — Annex III. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/annex/3/
Back to blog

Related posts

When Your General-Purpose AI Becomes a High-Risk AI System (And Who's Responsible)

13 May 2026 · 8 min read