EU AI Act Compliance for HR Technology
HR technology is one of the highest-risk areas under the EU AI Act. AI systems used for recruitment, performance evaluation, and employee management are explicitly listed as high-risk in Annex III. If you build software that helps companies make decisions about people's careers, the full compliance framework applies to you — and the August 2026 deadline is closer than most HR tech founders realise.
Which Annex III Category Applies
Annex III, Category 4 covers AI systems intended to be used for recruitment or selection of natural persons — specifically including: advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests. It also covers AI systems used for making decisions on promotion and termination of work-related contractual relationships, for task allocation, and for monitoring or evaluating the performance and behaviour of persons in employment or self-employment relationships.
The scope is deliberately broad. The category does not require that your AI system makes final hiring decisions — it applies to systems that contribute materially to those decisions. A CV ranking tool that filters a 200-application pool to 20 candidates for human review is within scope, even though a human makes the final selection.
What This Means for Your Product
The following HR tech products are almost certainly high-risk AI systems under Annex III Category 4:
- ATS platforms with AI-powered CV scoring or ranking
- Interview analysis tools that score candidates on verbal content, tone, or video behaviour
- Job matching engines that recommend candidates to employers or roles to job seekers
- Automated reference checking or background screening tools that produce risk scores
- Performance management systems that generate automated performance assessments
- Workforce analytics tools that predict employee flight risk, performance trajectories, or promotion readiness
- Task allocation systems that assign work based on predicted individual capability
The key test is whether the AI system contributes to decisions that affect a person's employment, opportunities for employment, or working conditions. If yes, Annex III Category 4 applies.
Compliance Obligations for HR Tech
As a provider of high-risk AI, you must comply with Articles 9–15 before placing your system on the EU market. Here is what each article means specifically for HR technology:
Article 9 (risk management system): Identify, document, and continuously mitigate risks across the recruitment lifecycle: from job description AI to CV screening, interview scoring, and offer decisions. Pay specific attention to risks of discriminatory outcomes and proxy discrimination (see below).
Article 10 (data governance): Training data must be examined for bias — particularly important in HR AI where historical data frequently encodes discriminatory hiring patterns. Document training dataset composition, sources, and steps taken to address identified biases. This is the Article most often underestimated by HR tech teams.
Article 11 (technical documentation): Prepare the full Annex IV documentation pack before placing the system on the EU market. For HR AI, this includes a detailed description of the algorithm, the training data methodology, performance metrics disaggregated by relevant demographic groups, and the risk management system file.
Article 13 (instructions of use): Provide instructions of use that tell deployers what the system was designed to do, its performance limitations, known risks of bias, and the human oversight measures required. Enterprise HR buyers will increasingly require this documentation as a condition of procurement.
Article 14 (human oversight): The system must be designed so that human HR professionals can meaningfully review, understand, and override AI-generated candidate assessments. 'Meaningful' is the key word — if the workflow makes human review perfunctory, the design fails Article 14 regardless of whether formal approval steps exist.
Timeline for HR Tech Compliance
Begin the Article 9 risk management system. Document training data provenance and bias examination (Article 10). These are the hardest to retrofit — do them during development.
Implement post-market monitoring for production bias metrics. Demographic parity checks should run continuously in production, not just at evaluation time.
Complete all 9 Annex IV technical documentation categories (Article 11). Prepare the EU declaration of conformity. Confirm human oversight mechanism satisfies Article 14 in practice.
Full compliance required. System must be registered in the EU database for high-risk AI before continued operation in the EU market.
Common Compliance Gaps in HR Tech
Proxy discrimination through seemingly neutral features
CV screening AI trained on historical data frequently learns that features like residential postcode, educational institution, name, or employment gap correlate with past hiring outcomes. These correlations often reflect historical discrimination. Article 10 requires you to examine training data for these patterns and take steps to address them. Documenting that you checked is not sufficient — the steps taken must be proportionate to the findings.
Interview AI using behavioural biometrics without disclosing it
Video interview tools that analyse tone of voice, facial expressions, or speaking patterns to score candidates are processing biometric data. This may bring them into the biometric categorisation category (Annex III cat. 1), not just the employment category (cat. 4). Article 50(3) requires deployers to inform candidates that emotion recognition or biometric categorisation is operating. Many HR teams are unaware their interview tool does this.
Human oversight that exists only on paper
Article 14 is frequently satisfied formally but not substantively. A workflow where a recruiter reviews AI scores but is under time pressure, cannot see the AI's reasoning, and has no practical mechanism to override without significant friction does not constitute meaningful human oversight. The system architecture — not just the process documentation — must support genuine intervention.
No documentation of model drift or post-market performance
HR AI models trained on historical data degrade as the labour market changes, as job roles evolve, and as the candidate pool changes. Article 9's continuous risk management obligation requires monitoring for performance drift in production. Most HR tech teams have no production monitoring for demographic parity metrics. This is a significant gap — and the one most likely to surface in an enforcement investigation following a discrimination complaint.
Start your HR AI compliance documentation
Nytivo generates the full Annex IV technical documentation pack for your HR AI system — including the Article 9 risk management file, training data documentation, and performance metrics section — starting at €79/month.
EU AI Act for HR Tech — Frequently Asked Questions
Does the EU AI Act apply to our ATS if we only use it in the EU for some roles?
Yes. If your AI-powered ATS screens candidates for roles where any part of the selection process involves candidates in the EU — regardless of where the hiring company is headquartered — the Act applies. The obligation attaches to the use of the system affecting individuals in the EU, not to the operational location of the HR team.
Is a 'human reviewer checks every decision' approach sufficient for Article 14?
Not automatically. Article 14 requires genuine human oversight, not rubber-stamp review. If human reviewers are routinely approving AI recommendations without independent assessment — because the volume is too high, the UI nudges toward acceptance, or reviewers lack the information needed to evaluate the AI's reasoning — the oversight mechanism does not satisfy Article 14. The system design must support meaningful intervention, not just formal approval.
We use a third-party ATS vendor with AI features. Are we still responsible?
As a deployer, you have real obligations: using the system according to the provider's instructions of use, ensuring human oversight is in place, monitoring for discriminatory outputs, and reporting serious incidents. If your vendor substantially modifies their AI system or provides inadequate documentation, that creates risk for you. Before deployment, verify that your vendor has prepared the Article 11 technical documentation and can share the relevant sections. Ask for the EU declaration of conformity.
What makes training data 'representative' under Article 10 for HR AI?
Article 10 requires training data to be relevant, sufficiently representative, and to the best extent possible free of errors. For HR AI, this means the training data — typically historical hiring decisions — must not reflect historical discrimination patterns. If your training data was generated from decisions made by a workforce that was predominantly one demographic, the resulting model will likely perpetuate those patterns. Representativeness requires explicit examination and documentation of the demographic composition of training data and the outcomes it encodes.
When must our HR AI system be compliant by?
For Annex III high-risk AI systems, the full compliance deadline is 2 August 2026. By that date, your system must have: a documented risk management system (Article 9), data governance documentation (Article 10), technical documentation covering all 9 Annex IV categories (Article 11), logging and record-keeping (Article 12), instructions of use for deployers (Article 13), and a functioning human oversight mechanism (Article 14). Starting now gives you the development process alignment that makes Article 11 documentation accurate — retrofitting it after launch is significantly harder.