
EU AI Act and hiring: What employers need to know in 2025

Your no-nonsense guide to the EU AI Act for hiring teams. What’s banned in Feb 2025, what’s high-risk by Aug 2026, and the exact steps to comply without slowing down hiring.
Published on: September 2, 2025
Updated on: September 8, 2025

AI now touches nearly every step of recruiting. With the EU AI Act, there are clear rules for how employers can use it. Below is a practical, plain-English guide to what’s banned, what counts as “high-risk,” who’s in scope (EU and non-EU), and the key dates you need to hit.

Legal disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. It may not reflect the most current legal developments and may vary by jurisdiction. Reading or using this content does not create an attorney–client relationship. You should consult qualified legal counsel licensed in your jurisdiction before acting on any information contained here.

Who’s covered

The AI Act applies to any organization whose AI is placed on the EU market or whose outputs are used in the EU, including non-EU companies hiring remotely into the EU. In hiring, tools that shortlist CVs, rank candidates, or score interviews fall under the Act’s high-risk category.

Banned AI uses in hiring (effective 2 February 2025)

These uses are outright prohibited and must stop immediately:

  • Emotion recognition in workplaces (e.g., reading facial expressions or voice tone in interviews)
  • Biometric categorisation that infers protected traits (e.g., race, political views, sexual orientation)
  • Social scoring of people’s trustworthiness or suitability based on broad personal or online behaviour
  • Harmful manipulation that materially distorts behaviour and causes likely harm
    (The Act also bans untargeted scraping of facial images for recognition databases.)

High-risk hiring systems and what they must do

High-risk covers AI used for recruitment, candidate screening/ranking, interview analysis, skills testing, performance prediction and related HR decisions. Providers and deployers have to meet strict obligations, including:

  • Risk management, data governance, documentation, accuracy/robustness, human oversight and CE marking before the system is placed on the market
  • Registration of high-risk systems in the EU database (by providers; some public-sector deployers must also register)
  • Post-market monitoring and incident reporting

Informing people and workplace notices

If you use a high-risk hiring system that makes or helps make decisions about individuals, you must inform those individuals. Employers also have a separate duty to inform affected workers before using high-risk AI at the workplace.

Timeline you actually need

  • 1 Aug 2024: AI Act entered into force
  • 2 Feb 2025 (6 months): Bans apply + AI literacy obligations start
  • 2 Aug 2025 (12 months): General-purpose AI (GPAI) model obligations start (e.g., transparency duties for model providers)
  • 2 Aug 2026 (24 months): Core obligations for Annex III high-risk systems (including employment) apply. This is the big hiring deadline.
  • 2 Aug 2027 (36 months): Extended date for high-risk AI embedded in regulated products (less relevant to typical HR stacks)

Transparency and documentation you’ll need by 2026

From August 2026, high-risk hiring systems must operate with full documentation and human oversight. For deployers (employers), that includes:

  • Clear explanations of the AI’s role and logic in decisions, available to affected persons
  • Records showing who reviewed AI-assisted decisions and what factors were considered beyond the AI’s output
  • Using provider information to complete your GDPR DPIA where applicable

Penalties if you miss

Maximum fines reach €35 million or 7% of global annual turnover for prohibited uses; other breaches can be €15 million or 3%. Member-state authorities enforce locally.

How this fits with GDPR and employment law

The AI Act sits alongside GDPR (it doesn’t replace it). If you rely on solely automated decisions that have legal or similarly significant effects (e.g., automatic rejections), GDPR Article 22 restricts that unless strict conditions and safeguards are met—typically meaningful human involvement is needed. Expect to run DPIAs and to answer access/explanation requests about automated logic.

A practical, 6-step action plan

  1. Map your AI in hiring: ATS candidate screening, ranking, interview analytics, assessments, background/ID automation. Tag what’s high-risk
  2. Disable banned features now: any emotion recognition, biometric categorisation of protected traits, social-scoring-like features
  3. Pick compliant vendors: confirm EU database registration plans, CE marking pathway, and post-market monitoring
  4. Build human oversight: define reviewers, escalation, override criteria; keep per-decision review notes
  5. Write your notices: short candidate and worker disclosures stating where AI is used and how it influences decisions
  6. Prep for 2 Aug 2026: finish documentation, DPIAs, and training; lock in a bias testing and monitoring cadence

FAQs

Does this apply to a US company hiring a remote employee in Germany?
Yes. If the AI’s output is used in the EU, the Act applies—even if you’re outside the EU.

Can we still use LLMs (like ChatGPT) to help screen CVs?
Yes—as assistance to humans with disclosure and oversight, not as the sole decision-maker. Treat it as high-risk if it meaningfully shapes hiring outcomes, with documentation and human review.

Do providers have to register high-risk hiring tools?
Yes. Providers must register high-risk systems in the EU database before use; certain public-sector deployers must also register their use.

What’s the big date for HR teams?
2 August 2026. That’s when core high-risk obligations for employment systems kick in. Plan your compliance work back from that date.

Recruiter
Rachel Hubbard
Author

Rachel is a senior people and operations leader who drives change through strategic HR, inclusive hiring, and conflict resolution.
