Annex III of the EU AI Act explicitly classifies AI used in recruitment, CV screening, interview evaluation, performance monitoring, and task allocation as high-risk. If you use AI tools in any part of your HR process, this guide tells you exactly what obligations apply to you before the August 2, 2026 deadline.
Section 4 of Annex III lists two categories of employment AI that are explicitly high-risk under the EU AI Act. Unlike the risk classifier, which requires you to determine risk level, the EU AI Act has already answered this question for HR tools that fit these descriptions.
Annex III 4(a): AI systems used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates (including during interviews or tests).

Annex III 4(b): AI used to make or influence decisions about promoting, demoting, or ending work relationships, allocating tasks based on individual behaviour or personal traits, or monitoring and evaluating worker performance and behaviour.
Not every AI tool used by an HR team creates high-risk obligations. The test is whether the AI evaluates, scores, ranks, or makes decisions about people — not whether it is used in an HR context. These common tools fall outside Annex III Section 4:
| HR tool | Why it is NOT high-risk |
|---|---|
| AI job description writer | Assists with drafting text — no decision-making or evaluation of a person. |
| AI interview scheduling assistant | Logistics only — no evaluation, ranking, or scoring of candidates. |
| HR chatbot for employee FAQs | Answering general questions is not an employment decision. Still needs Article 50 chatbot disclosure. |
| Spell-checker or grammar tool used in performance reviews | Text editing with no independent evaluation of the employee. |
| AI that summarises a job posting from a provided brief | Content generation with no candidate or employee assessment. |
| Sentiment analysis on anonymous employee surveys | Aggregate analysis not linked to individual evaluation or decisions. If it creates individual profiles, reassess. |
Note: Even if a tool is not high-risk, it may still trigger other obligations. For example, Article 50 requires AI chatbots that interact with employees or candidates to tell them they are talking to an AI; that design obligation sits with the provider, but you should check that the chatbot you deploy actually does it before putting it in front of staff or applicants.
The EU AI Act draws a sharp distinction between providers (organisations that develop and place AI systems on the market) and deployers (organisations that use AI systems in their own context). Most businesses using commercial HR software are deployers — and deployers have a distinct, lighter set of obligations than providers, but those obligations are real and enforceable.
Provider obligations include technical documentation, risk management, conformity assessment, and EU registration — significantly more than deployer obligations.
Most SMBs fall here. The six deployer obligations below apply to you — read them carefully.
If you deploy a high-risk HR AI system — even if you bought it from a reputable vendor — these obligations apply to you directly under Article 26 of the EU AI Act. They are not optional and cannot be delegated to your vendor.
You must use the AI system in accordance with the provider's instructions for use. Do not repurpose a recruitment AI tool for a different task (e.g., using a CV-screening tool to also evaluate employees for promotions) without confirming the provider has covered that use case in their documentation.
You must designate specific individuals to perform human oversight of the AI system. These individuals need sufficient competence, training, and authority to override AI outputs. For HR: a hiring manager or HR professional must review all AI-generated shortlists, scores, or recommendations before a decision is made. The AI cannot be the sole decision-maker.
If you control the data fed into the AI system (e.g., uploading CV data, providing custom training data), you are responsible for ensuring that data is appropriate, relevant, and does not introduce biased or irrelevant signals. This is particularly important for AI trained on historical hiring data, which can perpetuate past discriminatory patterns.
You must inform employees and candidates that a high-risk AI system is being used in decisions that concern them. For recruitment: notify applicants in the job advertisement or application process that AI tools are used to screen or evaluate applications. For performance management: notify employees in employment contracts, handbooks, or direct notice. This is not optional — it is a binding obligation.
Where your system generates logs automatically (as required of the provider), you must retain those logs. If you cannot access logs from the AI provider's system, request them — or document your own oversight records (who reviewed each AI output, what decision was made, and why any AI recommendation was overridden). Retention period: at least 6 months from each use of the system.
If you have reason to believe the AI system is not conforming to the EU AI Act or presents a risk, for instance because the provider cannot produce the required documentation or because the tool's outputs show signs of discriminatory patterns, Article 26(5) requires you to suspend its use and, without undue delay, inform the provider (or distributor) and the relevant market surveillance authority. You cannot simply continue using a non-compliant tool because it came from a reputable vendor.
A recruiter who asks ChatGPT to "review these 50 CVs and rank the top 10" is not simply a deployer of a general-purpose AI system. Under Article 25(1)(c) of the EU AI Act (responsibilities along the AI value chain), a deployer who modifies the intended purpose of a general-purpose AI system so that it becomes a high-risk AI system listed in Annex III, such as candidate evaluation, is considered the provider of the resulting high-risk AI system.
This matters because providers face significantly heavier obligations than deployers: technical documentation, a risk management system, a conformity assessment, logging capability built into the system, and registration in the EU database. OpenAI put ChatGPT on the market as a general-purpose tool, not as a recruitment-decision system. If you repurpose it for that, the Act treats the resulting system as your product.
Practical guidance for GPAI-assisted hiring:
This table is illustrative — the actual risk classification of any tool depends on whether and how AI features are used, not the vendor brand. Always confirm with your provider whether their tool uses AI for candidate evaluation or employee decision-making.
| Why the tool is (or is not) in scope | What you must do |
|---|---|
| AI ranking of candidates or employees for promotion triggers Annex III 4(a)/(b). | You are a deployer. Review the Annex III deployer obligations above. |
| AI-assisted performance scoring and succession planning falls under Annex III 4(b). | You are a deployer. Obtain provider documentation and implement oversight. |
| Evaluating candidates via AI analysis of video responses is explicit Annex III 4(a). | You are a deployer. You must notify candidates, ensure human review, and keep logs. |
| LinkedIn is the provider. If you use AI-ranked shortlists to make final hire/no-hire calls, you have deployer obligations. | Ensure a human reviews all shortlists. Do not rely solely on AI-ranked results. |
| You may become the effective provider (Article 25). See the GPAI section above. | Do not make hiring decisions based solely on AI output. Add human review. |
| A database of applications with no AI ranking or scoring is not in scope. | No Annex III obligations. Check whether you layer any AI tools on top. |
| Availability matching with no candidate evaluation. | None required under the EU AI Act. Ordinary data protection rules apply. |
Article 5(1)(f) of the EU AI Act prohibits placing on the market, putting into service, or using AI systems that infer the emotions of natural persons in the workplace and in educational institutions. The only exception is where the system is intended for medical or safety reasons. This is not a future obligation; it has been enforceable since February 2, 2025.
If your HR tech stack includes any of the following, review it immediately:
Using a prohibited AI system today — even a commercial product from a reputable vendor — exposes you to Tier 1 fines (up to €35M or 7% of global turnover). The vendor's own compliance does not transfer to you.
Audit your HR tech stack
List every software tool used in recruitment, performance management, task allocation, and employee monitoring. Note whether each has AI features that evaluate or rank people.
Check for prohibited tools
For any tool that analyses emotions, facial expressions, or mood of employees or candidates: stop using it now or remove the AI feature. This obligation is already in effect.
Identify your high-risk tools
Any tool with AI-powered CV ranking, candidate scoring, interview analysis, performance scoring, or task allocation AI is high-risk under Annex III. Contact your vendor to confirm whether their AI features are covered by the Act and to request their technical documentation and instructions for use.
Implement and document human oversight
For each high-risk HR tool, designate a named individual responsible for reviewing AI outputs before decisions are made. Document this in your HR procedures: "AI output is a recommendation; [role] reviews and records their independent decision."
Add candidate and employee notifications
Update your job advertisement template, application form, or privacy notice to disclose that AI tools are used in recruitment. Update employee handbooks or contracts to disclose use of AI in performance management or scheduling.
Set up log retention
Confirm with your vendor that their tool generates logs. If so, ensure you retain them for at least 6 months. If not, implement your own record-keeping: for each hiring decision, log what AI tools were used, what the AI output was, and what the human reviewer decided.
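If you end up keeping your own oversight records (step 6 above, and deployer obligation 5 earlier in this guide), the following is a minimal example of what such a ledger needs to capture and check. It is an added illustration written for this page, not code from the guide's authors, from any HR vendor, or from the Act. The field names, the review rules, the sample records and the six-calendar-month retention arithmetic are assumptions chosen to show the idea; only the "at least six months from each use" figure comes from Article 26(6).

```python
"""Added example: a minimal deployer-side oversight ledger for a high-risk
HR AI tool.  Field names, review rules and sample data are assumptions made
for illustration; they are not from the EU AI Act or any vendor format."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

RETENTION_MONTHS = 6  # Article 26(6): keep logs at least six months from each use


@dataclass
class OversightRecord:
    candidate_ref: str              # pseudonymous reference, not a name
    tool: str                       # which AI system produced the output
    ai_output: str                  # what the AI recommended, e.g. "shortlist"
    reviewer: Optional[str]         # named person who reviewed the output
    human_decision: Optional[str]   # the decision actually taken
    override_reason: Optional[str]  # why the reviewer departed from the AI
    used_at: datetime               # when the AI system was used (tz-aware)


def validate(rec: OversightRecord) -> List[str]:
    """Return the problems found; an empty list means the record is complete."""
    problems = []
    if not rec.reviewer:
        problems.append("no human reviewer recorded: AI would be the sole decision-maker")
    if not rec.human_decision:
        problems.append("no human decision recorded")
    if rec.human_decision and rec.human_decision != rec.ai_output and not rec.override_reason:
        problems.append("AI recommendation overridden but no reason recorded")
    if rec.used_at.tzinfo is None:
        problems.append("timestamp has no timezone; the retention deadline is ambiguous")
    return problems


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def retention_expires_at(rec: OversightRecord) -> datetime:
    """Earliest moment at which this record may be discarded."""
    return add_months(rec.used_at, RETENTION_MONTHS)


def must_still_retain(records: List[OversightRecord], now: datetime) -> List[OversightRecord]:
    """Records whose mandatory retention window has not yet elapsed."""
    return [r for r in records if retention_expires_at(r) > now]


# Constructed sample records (not real candidates or decisions).
SAMPLE_RECORDS = [
    OversightRecord("cand-0417", "cv-screener", "shortlist", "J. Doe (HR)", "shortlist", None,
                    datetime(2026, 8, 31, 10, 0, tzinfo=timezone.utc)),
    OversightRecord("cand-0418", "cv-screener", "reject", "J. Doe (HR)", "shortlist",
                    "gap in CV is parental leave, not a relevant signal",
                    datetime(2026, 9, 1, 9, 30, tzinfo=timezone.utc)),
    # Deliberately incomplete: the AI output was acted on with no reviewer recorded.
    OversightRecord("cand-0419", "cv-screener", "reject", None, None, None,
                    datetime(2026, 9, 1, 9, 45, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.candidate_ref, validate(rec) or "ok",
              "retain until", retention_expires_at(rec).date())
```

The validation step is the part worth keeping: a record with no reviewer is exactly the "AI as sole decision-maker" situation the Act prohibits, and an override without a reason is indistinguishable from an arbitrary one when a candidate or an authority later asks why the AI recommendation was not followed.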
Yes. Annex III 4(a) covers AI systems that screen or filter applications — the AI does not need to make the final decision. If AI produces the shortlist a human then reviews, you are deploying a high-risk AI system. The human review is good practice and required, but it does not remove the classification. You still have all six deployer obligations.
This is one of the EU AI Act's trickiest grey areas. OpenAI is the provider of the general-purpose AI model and of ChatGPT as a general-purpose AI system. But when you build a workflow (even an informal one) that uses it to make employment decisions, you change its intended purpose into a high-risk one, and under Article 25(1)(c) you are considered the provider of the resulting HR AI system. This means provider-level obligations can apply to you, including technical documentation, conformity assessment, and registration. At minimum, treat yourself as a deployer with a human reviewing every AI output, and do not use AI-generated scores as the sole basis for any hiring decision.
Yes, if you process data or make decisions affecting EU residents — for example, hiring EU-based employees or screening EU candidates for remote roles. The EU AI Act has extraterritorial reach similar to GDPR: it covers AI systems that are placed on the EU market or whose outputs are used within the EU, regardless of where the provider or deployer is based.
Under Article 27, a FRIA is required before deployment for deployers that are bodies governed by public law, for private entities providing public services, and for deployers of the Annex III 5(b) and 5(c) systems (creditworthiness assessment and life or health insurance risk pricing). Most private SMBs using commercial HR software do not need a formal FRIA. You still have to document your human oversight process under Article 26, and keeping a proportionate written risk assessment on file is good practice that will make any later enquiry much easier to answer.
No. Provider compliance and deployer compliance are separate. Even if your vendor has completed all provider-side obligations (technical documentation, conformity assessment, CE marking), you still have your own deployer obligations: implementing human oversight, notifying workers, keeping logs, and using the system only as intended. "Our vendor is compliant" does not satisfy your obligations.
The EU AI Act does not have a headcount exemption for deployers. SMEs and start-ups get fines capped at the lower of the two thresholds (Article 99(6)) and some regulatory support such as priority access to sandboxes and tailored guidance (Article 62), but the underlying obligations apply regardless of company size. The good news: if you only use basic commercial HR software with no AI ranking features, you are probably not deploying a high-risk AI system at all.
Proceed with extreme caution. Article 5(1)(f) bans AI that infers the emotions of employees in the workplace, and the Act defines emotion recognition in terms of biometric data (facial expressions, voice, physiological signals), so any "wellbeing AI" that reads stress, burnout, or mood from camera, microphone, or wearable data is prohibited unless it is genuinely put in place for medical or safety reasons. Tools that score sentiment from text alone are less clear-cut, but they sit close enough to the line that you should review them as well. This has been enforceable since February 2, 2025, not August 2026. If your HR tech stack includes any employee "wellbeing AI" with emotion or sentiment analysis, review it against the Prohibited Practices guide immediately.
The full high-risk AI system obligations under Chapter III of the EU AI Act apply from August 2, 2026. This covers deployer obligations including human oversight documentation, worker notification, and log retention. Note that two obligations are already in effect earlier: the Prohibited Practices (including workplace emotion recognition) have been enforceable since February 2, 2025, and AI literacy obligations (Article 4) have also applied since February 2025.
Use the free EU AI Act risk classifier. Answer 5 questions about your AI system and get a classification — Prohibited, High-Risk, Limited Risk, or Minimal Risk — with your specific obligations listed.
Classify your HR AI system — free