
The EU AI Act's high-risk obligations apply from August 2026. Here's how to tell AI sourcing from AI screening, what's prohibited, and how to stay compliant without losing the upside.

The EU AI Act recruitment rules are no longer a future problem. On August 2, 2026 — less than three months from now — the bulk of the Act's obligations for high-risk AI systems begin to apply, and recruitment is named in the regulation's high-risk list. If your team uses AI to screen, rank, or filter candidates inside the European Union, you are now operating under one of the world's strictest AI laws.
Here's the part most TA leaders miss: the Act doesn't ban AI in hiring. It treats AI sourcing very differently from AI screening. One is low-risk and largely untouched. The other is high-risk and carries real penalties — up to €35 million or 7% of global turnover, whichever is higher.
The EU AI Act is the European Union's regulation on artificial intelligence. It was published in the Official Journal on July 12, 2024 and entered into force on August 1, 2024. The rollout is staggered: prohibited AI practices were banned from February 2, 2025, general-purpose AI rules applied from August 2, 2025, and the high-risk obligations relevant to recruitment apply from August 2, 2026.
Recruitment lands in the high-risk category because Annex III explicitly names AI systems "intended to be used for the recruitment or selection of natural persons" — including sourcing, screening, evaluating, and decision-making on candidates. According to the European Commission, this captures every CV parser, resume scorer, automated interview analyser, and ranking algorithm in use across European hiring teams today.
The Act applies to two parties. Providers build or sell the AI system. Deployers are the organisations using it — that's you. Both carry obligations, but deployers often forget they have direct legal duties under Article 26: ensuring human oversight, informing candidates, monitoring outputs, and keeping logs for at least six months.
Maximum fine for prohibited AI practices (or 7% of global annual turnover)
EU AI Act, Article 99
Date the high-risk recruitment obligations begin to apply
EU AI Act, Article 113
Of organisations now regularly use generative AI — nearly double the prior year
McKinsey State of AI 2024
Here's the cleanest mental model for the EU AI Act in recruitment: AI that helps a candidate find you is low-risk. AI that decides whether you find a candidate is high-risk. That single distinction explains 80% of the compliance work ahead.
Sourcing AI works on the open part of the funnel — surfacing roles, matching candidates to opportunities they choose to explore, recommending relevant talent communities. Screening AI works on the gated part — scoring, ranking, filtering, rejecting. The Act draws its red line right between those two functions.
The screening list is striking because almost every ATS in Europe ships at least one of those features by default. According to LinkedIn's 2024 Future of Recruiting report, 62% of talent professionals are optimistic about AI's impact on hiring — but most have not audited which of those features will trigger high-risk obligations after August 2026.
The point isn't to rip AI out of your stack. It's to know which side of the line each tool sits on, and to make sure the high-risk pieces have the legal scaffolding they need.
A high-risk AI system, in the EU AI Act's definition, is any AI used in the eight domains listed in Annex III where the use significantly affects fundamental rights, safety, or access to essential services. Recruitment is one of those eight domains — and the definition is broader than most legal teams initially read it.
Article 6 of the Act gives the formal test. A system is high-risk if it is intended to be used in a listed domain (Annex III) and it materially influences the outcome of a decision affecting a natural person. The European Commission's accompanying guidance clarifies that this includes both fully automated decisions and AI used to "support" human decision-makers in recruitment.
| AI use case in recruitment | Risk classification | Key obligations |
|---|---|---|
| Resume parser that extracts text only | Minimal / low-risk | General GDPR rules apply |
| Resume parser that scores or ranks | High-risk (Annex III) | Article 26 deployer duties |
| Candidate-matching engine in a talent community | Generally limited risk | Transparency notice required |
| Automated video-interview analysis | High-risk + emotion-recognition rules | Article 26 + Article 5 prohibitions on emotion inference in the workplace |
| AI chatbot answering candidate FAQs | Limited risk | Inform candidate they are interacting with AI |
| AI-driven knockout questions on protected attributes | Prohibited (Article 5) | Already banned since Feb 2025 |
Notice the automated video-interview row of that table. Emotion-recognition AI in workplaces — including hiring — is treated separately under Article 5 and is one of the practices closest to outright prohibition. Several vendors that built their products around tone-of-voice or facial-expression analysis have already pulled out of the European market. SHRM reported in late 2024 that about 1 in 4 organisations now use AI for HR activities, and many are realising mid-deployment that their tools sit on the wrong side of the line.
Compliance with the EU AI Act for recruitment isn't a single document or a one-off audit. It's an operating rhythm. Here is the sequence Jobful's enterprise customers are using to land before the August 2026 deadline, drawn from work alongside HR and legal teams across CEE, DACH, and Western European markets.
1. List every tool that touches a candidate — ATS, CRM, scheduling, sourcing, assessment, video, communication. For each one, note whether it makes, scores, ranks, or filters a decision. Most teams find more AI than they expected. Career-site personalisation engines and chatbot rerouting often slip the audit.
2. Walk every tool through the four-tier classification. Prohibited features come out immediately. High-risk features stay only if you can meet Article 26. Don't trust the vendor's self-classification on its own — verify against Annex III in plain language with your legal counsel.
3. Article 14 requires that high-risk AI decisions are subject to meaningful human review — not a recruiter glancing at a top-10 list. Document who reviews, when, and what they can override. Rubber-stamping does not count. The reviewer needs the authority and information to disagree with the model.
4. Update your career-site privacy notice, application confirmation emails, and assessment landing pages to state which AI tools are used and what decisions they support. Candidates also gain a right to a meaningful explanation when an AI system has a significant role in a decision that affects them.
5. Article 26 obliges deployers to ensure that automatically generated logs from high-risk AI systems are retained for at least six months, where the deployer is in control of the logs. Some workers' council agreements (especially in Germany and the Nordics) push this much further — closer to two years.
6. Public bodies and certain private deployers must complete a fundamental rights impact assessment (FRIA) before putting a high-risk system into use, under Article 27. Even when not strictly required, it is the most defensible record of due diligence. Think of it as a DPIA's bigger sibling — wider in scope, focused on impact on candidates as people, not just on their data.
7. If a serious incident occurs — discriminatory outcomes, sustained system failure, or harm to a candidate — the provider must be informed and, in many cases, the relevant national authority within the required timeframe. Decide now who owns this in your team. The clock starts the moment the incident is identified, not weeks later.
The EU AI Act stacks penalties higher than GDPR. According to Article 99 of the Act, fines can reach €35 million or 7% of global annual turnover for prohibited practices, €15 million or 3% for high-risk non-compliance, and €7.5 million or 1% for incorrect or misleading information supplied to authorities. SMEs get reduced ceilings: for them, the lower of the two figures applies, not the higher.
Enforcement is national. Each member state designates a market surveillance authority, and the European AI Office coordinates at the union level. In several countries, the data protection authority is doubling up as the AI authority — meaning if you've already had a GDPR conversation about recruitment, you may meet the same regulator again with a different hat on.
Feb 2, 2025 — Prohibited AI practices banned (social scoring, certain emotion recognition, manipulative AI). Already in force.
Aug 2, 2025 — General-purpose AI model obligations begin.
Aug 2, 2026 — Main high-risk system obligations apply. Most recruitment AI lands here.
Aug 2, 2027 — Final phase for high-risk AI systems already on the market under product-safety legislation.
The smartest TA teams in the region are not trying to make their existing screening AI compliant. They're moving up the funnel — investing in AI that surfaces and engages candidates before any screening decision needs to happen. That shift sidesteps most of the high-risk obligations and, almost as a side effect, fixes the quality-of-hire problems that screening AI was supposed to solve in the first place.
HEINEKEN Romania ran exactly this play. Instead of leaning on CV-screening AI to filter Gen Z applicants, the team built a gamified, community-driven candidate experience with Jobful. The result: a 43% increase in applications, more self-qualified candidates, and a recruitment flow where AI does the matching and the engagement — not the rejecting. Wyndham Hotels followed a similar pattern across its multilingual, multi-country franchise network and saw applications grow 290% after rebuilding around a talent-community model.
Use AI to recommend roles, surface communities, and personalise content — not to reject candidates. This single shift moves most of your AI out of the high-risk bucket.
Gamified challenges and structured assessments produce direct evidence of competence. They're far easier to defend under the Act than a CV-ranking score nobody can fully explain.
Transparency, the right to explanation, and meaningful human review all get easier when candidates are part of an ongoing relationship — not anonymised CVs in a queue.
It would be a mistake to read the EU AI Act as anti-AI. It's anti-opaque-AI-making-life-decisions-with-no-human-in-the-loop. There's a wide and growing space where AI in recruitment stays low-risk, fully compliant, and useful in practice.
Talent matching inside a community. Personalised role recommendations. Automated communications and nudges. Skill-tagging from open-ended candidate input. Multilingual interaction at scale. Behavioural analytics on engagement (not on the candidate). Every one of those use cases plays to AI's strengths and stays on the safe side of Annex III.
AI matches members to roles they opt into. The candidate makes the move, not the algorithm. Stays out of Annex III.
Structured, behaviour-based, explainable. Generates compliant evidence of skills with the candidate's active participation.
Answers questions, schedules calls, surfaces next steps. Limited-risk category — just disclose the candidate is talking to AI.
Aggregate performance metrics on your hiring process — not individual candidate scoring. Powerful, compliant, and CFO-friendly.
The teams that win in 2026 will treat the EU AI Act not as a tax on AI but as a clarifier — a forced answer to the question of where AI actually adds value in recruitment. The honest answer, for most teams, is that AI was always better at engagement than at judgment. The Act just turns that into the strategic default.