Blog · June 2026 · 8 min read

EU AI Act and Hiring: What Every HR Leader Needs to Know

The EU AI Act classifies all AI used in hiring as High-Risk. Here is what that means for your tools, your compliance posture, and what you need to do about it now.

If your organisation uses AI-assisted tools anywhere in your hiring process, and in 2026 most organisations do, you are operating under a regulatory framework that now has real enforcement teeth. The EU AI Act is not a future concern. The provisions covering high-risk AI systems, including all AI used in employment and recruitment contexts, are in full effect. The question is not whether this regulation applies to you. It almost certainly does. The question is whether your current tooling puts you in compliance or in exposure.

This post breaks down exactly what the EU AI Act requires from organisations using AI in hiring, which tools create the most significant liability, and what a compliant hiring architecture actually looks like in practice. For assessment design that supports compliance without sacrificing signal, see how to reduce candidate drop-off and operational fit hiring.

  • Classification: 100% of AI used in hiring is High-Risk under EU AI Act Annex III
  • Prohibition: 2024, when emotion recognition prohibition came into full effect
  • Requirements: 6 mandatory requirements for every High-Risk AI system used in hiring
  • Liability: Both vendor and deploying organisation share compliance responsibility

What the EU AI Act Actually Says About Hiring

The EU AI Act establishes a risk-tiered framework for AI systems, categorising them by the potential harm they could cause to individuals and society. Just below outright prohibited systems sits the category that matters most for HR leaders: High-Risk AI Systems.

Under Annex III of the Act, any AI system used in employment contexts is explicitly classified as High-Risk. This covers recruitment, selection, candidate evaluation, promotion, termination, and task allocation. There is no grey area here. If your hiring process uses AI in any of the following ways, you are operating a High-Risk AI System:

  • Automated CV screening and filtering
  • AI-scored video interviews, including facial analysis and emotion recognition
  • Psychometric assessments with algorithmic scoring
  • Behavioural prediction tools based on candidate monitoring data
  • Any AI system that supports or influences candidate selection decisions

High-Risk classification does not mean the system is prohibited. It means it is subject to a demanding set of mandatory requirements that many organisations and their vendors are not currently meeting.

Under the EU AI Act, the deploying organisation shares responsibility for ensuring compliance. Vendor non-compliance is not a complete defence. If the tool is non-compliant and you are using it, you are exposed.

The Six Mandatory Requirements for High-Risk AI in Hiring

  • Risk Management System

    Organisations must implement a continuous risk management system that identifies, analyses, and mitigates foreseeable risks throughout the lifecycle of the AI system. This is not a one-time compliance audit. It is an ongoing operational process that must be documented and updated as the system is used. You cannot simply purchase a vendor's assessment tool and assume compliance transfers with it.

  • Data and Data Governance

    Training, validation, and testing data must be relevant, representative, and free of errors. Datasets must be screened for biases that could lead to discriminatory outcomes, particularly in relation to protected characteristics including gender, race, age, disability, and national origin. Many legacy AI hiring tools were trained on historical hiring data that reflects the biases of the organisations that generated it.

  • Technical Documentation

    You must maintain comprehensive technical documentation describing how the AI system works, how it was developed, what data it was trained on, how it was validated, and how it is monitored. This documentation must be available to national competent authorities on request. For organisations using third-party AI tools, this means your vendors must be able to provide this documentation. Many of them currently cannot.

  • Record-Keeping and Logging

    High-Risk AI systems must automatically log the events and outputs relevant to their operation in a way that enables retrospective auditing. In a hiring context, this means being able to produce a complete, interpretable audit trail of any AI-assisted evaluation decision. Tools that use black-box neural networks to generate scores without interpretable logic traces fail this requirement by design.

  • Transparency to Users

    The individuals operating the AI system, your HR team and hiring managers, must be given sufficient information to exercise meaningful human oversight. This means scores and outputs must be explainable, not opaque. A hiring manager who receives a candidate score of 74 with no supporting rationale cannot meaningfully review that decision.

  • Human Oversight

    This is the provision with the most direct operational impact. High-Risk AI systems used in hiring must allow a human to intervene, override, or stop the system at any point. Crucially, final decisions about candidates must remain with human operators. Any tool that automates rejection of candidates without human review violates this provision directly.

What Is Prohibited Entirely

Beyond the High-Risk requirements, the EU AI Act establishes a list of AI practices that are outright prohibited in the European Union. Several of these apply directly to hiring tools currently in wide use.

  • Emotion recognition in the workplace and during hiring

    AI systems that infer emotional states from facial expressions, vocal characteristics, or physiological signals during a hiring process are prohibited. This provision came into full effect in 2024 and places a significant number of currently deployed video interview tools in an untenable compliance position.

  • Real-time remote biometric identification in public spaces

    This includes webcam analysis used to identify or capture biometric data from candidates without explicit legal basis. Many video interview platforms collect biometric data by design as part of their scoring methodology.

  • Social scoring systems

    AI systems that evaluate individuals based on social behaviour or personality characteristics in ways that produce adverse effects in unrelated domains. Some broad personality profiling tools used in hiring touch this boundary directly.

  • AI systems that exploit psychological vulnerabilities

    Assessment tools that use psychologically manipulative techniques to increase data capture from candidates who feel unable to decline. This is directly relevant to some gamified assessment tools that use pressure mechanics to collect data candidates may not fully understand they are providing.

Which Tools Are Most at Risk Right Now

| Tool Type | Key Risk | Risk Level | Can It Be Fixed? |
|---|---|---|---|
| Video AI interviews with facial analysis | Emotion recognition is prohibited. Biometric data under Article 9 GDPR. | Critical | Requires fundamental product redesign |
| Black-box CV screening algorithms | Fails transparency and audit trail requirements. Likely biased training data. | High | Requires model documentation and explainability overhaul |
| Automated rejection without human review | Direct violation of the human oversight requirement | High | Requires process change, not just tool change |
| Gamified assessments with psychophysiological data | Special category data processing without clear legal basis | Moderate | Depends on what data is actually being collected |
| Standard psychometric tools with documented methodology | High-Risk classification applies but requirements are manageable | Moderate | Usually addressable with proper documentation |
| Choice-based work simulations with audit trails | No biometric data. Deterministic scoring. Full audit trail available. | Compliant | Built for compliance by design |

Important: Tools that use facial analysis for scoring but describe it as measuring "engagement" rather than "emotion" do not escape the prohibition. If the underlying analysis involves inference about psychological states from physiological signals, it falls within the scope of the emotion recognition prohibition regardless of the language used to market it.

What GDPR Adds to the Picture

The EU AI Act operates alongside GDPR, not instead of it. For hiring contexts, three GDPR provisions are most directly relevant.

Article 9: Special Category Data

Biometric data is special category data under GDPR. This includes facial geometry captured by webcam, voice sentiment analysis, keystroke dynamics, eye movement patterns, and any physiological measurement taken during an assessment. Processing special category data requires either explicit consent or one of a small number of specific legal bases. In employment contexts, GDPR guidance has consistently held that candidates cannot meaningfully consent because the power imbalance of the hiring relationship makes consent coerced rather than freely given. This means tools collecting biometric data in hiring lack a defensible legal basis for processing under GDPR, regardless of the consent checkbox candidates are shown.

Article 22: Automated Decision-Making

Hiring decisions based solely on automated processing that significantly affect individuals are prohibited without explicit legal basis and the right to meaningful human review. Any AI system that generates hiring decisions without mandatory human oversight of each individual case is in direct conflict with this provision.

Data Minimisation

Personal data must be limited to what is strictly necessary for the purpose. This generally supports behavioural choice data from work simulations while excluding biometric or surveillance data that goes beyond what is needed to evaluate the candidate.

What a Compliant Hiring Architecture Looks Like

Compliance with the EU AI Act in hiring is not just about avoiding prohibited features. It requires building the entire assessment architecture around compliance from the start.

Zero biometric data collection

No webcam, no audio, no facial analysis, no keystroke logging. Evaluation restricted entirely to the choices a candidate makes.

Deterministic, auditable scoring

Every score must trace to specific candidate choices. The logic path from input to output must be documentable and readable by a human reviewer.

Human-in-the-loop by design

The system's outputs are advisory. Final candidate decisions require explicit human confirmation. No candidate can be rejected by the system alone.

Transparent data processing

Candidates receive clear plain-language information about what data is collected, how it is processed, how long it is retained, and their rights under GDPR before the assessment begins.

EU data residency available

All candidate data stored within the EEA. No cross-border transfer without adequate safeguards. Defined and defensible retention periods.

Annex IV documentation ready

Comprehensive technical documentation producible to regulators on request. Covers model design, training data, validation methodology, and ongoing monitoring.

The Business Case for Getting This Right Now

Compliance is not just a legal obligation in 2026. It is a commercial accelerator.

Enterprise procurement processes now routinely include EU AI Act compliance screening as part of vendor due diligence. A tool that cannot produce conformity documentation will not pass procurement at a mid-market or enterprise European organisation. The question has shifted from "do you have GDPR in your terms?" to "can you provide your technical documentation under Annex IV of the EU AI Act?"

For organisations evaluating assessment tools, compliance posture is increasingly the deciding factor in vendor selection, because the alternative is inheriting the vendor's regulatory liability as the deploying organisation.

The cost of retrofitting compliance onto a biometric-data-dependent architecture is almost always higher than building it in from the start. The organisations that get ahead of this now will move faster through enterprise procurement cycles, carry less legal exposure, and generate more accurate hiring data because their tools are built on principles that produce better behavioural signal anyway.

Timeline note: This is not a future risk to plan for. The EU AI Act's High-Risk provisions are in force now. The emotion recognition prohibition has applied since 2024. Enforcement activity from data protection authorities across the EU is increasing, not decreasing. Waiting to act is not a neutral position.

The Bottom Line

The EU AI Act is the present operating environment for any organisation using AI in hiring across the European Union. Not a future regulatory horizon. Not a proposal under review. The law that applies to your hiring tools today.

The tools that were built on webcam surveillance and black-box biometric scoring are under regulatory pressure that is not going to reverse. The tools that are growing are the ones that evaluate candidates on what they actually do, on choices made in realistic operational scenarios, without any biometric or surveillance data collection.

The shift is not just about compliance. The data consistently shows that work sample assessment outperforms credential screening and interview performance on the metric that matters most: whether the person you hire is still there and performing well at month twelve. See why new hires fail in the first 90 days and the real cost of a bad hire for how early attrition compounds that risk.

Compliance and better hiring performance point in exactly the same direction. That does not happen often. Take advantage of it.

Want to see what EU AI Act compliant hiring actually looks like?

Valentiq is built for EU AI Act compliance from the ground up. Zero biometric data. Deterministic, auditable choice logs. Mandatory human-in-the-loop on all decisions. Full Annex IV technical documentation available for enterprise procurement review.
