EU AI Act: HR Compliance for High-Risk AI Systems — Frequently Asked Questions

The EU AI Act is the first binding legal framework in the world to regulate artificial intelligence by risk category — and it puts most HR AI tools, including the AI features inside your ATS, squarely in the high-risk classification. Whether you are headquartered in Frankfurt or Phoenix, if your AI systems touch hiring or workforce decisions for EU-based people, you are in scope. The questions below cover the obligations, the penalties, the strategic choices, and the practical steps HR teams need to act on now. For the broader operational context — how to build your HR tech stack correctly before adding AI — start with our guide on supercharging your ATS with automation before layering in AI.

Jump to a question:

• What is the EU AI Act and when does it apply to HR teams?
• Which HR AI systems are classified as high-risk?
• What compliance obligations come with high-risk HR AI systems?
• Does the EU AI Act apply to companies outside the EU?
• What are the penalties for non-compliance?
• How does the Act address algorithmic bias in hiring?
• What is required for human oversight of high-risk HR AI?
• Does deterministic HR automation count as high-risk?
• What should HR leaders do right now?
• How does the EU AI Act interact with GDPR?
• Are AI-powered video interview platforms covered?
• Does the Act affect how we evaluate ATS vendors?

What is the EU AI Act and when does it apply to HR teams?

The EU AI Act is the world’s first comprehensive legal framework governing artificial intelligence, formally adopted in March 2024 and entering phased enforcement from 2025 onward. For HR teams, the most critical obligations activate when you deploy AI systems that influence employment decisions — hiring, screening, performance monitoring, promotion — for anyone working or applying within the EU.

The Act uses a four-tier risk classification: unacceptable risk (banned), high-risk (heavily regulated), limited risk (transparency requirements only), and minimal risk (few obligations). The majority of AI tools marketed to HR teams — resume ranking, candidate scoring, predictive fit models, performance monitoring software — fall in the high-risk category. That classification carries the full compliance burden: conformity assessments, bias testing, human oversight, and ongoing documentation.

Companies outside the EU are not exempt. The Act’s scope follows the impact of the AI system, not the location of the company deploying it. If your AI affects EU-based workers or applicants, you are in scope. This extraterritorial logic mirrors how GDPR operates and has similar implications for global HR tech strategy.

Which HR AI systems are classified as high-risk under the Act?

The Act explicitly names employment-context AI as high-risk. Any system whose output influences whether a person gets a job, keeps a job, or advances in their career qualifies.

In practice, that means:

• ATS resume screening and ranking algorithms that score or sort applicants before a human reviews them
• Skills-matching and fit-prediction models that recommend or deprioritize candidates
• Automated interview scheduling tools that include scoring or selection logic (not just calendar logic)
• Performance monitoring software that generates risk scores, productivity ratings, or behavioral flags on employees
• AI tools that inform promotion or termination decisions, including workforce planning models that identify at-risk employees

The test is not whether the AI makes the final decision — it is whether the AI output materially influences a decision that affects a person’s employment. Systems that merely automate deterministic logistics (scheduling, routing, data sync) sit in a lower risk tier. The distinction matters practically: see the question below on deterministic automation.

Gartner research consistently flags that HR leaders underestimate how many AI-adjacent features are embedded in standard HR platforms — performance dashboards with trend-scoring, engagement tools with attrition-risk flags, and ATS match-score features all meet the high-risk threshold and are often treated as incidental product features rather than regulated AI systems.

What compliance obligations come with high-risk HR AI systems?

High-risk classification triggers a demanding and ongoing compliance stack. A vendor marking their system ‘GDPR-compliant’ or ‘privacy-first’ does not satisfy these obligations — they are distinct and additive.

Required before deployment:

• Conformity assessment — a structured evaluation demonstrating the system meets Act requirements, documented in an Annex IV technical file
• Data governance documentation — evidence that training data was tested for representativeness and bias, with records of what datasets were used and how gaps were addressed
• Risk management system — an ongoing process identifying, evaluating, and mitigating risks across the system’s lifecycle

Required during operation:

• Human oversight mechanisms built into the system’s interface, not just stated in policy — humans must be able to monitor, understand, and override outputs without friction
• Transparency to affected individuals — candidates and employees must be informed when AI is involved in decisions that affect them
• Logging and incident reporting — automatic event logs must be maintained and made available to supervisory authorities on request
• Accuracy, robustness, and cybersecurity standards — ongoing performance testing against stated metrics

Harvard Business Review analysis of AI governance frameworks consistently emphasizes that compliance is not a checkbox — it requires institutional infrastructure, dedicated ownership, and regular review cycles. Treating the EU AI Act as a one-time procurement question will not survive audit.

Does the EU AI Act apply to companies headquartered outside the EU?

Yes, without exception. The Act applies whenever an AI system’s outputs affect EU-based individuals or when a system is placed on the EU market — regardless of where the deploying company is incorporated or where the system is hosted.

Practical examples of companies in scope despite non-EU headquarters:

• A US-based manufacturer hiring at its German facility using an AI-powered ATS
• A Canadian staffing firm screening candidates for EU-based client roles
• A global SaaS HR platform with EU customers, even if the AI models run on US servers
• A Singapore-headquartered company with a UK or EU subsidiary using centralized HR AI

McKinsey Global Institute research on AI governance has noted that organizations attempting to maintain separate AI governance regimes by geography face significant operational complexity. The de facto global standard dynamic — similar to GDPR — means many multinationals find it more efficient to apply EU AI Act standards enterprise-wide rather than segment by geography.

Compliance responsibility falls on both the provider (vendor who built the AI system) and the deployer (the HR team or company using it). If your vendor is non-compliant, you as the deployer may still be liable. This makes vendor due diligence a compliance obligation, not just a procurement preference.

What are the penalties for non-compliance?

Fines under the EU AI Act are tiered by violation type and are calibrated to be consequential at enterprise scale:

• Prohibited AI practices (unacceptable-risk systems, e.g., real-time biometric surveillance in prohibited contexts): up to €35 million or 7% of global annual turnover, whichever is greater
• Breaches of high-risk obligations (the category most HR AI tools fall into): up to €15 million or 3% of global annual turnover, whichever is greater
• Providing incorrect or misleading information to regulators: up to €7.5 million or 1% of global annual turnover, whichever is greater

These figures are structurally comparable to GDPR enforcement levels. Deloitte’s human capital research has repeatedly noted that regulatory risk is among the most significant underweighted risks in HR technology investment decisions — and the EU AI Act enforcement architecture is designed to make that calculus explicit.

National supervisory authorities in each EU member state will have primary enforcement responsibility. Enforcement practice will vary by country and by sector, but the employment context — given its direct connection to fundamental rights — is expected to be a priority area for early enforcement actions.

How does the Act address algorithmic bias in hiring?

Bias mitigation is a legal obligation, not a best practice. This is one of the Act’s most consequential provisions for HR teams, because many AI hiring tools have a documented history of encoding bias from historical hiring data.

Specific requirements for high-risk HR AI systems:

• Training datasets must be tested for representativeness across protected characteristics — gender, ethnicity, age, disability status, and others as defined by applicable EU law
• Bias-testing methodology must be documented and available to regulators on request
• The system must be designed to minimize discriminatory outputs throughout its operational life — a pre-deployment audit is not sufficient
• Ongoing monitoring for bias drift (where model accuracy diverges for subgroups over time) is required

For HR teams, this creates a direct procurement obligation: every AI vendor must be able to produce documentation of bias testing before you deploy their tool. A vendor who cannot provide this is not just a compliance risk — they are a legal liability. For implementation guidance on building screening workflows that satisfy both ethical and regulatory standards, see our deep-dive on stopping ATS bias through ethical AI and our guide to automated blind screening to reduce hiring bias.

What is required for human oversight of high-risk HR AI?

The Act requires that high-risk AI systems be designed — not just described in policy — so that qualified humans can effectively monitor, understand, and override AI outputs. A blanket policy stating ‘managers make the final call’ does not satisfy this requirement if the system’s interface makes override difficult, invisible, or friction-laden.

Technically, human oversight mechanisms must include:

• The ability for designated persons to monitor the system’s operation in real time
• Explainability: the system must provide a rationale for its outputs that a non-technical reviewer can evaluate — not just a score
• Low-confidence flagging: outputs below a reliability threshold must be surfaced to human reviewers rather than processed automatically
• A documented and frictionless override pathway — the human reviewer must be able to reverse an AI recommendation without technical barriers
• Records of override decisions, enabling audit of whether human oversight is actually exercised

SHRM research on AI adoption in HR consistently identifies a gap between stated governance policies and actual workflow design. Oversight that exists in a policy document but not in the product UI does not satisfy the Act’s requirements. HR operations leaders need to walk through the actual screen-by-screen workflow with compliance counsel to verify that override mechanisms are genuinely accessible.

Does deterministic HR process automation count as high-risk?

Generally, no — and this distinction is one of the most strategically useful parts of the EU AI Act for HR teams building automation programs.

Deterministic rule-based automation — routing applications to the right recruiter based on role criteria, sending status-update emails triggered by ATS stage changes, syncing candidate data between your ATS and HRIS, or scheduling interviews based on calendar availability — does not involve AI probabilistic judgment about a person’s suitability for a role. These systems follow fixed logic. They sit in the minimal-risk category and carry minimal regulatory overhead.

This regulatory gap creates a clear build sequence:

1. Build the automation spine first — scheduling, routing, communications, data capture — using deterministic logic. This is faster, cheaper, and low-risk by regulatory default.
2. Add AI only at the judgment points where deterministic rules genuinely break down and where you have governance infrastructure in place to satisfy high-risk requirements.

This is exactly the sequence outlined in our parent guide on supercharging your ATS with automation before layering in AI. For a structured approach to building that automation foundation, see the phased approach to recruitment automation.

What should HR leaders do right now to prepare for EU AI Act compliance?

Compliance preparation has a clear starting point: inventory before strategy.

1. Complete a full AI tool inventory. List every AI-adjacent feature in your HR tech stack — including features embedded in your ATS, HRIS, performance platform, or engagement tool that you did not procure separately. Many high-risk features were added in product updates without a separate procurement event.
2. Apply the employment-decision test. For each tool or feature, determine: does this output influence whether a person gets a job, keeps a job, or advances? If yes, it is likely high-risk.
3. Request vendor documentation immediately. For every high-risk system, request the Annex IV technical documentation, bias-testing records, and conformity assessment status. Log which vendors respond and which cannot produce documentation — that gap is a material procurement risk.
4. Assign compliance ownership. Each high-risk system needs a named internal owner responsible for monitoring, audit logs, and incident reporting — not a committee, a person.
5. Build and test human override pathways. Walk through the actual workflow for each high-risk system and verify that override mechanisms are genuine, frictionless, and logged.
6. Assess your automation foundation. Before investing in additional AI features, evaluate whether your deterministic automation spine is complete. Gaps in scheduling, routing, and data sync automation increase your dependence on AI tools and, therefore, your regulatory exposure. Reviewing the ROI case for ATS automation can help build the business case for prioritizing that foundation.

How does the EU AI Act interact with GDPR for HR data?

The two frameworks are complementary and often overlap, but they are not duplicative — each creates obligations the other does not.

GDPR already restricts automated decision-making that produces legal or similarly significant effects on individuals (Article 22), requires a lawful basis for processing personal data, and gives candidates and employees rights of access, explanation, and objection. Most HR AI outputs trigger Article 22 provisions.

The EU AI Act adds a technical and governance layer on top of GDPR’s data rights framework. Where GDPR gives a candidate the right to request an explanation of an automated decision, the EU AI Act requires that the system be architecturally capable of providing a meaningful explanation — the right to explanation is hollow if the system cannot generate one. Where GDPR requires data minimization, the AI Act adds dataset representativeness testing as an additional data quality standard.

Key practical point: a GDPR-compliant data retention policy, lawful basis assessment, or data processing agreement does not automatically satisfy EU AI Act conformity requirements. HR teams operating in the EU must satisfy both frameworks simultaneously, and legal counsel familiar with both is essential for accurate gap analysis.

Are AI-powered video interview platforms covered by the Act?

Yes — when they analyze candidate behavior, tone, facial expressions, or speech patterns to generate assessments or scores that influence hiring decisions, they qualify as high-risk AI systems.

Platforms in this category that generate candidate ratings, trait assessments, or predictive fit scores from video analysis are explicitly within scope. Transparency obligations require that candidates be informed, before the interview takes place, that AI is analyzing their performance. The information provided must be meaningful — a generic ‘this interview may use AI technology’ disclosure likely does not satisfy the Act’s transparency standard.

Some capabilities within these platforms — particularly facial recognition used to infer emotional states or personality traits — may additionally trigger provisions governing biometric data and biometric categorization systems, which carry their own specific restrictions and, in some use cases, bans. HR teams evaluating or renewing contracts with AI video interview vendors should conduct a capability-by-capability review against Act requirements, not just a platform-level assessment.

Does the EU AI Act affect how we evaluate ATS vendors?

Directly and substantially. AI features in an ATS — resume ranking, candidate scoring, predictive fit models, automated screening logic — are high-risk AI systems. The vendor who builds them and the HR team that deploys them share compliance responsibility under the Act.

Compliance-aware vendor evaluation should include:

• Annex IV technical documentation — does the vendor have it, can they produce it on request?
• Bias-testing records — what datasets were used, how was representativeness verified, how frequently is bias testing repeated?
• Conformity assessment status — has the system undergone a formal conformity assessment, and by whom?
• Human oversight design — how does the product UI surface AI rationale and support override decisions?
• Audit logging — what event logs does the system generate and how are they accessed?
• Roadmap for ongoing compliance — as the EU AI Office issues implementing guidance, how will the vendor update the system?

Vendors who cannot answer these questions are a regulatory liability. For HR teams rebuilding their vendor evaluation process, the essential automation features for ATS integrations guide provides a functional baseline, and the analysis of how AI transforms your existing ATS beyond parsing helps distinguish high-risk AI capabilities from lower-risk automation enhancements.

The EU AI Act does not make AI adoption in HR impossible — it makes governance a prerequisite. Organizations that build compliance infrastructure now, audit their vendor stack, and prioritize deterministic automation as the foundation will be better positioned than those treating the Act as a distant regulatory concern. For the complete operational framework — how to sequence automation and AI deployment in your ATS correctly — return to our guide on supercharging your ATS with automation before layering in AI.