Blog

The EU AI Act makes recruitment AI high-risk: what HR must do now

AI tools for CV screening and candidate assessment count as high-risk under the EU AI Act. What this means for safe AI use in HR processes.

July 16, 2026 · Victor Angelier

AI tools that rank CVs, evaluate candidates or place targeted job advertisements are classified under the EU AI Act as high-risk systems. For HR departments this is no longer a theoretical matter: the way recruitment and selection is set up must demonstrably meet requirements around risk analysis, transparency, logging and human oversight. Several recent sources — including the European Commission itself and legal analyses from, among others, Hunton Andrews Kurth and DLA Piper — together paint a clear picture of what is changing.

Why recruitment AI counts as high-risk

On its page about the regulatory framework for AI, the European Commission explicitly describes that AI systems for employment, workforce management and access to self-employment — such as software that sorts CVs — fall into the high-risk category. According to the analysis by Hunton Andrews Kurth, this flows from Article 6(2) and Annex III of Regulation (EU) 2024/1689. This includes systems intended for recruitment or selection (targeted job adverts, analysing and filtering applications, assessing candidates) as well as systems involved in decisions on terms of employment, promotion, dismissal, task allocation or performance monitoring.

The scope is therefore broad. It concerns not only fully automated decision systems, but almost the entire chain of AI support within recruitment and workforce management.

Material influence weighs more heavily than automation

An important point of attention comes from the draft guidelines that the European Commission published on the classification of high-risk AI under Article 6. According to the discussion by DLA Piper, the core question is whether the AI system materially influences the employment decision — and that can be the case even when a human formally takes the final decision.

For HR specialists this means that a tool does not fall outside the high-risk category simply by placing a human at the end of the process. If the AI determines the ranking, shortlist or scoring on which a recruiter relies, that influence counts. DLA Piper also points out that the stakeholder consultation on these draft guidelines ran until 23 July 2026, with final guidelines expected at the end of 2026.

Shifted deadlines: time to build governance

Under the original planning, the obligations for high-risk systems were largely due to apply from 2 August 2026, as described by both Hunton Andrews Kurth and the CheckCompliance guide for HR. AIAdopt, however, describes that the so-called Digital Omnibus on AI shifts the application date for high-risk obligations from 2 August 2026 to 2 December 2027.

That extra time is no reason to wait and see. It is precisely a window to build a robust governance layer around recruitment tools before enforcement begins.

Concrete obligations for HR departments

The CheckCompliance guide translates the abstract rules into practical steps for HR departments deploying high-risk AI. Referring to the deployer obligations from Article 26, these include:

  • keeping the use of the system within its intended purpose;
  • informing employees and candidates about the use of AI;
  • retaining logs of AI outcomes;
  • ensuring meaningful human oversight.

CheckCompliance also notes that misuse of high-risk systems can lead to fines of up to 15 million euros or 3% of global annual turnover. The European Commission, for its part, emphasises the core obligations around risk assessment, documentation, logging and human oversight.

What this requires of safe AI use in HR

These developments shift the definition of "safe" AI use in HR. Safety means not only that a tool performs well, but that an organisation can demonstrate how AI recommendations come about, that a human has substantively assessed them, and that candidates and employees have been informed about this. That calls for systematic risk analyses, verification and logging of AI outcomes, and demonstrable human assessment before an AI recommendation feeds into an employment decision.

Recruitment data is moreover distinctly sensitive: application data touches directly on privacy and the risk of discrimination. Separating personal data and AI analysis thereby becomes a practical point of attention, not just a principle.

The role of a privacy-focused verification layer

For HR teams that want to deploy AI responsibly, a privacy-focused verification console such as I am Vera can provide support with precisely those control steps. Vera is not a chatbot and not a language model of its own, but a verification layer that makes the intermediate steps of AI use visible.

The Semantic Privacy Shield is designed so that documents are anonymised on EU infrastructure before content is offered to the selected AI models; if the privacy check fails, nothing is forwarded. Through multi-model verification, AI answers can be placed side by side, which gives more insight into the basis of a recommendation. And with Vera Office, sensitive HR documents can be viewed and edited within the same secure environment.

That does not take over the assessment: the professional final judgement remains with the HR specialist. But it makes control and documentation more feasible — precisely what the EU AI Act expects of deployers. Those who use the shifted deadlines to structurally build in verification, logging and human oversight will be in a stronger position when the high-risk obligations actually take effect.

← All articles