EU AI Act for HR teams: what recruitment, performance review, and worker management AI needs
HR is the most under-prepared function for the EU AI Act. Recruitment AI, CV screening, performance scoring, promotion AI, gig allocation, and worker monitoring all sit in Annex III(4) high-risk territory. Article 4 AI literacy and Article 5 prohibitions (emotion recognition in workplaces, social scoring of workers) are live today. Full Annex III(4) obligations under Articles 8-49 apply from 2 December 2027 under the post-Omnibus timeline.
- Most HR AI is high-risk under Annex III(4): recruitment, screening, ranking, promotion, termination, task allocation
- Banned under Article 5(1)(f): emotion recognition in workplaces (voice tone, facial expression, micro-expression scoring)
- Banned under Article 5(1)(c): social scoring of workers
- Article 4 literacy: live since 2 Feb 2025, applies to every HR staff member using AI
- Article 26 deployer obligations: oversight, transparency, logs, incident reporting, all required for high-risk HR AI
- Article 27 FRIA: required only for public bodies + Annex III(5)(b)/(c) credit + insurance, NOT for private SMEs using HR AI
- Full Annex III(4) obligations apply from 2 December 2027 (post-Omnibus)
- Article 99 Tier 2 fines for missing obligations: up to EUR 15M or 3% turnover
Why HR is the most exposed function in your business
HR sits at the intersection of three pressures the EU AI Act treats as serious. First, HR decisions are explicitly Annex III(4) high-risk: recruitment, performance evaluation, promotion, termination, allocation of tasks. Second, HR is one of the fastest-adopting functions for AI tooling: every modern ATS now ships ML-based candidate scoring, every performance-management platform has AI summary features, every gig platform runs on AI task allocation. Third, HR violations are visible: a single discrimination complaint can trigger an Article 79 risk procedure and a market surveillance investigation.
The under-preparedness gap is real. Most HR teams I work with can name the AI tools they procure (an ATS, a sourcing platform, an interview-scheduling assistant) but cannot describe the AI tools embedded inside Microsoft 365 Copilot, Salesforce Einstein, or their existing HRIS that are technically high-risk Annex III(4) the moment they touch a hiring or performance decision. That gap is what an audit will surface first.
What's high-risk in HR (the Annex III(4) inventory)
Article 6 + Annex III(4) explicitly captures four employment-related categories of AI:
Recruitment + selection of candidates. AI used to filter, screen, rank, or score applicants. Includes CV-parsing ML models, candidate-matching algorithms, video-interview analysis AI, automated shortlisting in ATSs, sourcing AI that picks who to contact, and chatbot-led pre-screening.
Decisions affecting promotion, termination, or work allocation. AI used to evaluate performance, predict attrition, score "fit" for promotion, recommend layoffs, or allocate work among employees. Performance-review summary AI is in scope if the summary materially influences the decision.
Monitoring + evaluation of workers. AI used to monitor productivity, behaviour, or performance with output flowing into employment decisions. Covers attendance pattern analysis, productivity scoring, communication-pattern AI, output-quality scoring.
Task allocation in platform work. Annex III(4)(b) explicitly captures AI used to assign tasks among workers, including platform-mediated gig work. The 2024 EU Platform Work Directive adds further transparency + human-intervention requirements on top.
Translation: most modern HR teams are running multiple high-risk AI systems today, often without realising it. The first compliance step is an honest inventory.
What's outright banned: Article 5 prohibitions in HR
Two Article 5 prohibitions hit HR directly and they've been live since 2 February 2025. These aren't future deadlines; an authority can investigate and fine today.
Article 5(1)(f): Emotion recognition in the workplace
AI systems that infer emotions from natural persons in workplace or educational settings are prohibited, except for medical or safety reasons. This captures voice-tone analysis in customer service ("agent stress score"), facial-expression scoring in interviews ("candidate enthusiasm"), micro-expression detection, posture-based engagement scoring, and similar inferences from involuntary biological signals.
The narrow medical/safety carve-out is exactly that: narrow. AI that detects drowsiness in a forklift driver for safety reasons is allowed. AI that scores a sales rep's "enthusiasm" on customer calls is prohibited. The line is whether the inference relates to a safety hazard or to a performance/engagement assessment.
Article 5(1)(c): Social scoring of natural persons
AI systems that classify natural persons over time based on social behaviour, personal characteristics, or predicted personality traits to produce a score that leads to detrimental treatment in unrelated contexts are prohibited. In HR this captures "employee social credit" scoring systems, AI that combines off-the-job social-media monitoring with work decisions, and cross-domain behaviour-prediction AI used to influence promotion or termination.
Article 5 has been enforceable since 2 February 2025. Fines under Article 99(3) Tier 1: up to EUR 35 million or 7% of global annual turnover, whichever is higher. Article 99(3) is the heaviest tier. An HR team running prohibited AI today is in the worst exposure position the AI Act creates.
Article 4 AI literacy for HR teams
Article 4 requires every organisation deploying AI in the EU to ensure staff have AI literacy proportionate to role + risk. It's been enforceable since 2 February 2025. For HR teams, three literacy tiers usually make sense:
All HR staff. AI fundamentals (what AI is, what it can and can't do), recognise hallucination + bias patterns, when to escalate, GDPR + Article 26 transparency obligations to candidates / employees, Article 5 prohibitions they need to know to spot. Our Staff AI Awareness course covers this.
HR managers + recruitment leads. Article 4 fundamentals + risk assessment + Article 26 deployer obligations + Article 27 FRIA design (where relevant) + vendor evaluation + the Platform Work Directive + the GDPR Article 22 automated-decision-making test. Our Manager course covers this.
HR director + CHRO. Article 4 personal-liability exposure, board sign-off on high-risk HR AI procurement, governance design, incident escalation. Our Director course covers this.
Verifiable per-learner certificates are the audit evidence. A claim that "we trained everyone" without dated, signed certificates per individual is not defensible under Article 4.
Article 26 obligations for HR AI deployers
Article 26 sets out the deployer-side obligations for high-risk AI. For HR teams the six most relevant sub-obligations:
Article 26(1), Use the system per its intended purpose. Each HR AI tool comes with Article 13 instructions for use from the provider. Use it within those instructions. Repurposing a candidate-ranking AI for promotion decisions, for example, can shift you from deployer to provider under Article 25(1).
Article 26(2), Human oversight. Assign named, trained humans to oversee each high-risk HR AI deployment. They need the competence, authority, and time to intervene. "Yes-button" oversight (where the human always rubber-stamps) fails this requirement.
Article 26(3), Input data quality. The training + input data must be relevant to the intended purpose. Using a CV-screening AI trained on tech-industry CVs for hospitality-industry hiring is a data-quality problem.
Article 26(5), Incident reporting. Inform the provider without undue delay when you become aware of a serious incident. The provider then files the Article 73 notification (2 / 10 / 15 day clocks).
Article 26(6), Log retention. Keep the automatically-generated logs the high-risk AI produces, for at least 6 months unless your industry / national law requires longer. For HR specifically, longer retention typically applies under employment-law evidence rules.
Article 26(7), Transparency to affected persons. Inform candidates / employees that they're subject to high-risk AI use. This connects to GDPR Article 13/14 information obligations. Many ATSs handle this in their candidate-facing privacy notices; verify yours does.
FRIA: when HR teams need one, when they don't
Article 27 requires a Fundamental Rights Impact Assessment for two specific categories of deployer, and HR teams in most private SMEs aren't directly in scope. The narrow population:
Public-sector HR. Government HR, public-school HR, public-hospital HR, civil-service recruitment, public-sector pension/benefits administration. All in scope of Article 27 FRIA requirements.
Credit-scoring + life/health insurance deployers (Annex III(5)(b)/(c)). Doesn't apply to most HR but to be precise: AI used in those Annex III(5) categories must run a FRIA. HR for a bank or insurer is not in itself in Article 27 scope unless the HR AI also does credit/insurance pricing.
Even if Article 27 doesn’t legally bind you, a FRIA-pattern document is the cheapest evidence of due diligence in the event of an HR AI incident. The AI Liability Directive will create a presumption of fault where the deployer can’t show structured risk assessment. The 6 elements of Article 27(1)(a) to (f) are a strong voluntary template.
Records HR teams need to keep
An audit will demand documentation, not narrative. Six categories of records every HR team running AI needs to maintain:
AI tool inventory. Every AI used in HR with: vendor, version, intended purpose, risk classification under Annex III, deployment date, accountable HR owner, list of users. Treat the inventory as a living document, update on every new tool, every model version change.
Provider Article 13 documentation. The instructions-for-use the AI provider must give you. For GPAI-based HR tools (ATSs that use OpenAI or Anthropic under the hood), also retain the Article 53(b) downstream-provider information pack. Demand it from the vendor if it’s not given.
Article 4 literacy training records. Per HR staff member, dated, certified. Must cover the AI tools that person actually uses. Generic "AI awareness" training without role-specificity doesn’t satisfy Article 4’s proportionality requirement.
Article 26 oversight log. Per high-risk HR AI deployment, log who oversaw which output, when, with what conclusion. "Approved 47 candidate scores on 12 May 2026" is the level of granularity. Spreadsheet works; dedicated GRC tooling scales better.
FRIA + updates (if in scope). For public-sector HR, the Article 27 FRIA + every update on material change. Notification to the national market surveillance authority on completion.
Article 73 incident log. Every serious incident with timeline, response, evidence, authority notification. Even non-reportable incidents and near-misses should be in your post-market monitoring log under Article 72.
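As an added example that is not part of the original post and not any vendor's or GRC product's code, the following Python models the Article 26 oversight log at the granularity described above ("who oversaw which output, when, with what conclusion") and runs the two checks a reviewer would want over it: a per-overseer rubber-stamp heuristic for Article 26(2), and the Article 26(6) six-month retention floor. The pipe-separated log format, the sample entries, the overseer names, the "as of" date and the 30-second / 95% thresholds are all constructed assumptions; the Act states no numeric test for what counts as "yes-button" oversight, so the flag is a prompt to look, not a legal finding.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median

# Constructed sample of an Article 26 oversight log (not real data). One line per
# AI output a named human reviewed. Field order is our own assumed format:
# system|output_ref|overseer|presented_at|decided_at|ai_recommendation|conclusion
SAMPLE_LOG = """\
ats-ranking-v3|cand-1001|a.kowalski|2026-05-12T09:00:00+00:00|2026-05-12T09:00:04+00:00|advance|advance
ats-ranking-v3|cand-1002|a.kowalski|2026-05-12T09:00:10+00:00|2026-05-12T09:00:13+00:00|reject|reject
ats-ranking-v3|cand-1003|a.kowalski|2026-05-12T09:00:20+00:00|2026-05-12T09:00:25+00:00|advance|advance
ats-ranking-v3|cand-1004|a.kowalski|2026-05-12T09:00:30+00:00|2026-05-12T09:00:33+00:00|reject|reject
ats-ranking-v3|cand-2001|m.ortega|2026-05-12T10:00:00+00:00|2026-05-12T10:03:10+00:00|reject|advance
ats-ranking-v3|cand-2002|m.ortega|2026-05-12T10:05:00+00:00|2026-05-12T10:07:00+00:00|advance|advance
ats-ranking-v3|cand-2003|m.ortega|2026-05-12T10:10:00+00:00|2026-05-12T10:11:30+00:00|reject|reject
ats-ranking-v3|cand-0001|m.ortega|2025-10-01T08:00:00+00:00|2025-10-01T08:02:00+00:00|advance|reject
"""

# Constructed "today" for the retention check (assumption, so the example is reproducible).
AS_OF = datetime(2026, 5, 20, tzinfo=timezone.utc)


@dataclass(frozen=True)
class OversightEntry:
    system: str            # AI tool as named in the Article 26 inventory
    output_ref: str        # which AI output was reviewed (e.g. a candidate score id)
    overseer: str          # the named human assigned under Article 26(2)
    presented_at: datetime # when the AI output was shown to the overseer
    decided_at: datetime   # when the overseer recorded a conclusion
    ai_recommendation: str # what the AI suggested ("advance" / "reject")
    conclusion: str        # what the human decided ("advance" / "reject")

    @property
    def review_seconds(self) -> float:
        return (self.decided_at - self.presented_at).total_seconds()

    @property
    def agreed_with_ai(self) -> bool:
        return self.ai_recommendation == self.conclusion


def parse_log_line(line: str) -> OversightEntry:
    fields = line.strip().split("|")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    system, ref, who, shown, decided, ai_rec, conclusion = fields
    entry = OversightEntry(system, ref, who, datetime.fromisoformat(shown),
                           datetime.fromisoformat(decided), ai_rec, conclusion)
    if entry.review_seconds < 0:
        raise ValueError(f"decided before presented: {line!r}")
    return entry


def parse_log(text: str) -> list[OversightEntry]:
    return [parse_log_line(ln) for ln in text.splitlines() if ln.strip()]


def rubber_stamp_report(entries, min_review_seconds: float = 30.0,
                        max_agreement: float = 0.95) -> dict:
    """Per overseer: agreement rate with the AI and median review time.
    The two thresholds are illustrative assumptions, not figures from the Act.
    A reviewer who almost never disagrees and decides in seconds is flagged
    for a closer look, since that pattern is what 'yes-button' oversight looks like."""
    by_overseer: dict[str, list[OversightEntry]] = {}
    for e in entries:
        by_overseer.setdefault(e.overseer, []).append(e)
    report = {}
    for who, items in by_overseer.items():
        agreement = sum(e.agreed_with_ai for e in items) / len(items)
        med = median(e.review_seconds for e in items)
        report[who] = {
            "reviews": len(items),
            "agreement_rate": agreement,
            "median_review_seconds": med,
            "flagged": med < min_review_seconds or agreement > max_agreement,
        }
    return report


def retention_cutoff(now: datetime, min_months: int = 6) -> datetime:
    """Earliest decided_at still inside the Article 26(6) minimum retention window.
    Day is clamped to 28 so the month arithmetic never lands on a non-existent date."""
    year, month = now.year, now.month - min_months
    while month <= 0:
        month += 12
        year -= 1
    return now.replace(year=year, month=month, day=min(now.day, 28))


def split_by_retention(entries, now: datetime, min_months: int = 6):
    """Entries inside the minimum window must be kept; entries past it are only
    eligible for disposal if no longer employment-law retention rule applies."""
    cutoff = retention_cutoff(now, min_months)
    must_keep = [e for e in entries if e.decided_at >= cutoff]
    past_minimum = [e for e in entries if e.decided_at < cutoff]
    return must_keep, past_minimum


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for who, stats in rubber_stamp_report(log).items():
        print(who, stats)
    keep, past = split_by_retention(log, AS_OF)
    print(f"must keep: {len(keep)}, past 6-month minimum: {len(past)}")
```

Run as-is and the report flags a.kowalski (four reviews, 100% agreement, median 3.5 seconds) and not m.ortega (50% agreement, median 120 seconds); one entry from October 2025 falls outside the six-month minimum as of the constructed date, which is exactly the point where the longer employment-law retention the post mentions takes over.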
A 90-day HR AI compliance ramp
For HR teams starting from scratch, this is the shape of the work:
Days 1-30: inventory + classification
Catalogue every AI in HR (procured AI tools + AI features inside existing platforms + shadow AI surfaced by interviewing the team). For each, run the Annex III(4) classification. Identify any Article 5(1)(f) emotion-recognition tools; those need to come out immediately. Output: complete AI inventory with risk classifications.
Days 31-60: Article 4 training + Article 26 oversight design
Roll out Article 4 literacy training to all HR staff. Design Article 26(2) human oversight per high-risk AI (named overseer, training, authority, time budget). Build the Article 26(6) log template. Update Article 13 information requests to vendors for any AI you don’t have docs for.
Days 61-90: Article 27 FRIA (if in scope) + incident response
If you’re in scope of Article 27 (public-sector HR), run the FRIA for each high-risk HR AI. If not, run the FRIA pattern voluntarily anyway. Build the incident response playbook with Article 73 reporting flow. Document everything. Test the runbook with a tabletop incident.
It’s rarely the technical work. The hardest part of an HR AI compliance ramp is convincing leadership that "we run a regulated process now", that recruitment AI sign-off has to flow through structured governance, that you can’t add a new vendor in a week without going through Article 13 documentation review, that the recruiter can’t take the AI’s score and ship the offer letter without an oversight log. Cultural shift work, not legal work.
Tools for HR AI compliance
Free tools we’ve built that map to HR AI compliance.
Sources
- Annex III(4) employment + worker management on EUR-Lex
- Article 5 prohibited practices on EUR-Lex
- Article 26 deployer obligations on EUR-Lex
- EU Platform Work Directive (Directive 2024/2831)
- Regulation (EU) 2024/1689 (consolidated) on EUR-Lex
Frequently asked questions
- Regulation (EU) 2024/1689 (the EU AI Act) on EUR-Lex: the full text of the EU AI Act on the EU's official legal portal. The source of every Article and Annex referenced in this post.
- Regulation (EU) 2016/679 (GDPR) on EUR-Lex: the General Data Protection Regulation. Article 22 (automated decision-making) and Article 33 (breach notification) interact directly with the EU AI Act.
- EDPB guidelines on automated decision-making (WP251rev.01): the European Data Protection Board guidelines on GDPR Article 22. The practical interpretation reference for automated decisions affecting natural persons.
- Directive (EU) 2024/2831 (Platform Work Directive) on EUR-Lex: the 2024 Platform Work Directive. Adds transparency + human-intervention rights for algorithmic management of gig workers, stacking on top of AI Act Annex III(4).
- European AI Office: the European Commission AI Office, the central enforcement body for GPAI obligations and coordination across national authorities.