Skip to main content
Compliance

EU AI Act and Recruitment: What Tech Employers Need to Know in 2026

Calin Muresan
#EU AI Act#AI recruitment#compliance#high-risk AI#GDPR#2026#hiring

EU AI Act and recruitment: what tech employers need to know in 2026

The EU AI Act treats AI used in recruitment as “high-risk.” If you use software to screen CVs, rank candidates, or score interviews, you now carry legal obligations: human oversight, transparency to candidates, bias monitoring, logging, and documentation. The headline deadline was 2 August 2026. As of mid-2026, a political deal looks set to push the high-risk rules for hiring to 2 December 2027.

Here’s the uncomfortable part. The AI quietly filtering your applicants just became the EU’s business, and yours. Most hiring teams adopted these tools to save time, not to take on a compliance project.

We’re former software engineers who now recruit for Cloud, DevOps, and Data & AI roles across Europe. We read the model cards. So this guide skips the legalese. You’ll get what the EU AI Act actually means for recruitment, which tools are affected, the real timeline, and a checklist you can act on this quarter.

Key Takeaways

  • AI systems used to screen, rank, or assess candidates are classified as high-risk under Annex III of the EU AI Act, triggering strict obligations for employers who deploy them.
  • The original 2 August 2026 deadline for high-risk hiring rules is set to move to 2 December 2027 under the Digital Omnibus agreement reached in May 2026, but it is not yet formally adopted.
  • Some practices are already banned since February 2025, including emotion recognition at work and inferring “cultural fit” from facial expressions, voice, or social media.
  • As an employer, you are a deployer: you owe human oversight, candidate notification, 6-month logging, and ongoing monitoring, even if your vendor claims their tool is compliant.
  • Penalties reach €15 million or 3% of global turnover for high-risk breaches, and €35 million or 7% for prohibited practices.

What the EU AI Act means for recruitment

The EU AI Act is the world’s first comprehensive law on artificial intelligence. It sorts AI systems by risk: minimal, limited, high, and prohibited. The higher the risk to people’s rights, the stricter the rules.

Hiring sits near the top. AI used for recruitment and employment decisions is listed as high-risk because it shapes someone’s livelihood and career. That covers far more than a fancy CV parser.

Under the Act, a high-risk recruitment system is any AI that helps decide who gets hired, promoted, assigned work, or let go. Think CV screening and ranking, chatbots that filter applicants, video-interview scoring, and performance-evaluation tools.

The law splits responsibility between two roles. Providers build the AI. Deployers use it. If you’re an employer or a recruitment agency running these tools, you are a deployer, and you have your own duties that don’t disappear because a vendor wrote the code.

Want a quick read on whether this affects you? If any software touches your hiring funnel and influences a decision, assume it’s in scope. Then talk to a team that hires with these tools daily before you take a vendor’s word on compliance.

Why AI recruitment tools are classed “high-risk”

The logic is simple. A biased model in a game recommender is annoying. A biased model in hiring can quietly lock qualified people out of work, at scale, with no one noticing. The EU AI Act recruitment rules exist to make that visible and accountable.

What counts as high-risk in hiring

The high-risk net is wide. In practice, it catches the tools most tech teams already use:

  • CV screening and ranking: software that scores or sorts candidates against a role.
  • Sourcing and matching: AI that surfaces or shortlists profiles for outreach.
  • Chatbots and assistants: tools that filter or pre-qualify applicants.
  • Assessment scoring: automated grading of tests, code challenges, or video interviews.
  • Performance and workforce tools: AI used for evaluation, task allocation, or termination decisions.

Consider a real-world shape of this. Andrei, a VP Engineering at a Cluj scale-up, runs every inbound CV through an AI ranker before his team sees a shortlist. Useful, until you ask the obvious question: can he explain why candidate 4 outranked candidate 40? Under the Act, he needs to. That single tool now demands documentation, oversight, and a way for a rejected candidate to ask for a human review.

What’s already banned (since February 2025)

Some uses aren’t high-risk, they’re prohibited outright, and these rules have applied since February 2025. They’re independent of any deadline shift.

  • Emotion recognition at work, except for medical or safety reasons.
  • Inferring traits like enthusiasm, confidence, or “cultural fit” from facial expressions, voice tone, or body language.
  • Personality profiling by scraping social media or non-work behaviour to filter people out.

If a vendor sells you a tool that grades a candidate’s “passion” from a webcam, that’s not a grey area. It’s banned. Walk away.

The EU AI Act timeline for recruitment teams

Here’s where most guides are out of date, so read this part carefully and check the date on anything else you read.

The EU AI Act entered into force on 1 August 2024 and phases in over several years. The original plan made high-risk obligations, including recruitment, apply from 2 August 2026. That date is now moving.

In November 2025, the European Commission published the Digital Omnibus on AI, proposing to delay the high-risk deadlines. After negotiation, EU institutions reached a provisional political agreement on 6 May 2026, confirmed by Council representatives on 13 May 2026. If adopted as agreed, standalone high-risk systems like recruitment tools would need to comply by 2 December 2027.

DateWhat applies
Feb 2025Prohibited practices + AI literacy duty (in force now)
Aug 2025Rules for general-purpose AI models (in force now)
2 Aug 2026Original high-risk deadline for recruitment
2 Dec 2027Likely new high-risk deadline for hiring (pending adoption)

Two caveats matter. First, the deferral is not yet formally adopted. If it isn’t finalised before 2 August 2026, the original timeline applies as written. Second, the bans and the AI literacy duty are already live regardless of the Omnibus. You don’t get extra time on those.

Our honest take: treat December 2027 as your working deadline, but build the habits now. The teams that scramble in late 2027 will be the ones who used the extra time to do nothing.

Your obligations under the EU AI Act when you recruit with AI

As a deployer, you carry duties even when the tool is someone else’s product. Here’s what you owe, in plain terms.

  • Human oversight. A trained person must be able to understand the tool’s limits, interpret its output, and override or ignore it. A rubber-stamp click isn’t oversight.
  • Candidate and worker notification. People have a right to know AI is being used in a decision that affects them, and broadly how it works. In many cases you must inform workers’ representatives before deployment.
  • Logging. Keep the logs your high-risk system generates for at least six months, so decisions can be reviewed later.
  • Ongoing monitoring. Check that the system performs as intended and watch for drift or discriminatory patterns over time.
  • Documentation. Maintain records of the tool’s purpose, how it works, and its known limitations.

One trap deserves a flag in bold. A vendor’s compliance does not cover yours. Provider and deployer carry independent legal responsibility. If a sales rep says “don’t worry, we’re AI Act compliant,” that addresses their obligations, not the human oversight and notification duties that sit with you.

This is exactly the kind of gap a recruitment partner who understands the tooling can close before it becomes a liability.

EU AI Act compliance checklist for recruitment

You don’t need a 40-page policy to start. You need to know what you’re running and who’s accountable. Work through these steps in order.

  1. Inventory your tools. List every AI touchpoint in hiring: job-ad targeting, sourcing, screening, assessments, chatbots, scheduling, offer decisions.
  2. Classify risk. Flag anything that influences a hiring decision as high-risk. Flag anything doing emotion or personality inference as a possible prohibited use, and stop it.
  3. Demand vendor documentation. Ask for the technical documentation, intended purpose, bias-testing evidence, and instructions for human oversight.
  4. Run an impact check. For each high-risk tool, assess who it affects and how it could go wrong, especially for protected groups.
  5. Set human oversight. Name who reviews and can override AI outputs, and make sure they’re trained to actually do it.
  6. Inform candidates. Update your privacy notice and candidate communications to disclose AI use in clear language.
  7. Train your team. The AI literacy duty is already in force. Your recruiters should understand what the tools do and where they fail.

Maria, an HR lead at a Bucharest fintech, ran step one and found eleven AI touchpoints across her stack. She’d assumed she had two. That inventory gap is the single most common thing we see, and it’s where compliance quietly breaks.

The Romanian and Eastern European angle

For employers in Romania and the wider region, the EU AI Act doesn’t land in isolation. It stacks on top of GDPR and national labour law, and all three apply at once.

Romania, like every member state, must designate a national authority to oversee the Act. Local guidance is still settling, but the direction is clear: AI used in recruitment must be transparent, documented, and demonstrably non-discriminatory, and automated decisions must be explainable. GDPR already gives candidates rights around automated decision-making; the AI Act sharpens the expectations.

There’s a cross-border catch too. The Act can reach companies with no EU office. If a US or UK firm uses AI to recruit candidates in Romania, or to evaluate Romanian contractors, the rules can apply because the output is used in the EU. Nearshoring to Eastern Europe doesn’t move you outside the Act’s gravity.

Picture a Berlin company hiring DevOps engineers in Timișoara through a global ATS. The tool is American, the role is German, the candidate is Romanian, and the EU AI Act recruitment obligations still attach. Someone has to own oversight and notification, and “the vendor handles it” isn’t an answer.

If you’re hiring across borders into this region, our team knows the local market and the tooling, which is a useful combination when the legal and technical questions collide.

How compliant AI recruitment actually works

Here’s the reassuring part. The EU AI Act isn’t trying to ban AI from hiring. It’s trying to keep a human accountable for the decision. That’s not a constraint we resent, it’s how good recruitment already works.

At Wise Step, we use AI to source and surface candidates faster. We don’t let it decide. A human recruiter, one who’s written production code, makes the final call on every shortlist. That’s the human-in-the-loop model the Act asks for, and we ran it before the law required it.

The shift the Act forces is healthy. Move from black-box scoring to explainable shortlists. Keep a human who can say why a candidate advanced. Tell people when AI is involved. Curated shortlists beat algorithmic CV floods on both compliance and quality, which is the whole point of how we recruit.

Compliance and good hiring point the same way: fewer, better-explained decisions, made by someone who understands the role.

Frequently asked questions

Can we still use AI in hiring after 2026? Yes. The EU AI Act doesn’t ban AI in recruitment; it classifies most hiring AI as high-risk and adds obligations like human oversight, transparency, and logging. A narrow set of practices (emotion and personality inference) is prohibited. Used responsibly, AI in recruitment remains legal.

Do we have to tell candidates AI was used? Yes. Candidates have a right to know when AI plays a role in decisions affecting them, and broadly how it works. Update your privacy notice and candidate communications to disclose AI use in clear, plain language.

Is our ATS or video-interview tool compliant? Possibly not, and the vendor’s compliance doesn’t cover yours. Ask for technical documentation, bias-testing evidence, and oversight instructions. Any tool scoring “confidence” or “cultural fit” from face or voice is likely prohibited, not just high-risk.

What are the penalties under the EU AI Act? For high-risk breaches by deployers, fines reach €15 million or 3% of global annual turnover, whichever is higher. For prohibited practices, the ceiling rises to €35 million or 7% of turnover.

Does this apply to non-EU companies hiring in Romania? Often, yes. If your AI’s output is used in the EU, for example recruiting Romanian candidates or evaluating EU-based contractors, the Act can apply even without an EU office.

What to do next

The EU AI Act has turned recruitment AI into a compliance question, but not an impossible one. Three things matter most. AI used to screen, rank, or assess candidates is high-risk. The deadline is likely December 2027, though the bans and AI literacy duty already apply. And as the deployer, you owe human oversight, candidate transparency, logging, and monitoring, whatever your vendor claims.

Start with the inventory. You can’t govern tools you haven’t listed, and most teams underestimate how many they run. From there, set human oversight and tell candidates the truth about how they’re assessed.

You don’t have to navigate this alone. We hire for Cloud, DevOps, and Data & AI roles across Europe using AI-assisted sourcing with a human making every final call, the model the Act rewards. If you want a hiring process that’s both fast and defensible, tell us who you’re hiring and we’ll help you build it.

Regulatory note: this article reflects the EU AI Act and the Digital Omnibus status as of 1 June 2026. The high-risk deadline shift to December 2027 was not yet formally adopted at the time of writing. Verify the current position before making compliance decisions.

Sources:

← Back to Blog