
AI Act and recruiting: what changes for your AI tools on 2 August 2026

AI Act and recruiting: why your AI tools are classified as high-risk, the timeline up to 2 August 2026, and the deployer (employer) compliance checklist.

By Raanan Haas · Contributor

The AI Act for recruiting is no longer a distant prospect: 2026 is the pivot year. Regulation (EU) 2024/1689, which entered into force on 1 August 2024, makes its "high-risk" obligations applicable to recruitment AI systems on 2 August 2026. In concrete terms, if your Talent team uses a tool that screens applications, scores profiles, or supports selection, you are affected, not as a software vendor but as the employer who uses it. This article explains why these tools are classified as high-risk, the real timeline, who carries which obligations, and the concrete checklist to be ready.

AI Act and recruiting: why your AI tools are classified as high-risk

The AI Act applies a risk-tiered logic. Recruitment is not a trivial use case: it is listed in Annex III §4, which covers employment, workforce management, and access to self-employment. Any AI system intended for these purposes is, by default, classified as high-risk.

In practice, this targets systems that:

  • target or deliver job ads in a personalized way;
  • analyze and filter the applications received;
  • evaluate or rank candidates according to their fit;
  • support decisions on selection, promotion, or termination of an employment relationship.

In other words, nearly all modern sourcing, matching, and scoring tools fall within this scope. The legislator considers that these systems have a direct effect on access to employment and on fundamental rights, hence a demanding regime. AI recruitment compliance is therefore not about asking "am I affected?" but "how do I document and govern tools that I must presume to be high-risk?".

Note: Article 6 provides for cases where an Annex III system may escape the high-risk classification if it performs only a purely preparatory or accessory task with no real influence on the decision. But this exemption is narrow, must be documented by the provider, and never applies to a tool that profiles people. For a tool that scores or ranks candidates, high-risk remains the rule.

The AI Act timeline: why 2 August 2026 matters for recruiting

Application is phased in. Here are the real dates, with the one that must appear on your Talent roadmap in bold:

  • 1 August 2024 — entry into force of Regulation (EU) 2024/1689.
  • 2 February 2025 — ban on prohibited practices (e.g. social scoring, certain emotion inferences) and entry into force of the duty of AI literacy (Article 4): your teams must have a sufficient level of understanding of the systems used.
  • 2 August 2025 — obligations applicable to general-purpose AI models (GPAI), which underpin many recruitment tools.
  • 2 August 2026 — the key deadline for recruiting teams: the obligations applicable to high-risk systems under Annex III, and therefore recruitment, become fully applicable.
  • 2 August 2027 — last residual provisions applicable.

2 August 2026 is the milestone to remember because it is on that date that the substantive requirements — documentation, human oversight, candidate information, logging — cease to be preparation and become a controllable obligation. Since internal workstreams (mapping, review of vendor contracts, updating application processes) take several months, the work starts in 2026, not in July.

Provider vs deployer: who carries which obligations

The AI recruitment regulation distinguishes two roles, and confusing the two is the leading source of error. The provider is the entity that develops and places the AI system on the market — the vendor, the publisher. The deployer is the entity that uses that system in the course of its activity — that is, you, the employer or the recruitment firm.

The bulk of the technical obligations falls on the provider:

  • set up a risk management system;
  • ensure the governance and quality of the training data;
  • produce and keep the technical documentation up to date;
  • build in automatic event logging;
  • provide transparency and instructions for use to deployers;
  • design the system for effective human oversight;
  • guarantee accuracy, robustness, and cybersecurity;
  • carry out the conformity assessment, affix the CE marking, and register the system in the EU database.

But the deployer is not a mere passive user. Your own obligations include:

  • use the system in line with the provider's instructions for use;
  • ensure human oversight by competent people;
  • monitor operation and report incidents;
  • keep the logs generated by the system;
  • inform candidates and workers that they are subject to a high-risk AI system, and inform the relevant employee representatives.

Some deployers — notably public bodies and certain categories of actors — must additionally conduct a fundamental rights impact assessment (FRIA) before deployment. Buying a "compliant" tool does not discharge you: deployer responsibility remains yours, in your own right.

The deployer compliance checklist for recruiting

Here is the concrete approach to facing 2 August 2026 without improvising. It breaks down into six operational steps.

1. Map your AI uses in recruiting

List every AI tool and feature used in sourcing, screening, scoring, and decision support. For each, note the provider, the scope of use, and the personal data processed. Many teams discover at this stage AI features embedded in their ATS that they had not identified.

2. Verify the high-risk status of each system

Compare each use against Annex III §4. A tool that filters applications, evaluates, ranks, or targets ads is high-risk. When in doubt, presume high-risk and ask the provider for its own documented classification.

3. Require the provider's compliance documentation

Request the technical documentation, the instructions for use, proof of CE marking, registration in the EU database, and the results of the conformity assessment. These elements must appear — or be enforceable — in your contract.

4. Ensure genuine human oversight

Designate trained people, able to understand a recommendation, challenge it, and override it. Human oversight must not be a symbolic rubber stamp: it is an effective control, and the tool must be used according to the provider's instructions, never as a sole automated decision.

5. Inform candidates and employee representatives

Candidates must be informed when they are subject to a decision involving a high-risk AI system. Provide a clear notice in your application journey, a channel for explanation and human recourse, and information for employee representatives.

6. Log, monitor, and audit

Keep the automatically generated logs, monitor operation in production, track biases and anomalies, and record your controls. On audit day, it is this audit trail that demonstrates oversight exists in practice, not just on paper.

The questions to ask your recruitment AI provider

A large part of your compliance depends on the quality of your provider. Due diligence happens before purchase, or at renewal. Here are the questions to ask:

  • Is the system classified as high-risk under Annex III, and on what basis?
  • Can you provide up-to-date technical documentation and instructions for use?
  • Is the CE marking in place and the system registered in the EU database?
  • What human oversight mechanisms are built in "by design"?
  • How does automatic logging work, and can I export the logs?
  • What data was used for training, and how are biases tested?
  • How do you explain a score or recommendation to a candidate who challenges it?
  • How does your system fit together with the GDPR, in particular Article 22?

This last point deserves attention. The AI Act does not replace the GDPR: the two stack. Article 22 of the GDPR prohibits a decision based solely on automated processing producing legal or significant effects, without safeguards — and grants a right to human intervention and to explanation. A well-designed recruitment tool must therefore support, not short-circuit, these rights.

How transparent tooling supports your AI recruitment compliance

No tool can "make you compliant" on your behalf — deployer responsibility remains yours. But a tool's design clearly makes your path to compliance easier or harder. At TrueCalling, two design choices line up with deployer obligations.

First, EMILY is a human-in-the-loop copilot, not an autonomous decision-maker. The system recommends, prioritizes, and prepares the work; it is the recruiter who decides. This architecture directly supports the duty of human oversight, and avoids the trap of the "solely automated" decision covered by Article 22 of the GDPR.

Second, the TrueFit 360 score is explainable line by line: each component of the score is exposed, which makes the recommendation legible for the recruiter and challengeable by the candidate. This transparency supports the duty of explanation and the possibility of recourse. To understand in detail how this score is calculated and where it can go wrong, see our dedicated article on the candidate-job matching score.

On the personal data side, our GDPR posture — legal basis, traceable consent, retention periods, channels — is detailed in the WhatsApp recruiting and GDPR guide, which complements the AI Act framework on the data protection side.

One thing to say clearly: TrueCalling does not present itself as "AI Act certified" — that label makes no sense as things stand. The employer always remains the responsible deployer. A good tool makes your compliance easier to demonstrate; it does not substitute for it.

Penalties: why the stakes are not merely symbolic

The AI Act provides for penalties on a par with the GDPR, and beyond. Failure to comply with prohibited practices can be sanctioned up to €35M or 7% of total worldwide annual turnover, whichever is higher. Breach of the other obligations — those that directly concern deployers in recruiting — can reach up to €15M or 3%. Supplying incorrect or misleading information to authorities can cost up to €7.5M or 1%. These ceilings turn compliance from a peripheral legal matter into a board-level issue.

This article is informational and does not constitute legal advice. The exact obligations depend on your situation; have your approach validated by specialized counsel.
