TrueStep HR
Browse Tools
Source note

The EU AI Act in employment

Most AI used to hire, manage, and monitor people is high-risk under the EU AI Act. That brings a stack of duties, and the deadline for them has just moved. Here is what counts as high-risk, what is already banned or required today, the date that keeps shifting and why, and when these rules reach an employer based outside the EU.

About a 9 minute read Last verified 2 June 2026
The short answer

The EU AI Act sorts AI by risk. Most AI used in employment, from sourcing and screening candidates to evaluating performance, allocating tasks, monitoring workers, and deciding promotions or terminations, is classified high-risk under Annex III. High-risk does not mean banned. It means the system carries a set of duties: risk management, data quality, human oversight, transparency, logging, and the obligations an employer owes once it puts the tool to use. The catch for planning is the clock. The high-risk duties were due to apply on 2 August 2026, but an agreement reached in May 2026 defers them to 2 December 2027. That change is not yet final law, so the older date still stands until it is, and a separate set of rules, including a ban on emotion-recognition AI at work, has applied since February 2025.

2 Dec 2027
The planning date for the high-risk employment-AI duties, after the Digital Omnibus agreed on 7 May 2026 moved them back from 2 August 2026. The change is provisional until it is formally adopted and published, so confirm it is in force before you rely on it. Until then, 2 August 2026 is still the date in law.
2 Feb 2025
Already in force, whatever happens to the deferral: the ban on certain AI practices, including emotion recognition in the workplace, and the duty to give the people who deal with these systems a basic level of AI literacy. Part of the Act binds employers in the EU today.
The idea in one line

Employment AI is high-risk and the deadline just moved

The AI Act puts every system into one of four risk tiers: a short list of banned practices, a larger high-risk category that is allowed but heavily regulated, a transparency tier for things like chatbots, and everything else, which is left alone. AI used to make or support employment decisions sits, with one exception, in the high-risk tier. Annex III names the employment uses directly. Read this list as the scope of the work, then read the timeline as the part that keeps changing.

What counts as high-risk employment AI
1
Recruitment and selectionTools that place targeted job adverts, source or filter applications, screen resumes, or score and rank candidates. The ordinary hiring-funnel software most teams already run.
2
Performance and task allocationSystems that evaluate performance or work behaviour, or that assign tasks and work based on a person’s traits, behaviour, or output.
3
Worker monitoringAI that tracks and analyses how people work. Note one carve-out: emotion-recognition monitoring at work is not high-risk, it is banned outright, covered below.
4
Promotion and terminationAnything that drives a decision to promote someone, change their terms of work, or end the employment relationship.

Two things follow. First, this reaches ordinary HR software, not just exotic systems; a resume screener or an interview-scoring tool is squarely in scope. Second, the duties land on whoever builds the system and, separately, on the employer that uses it. The question most people then get wrong is when.

The dates

The dates and why one of them keeps moving

The Act took effect in stages, and the stages matter, because part of it binds you now while the part most HR teams worry about has been pushed back. Here is the sequence as it stands today.

Milestonewhat the rule coversApplies
Banned practices and AI literacyArticle 5 and Article 4, in force now2 Feb 2025
General-purpose AI models, governance, penaltiesthe supervisory machinery, in force now2 Aug 2025
Transparency and content markingArticle 50, moved from 2 Aug 20262 Dec 2026
High-risk employment AI dutiesAnnex III, was 2 Aug 20262 Dec 2027
High-risk AI built into regulated productsAnnex I2 Aug 2028
The Act entered into force on 1 August 2024. The high-risk employment duties were originally set for 2 August 2026. A package called the Digital Omnibus, agreed in political terms on 7 May 2026, moves them to 2 December 2027 and pushes the transparency duty to 2 December 2026. The caveat that matters: that package is not yet final law. It still has to be formally adopted and published in the Official Journal. Until it is, the original 2 August 2026 date remains the law on the books, and if the package stalled past that date the old deadline would apply. Treat 2 December 2027 as the planning baseline, and confirm it is enacted before you lean on it.
Already binding

Part of the Act is already in force

The deferral does not buy a clean pause, because two duties already apply and one of them lands directly on the HR stack. Since 2 February 2025 the Act’s list of banned AI practices has been in effect. For employers the one that bites is the ban on emotion-recognition AI in the workplace: systems that infer a worker’s emotions from their face, voice, or body, sentiment scoring of staff, video-interview tools that read a candidate’s emotional state. These are banned outright, not merely regulated, with narrow exceptions for medical or safety reasons. If that capability sits anywhere in your HR or recruiting software and you have people in the EU, it is a problem today, not in 2027.

The second live duty is AI literacy. Providers and deployers have to take steps to ensure the people who deal with these systems understand, at a basic level, how they work and where they can go wrong. It is a light obligation next to the high-risk stack, but it applies now, and it is the cheapest first move toward everything else.

The duties

What high-risk status requires and who owes it

When the high-risk duties apply, they form a substantial stack: a risk management system, data governance and quality checks on the data the system learns from and runs on, technical documentation, automatic logging of what the system does, transparency and clear instructions for use, human oversight built in so a person can understand and override the system, and a level of accuracy and robustness fit for the job. The Act splits these between two roles, and an employer needs to know which one it is.

Provider Usually the vendor

The party that develops the system or puts it on the market under its own name builds the heavy package: the risk management system, the technical file, the conformity assessment, the CE marking, the quality system, and registration in the EU database. For most employers this is the software vendor, not them.

Deployer This is the employer

The employer that uses a high-risk system carries its own duties: use it according to the instructions, assign human oversight to people who are competent and have the authority to act on it, keep the logs, watch how it performs, and, before putting it to use at work, inform the affected workers and their representatives. Some deployers must also run a fundamental-rights impact assessment first.

Workers and candidates The people affected

A person subject to a decision made or supported by a high-risk system has the right to a clear explanation of the role the AI played and the main factors behind the decision. The transparency runs to the individual, not only to the regulator.

AI literacy Both roles, now

The duty to ensure a working level of AI literacy falls on providers and deployers alike, and unlike the high-risk stack it already applies. It is the one obligation that does not wait for 2027.

The short version for an HR team: even if you only buy a tool off the shelf, you are the deployer, and the deployer duties are yours. You cannot hand them to the vendor in a contract.

Reach

When this reaches an employer outside the EU

The Act does not stop at the EU border, but it does not reach every company on earth either. It applies to an employer outside the EU in two situations. The first is operating in the EU: if you have staff, a subsidiary, a branch, or remote employees based in a member state, the rules cover the AI you use on them. The second is the output test: if the result your AI system produces is used on people in the EU, you are in scope even without an EU office, which is what catches a company based elsewhere screening or scoring candidates who are located in the EU. A purely domestic employer hiring only people based at home, with a tool used only on people based at home, is outside the Act. The line is not where your headquarters sits. It is where your people, and the people your AI judges, are.

Where it goes wrong

Four ways employers read this wrong

  • Treating the new deadline as a reason to wait.Two duties already apply, including the ban on emotion-recognition AI at work and the literacy obligation, and they reach the HR stack now. Building governance for high-risk systems takes far longer than the runway that is left, and the deferral itself is still provisional, so the old 2 August 2026 date is not off the table yet.
  • Assuming a vendor tool is the vendor’s problem alone.The Act gives the deployer its own duties: human oversight by competent people, monitoring, logging, informing affected workers, and in some cases a fundamental-rights impact assessment. Buying off the shelf does not move those to the vendor.
  • Counting only EU-headquartered companies.The Act reaches you if you have staff in the EU or your AI output is used on people in the EU. A recruiter based elsewhere who scores EU-based candidates is in scope, headquarters notwithstanding.
  • Reading high-risk as forbidden.High-risk means allowed but regulated, not banned. The only employment AI banned outright is emotion recognition in the workplace under the prohibited-practices list. Everything else on the Annex III list is permitted once the duties are met.

An employment-AI decision under EU law can carry real legal weight, and the timeline here is provisional and moving month to month. The high-risk deferral to 2 December 2027 is a political agreement that is not yet final law, the original 2 August 2026 date stands until it is, and several duties, including the emotion-recognition ban, already apply. National authorities are beginning to enforce, with recruitment named as a priority in more than one member state. Before you deploy an AI system on people in the EU, classify a tool, or rely on any date in this article, confirm the current enactment status and the rules in each country you operate in with qualified local counsel. This page is a map of the framework for planning. It is not a statement of any country’s law and not a guarantee of compliance.

Sources

Where these figures come from

Primary sources

  1. Regulation (EU) 2024/1689, the AI Act, the text in the Official Journal. The source for the framework: the risk tiers, the prohibited practices in Article 5 including emotion recognition in the workplace, the employment uses listed as high-risk in Annex III, the provider duties, the deployer duties in Article 26, and the transparency duty in Article 50. Adopted 13 June 2024, in force 1 August 2024. eur-lex.europa.eu, Regulation (EU) 2024/1689Checked 2 June 2026
  2. European Commission, AI Act, "Shaping Europe’s digital future". The official application timeline: the prohibited-practice and AI literacy duties from 2 February 2025, the general-purpose AI and governance rules from 2 August 2025, the high-risk regime, and confirmation that a political agreement on the AI Omnibus simplification package was reached on 7 May 2026. digital-strategy.ec.europa.eu, regulatory framework for AIChecked 2 June 2026
  3. European Commission, AI Act Service Desk, frequently asked questions. Sets out the original staggered dates: prohibitions and AI literacy on 2 February 2025, governance and general-purpose AI model rules on 2 August 2025, and the Annex III high-risk obligations, the Article 50 transparency requirements, and the start of enforcement on 2 August 2026. ai-act-service-desk.ec.europa.eu, FAQChecked 2 June 2026
  4. The Digital Omnibus deferral, Gibson Dunn analysis, May 2026. The volatile layer: the provisional agreement postpones the standalone Annex III high-risk obligations to 2 December 2027 and the Annex I embedded duties to 2 August 2028, but the changes take legal effect only on formal adoption and publication in the Official Journal, expected before 2 August 2026, which remains an active compliance date until then. This is the part to re-confirm at each use. gibsondunn.com, EU AI Act Omnibus agreementChecked 2 June 2026

The framework the AI Act sets is durable, but the timeline is not. The high-risk employment duties have already been postponed once, and that change is still working its way to final adoption, so the dates here are a snapshot of a moving picture. Treat this as a way to scope and document the work and prepare for legal review, confirm the current enactment status and the national rules for every country you operate in, and do not read it as a statement that you are compliant. This is general business information, not legal or tax advice.

Put it to work

Tools for the AI in HR work

Inventory your HR AI, classify it, and track the duties

EU HR AI Risk Checklist. The EU-focused tool: it inventories your HR and recruiting AI, classifies each system against the Annex III high-risk list and the banned-practice list, and tracks readiness against the deployer duties. At truestephr.com.

AI in HR Policy and Risk Checklist. The broader policy version: a ready-to-adapt AI-use policy plus a per-tool risk assessment, a vendor due-diligence questionnaire, and a decision record, covering the US federal and state layer alongside the EU. At truestephr.com.

The EU HR AI Risk Checklist also travels inside the Global Employer EU Readiness Bundle, which gathers the EU pay transparency and AI readiness tools in one place, at truestephr.com.

Questions

Common questions

It can. Two situations bring a non-EU employer into scope. One is operating in the EU, meaning staff, a subsidiary, a branch, or remote employees based in a member state. The other is the output test: if the result your AI system produces is used on people in the EU, you are covered even without an EU office. A recruiter scoring candidates located in the EU is the common example. An employer hiring only people based outside the EU, with a tool used only on them, is outside the Act.

No. The ban on emotion-recognition AI at work and the AI literacy duty have applied since February 2025, and they reach the HR stack now. The deferral of the high-risk duties to 2 December 2027 is still a provisional agreement, not final law, so the original 2 August 2026 date stands until it is formally adopted. And the work of governing high-risk systems takes far longer than the time left either way. The safe move is to scope and start now, then confirm the current date before relying on it.

Yes, as the deployer. The vendor that builds and sells the system carries the provider duties, but the employer that uses it carries its own: use it according to the instructions, assign human oversight to competent people who can act on it, keep the logs, monitor it, and inform affected workers before putting it to use. Some deployers must run a fundamental-rights impact assessment as well. Those duties cannot be signed away to the vendor.

No. High-risk means allowed but regulated. The system is permitted once the duties are met. The only employment AI banned outright is emotion recognition in the workplace, which sits on the separate prohibited-practices list, not the high-risk list. A resume screener or a performance-scoring tool is high-risk, not forbidden. This is general information, not legal or tax advice.