Web Project Studios

Field notes

What the EU AI Act actually says about recruitment automation

13 July 2026

recruitmentcomplianceworkflow

Two workflows sit inside the same CRM. One screens CVs and ranks candidates against a vacancy. The other scores company targets for business development outreach. From the outside they look nearly identical: an AI model, some weighted criteria, a ranked list. Under the EU AI Act, they are not the same thing at all. One is high-risk. The other is not.

That distinction is not a technicality. It determines whether your agency needs conformity assessments, technical documentation, human oversight mechanisms, and registration in the EU database before August 2026. Getting it wrong does not just mean a compliance headache. It means re-platforming a live workflow at the worst possible time.

This post explains how the EU AI Act classifies recruitment AI. It does not constitute legal advice. If your agency operates in or serves clients in the EU, take qualified legal counsel before August 2026.


Annex III of Regulation (EU) 2024/1689 lists the categories of AI system that qualify as high-risk. Item 4 covers employment, workers management, and access to self-employment. The relevant sub-items are:

  • AI systems used for recruitment or selection of natural persons (filtering applications, screening CVs, evaluating candidates in interviews)
  • AI systems used to make or assist decisions on promotion, termination, task allocation, and monitoring of performance

That is the line. "Natural persons" in a hiring context. The moment your AI is doing something to a candidate, applicant, or worker, you are inside Annex III.

B2B prospecting sits outside it. Scoring a list of hiring managers at target companies, prioritising accounts by vacancy frequency, ranking BD leads by sector or headcount. None of that touches a natural person in an employment decision. It is not listed in Annex III. It is not high-risk under the Act.

One number, two completely different compliance regimes.


Being classified as high-risk under the EU AI Act is not a ban. It is a set of obligations. The obligations that matter most for a recruitment agency deploying or customising AI tools are:

Technical documentation. You need to be able to show what the system does, how it was trained or configured, what data it uses, and what its limitations are. If you are using an off-the-shelf tool and have no visibility into how it ranks candidates, that is a problem.

Human oversight. The system must be designed so that a human can intervene, override, or halt it. "The AI shortlisted them" is not a compliant process if there is no documented human review step before that shortlist is acted on.

Transparency to affected persons. Candidates subject to automated processing must be informed. This overlaps with existing GDPR obligations under Article 22, but the AI Act adds a layer specific to high-risk AI.

Registration. High-risk AI systems must be registered in the EU database of high-risk AI systems before deployment. The obligations for deployers (as distinct from providers) apply from 2 August 2026.

The deployer obligations are the ones that land on a recruitment agency using a third-party AI tool. You do not have to have built the model. If you are using it to screen candidates, you are a deployer, and the obligations apply to you.


The confusion I keep seeing comes from how AI tools are sold, not from how the law is written.

Most recruitment AI vendors market a single platform that does several things: candidate sourcing and CV screening alongside BD prospecting and market mapping. The marketing presents this as one integrated product. The AI Act does not care about product bundling. It cares about what each function does to whom.

An agency that buys a combined sourcing-and-BD platform and treats the whole thing as either high-risk or not-high-risk is going to be wrong about half of it. The BD module does not pull the sourcing module into Annex III. The sourcing module does not exempt the BD module from anything. They are assessed separately.

This matters because the compliance work required for the high-risk functions is real. Technical documentation, logging, human review workflows, candidate-facing notices. If you have not separated these functions in your internal process design, you cannot demonstrate compliance for the part that requires it. You also cannot demonstrate non-applicability for the part that does not.

The brief bottleneck problem in AI-assisted agency workflows is partly the same issue in a different context: when intake and process design are vague, the downstream compliance exposure is invisible until it is not.


Run this against your current stack. For each AI-assisted function, determine whether it involves a natural person in an employment or selection context. If it does, it is inside Annex III.

FunctionInvolves natural person in hiring contextAnnex III high-riskDeployer obligation
CV screening / rankingYesYesTechnical docs, human oversight, candidate transparency
Interview scoring / analysisYesYesTechnical docs, human oversight, candidate transparency
Candidate sourcing from databasesYesYesTechnical docs, human oversight, candidate transparency
Performance monitoring of placed workersYesYesTechnical docs, logging, transparency
BD account scoringNoNoStandard AI Act obligations only
Hiring manager contact prioritisationNoNoStandard AI Act obligations only
Job advert generationNo (no selection decision)NoStandard AI Act obligations only
Market mapping / salary benchmarkingNoNoStandard AI Act obligations only

"Standard AI Act obligations" still exist. Transparency requirements for general-purpose AI, prohibition on certain manipulative practices, and so on. But the documentation and oversight regime that comes with high-risk classification does not apply.


The provisions covering high-risk AI systems in Annex III, including deployer obligations, apply from 2 August 2026. That is three weeks away from the date of this post.

If you are a UK-based agency with no EU operations and no EU candidates, the direct legal exposure is limited. The Act applies to systems placed on the EU market or put into service in the EU. But several things make this more than an EU-only concern:

First, many UK recruitment agencies place candidates in EU roles or work with EU-based clients. If your AI is screening candidates for EU vacancies, the Act's reach is arguable.

Second, the UK is developing its own AI governance framework. The EU Act's risk classification logic is likely to influence UK guidance. Getting your function-level classification right now is not wasted work.

Third, enterprise clients and RPO contracts are already asking about AI governance. A conformity assessment for your high-risk functions is a procurement advantage, not just a compliance cost.

The AI reporting hallucinations problem is a useful parallel: the issue is not that the tool is doing something dramatic and wrong. It is that no one has documented what it is doing, so no one can verify it. That is exactly the gap the EU AI Act is trying to close for high-risk functions.


"Are we compliant" is not a useful question before August 2026. It is too binary, and it obscures where the actual work is.

The better question is: for each AI-assisted function in your workflow, can you produce documentation that shows what the system does, what data it uses, and what human oversight step exists before its output affects a candidate?

If you can answer yes for every function that touches candidates, you are close. If you cannot, the gap is not a legal problem yet. It is a process design problem. And process design problems are fixable without re-platforming anything.

The same pattern runs through every AI workflow failure: the tool is not the issue. The workflow underneath it is. The EU AI Act is forcing that conversation in recruitment whether agencies are ready for it or not.

If you want to map your current AI functions against Annex III before August, the AI Workflow Audit is the right starting point. We look at what each function does, who it affects, and what documentation and oversight exists. The output is a function-level classification and a gap list, not a legal opinion.


Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (EU AI Act) (EUR-Lex canonical text). Annex III (high-risk AI system categories, item 4), Article 22 (obligations of deployers of high-risk AI systems), and the deployer obligations provisions cited throughout. The EU AI Act Explorer at artificialintelligenceact.eu is a useful navigation aid for locating specific articles alongside the EUR-Lex canonical text.

Regulation (EU) 2016/679 (General Data Protection Regulation) (EUR-Lex canonical text). Article 22 (automated individual decision-making, including profiling) cited in relation to candidate transparency obligations.

Sources verified on 2026-07-13. This post does not constitute legal advice.