EU AI Act: what hiring AI deployers must do

What it is

The EU AI Act (Regulation 2024/1689) is the European Union’s horizontal regulation of artificial intelligence systems. It classifies AI systems by risk and imposes proportionate obligations on each tier. AI systems used "in the area of employment, workers management, and access to self-employment" — explicitly including recruitment and selection — are designated high-risk under Annex III, point 4.

Who is on the hook

The Act distinguishes between providers (who build or place AI systems on the EU market) and deployers (who use AI systems in a professional capacity). For a company that purchased an off-the-shelf AI hiring tool and uses it to screen candidates, the company is the deployer.

Deployer obligations apply if any of the following are true:

• The company is established in the EU.
• The company hires candidates in the EU.
• The AI system’s output is used in the EU.

The deployer obligations apply in parallel to — not instead of — the provider obligations placed on your AI hiring vendor.

What the deployer must do

For a high-risk AI system used in hiring, deployers must, among other obligations:

• Conduct a Fundamental Rights Impact Assessment (Article 27) before first use. The FRIA covers the system’s purpose, the categories of persons affected, the foreseeable risks to fundamental rights, the mitigation measures, the oversight measures, and the complaint mechanisms.
• Use the system in accordance with the provider’s instructions (Article 26). Document deviations. Notify the provider when you identify risks the provider did not foresee.
• Maintain human oversight (Article 14) in the form documented by the provider. Train the humans doing the oversight.
• Keep system logs (Article 19) for at least six months — longer if national law or the system’s use case requires.
• Run post-market monitoring in coordination with the provider, per Article 72. Performance drift, incident reporting, customer notification.
• Inform affected workers and worker representatives before the high-risk system is put into use in the workplace.

Penalties

The Act’s top-tier civil penalty is €40 million or 7% of global annual turnover, whichever is higher, for breaches of the prohibited-AI provisions. Most deployer breaches sit in a lower tier (up to €15M or 3% of turnover) but the practical risk is reputational and procurement-driven: your enterprise customers will start asking to see your conformity file in RFPs.

Timeline

The Act entered into force on 1 August 2024. The high-risk obligations applicable to hiring AI become enforceable on 2 August 2026. Member state enforcement authorities, the AI Office at the Commission level, and the European AI Board are in place.

If you are reading this and you operate an AI hiring tool in the EU, you are inside the enforcement window.

What this means in practice

For most deployers, the EU AI Act is a documentation problem first and a technical problem second. The hardest deliverable is the FRIA — most companies have no template, no methodology, and no inventory of the fundamental rights at stake.

The Casework engagement produces the FRIA, the Article 9 risk management documentation, the Article 72 post-market monitoring plan, and the companion conformity file in a four-week, fixed-price engagement.

---

Looking at this regulation from the vendor side instead? HireAIScore covers vendor compliance posture against this regulation.