Your Recruitment Software Is Already Regulated as High-Risk — The August 2026 Deadline Your HR Team Doesn't Know About

May 23, 2026 · 11 min

Since February 2025, emotion recognition in workplaces has been banned across the EU. On August 2, 2026, the full suite of high-risk AI obligations becomes enforceable for every tool that screens, ranks, or evaluates candidates. Finland enforced first in January 2026. The regulatory domino is falling, and most HR teams are not prepared.

The Regulation That Already Started in Your HR Department

The conversation about AI compliance in HR tends to focus on the future: regulations that are coming, standards being developed, deadlines on the horizon. That framing misses the enforcement reality of 2026.

The EU AI Act has already begun shaping legal obligations in the employment context. Since February 2, 2025, AI practices classified as unacceptable risk are prohibited. That includes biometric categorization and emotion recognition in the workplace — tools that many organizations are still running, embedded in video conferencing platforms, employee monitoring software, and customer service systems.

The next milestone is August 2, 2026. On that date, the full suite of high-risk AI system obligations becomes enforceable for all AI tools used in employment decisions — including every candidate screening system, recruitment ranking algorithm, performance monitoring tool, and workforce allocation platform your company currently uses.

The compliance gap is not theoretical. A March 2026 analysis published on the EU AI Act information site — after Finland became the first EU member state to confer enforcement powers on its national market surveillance authority in January 2026 — concluded plainly: "The staffing businesses that will handle this transition best are the ones that start now."

What Has Been Illegal Since February 2025

Before addressing the August 2026 deadline, it is necessary to state clearly what the EU AI Act already prohibits — because enforcement of these prohibitions is already active.

Emotion recognition in workplaces is banned. Article 5 of the EU AI Act, which has been in force since February 2, 2025, prohibits AI systems that infer the emotions of individuals in workplace and educational settings. This is not limited to dedicated "emotion AI" tools sold as such. It applies to any AI capability that analyzes facial expressions, voice patterns, body language, or physiological signals to draw inferences about emotional state.

The practical implications are broader than most companies have registered:

  • Video conferencing platforms with emotion detection features: Several major platforms have embedded sentiment analysis or engagement scoring capabilities that analyze participant facial expressions. If these features are active in EU business contexts, they fall under the prohibition.
  • Employee monitoring software with mood tracking: Tools that track engagement levels through behavioral signals, keystrokes, mouse movements, or camera analysis to infer emotional states are prohibited in workplace settings.
  • Customer service AI with agent sentiment monitoring: Systems that analyze the emotional state of customer service agents to manage their performance or wellbeing through AI inference are within scope.
  • Biometric categorization systems: AI that categorizes employees or candidates by physical characteristics — race, gender, age — using biometric analysis is prohibited, with narrow exceptions.

These prohibitions do not require intent. Using a platform that has emotion detection enabled — even if you did not specifically enable that feature — can constitute a violation if the output is being used in a workplace context. The obligation falls on the deployer: the organization using the tool, not just the vendor that built it.

The August 2, 2026 Deadline: What Must Be in Place

The August 2 deadline is the inflection point for the high-risk AI framework in employment. After this date, every AI system used in decisions affecting workers and candidates — in any organization with EU operations or EU-based candidates — must comply with the following requirements.

Mandatory Risk Assessment and Conformity Documentation

Before deployment, and on an ongoing basis, high-risk AI systems must undergo documented risk assessment. This is not a one-time checkbox. Under the AI Act framework, risk assessment must cover:

  • The intended purpose of the AI system and the scope of its deployment
  • Known and foreseeable risks to health, safety, and fundamental rights — including the specific risk of discriminatory outcomes in hiring and employment decisions
  • Data governance: the datasets used to train or configure the system, their representativeness, and steps taken to address biases
  • Performance metrics including accuracy, error rates, and performance across demographic groups
  • Human oversight mechanisms and the conditions under which automated AI outputs are used to influence decisions

Most HR and recruitment teams have never produced this documentation for the AI tools they are using. Many do not know what data their vendor's AI was trained on, or whether it has been tested for differential performance across demographic groups.

Human Oversight Is Not Optional — and It Cannot Be Delegated to the Vendor

Article 14 of the EU AI Act is explicit: every high-risk AI system must be deployed in a way that allows effective human oversight. The people exercising oversight must be able to detect and correct errors — including discriminatory patterns — and must have both the training and authority to override AI outputs.

This obligation has a specific implication that many organizations are misreading: you cannot satisfy Article 14 by pointing to the vendor's claims about their system's accuracy. The obligation is on the deployer. Your recruiters, HR managers, and account managers must understand how the AI system works, what its limitations are, and what conditions require human intervention. A policy document that says "all AI outputs are reviewed by a human" does not satisfy this requirement if the review is cursory or lacks documented criteria for when to override.

Furthermore, the deployer cannot pass compliance obligations to the technology vendor. The March 2026 EU AI Act analysis is direct on this point: "You cannot comply with obligations you do not know you have" — and knowing which obligations apply is the deployer's responsibility, not the vendor's. If your recruitment platform provider tells you that compliance is their responsibility, that answer is legally incorrect under the EU AI Act.

Candidate Disclosure: Article 26 and Article 86

Two articles create obligations toward candidates and workers that most HR teams are not prepared to fulfill.

Article 26(7) requires that before deploying a high-risk AI system in employment contexts, deployers must inform workers' representatives and affected individuals. For recruitment, this means candidates must be told:

  • That AI is being used in the hiring process
  • What role the AI plays in decisions that affect them
  • How the system functions at a level that allows them to understand its significance

This disclosure must be visible and meaningful. Burying it in the terms and conditions of a job application is not sufficient.

Article 86 gives individuals subject to decisions by high-risk AI systems the right to request an explanation of the main factors behind those decisions. A candidate who applies for a position, is screened out by an AI tool, and receives no substantive response is entitled to request an explanation of how the AI evaluated their candidacy. Organizations must be operationally prepared to provide this explanation on request — which requires documenting how the AI system produces its outputs.

For high-volume recruitment operations that screen thousands of candidates, these disclosure and explanation requirements create an infrastructure challenge that must be scoped and built before August 2.

Log Retention for Six Months Minimum

Deployers of high-risk AI systems must keep logs generated by those systems for at least six months. This is an infrastructure requirement. It means that every AI-generated score, ranking, screening decision, and recommendation in your recruitment or performance evaluation workflow must be retained in a format that can be accessed, reviewed, and provided to regulators or candidates on request.

Most off-the-shelf recruitment platforms do not provide this log retention by default. Organizations must ask their vendors explicitly: what logs are generated, how long are they retained, and in what format can they be exported for regulatory compliance?

Bias Testing and Ongoing Monitoring

The AI Act requires that high-risk AI systems be monitored for performance after deployment. For employment AI, this means ongoing monitoring for differential performance across demographic groups — the system must not produce systematically worse outcomes for candidates based on protected characteristics.

This is not a one-time audit at deployment. It is a continuous obligation. And it requires data about candidate outcomes that most organizations do not currently collect in a structured way.

The Article 6(3) Exemption: Why Your Tools Almost Certainly Don't Qualify

When organizations first encounter the EU AI Act's high-risk classification for employment AI, many legal and compliance teams reach for Article 6(3), which provides a narrow exemption for AI systems used in high-risk areas that nonetheless perform only procedural, preparatory, or assistive functions.

The exemption covers four scenarios:

  1. The system performs only a narrow procedural task (sorting documents into categories, flagging duplicates)
  2. It improves the result of a previously completed human activity (editing language in a drafted document)
  3. It detects decision patterns in prior human decisions (flagging inconsistencies in a manager's past ratings)
  4. It performs only a preparatory task (indexing, translating, searching source material before a human decides)

This sounds like it might apply to many recruitment tools. It does not.

Article 6(3) explicitly excludes systems that involve profiling within the meaning of GDPR Article 4(4). Profiling is any automated processing of personal data that evaluates personal aspects of an individual — including predicting work performance, reliability, behaviour, or fit.

Almost every candidate matching tool, applicant ranking algorithm, CV screening system, and workforce allocation platform does exactly this. They take personal data, apply automated logic, and produce predictions about suitability for a role. That is profiling, which renders the Article 6(3) exemption unavailable.

The March 2026 EU AI Act analysis is explicit: "For anything that matches, ranks, evaluates, or allocates workers based on personal characteristics, it almost certainly is not" exempt.

The Commercial Risk Beyond Fines

The EU AI Act's penalty framework for high-risk system violations reaches €15 million or 3% of global annual turnover — whichever is higher. For a company with €500 million in global revenue, that is a fine of up to €15 million.

But the fine is often described as the wrong thing to focus on. The more commercially significant risk is a power regulators have that receives less attention: the power to withdraw or recall non-compliant AI systems from the market, with immediate effect.

For an organization whose recruitment operations depend on an AI-powered screening platform, having that platform pulled by a regulator mid-hiring cycle — mid-contract, during a critical talent acquisition period — creates operational disruption that no fine calculation captures. The March 2026 analysis identified this explicitly: "For a staffing business whose operating model depends on technology-enabled matching and screening, that is the more commercially significant risk: a core tool pulled mid-contract, with immediate operational disruption."

The Finland Signal

In January 2026, Finland became the first EU member state to confer enforcement powers on its national market surveillance authority under Article 99 of the AI Act. This is not a procedural footnote. It means that enforcement of the AI Act's high-risk provisions — the provisions that apply to employment AI — is now fully operational in at least one EU jurisdiction, with other member states progressing through their national implementation.

The decentralized enforcement model means that obligations vary by member state interpretation and enforcement priority. But for multi-country operations, the lowest common denominator is not adequate protection. An organization that is compliant in Germany but not in Finland has a violation in Finland, and Finland's market surveillance authority is now equipped to act on it.

What Must Be Done Before August 2

For organizations using AI in employment decisions with any EU exposure, the practical action sequence before August 2, 2026 is:

1. Complete the AI inventory for HR and recruitment: List every AI system used in candidate screening, ranking, matching, performance monitoring, or workforce allocation. Include tools embedded in third-party platforms. If the platform uses AI to surface candidates or score applications, it is in scope regardless of how the vendor markets the tool.

2. Classify each tool under the EU AI Act framework: Apply the risk classification. Any tool that profiles candidates or workers — which is the definition of most recruitment AI — is high-risk under Annex III, and the Article 6(3) exemption almost certainly does not apply.

3. Audit vendor compliance documentation: Contact every HR AI vendor in your stack with specific questions: Have they pursued conformity assessment? Can they provide technical documentation and bias testing results? Can they provide logs in a format that meets your retention obligations? Will they contractually support your deployer obligations? Silence or vague answers are themselves a compliance signal.

4. Design and deploy candidate disclosure: Draft the disclosures required under Article 26(7) and integrate them into your application workflows. These must be clear, visible, and delivered before or at the time of the first AI-influenced interaction. They cannot be buried in terms and conditions.

5. Build the explanation capability for Article 86: Establish the process for responding to candidate requests for explanation. This requires knowing what data points the AI system uses, how it weights them, and how its output is produced. If the vendor cannot provide this information, that is an Article 14 oversight failure.

6. Establish the human oversight protocol: Define specifically who reviews AI outputs, under what criteria they would override the AI's recommendation, and how that override is documented. Train the relevant staff — not just on using the tool, but on its limitations and error patterns.

7. Implement log retention infrastructure: Confirm with your vendor or your IT team that the minimum six-month log retention is in place for every high-risk employment AI system. Audit the log format to confirm it can be provided to regulators or candidates on request.

Frequently Asked Questions About HR AI and the EU AI Act

We're a Brazilian company with no EU office. Does this apply to us?
If your AI system is used to screen, rank, or evaluate candidates who are located in or applying for roles in the EU — for example, a remote role posted in the EU, or a candidate based in Germany — the Act's extraterritorial provisions apply. The regulation covers AI systems whose output is used in the EU, not just AI systems operated by EU companies.

Our ATS (applicant tracking system) vendor says they handle compliance. Is that true?
No. Under the EU AI Act, the deployer — the organization using the system — has its own independent compliance obligations. The vendor's compliance with their provider obligations does not satisfy your deployer obligations regarding human oversight, candidate disclosure, log retention, and ongoing monitoring. The obligation to assess whether the tool is high-risk is also yours.

We use a scoring system that a human always reviews. Are we covered?
It depends on the review. Article 14 requires that the human oversight be substantive: the person reviewing must understand how the AI system produced its output, must have criteria for when to override it, and must exercise genuine judgment rather than routinely ratifying AI outputs. A review where the recruiter almost always follows the AI score is not effective human oversight in the regulatory sense.

What happens to tools that cannot be made compliant before August 2?
Organizations should consider two options: either cease using the non-compliant tool before the deadline (accepting the operational disruption now, on your terms, rather than through regulatory action later), or accelerate engagement with the vendor to establish a documented compliance roadmap. Using a non-compliant high-risk system after August 2 is a direct violation.

Is this really being enforced, or is it aspirational regulation like GDPR initially was?
Finland's January 2026 conferral of enforcement powers — ahead of the August 2026 deadline — suggests a more active early enforcement posture than GDPR's initial years. And the EU AI Act's enforcement architecture includes multiple routes: market surveillance authorities, downstream provider complaints, the scientific panel, and individual rights to file complaints with regulators. Unlike GDPR, where enforcement required a data breach or complaint to trigger action, the AI Act creates proactive supervision obligations.


Intrabit works with HR and compliance teams to assess their AI tool inventory against EU AI Act requirements, develop candidate disclosure frameworks, and build the governance infrastructure required for demonstrable high-risk AI compliance before August 2026.
