Annex III, Point 4 of the EU AI Act lists AI systems intended to be used for:
- Recruitment or selection — including placing targeted job ads, analysing applications, and evaluating candidates.
- Decisions affecting terms of work, promotion, or termination.
- Allocating tasks based on individual behaviour or personal traits.
- Monitoring and evaluating performance and behaviour.
That is most of the modern HR-tech stack — ATS scoring, candidate screening, performance-management nudges, task-routing, productivity analytics. If your product touches any of those, you are in scope.
Who carries which obligation?
Two roles matter:
- Provider (Art. 16) — usually the vendor that put the system on the EU market under its own name. Conformity assessment, technical documentation, QMS, post-market monitoring.
- Deployer (Art. 26) — the employer running the system. Use it according to instructions, ensure human oversight, monitor operation, log inputs, run a Fundamental Rights Impact Assessment (Art. 27).
The cost of getting it wrong
Fines run up to €15M or 3% of global annual turnover, whichever is higher (Art. 99(4)). For a €1B HR-tech vendor that is a €30M ceiling — and that is before national worker-protection laws, GDPR Art. 22 automated-decision-making rules, and employer-liability claims.
If you are a provider: your customers will require a Declaration of Conformity, a CE mark, and proof of EU Database registration before they sign a renewal. Build the dossier now.