Check my compliance →
AIActComply / Blog / EU AI Act and Recruitment: Is Your ATS Making You a High-Risk Deployer?

EU AI Act and Recruitment: Is Your ATS Making You a High-Risk Deployer?

If your company uses an AI-powered applicant tracking system, you are almost certainly a high-risk AI deployer under the EU AI Act. Here's what that means and what to do about it.

Published 7 January 2026

Most HR teams have not been part of their company’s EU AI Act conversation. That is a problem, because recruiting technology puts HR squarely inside one of the Act’s highest-risk categories, alongside banks running credit scoring models and healthcare providers using AI diagnostics.

If your company uses an AI-powered applicant tracking system, you are almost certainly a high-risk AI deployer. The obligations that follow are real, and the August 2026 deadline is not far off.

Why recruitment is explicitly high-risk

The EU AI Act lists high-risk AI categories in Annex III. Category 4 covers “employment, workers management and access to self-employment.” The specific systems named include:

This is not a grey area. The EU legislator chose to name employment explicitly, placing it alongside access to credit, education decisions, and law enforcement tools. The reason is the same in each case: the AI system makes or informs decisions that materially affect people’s lives, and those people have limited ability to contest the decision or understand how it was made.

What actually triggers the classification

Not every piece of HR software is high-risk. The question is whether the system uses AI to rank, score, or filter candidates, and whether that ranking influences who you look at.

Here is a practical breakdown:

Tool typeDoes it trigger Annex III?What you need
ATS with AI CV ranking or scoringYesUsage policy, oversight, logging
ATS without AI features (manual pipeline only)NoAI literacy policy only
LinkedIn Recruiter standard featuresProbably notAI literacy policy only
LinkedIn Recruiter with AI recommendations used for shortlistingYesUsage policy, oversight, logging
Video interview analysis tools (HireVue-type)YesUsage policy, oversight, applicant notification
AI performance management systems that influence pay or role decisionsYesUsage policy, oversight, logging

The line is whether the AI is making a filtering decision before a human sees the candidate. If the system decides who you even look at, it is within scope.

”We always review the final shortlist ourselves”

This argument comes up frequently and it does not hold.

If an AI system scores 400 applicants and surfaces the top 25 for human review, the human is not reviewing the AI’s work. The human is reviewing the 25 people the AI selected. The other 375 candidates have already been removed. No human will ever see them.

The Act is not fooled by this framing. What matters is whether the AI system exercises a filtering or sorting function that affects access to employment. If it does, the deployer obligations apply regardless of how much review happens downstream.

The Article 6(3) exception and why it rarely applies

There is a partial exception in Article 6(3) for AI systems that perform a “preparatory task” that is not directly used to make decisions affecting people. Some legal commentaries have suggested this might exempt AI tools that simply organise or present information without scoring.

In practice, most modern ATS AI features do not fall here. A system that recommends candidates, ranks CVs, or generates a shortlist is performing a substantive filtering function, not a preparatory one. If you are hoping this exception applies to your recruiting software, you need a specific legal opinion on the system’s actual functionality, not a general reading of the exception text.

What you actually need to do as a high-risk deployer

The obligations for high-risk AI deployers are set out in Article 26. For recruiting, that means:

Usage policy: A written document that describes which AI systems you use in the hiring process, what decisions they inform, how human oversight works, and who is responsible for the process.

Named human oversight: Someone must be designated to oversee the operation of the high-risk system. This does not have to be a dedicated role. It can be the Head of Talent or VP of HR. But someone must be named, and the responsibility must be documented.

Logging: You must be able to reconstruct what the AI did in a given hiring decision. Most enterprise ATS vendors retain logs. Verify that your contract gives you access to them for at least the required retention period.

Informing applicants: Where AI is used in a way that produces legal or similarly significant effects, affected individuals must be informed. For ATS systems used in shortlisting, you will need to update your job advertisements or application confirmations to disclose AI use.

Your vendor’s CE mark is their problem. Verifying it exists is yours.

If you are using a high-risk AI system under Annex III, your vendor is required to have completed a conformity assessment and obtained CE marking. You did not build the system, so those obligations belong to them.

But you are responsible for verifying that the vendor has met those obligations before you deploy the system in a high-risk context. Ask your ATS vendor directly:

If the vendor cannot answer these questions, or says the regulation does not apply to them, that is a contractual and compliance risk you are taking on. Document the conversation.

Getting ready before August 2026

The August 2026 deadline covers most high-risk deployer obligations. For recruiting, that means you need your usage policy, oversight documentation, and applicant notification text in place before then.

The good news is that the documentation is not particularly technical. A usage policy for an ATS does not require AI expertise. It requires clear thinking about how your hiring process works, where the AI sits in that process, and who is accountable for what. Most organisations can complete this in a focused afternoon if they have the right template.

Find out if your ATS makes you a high-risk deployer

Answer 20 questions about your AI systems. AIActComply generates your complete compliance documentation, prefilled for deployers, in 11 EU languages.

Check my compliance →
Ready to get compliant?
Get all your EU AI Act documents in 30 minutes
Answer 20 questions. AIActComply generates your AI Literacy Policy, Risk Classification Memo, Usage Policy, and Transparency Notice — prefilled, in 11 EU languages. €99 one-time.
Start now →