A recruitment agency in Hamburg shortlists 400 candidates a month using an AI scoring tool. Under the EU AI Act, that agency is a deployer of a high-risk AI system — and from December 2027 it faces obligations that its software vendor cannot fulfil on its behalf.
Most recruiters who have heard of the EU AI Act (Regulation 2024/1689) think it is someone else's problem — a concern for the tech companies building the tools, not the agencies using them. That assumption is wrong, and understanding why it is wrong is the most important first step any recruitment team can take right now.
This guide covers what deployers must do, why the provider/deployer distinction matters, what the December 2027 deadline actually means in practice, and how to build a compliance posture that protects your clients, your candidates, and your business.
Why Recruitment AI Is Classified as High-Risk
Recruitment and candidate-selection AI sits in Annex III of the EU AI Act, which lists the categories of AI systems the regulation classifies as high-risk. This classification applies because AI-assisted shortlisting, CV screening, and candidate scoring directly affect a person's access to employment — a consequential outcome the Act treats on the same level as access to credit, education, and essential services.
The full Annex III list includes AI used for recruitment, selection, promotion, and performance assessment in employment contexts. If your ATS or sourcing tool uses any form of machine-learned ranking, scoring, or filtering that influences which candidates advance, it almost certainly qualifies. The threshold is not "fully automated decisions" — even AI-assisted ranking with human sign-off falls within scope.
The European Commission's regulatory framework makes the purpose of this classification clear: high-risk AI must be subject to rigorous requirements precisely because the consequences of failure — discriminatory screening, opaque rejections, biased shortlists — fall on individuals who have no visibility into the system producing those outcomes.
"The candidate rejected by an AI scoring tool has no idea why. The Act exists to ensure that gap — between algorithmic decision and human understanding — is bridged before the decision reaches them."
The December 2027 Deadline: What Changed and Why It Still Matters
The high-risk deployer obligation deadline moved from 2 August 2026 to 2 December 2027 under the provisional Digital Omnibus political agreement reached by the Council and Parliament on 7 May 2026. Formal adoption of that agreement is pending, but the political direction is settled.
This extension matters for planning, not for urgency. The structural changes Article 26 requires — human oversight mechanisms, data governance policies, audit logs, worker information protocols — cannot be built in a sprint. The agencies that will be compliant in December 2027 are the ones building their frameworks in 2026. The extension bought time for implementation, not a reason to defer thinking.
| Milestone | Date | What It Means for Recruiters |
|---|---|---|
| AI Act enters into force | 1 August 2024 | Regulation 2024/1689 published |
| AI literacy (Art 4) applies | 2 February 2025 | All staff using any AI need appropriate training — now |
| Original high-risk deployer deadline | 2 August 2026 | Extended under Digital Omnibus |
| Revised high-risk deployer deadline | 2 December 2027 | Article 26 full compliance required (pending formal adoption) |
Provider vs Deployer: The Distinction That Changes Everything
The provider/deployer split is the most consequential structural feature of the Act for recruitment teams. The provider is the organisation that develops and places the AI system on the market — your ATS vendor, your sourcing platform, your CV-screening tool. The deployer is the organisation that puts the system to use in a professional context — your agency or in-house TA function.
Providers carry obligations around design, testing, technical documentation, and CE conformity marking. Deployers carry a separate set of obligations that exist regardless of whether the provider has fulfilled theirs. A vendor with a fully certified, compliant AI product does not discharge your obligations as the organisation using it. The full Article 26 text makes this division explicit.
| Obligation | Provider | Deployer (You) |
|---|---|---|
| Technical documentation & conformity assessment | Yes | No (but must verify it exists) |
| Human oversight assignment (Art 14) | No | Yes — you must assign a competent person |
| Log retention (≥6 months) | Partially | Yes — operational logs under your control |
| Input-data relevance monitoring | No | Yes — you control the data fed in |
| Discrimination output monitoring | Design-level only | Yes — ongoing operational monitoring |
| Fundamental Rights Impact Assessment (Art 27) | No | Yes — where required by Art 27 criteria |
| Worker/candidate information | No | Yes — your obligation to inform |
Article 26 Deployer Duties: The Full Checklist
Article 26 sets out seven core obligations for deployers of high-risk AI systems. Each has direct, practical implications for how a recruitment agency or TA function operates day-to-day. The human oversight requirements in Article 14 underpin several of them.
1. Assign human oversight. You must designate a competent person — with the skills and authority to understand the system's outputs and override them — as the responsible human overseer. This is not a token sign-off. The person must be capable of identifying when the AI's output is wrong or discriminatory and acting on that identification. Giving a junior recruiter the title without the training and decision-making authority does not satisfy this requirement.
2. Follow the provider's instructions. Your vendor supplies instructions for intended use. Operating the system outside those parameters — using a CV-screening tool for purposes it was not designed for, or connecting it to data sources the vendor did not test against — shifts liability toward you and may invalidate the vendor's conformity documentation.
3. Ensure input-data relevance. The data you feed into the AI must be relevant, representative, and sufficiently accurate for the intended purpose. If your candidate database contains outdated records, biased historical hiring data, or incomplete profiles skewed toward one demographic, the AI outputs will reflect that — and the responsibility for that input quality rests with you, the deployer.
4. Retain operational logs for at least six months. You must maintain logs of the system's operation under your control for a minimum of six months. These are the audit trail that regulators will request if a complaint is raised. Logs should capture what inputs were processed, what outputs were generated, and which human decisions followed.
5. Monitor for discriminatory output. Ongoing monitoring for bias is a deployer obligation, not a one-time vendor commitment. You must have a mechanism for detecting whether the system's outputs are producing discriminatory patterns — by gender, age, nationality, disability status — and a process for escalating and addressing findings. This connects directly to your existing GDPR obligations under EU data protection law.
6. Conduct a Fundamental Rights Impact Assessment where required. Article 27 requires a FRIA where certain conditions are met — including where the deployer is a body governed by public law, or where the AI system poses particular risks to fundamental rights. Many private recruitment agencies will not be directly required to conduct a formal FRIA, but working through the FRIA questions is good practice regardless, and some client organisations (public sector employers) may require evidence of it.
7. Inform workers' representatives and affected candidates. Where high-risk AI is used in employment decisions, workers' representatives must be informed. Candidates whose applications are subject to AI processing must also be notified — this connects to GDPR's transparency principle and, in cross-border recruitment, to varying national implementation requirements across EU member states.
"The vendor built the train. You are driving it. Article 26 exists because the person behind the controls is responsible for where it goes — regardless of what the manufacturer's manual says."
AI Literacy: The Obligation Already in Force
AI literacy under Article 4 came into force on 2 February 2025 and applies immediately to all AI systems — not just high-risk ones. Every member of your team who uses any AI tool in their daily work must have appropriate AI literacy. This is not about understanding the mathematics of machine learning. It is about understanding what the tool does, where its outputs might be wrong or biased, and how to use it in a way that keeps a human meaningfully in control.
According to SHRM research on talent acquisition practices, AI literacy remains one of the largest gaps in recruitment teams that have adopted AI tools. Most recruiters have been trained on how to use a feature — not on what the model is actually doing, what its limitations are, or when to override it.
Practical AI literacy training for a recruitment context should cover: what the AI system is optimising for, what data it was trained on, the categories of error it is most likely to make, how to spot an anomalous output, and the process for escalating concerns. This is not a one-day course — it is an ongoing competency that needs to be embedded into onboarding and refreshed as systems are updated.
How Yena Is Built for Article 26
Platforms designed with the human as orchestrator — rather than the AI as decision-maker — align naturally with what Article 26 requires. Yena's sourcing tools keep the recruiter in control at every stage: the AI surfaces and scores candidates, the recruiter reviews and decides. Every shortlist includes the reasoning behind each candidate's score, not just a ranked number — because explainability is exactly the kind of artifact that satisfies the human oversight and log-retention requirements.
Decision logs in Yena capture which AI-generated rankings were acted on, which were overridden, and why — building the six-month operational audit trail Article 26 requires without extra manual effort. The system is built to assist the recruiter's judgement, never to replace it.
For agencies evaluating platforms before the December 2027 deadline, the question to ask every vendor is not just "is your AI compliant?" — it is "can I demonstrate my own Article 26 compliance using your logs?" Those are different questions, and the answer to the second one is what regulators will care about.
"The agencies that will find December 2027 straightforward are the ones using tools that treat AI as augmentation, not automation. The paper trail almost builds itself when the human is genuinely in the loop."
Penalties: What Non-Compliance Actually Costs
Article 99 of the Act sets out a tiered penalty structure. For violations of high-risk deployer obligations — the Article 26 duties covered in this guide — the ceiling is €15 million or 3% of total global annual turnover, whichever is higher. For violations of prohibited AI practices (which recruitment AI is unlikely to engage in, but are worth knowing), the ceiling rises to €35 million or 7% of global turnover.
For a boutique executive search firm with €2 million annual revenue, 3% is €60,000. For a mid-size agency group at €50 million, it is €1.5 million. These are not enforcement theatrics — the GDPR penalty track record across EU member states shows that regulators are willing to levy significant fines against organisations that process personal data in employment contexts without adequate controls. The AI Act adds a second enforcement layer on top of existing GDPR exposure.
The compliance cost of building Article 26 frameworks is substantially lower than the maximum fine ceiling, and substantially lower than the reputational cost of being the recruitment firm named in an AI Act enforcement action.
Frequently Asked Questions
Is recruitment AI classified as high-risk under the EU AI Act?
Yes. Annex III of Regulation 2024/1689 explicitly lists AI systems used for recruitment, CV screening, and candidate selection as high-risk. Any agency or in-house TA team deploying such tools must comply with the Article 26 deployer obligations.
When do Article 26 deployer obligations take effect?
The original deadline of 2 August 2026 was extended to 2 December 2027 under the provisional Digital Omnibus political agreement (Council and Parliament, 7 May 2026). Formal adoption is pending. The runway changed; the destination did not.
What is the difference between a provider and a deployer under the AI Act?
The software vendor who builds the AI system is the provider. The recruitment agency or HR function that puts it to use is the deployer. A vendor's own compliance certification does not discharge the deployer's independent Article 26 obligations.
What are the penalties for non-compliance with the EU AI Act in recruitment?
Penalties under Article 99 reach up to €15 million or 3% of global annual turnover, whichever is higher. Violations of prohibited AI practices carry up to €35 million or 7% of turnover.
Does AI literacy training apply to my recruitment team now?
Yes. Article 4 AI literacy obligations came into force on 2 February 2025 and apply to all AI systems, not just high-risk ones. Every staff member who uses any AI tool in their work must receive appropriate training. CIPD resources at cipd.org/uk/knowledge include practical guidance on AI skills development for HR professionals.
The EU AI Act does not require recruitment agencies to stop using AI. It requires them to use it responsibly — with documented human oversight, clean input data, retained logs, and transparent disclosure to candidates. That is not a ceiling on what AI can do in recruitment. It is the floor that makes AI-assisted hiring trustworthy enough to scale.
If you are building your Article 26 compliance framework and want to see how Yena handles explainability, decision logs, and human oversight in practice, the answer starts with tools designed for the human-in-the-loop from the ground up — not retrofitted with an audit export after the fact.