Back to Blog
ComplianceAI & AutomationDACHAgencies

The EU AI Act and Recruitment: What Your Agency Needs to Do

The EU AI Act classifies recruitment AI as high-risk, with full compliance required by August 2026. Here's what agency owners actually need to change — and.

Janis Kolomenskis

14 min read
Share

Six months. That's roughly how long you've got before the EU AI Act's high-risk rules kick in on 2 August 2026. And if you run a recruitment agency that uses any kind of AI — resume screening, candidate matching, automated outreach, chatbots on your careers page — this law is aimed squarely at you.

Update (July 2026): The EU Council and Parliament have agreed a "Digital Omnibus" package that pushes back the high-risk AI deadlines. Standalone Annex III systems — including recruitment and candidate-scoring AI — now have until December 2, 2027 to meet full obligations, not August 2, 2026. AI embedded in regulated products (Annex I) moves to August 2, 2028. The change is agreed but not yet formally in force — it takes legal effect once published in the EU Official Journal, expected before the original deadline. The date moved; the obligations didn't disappear. Agencies that treat this as breathing room rather than a reprieve will be in better shape either way. Source: the European Commission's AI Act Service Desk implementation timeline.

I'll be honest: when I first heard about the EU AI Act back in 2024, my reaction was somewhere between "that sounds like a problem for Big Tech" and "someone else will figure this out before it matters." Two years on, neither of those things happened. The deadlines are real (even if they've now moved), the penalties are eye-watering, and most small to mid-sized agencies I talk to haven't started preparing.

So I sat down, read the actual legislation (yes, all of it — it's 144 pages; no, I wouldn't recommend it for light reading), spoke with two GDPR lawyers and a compliance consultant who specialises in HR tech, and put together what I wish someone had told me eighteen months ago.

What the EU AI Act Actually Says About Recruitment

The Act splits AI systems into four risk tiers: unacceptable, high-risk, limited, and minimal. Recruitment AI lands firmly in the "high-risk" category. Not "might be high-risk." Not "depends on how you use it." Straight-up high-risk, every time.

That classification covers a surprisingly wide range of tools:

  • CV screening and parsing software
  • AI-powered candidate ranking or shortlisting
  • Chatbots that pre-qualify applicants
  • Automated interview scheduling with candidate scoring
  • Any system that helps decide who gets hired, promoted, or made redundant

If you're thinking "well, my ATS just does keyword matching, that's not really AI" — the Act uses a broad definition. If the software makes predictions, recommendations, or decisions that influence employment outcomes, it's covered. The legal text references "AI systems intended to be used for recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates." That's basically every modern ATS on the market.

The Stuff That's Already Banned

Some things didn't wait until August. Since February 2025, certain AI practices have been flat-out illegal in the EU. The ones most relevant to recruitment:

  • Emotion recognition in interviews. If your video interview tool claims to analyse a candidate's facial expressions, tone of voice, or body language to assess their "fit" or "engagement level" — that's done. Banned. HireVue dropped their facial analysis feature years ago after heavy criticism; the EU codified that instinct into law.
  • Social scoring. Building a trustworthiness profile of candidates based on their social media behaviour, online activity, or any aggregated "character score" — illegal.
  • Subliminal manipulation. AI that nudges candidates into accepting lower salaries or unfavourable terms without them realising. This one sounds dystopian, but the regulators clearly thought it was worth spelling out.
  • Biometric categorisation for protected characteristics. Using AI to infer someone's race, religion, sexual orientation, or political views from photos, video, or biometric data. Not in interviews, not in screening, not ever.

The penalty for using banned AI? Up to €35 million or 7% of your global annual turnover, whichever is higher. For a recruitment agency doing €2 million in revenue, that's a potential €140,000 fine. For a larger operation, it scales fast.

Most agencies I know aren't deliberately using any of these. But it's worth checking. If you're using a video interview platform, log in and look at what analytics it provides. If there's anything about "candidate sentiment analysis" or "engagement scoring" based on facial or vocal patterns, switch it off or switch platforms. This is especially critical given how AI is already changing candidate assessment.

What Changes When the High-Risk Rules Take Effect

This is where it gets properly involved. From 2 December 2027 (the deferred date — see the update above), if you deploy high-risk AI in hiring (and we've established that most recruitment AI qualifies), you need to meet a stack of obligations. Here's what they actually mean in plain English.

You Need a Risk Assessment

Before you use any AI tool in your recruitment process, you need to assess the risks it poses. Sounds vague, but the Act is quite specific about what this includes: potential for discrimination or bias, accuracy of the system's outputs, impact on candidates' fundamental rights, and what happens when the system gets it wrong.

When I ran my agency, we used an AI matching tool that consistently underranked candidates who'd taken career breaks. Mothers returning to work, people who'd cared for elderly parents, anyone with a gap on their CV. We only noticed because one of my recruiters, Sarah, kept flagging it manually. Under the new rules, that kind of bias should have been caught before the tool went live.

Practically, this means you need to document: what AI tools you use, what decisions they influence, what data they're trained on, and what could go wrong. It doesn't have to be a 50-page report. But it has to exist.

Human Oversight Is Mandatory

No fully automated hiring decisions. Full stop. A human being must be able to review, override, or disregard what the AI recommends. If your ATS automatically rejects candidates below a certain match score and nobody reviews those rejections, that's a problem under the new rules.

This one actually aligns with how most good agencies already work. You use AI to surface candidates, but a recruiter makes the call. The difference now is you need to be able to prove that's how it works. That means audit trails showing human decisions at key stages.

Transparency — Tell Candidates About the AI

Candidates have the right to know when AI plays a significant role in decisions about them. This isn't just a nice thing to do; it's a legal requirement. You need to disclose what AI tools are involved, what data they process, and what role their outputs play in the hiring decision.

I know what you're thinking: "Great, another disclaimer nobody reads." Fair point. But the intent matters. A one-liner in your privacy policy isn't enough. The guidance suggests clear, accessible notification — think a short paragraph in your application confirmation email, not buried legalese on page 17 of your terms.

Something like: "We use AI-assisted tools to help match your experience with this role. A recruiter will review all shortlisted and rejected applications. If you'd like to know more about how this works, contact us at [email]."

Technical Documentation

Your AI vendor should provide this, not you. But you need to know it exists. The Act requires that high-risk AI systems come with detailed documentation covering how the system was designed, what data it was trained on, its intended purpose, its known limitations, and instructions for proper use.

If your vendor can't produce this documentation, that's a red flag the size of Brandenburg Gate. It means either they haven't prepared for the Act, or their system doesn't meet the standard. Either way, you're the one left holding the liability. This is one of many reasons agencies are reassessing their ATS investments in 2026.

Logging and Record-Keeping

High-risk AI systems need to automatically log their operations. What decisions were made, what data was processed, when, and by whom. These logs must be kept for a period appropriate to the system's intended purpose — the Act mentions at least six months.

For recruitment agencies, this translates to: your ATS should keep a record of every AI-driven action. Which candidates were surfaced by AI matching, which were filtered out, what scores they received. If a candidate later challenges a rejection and claims it was discriminatory, you need the data to show what actually happened.

Who's Actually on the Hook?

There's a common misconception floating around LinkedIn that the EU AI Act only applies to companies that build AI tools. That's not accurate. The Act creates obligations for two groups:

Providers — the companies that develop and sell AI systems. They bear the heaviest compliance burden: conformity assessments, CE marking, technical documentation, and registration in the EU database.

Deployers — the companies that use AI systems in their operations. That's you, the recruitment agency. Your obligations are lighter than the provider's, but they're still real. You need to use the AI system according to the provider's instructions, ensure human oversight, monitor for risks, keep logs, and inform candidates.

And here's the bit that catches people off guard: the Act has extraterritorial reach. If your AI tool processes candidates who are in the EU — even if your agency is headquartered in London, New York, or Singapore — you're in scope. Sound familiar? It's the same logic as GDPR. The location of the person affected is what matters, not the location of your office.

What This Means for DACH Agencies Specifically

If you recruit in Germany, Austria, or Switzerland, you're already operating under some of Europe's strictest data protection regimes. GDPR has been enforced aggressively in Germany in particular — the country's data protection authorities issued over €50 million in fines in 2023 alone.

The EU AI Act layers on top of GDPR. It doesn't replace it. You still need lawful basis for processing personal data, you still need consent management, you still need to honour data subject access requests. The AI Act adds a new set of requirements on top of that existing framework.

For German agencies, the Betriebsrat (works council) angle is also worth noting. If your clients have works councils — and any German company with five or more employees can form one — those councils have co-determination rights over the introduction of AI tools that monitor or evaluate employees. Even during the hiring phase, some works councils have taken the position that AI screening tools require their involvement. The legal picture is still developing here, but it's something to be aware of when advising your clients.

A Practical Compliance Checklist (For Agencies, Not Lawyers)

Right. Enough theory. Here's what you should actually do before the (now-extended) deadline arrives. I've tried to make this as concrete as possible, because the "consult your legal team" advice is useless when your legal team is a part-time lawyer you share with three other businesses.

1. Map Your AI Tools

Sit down for 30 minutes and list every tool in your recruitment workflow that uses any form of AI or automation. Don't overthink the definition — if the vendor's marketing mentions "AI," "machine learning," "intelligent matching," or "automated screening," write it down.

Typical list for a mid-sized agency:

  • ATS with AI candidate matching
  • LinkedIn sourcing extension with profile scoring
  • Email outreach tool with AI personalisation
  • Chatbot for initial candidate screening
  • Video interview platform
  • Resume parser

For each tool, note: what data it processes, what decisions it influences, and whether a human reviews its outputs before action is taken.

2. Ask Your Vendors the Hard Questions

Send an email to every vendor on your list. Keep it simple:

"We're preparing for EU AI Act compliance ahead of the December 2027 deadline. Can you confirm: (a) whether your tool is classified as high-risk under the Act, (b) what technical documentation you can provide, (c) whether your system includes automated logging of AI-driven decisions, and (d) your timeline for achieving CE marking or equivalent conformity assessment?"

If a vendor can't answer these questions clearly, you have two options: push them harder or start looking at alternatives. When the deadline arrives, "my vendor didn't tell me" won't be a defence.

3. Document Your Human Oversight Process

Write down — literally, in a document — how human decision-making works in your hiring process. Where does AI make recommendations? Where does a human review those recommendations? Can a human override the AI? Is there a process for reviewing candidates that the AI filtered out?

This doesn't need to be elaborate. A one-page flowchart is fine. The point is that it exists and that your team knows about it.

4. Update Your Candidate-Facing Communications

Add AI disclosure to your privacy notice and your application confirmation emails. Be specific about what tools you use and what they do. Vague language like "we may use technology to assist in the recruitment process" probably won't cut it.

Better: "We use [Tool Name] to match your skills and experience against the requirements of this role. This tool analyses the text of your CV and compares it to the job description. A recruiter reviews all matches and rejections before any decision is made."

5. Review Your Client Contracts

If you're placing candidates on behalf of clients who operate in the EU, your engagement contracts should address AI use. Who's responsible for compliance — you or the client? If you screen candidates using AI before presenting them to the client, the liability sits with you as the deployer. Make sure your contracts reflect this.

6. Set Up Monitoring

The Act requires ongoing monitoring, not just a one-time assessment. Check your AI tools' outputs quarterly: are they consistently underrepresenting certain demographics? Are candidates with non-traditional backgrounds being filtered out at higher rates? You don't need a data science team for this. Pull a sample of 50 AI-screened candidates, review the demographics of who made it through and who didn't, and look for patterns.

The Opportunities Nobody's Talking About

I've spent most of this article on compliance requirements, which makes it sound like the EU AI Act is nothing but cost and hassle. It isn't.

There's a real commercial opportunity here for agencies that get ahead of this. Your clients — especially enterprise clients in regulated industries — are going to start asking their recruitment partners about AI compliance. Banks, insurance companies, pharmaceutical firms, government contractors: these organisations will want to know that the agency screening their candidates is doing it in a way that won't create legal exposure.

Being able to say "yes, our AI tools are EU AI Act compliant, here's our documentation" is a genuine competitive advantage. It's the same playbook that worked with GDPR. Back in 2018, agencies that could demonstrate GDPR compliance won mandates from clients who were nervous about data handling. The same dynamic is about to play out with AI compliance.

I've already seen this with two of our clients at Yena. A Frankfurt-based executive search firm landed a retained search from a DAX 40 company partly because they could demonstrate their AI screening process included human oversight and bias monitoring. The competitor, using a tool with no audit trail, couldn't match that assurance.

Small agencies have an edge here, too. You're more agile. You can update your processes in weeks, not quarters. A 500-person staffing company with legacy systems and entrenched workflows will take far longer to adapt. Move now, and you're positioned ahead of larger competitors who are still in the "let's form a committee" phase. Modern compliant ATS platforms are designed with this agility in mind.

What Good AI Compliance Looks Like in Practice

Let me paint a picture of what a compliant recruitment workflow looks like once the high-risk rules are in effect. It's not as different from what you're doing today as you might fear.

A candidate applies for a role through your website. They see a clear statement: "We use AI to help match candidates to roles. Here's how it works." Your ATS parses their CV using AI and generates a match score against the job description. That score is logged automatically — time, data processed, result.

A recruiter reviews the shortlist, including the AI match scores. They also review a sample of candidates the AI ranked lower to catch any false negatives. The recruiter makes the shortlist decision, and that decision is logged too.

If a candidate asks why they weren't shortlisted, you can pull the log showing the AI's score and the recruiter's review. You can explain the factors that went into the matching — not the algorithm's internal weights, but the general logic: "the role required five years of B2B SaaS sales experience in Germany, and your profile showed three years in a different market."

Quarterly, you run a check on your AI tool's outputs. You look at who's being surfaced and who isn't. If the tool is consistently underranking candidates from certain universities, age groups, or geographies, you flag it, document it, and either adjust the tool's configuration or raise it with your vendor.

That's it. Not painless, but not impossible either.

Common Myths I Keep Hearing

"This only applies to big companies." Wrong. The Act applies to any organisation that deploys high-risk AI in the EU. Size doesn't matter. There are lighter administrative obligations for SMEs, and the European Commission has indicated that enforcement will be "proportionate," but you're still subject to the core requirements.

"We don't use AI, just an ATS." Check with your vendor. Most modern ATS platforms include AI features — candidate matching, resume parsing, smart search. If your vendor calls it AI, the Act might too.

"GDPR already covers this." It covers data protection. The AI Act covers something different: the safety, accuracy, and fairness of AI systems themselves. You need both. Think of GDPR as protecting the data and the AI Act as governing the tool that processes it.

"I'll wait until someone gets fined, then react." By then, your competitors will already have client-ready compliance documentation. And fines under the AI Act aren't gentle warnings — they start at €7.5 million for minor infractions and go up to €35 million for the serious stuff. The obligation now starts in December 2027, but building the documentation, oversight process, and vendor relationships takes months — waiting until the deadline is close is still the expensive option.

Picking the Right ATS for an EU AI Act World

If you're already thinking about switching your ATS — or you're overdue for a review — the EU AI Act should be on your evaluation criteria. Here's what to look for:

  • Audit trails. Every AI-driven action should be logged: what was processed, when, what the output was, and whether a human reviewed it.
  • Explainability. When the AI surfaces a candidate, it should be able to tell you why. "85% match" means nothing without context. "85% match because of 7 years' experience in supply chain management, fluent German, and prior work in the automotive sector" — that's useful and compliant. This is what transparent AI matching looks like in practice.
  • Consent management. Built-in tools for collecting and managing candidate consent around AI processing, separate from your general GDPR consent.
  • Data governance. Clear documentation about what data the AI uses, where it comes from, and how it's stored. If the vendor can't answer these questions, walk away.
  • Vendor readiness. Ask directly: "What's your EU AI Act compliance roadmap?" If the answer is vague or non-existent, that tells you everything.

We built Yena with this stuff baked in from day one — not because we saw the regulation coming (honestly, we got a bit lucky on timing), but because GDPR taught us that compliance-by-design is always cheaper than compliance-by-retrofit. Our AI matching explains its reasoning, logs every decision, and keeps humans in the loop at every stage. If that matters to you, have a look.

What Happens If You Do Nothing

Maybe nothing, for a while. The obligations are now legally binding from December 2027 (once the Digital Omnibus deferral is formally adopted), which means any candidate, competitor, or regulator can start scrutinising your practices from that date.

More realistically, your clients will start asking. RFPs will include AI compliance questions. Procurement departments will want evidence of responsible AI use. Candidates — especially senior ones — will ask how their data is being processed by AI tools.

And at some point, someone will get fined. When that happens, every agency in Europe will scramble to comply overnight, competing for the same lawyers, the same consultants, and the same compliant software. The agencies that prepared early will already be there.

The deadline has moved further out, but that's not a reason to shelve this. Start with the checklist above, send those vendor emails this week, and spend an afternoon documenting your current process. You don't need to be perfect by the deadline. You need to be credibly prepared.

The EU AI Act isn't going to kill AI in recruitment. It's going to separate the agencies that use AI thoughtfully from the ones that use it carelessly. I know which side I'd rather be on.

Janis Kolomenskis

February 8, 2026

Share
Yena

Turn a role brief into a qualified shortlist.

Describe who you need. Yena finds passive candidates, explains why they fit, adds verified contact data, and keeps outreach in the same recruiting workspace.