EU AI Act & Hiring AI: What HR Teams Must Do Now

The EU AI Act's high-risk AI obligations for recruitment are no longer a distant concern on the regulatory horizon. Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, entered into force in August 2024, and the obligations that affect employers using AI in hiring are on a clear timeline. If your organisation uses any form of automated screening, candidate ranking, shortlisting, or assessment tool in your recruitment process, you are almost certainly operating a high-risk AI system under the Act. That classification carries specific, enforceable duties, and the time to prepare is now, not when an enforcement action arrives.

This article is a practical guide for HR leaders, talent acquisition teams, and the business owners who oversee them. It explains what the EU AI Act requires, why recruitment AI is classified as high-risk, and what steps Dutch employers need to take to meet their obligations. It covers data governance, transparency to candidates, human oversight, risk management, logging and conformity documentation. It is written to be accurate and current, but it is general information only — not legal advice. For advice specific to your organisation and circumstances, consult a qualified legal professional.

Does the EU AI Act classify recruitment AI as high-risk and what does that mean for employers?

Yes — unambiguously. Annex III of the EU AI Act lists AI systems used in employment, workers management and access to self-employment as high-risk. This covers AI used for recruitment and selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests, and ranking or shortlisting of candidates. The language of the Act is broad enough to capture not just bespoke custom systems but also commercial applicant tracking systems (ATS) with AI-powered scoring, automated CV screening tools, AI-driven psychometric or video interview analysis platforms, and chatbot-based pre-screening tools.

For employers, this matters because the Act draws a distinction between providers (the companies that build and place AI systems on the market) and deployers (the organisations that put systems to use in their own processes). Most HR teams are deployers, not providers. Deployers of high-risk AI systems carry their own set of obligations under the Act — separate from, and in addition to, any obligations resting on the vendor or software supplier. Choosing a compliant vendor does not transfer your compliance obligation to them; it reduces certain risks but does not eliminate your own duties.

The primary source for these requirements is the full text of Regulation (EU) 2024/1689 (the EU AI Act), published in the Official Journal of the European Union. For summaries and official guidance, the European Commission AI regulatory framework page is the authoritative secondary source. We link to both throughout this article rather than paraphrasing in ways that might miss nuance.

The phased timeline: when do EU AI Act HR compliance obligations apply?

The EU AI Act applies in phases rather than all at once. The regulation entered into force on 1 August 2024. Most of the substantive obligations — including those for high-risk AI systems such as recruitment tools — apply from 2 August 2026. Certain earlier provisions (on prohibited AI practices and on general-purpose AI models) applied sooner, from February 2025 and August 2025 respectively, but the core high-risk obligations affecting HR are in the 2026 window.

This phasing gives organisations time to prepare — but not unlimited time, and the preparation required is substantial. Building a compliant risk management system, auditing existing tools, renegotiating vendor contracts, training staff on human oversight procedures, and putting logging and documentation in place all take time. Organisations that start now have a meaningful head start over those that wait until 2026 is imminent.

It is also worth noting that national authorities in EU member states — including the Netherlands — are already developing enforcement frameworks. The Dutch Autoriteit Persoonsgegevens (AP) has jurisdiction over GDPR-related aspects of AI systems and has signalled interest in AI in employment. The AI Act will bring additional supervisory structures. Waiting for enforcement to materialise before acting is not a risk-free strategy.

What are the specific obligations for deployers of high-risk hiring AI?

Article 26 and related provisions of the EU AI Act set out the obligations of deployers of high-risk AI systems. For HR teams using AI in recruitment, these translate into six main areas of action.

1. Risk management throughout the system lifecycle

Deployers must implement appropriate technical and organisational measures to ensure they use the high-risk AI system in accordance with the instructions for use provided by the provider. They must also assign human oversight to appropriately qualified and trained staff. This is not a one-time exercise — risk management must be maintained throughout the period the system is in use, with regular reviews as the system, the job market, and the candidate population evolve.

For HR teams, this means having a documented process for reviewing how your AI tool is performing: whether its outputs are fair, whether edge cases are handled appropriately, and whether the system is being used in the way it was designed to be used. An AI implementation audit is often the right starting point — a structured review of what your current tools are doing, what data they process, and where the gaps in your oversight framework are.

2. Data governance and quality

High-risk AI systems under the Act must be developed and used with appropriate data governance practices. For deployers, this means ensuring that the data you feed into the system — job descriptions, historical hiring decisions used to calibrate scoring, candidate profile data — is accurate, representative and not tainted by historical bias. If you are using a commercial tool trained on generic datasets, you need to understand what those datasets contain and whether they are appropriate for your specific hiring context.

Good data governance also intersects directly with the GDPR obligations that have been in place since 2018. Candidate personal data must have a valid lawful basis for processing, candidates must be informed about how their data is used, and retention periods must be enforced. The GDPR's Article 22 on automated decision-making applies independently of the AI Act and gives candidates the right to human review of decisions made solely by automated means. Robust data engineering practices are the foundation of both GDPR and EU AI Act compliance here.

3. Transparency to candidates

The EU AI Act requires deployers to inform natural persons who are subject to decisions made by high-risk AI systems. In the hiring context, this means telling candidates — clearly and in advance — that an AI system will be used in assessing their application, and what role that system plays. This is not just a legal requirement; it is also good practice. Candidates who understand that an AI tool will be involved can make an informed decision about whether to apply, and they can exercise their rights under the GDPR to request human review.

Transparency obligations extend to the type of information disclosed. Candidates should know that AI is being used in the process, what the general logic of the system is (though not necessarily the full technical detail), and how they can request human review or raise concerns. Privacy notices and candidate-facing communications will need to be updated to reflect this — likely with input from both HR and legal counsel.

4. Human oversight — the non-negotiable requirement

Human oversight is perhaps the most operationally significant obligation in the EU AI Act for HR teams. The Act requires that high-risk AI systems be designed and used in a way that allows the humans overseeing them to effectively monitor the system's operation, understand its capabilities and limitations, intervene when necessary, and override or disregard outputs when appropriate.

In recruitment, this means that no AI system — however sophisticated — can be the sole decision-maker in whether a candidate progresses through your process. A human must be genuinely involved, not merely rubber-stamping a ranked list. The human overseer must have the authority and competence to challenge the system's outputs, the visibility into what drove those outputs, and the practical ability to act differently when their judgement diverges from the algorithm's recommendation.

This has practical implications for how you structure your screening process. If a recruiter is simply accepting the top 20 candidates from an AI-ranked list without reviewing the reasoning, that almost certainly does not meet the human oversight requirement. If, on the other hand, a recruiter reviews the AI-generated scores alongside the underlying reasoning and can override individual decisions with a documented rationale, you are closer to compliance. Building machine learning systems with explainability built in — so that human reviewers can see not just a score but the factors driving it — is therefore not a nice-to-have but a compliance requirement.

5. Logging and record-keeping

High-risk AI systems must maintain logs of their operation to the extent technically possible. For deployers, this means ensuring that the AI tools you use generate records sufficient to allow post-hoc review of decisions: which candidates were scored, what scores they received, what criteria were applied, and when each step occurred. These logs need to be retained for a period specified in the Act and made available to competent authorities on request.

Many commercial ATS products generate some form of audit trail, but not all do so at the level of granularity the EU AI Act requires. Reviewing your vendor's logging capabilities and contractually requiring them to provide compliant logs is a specific action item. For custom-built systems, logging needs to be designed in from the outset rather than retrofitted.

6. Conformity documentation and fundamental rights impact assessment

Providers of high-risk AI systems must produce technical documentation and a declaration of conformity. Deployers must cooperate with providers in ensuring that the deployed system meets the requirements of the Act, and must report serious incidents to the relevant authorities. Deployers that are public bodies — including government agencies, municipalities, and public universities — must also carry out a fundamental rights impact assessment (FRIA) before deploying a high-risk AI system. This is a structured assessment of the potential impact on the rights of the people affected by the system — in this case, job applicants.

Private-sector deployers are not currently required to carry out a full FRIA under the Act, but carrying out a proportionate internal assessment of the risks to candidates' fundamental rights is good governance and will increasingly be expected by regulators, investors, and civil society.

The EU AI Act and employment in the Netherlands: what is specific to the Dutch context?

The EU AI Act is directly applicable across all EU member states, including the Netherlands, without the need for transposition into national law. This means Dutch employers are subject to the same obligations as employers in Germany, France or Spain. However, the enforcement and supervisory landscape does have national dimensions.

The Netherlands will designate one or more national competent authorities responsible for market surveillance and enforcement of the EU AI Act. The Autoriteit Persoonsgegevens has already shown that it takes automated decision-making in employment seriously — it has published guidance on the use of algorithmic tools in HR and has conducted investigations into employers using automated systems without adequate transparency or human oversight. The Dutch approach to AI governance has tended towards thoughtful enforcement with a period of dialogue before formal action, but the direction of travel is clear.

Dutch collective labour agreements (CAOs) are another dimension that does not feature in the Act itself but is highly relevant for employers operating under them. Many CAOs include provisions on the introduction of technology in the workplace that require consultation with employee representatives (ondernemingsraad) before deployment. Introducing an AI hiring tool may trigger Works Council consultation rights under the Works Councils Act (Wet op de ondernemingsraden), which is a separate legal obligation from the EU AI Act but equally enforceable.

For employers in the Utrecht region and broader Netherlands working with Crux Digits, we help assess which specific obligations apply, map the current state of your hiring AI against those obligations, and build or configure systems that meet them. The goal is not compliance for its own sake but a hiring process that is genuinely fair, defensible and effective.

AI Act compliance for recruitment software: what to look for in a vendor

If you are using or considering a commercial recruitment software product that includes AI features, the EU AI Act gives you specific questions to ask your vendor — and reasonable grounds to expect clear answers.

  • Is your system classified as high-risk under the EU AI Act? Any vendor using AI for candidate screening, ranking or shortlisting should already have answered this question. If they cannot tell you, that is itself a signal.
  • What technical documentation and instructions for use do you provide to deployers? The Act requires providers to give deployers the information they need to use the system in compliance with the law.
  • What logging does the system generate and in what format? You need to know whether the logs will meet the requirements of the Act and your own audit needs.
  • How does the system support human oversight? Look for explainability features — score breakdowns, factor visibility — not just a ranked output.
  • What bias testing has been carried out and what were the results? Responsible providers will have tested their systems on demographic groups and will share results (or at minimum methodologies) with deployers.
  • How will the system handle the transition to full EU AI Act compliance in August 2026? Vendors should have a roadmap. If they do not, you carry the compliance risk.

The answers to these questions should inform not just your vendor selection but your contract terms. Compliance obligations on deployers can be partially managed through well-drafted data processing agreements and service contracts, but only if you negotiate them proactively.

A practical EU AI Act HR compliance checklist for Dutch employers

  • Inventory every AI tool used in your hiring process — from ATS scoring to video interview analysis to chatbot pre-screening. If it scores, ranks or filters candidates using AI, it is potentially in scope.
  • Classify each tool against Annex III of the EU AI Act to determine whether it is high-risk. In practice, almost any AI tool used in candidate selection will be.
  • Assess your vendor contracts for EU AI Act conformity obligations, logging requirements, instructions for use, and what happens if the vendor fails to meet their provider obligations.
  • Audit your data governance — training data, candidate personal data processing, GDPR Article 22 compliance, retention schedules, and privacy notices.
  • Design and document your human oversight process — who reviews AI outputs, with what level of authority, with what visibility into the system's reasoning, and how overrides are recorded.
  • Update candidate-facing communications to disclose the use of AI in your hiring process, as required by the transparency obligations of the Act and Articles 13 and 14 of the GDPR.
  • Train the HR staff who will act as human overseers — they need to understand what the system does, what its limitations are, and how to exercise meaningful oversight.
  • Check Works Council obligations under the Wet op de ondernemingsraden — deploying a new AI tool in HR may require consultation or consent before introduction.
  • If you are a public body, initiate a fundamental rights impact assessment now, before any high-risk AI system goes live in your recruitment process.
  • Schedule regular reviews of system performance, bias metrics and compliance posture — not just a one-time exercise but an ongoing programme.

Why HR AI compliance is also a competitive and ethical imperative

The EU AI Act HR compliance conversation tends to focus on avoiding penalties, and that is understandable — the Act allows for significant fines. But the case for responsible AI in hiring goes well beyond regulatory risk management. Employers that use hiring AI responsibly attract better candidates (word travels fast about organisations that treat applicants fairly), build more diverse teams (because unaudited AI systems tend to replicate rather than reduce historical bias), and make better hiring decisions (because human oversight combined with AI assistance outperforms either alone when both are done well).

For HR teams operating in the competitive Dutch labour market, the ability to demonstrate that your hiring process is fair, transparent and legally compliant is increasingly a differentiator — not just with candidates but with the clients, investors and partners who want to work with organisations that take responsible AI seriously. The EU AI Act is the floor, not the ceiling, of what good practice looks like.

If you have already begun exploring AI tools for your hiring process — or if you are just starting to — Crux Digits can help you navigate the EU AI Act landscape without getting lost in regulatory jargon. Our AI implementation work covers audit, design, build and ongoing governance. Our data engineering practice ensures the data foundations are sound. And our machine learning expertise means we can assess whether the models inside your tools are actually doing what the vendor claims.

You can see how this translates in practice in our case studies. Our pricing page gives a clear view of how engagements are structured — no retainers, no surprises. When you are ready to talk through your specific situation, get in touch for a free conversation. We will give you an honest assessment of where you stand and what you need to do — without trying to sell you more than you need.

Frequently asked questions

Does the EU AI Act classify recruitment AI as high-risk and what does that mean for employers?

Yes. Annex III of the EU AI Act explicitly lists AI systems used for employment, worker management and access to self-employment — including candidate screening, ranking and shortlisting — as high-risk. For employers as deployers, this means specific obligations apply: meaningful human oversight, transparency to candidates, data governance, logging, risk management, and in some cases a fundamental rights impact assessment. These obligations take effect for most high-risk systems from August 2026. This article is general information; consult a legal adviser for advice specific to your organisation.

What human oversight does the EU AI Act require for hiring AI?

The Act requires that a competent, trained person can effectively monitor the AI system, understand its capabilities and limitations, intervene when needed, and override or disregard its outputs when appropriate. In practice, this means no AI system can be the sole decision-maker in candidate selection. A recruiter must be genuinely involved — with visibility into the reasoning behind scores and the authority to act differently from the algorithm's recommendation. Simply accepting a ranked list without meaningful review does not satisfy the requirement.

When do EU AI Act obligations for recruitment tools apply in the Netherlands?

The EU AI Act entered into force on 1 August 2024. The core high-risk AI obligations — including those covering recruitment and hiring AI — apply from 2 August 2026. The Act applies directly in the Netherlands without needing separate transposition into Dutch law. National enforcement authorities, including the Autoriteit Persoonsgegevens, will oversee compliance. Starting preparation now is strongly advisable given the scope of documentation, governance and vendor assessment required.

Does using a compliant third-party recruitment AI vendor remove the employer's EU AI Act obligations?

No. The EU AI Act distinguishes between providers (those who build and market AI systems) and deployers (organisations that use them in their own processes). Most employers are deployers. Deployers carry their own obligations under the Act — separate from those of the provider. Choosing a compliant vendor reduces certain risks and shifts some responsibilities, but it does not eliminate the deployer's own duties around human oversight, candidate transparency, logging, data governance and risk management.

How can Crux Digits help Dutch employers with EU AI Act compliance for hiring AI?

Crux Digits helps Dutch employers assess and document hiring AI for EU AI Act compliance through a structured process: inventorying tools in use, classifying them against the Act's Annex III, auditing data governance and vendor contracts, designing human oversight frameworks, and building or configuring systems with explainability and logging built in. Our approach is vendor-neutral — we recommend the right combination of tools for your context rather than a proprietary platform. See our case studies or pricing page for more, or get in touch for a free consultation.
