AI Act & recruitment: why it's high-risk and what you need to do
The AI Act classifies AI used for staff selection as a high-risk system. The 5 concrete obligations (human oversight, candidate notice, logs) to avoid fines.
From 2 August 2026 the AI Act’s obligations for high-risk systems placed on the market kick in. If you use AI to screen CVs or evaluate candidates, you’re inside their scope: for staff selection, the AI Act classifies such use as a high-risk system.
This isn’t the general AI Act guide (that’s in our AI Act for companies guide). Here we cover only the HR/recruitment angle, where the obligations are heaviest for an SME.
In short:
- Annex III of the AI Act classifies AI for staff selection, screening and evaluation as a high-risk system: not banned, but bound to specific obligations.
- The concrete duties for the user (the deployer) are five: effective human oversight, candidate notice, immutable logging, a documented risk assessment linked to the DPIA, and an art. 28 DPA with your provider.
- Even if you buy an ATS with built-in AI, part of the liability stays with you: the vendor is the provider, you are the deployer.
- Fines for breaching the high-risk system obligations (the tier that applies to recruitment) reach up to EUR 15 million or 3% of worldwide annual turnover.
- The compliant pattern doesn’t require giving up AI: the agent filters and ranks, the human recruiter always signs, everything is logged and candidates are informed.
Why CV screening is ‘high-risk’
The AI Act doesn’t look at the technology, it looks at the impact on people. Annex III explicitly lists among high-risk systems those used for recruitment and selection: filtering applications, evaluating candidates, decisions that significantly affect access to employment.
An agent reading 500 CVs and returning a ranked shortlist falls here. Not because it “decides” alone, but because it influences a decision affecting a person’s working life. That’s the criterion.
Watch out for the most common misconception: “but our output is reviewed by a human”. Good, that’s necessary, but on its own it doesn’t pull you out of high-risk. It reduces operational risk; it doesn’t change the classification.
The 5 concrete obligations for the deployer
1. Effective human oversight
A human rubber-stamping everything with one click isn’t enough. You need a person who can actually override the agent’s output, who understands its limits and signs the final decision. For recruitment the principle is simple: the agent can’t permanently reject a candidate on its own.
2. Candidate notice
Candidates must know an AI system is involved in the process. In Italy this also ties in with the Transparency Decree and art. 22 GDPR on automated decisions. Put it in writing in the privacy notice for your selection process.
3. Immutable logging
Every agent decision must be logged: the input received, the rules applied, the output produced, and any escalation to a human. The log must be immutable and retained. Without logs you can’t answer “why was this candidate excluded?”, and that question, sooner or later, arrives.
4. Documented risk assessment (+ DPIA)
You need a documented risk analysis, linked to the DPIA required by GDPR when processing personal data at scale. It’s not a PDF left in a drawer: it’s the document that shows a reviewer you thought about bias, errors and remedies.
5. Art. 28 DPA with your provider
If you use an external provider to build or run the agent, you need a Data Processing Agreement under art. 28 GDPR. We include it by default in every sprint, because without it we can’t even touch candidate data.
ATS bought “with AI”: whose fault is it?
A distinction many skip. The software vendor is the provider. You, using it to select candidates, are the deployer. You have your own duties: ensuring human oversight, informing candidates, keeping logs, and using the system within its declared scope.
Before signing an “AI-powered” ATS, ask in writing: what does the vendor cover on the AI Act front, and what stays with you. If the answer is vague, liability defaults onto you.
The compliant pattern we use
On recruitment projects we always treat screening as high-risk. Concretely:
- The agent filters and ranks, it doesn’t reject autonomously.
- The human recruiter always signs the shortlist.
- Immutable audit log on every decision.
- Candidate notice and DPIA as deliverables.
- EU hosting and art. 28 DPA in the contract.
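To make obligation 3 (immutable logging) and the pattern above concrete, here is an added example in Python. It is my own illustration, not code from this page, from APraise or from any ATS vendor. It shows an agent that only ranks and flags candidates for review, a sign-off gate that refuses to let the agent’s own identity make a decision final, and a hash-chained append-only log that answers “why was this candidate excluded?” and detects any later edit. The scoring rules, the candidate records, the `AGENT_ID` string and the recruiter identifier are all constructed for the demonstration; a real deployment would also push the chain to write-once storage so the in-process list itself cannot be rewritten.

```python
"""Added example (not the page's, APraise's or any ATS vendor's code): a screening
agent that only ranks, a human sign-off gate for final decisions, and an
append-only hash-chained audit log. Rules and candidate data are constructed."""
import hashlib
import json
from datetime import datetime, timezone

AGENT_ID = "screening-agent"  # hypothetical identity the agent writes into the log


class AuditLog:
    """Append-only log. Each entry carries the previous entry's hash, so editing
    or deleting any earlier entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event, **data):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                "event": event, "data": data, "prev": prev}
        body["hash"] = self._digest(body)  # hash covers everything except itself
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def explain(self, candidate_id):
        """Everything the log holds about one candidate: input, rules, output,
        escalation and the human decision."""
        return [e for e in self.entries if e["data"].get("candidate") == candidate_id]


# Constructed scoring rules (hypothetical): name -> points; names are logged as 'rules applied'.
RULES = {
    "min_experience_3y": lambda c: 2 if c["years"] >= 3 else 0,
    "required_skill_python": lambda c: 3 if "python" in c["skills"] else 0,
    "has_work_permit": lambda c: 1 if c["work_permit"] else 0,
}


def score(candidate):
    applied = {}
    for name, rule in RULES.items():
        points = rule(candidate)
        if points:
            applied[name] = points
    return sum(applied.values()), sorted(applied)


def agent_rank(log, candidates, shortlist_size):
    """The agent filters and ranks. Its output is a proposal: candidates below
    the cut are flagged for human review, never marked rejected."""
    scored = []
    for c in candidates:
        if not c["notified"]:  # candidate notice: un-notified candidates are not processed
            log.append("skipped_not_notified", candidate=c["id"], actor=AGENT_ID)
            continue
        points, applied = score(c)
        log.append("agent_scored", candidate=c["id"], actor=AGENT_ID,
                   fields={k: c[k] for k in ("years", "skills", "work_permit")},
                   rules=applied, output=points)
        scored.append((points, c["id"]))
    scored.sort(reverse=True)
    cut = {cid for _, cid in scored[:shortlist_size]}
    proposal = {cid: "proposed_shortlist" if cid in cut else "needs_human_review"
                for _, cid in scored}
    log.append("agent_proposal", actor=AGENT_ID, proposal=proposal, escalated_to="recruiter")
    return proposal


def sign_decision(log, proposal, candidate_id, decision, signer, reason):
    """Only a human signer can make a decision final; the agent's own id is refused."""
    if not signer or signer == AGENT_ID:
        raise PermissionError("final decisions require a human signer")
    if decision not in ("shortlisted", "rejected"):
        raise ValueError(f"unknown decision {decision!r}")
    return log.append("human_decision", candidate=candidate_id, actor=signer,
                      agent_proposal=proposal[candidate_id], decision=decision, reason=reason)


# Constructed candidates (not real data); c4 has not yet received the AI notice.
CANDIDATES = [
    {"id": "c1", "years": 5, "skills": ["python", "sql"], "work_permit": True, "notified": True},
    {"id": "c2", "years": 1, "skills": ["python"], "work_permit": True, "notified": True},
    {"id": "c3", "years": 4, "skills": ["java"], "work_permit": True, "notified": True},
    {"id": "c4", "years": 6, "skills": ["python"], "work_permit": True, "notified": False},
]


def run_demo():
    log = AuditLog()
    proposal = agent_rank(log, CANDIDATES, shortlist_size=2)
    # The recruiter (hypothetical id) reviews the flagged candidate and signs the decision.
    sign_decision(log, proposal, "c3", "rejected", "recruiter@example", "no Python experience")
    return log, proposal


if __name__ == "__main__":
    demo_log, demo_proposal = run_demo()
    print(demo_proposal, "chain intact:", demo_log.verify())
    for entry in demo_log.explain("c3"):
        print(entry["event"], entry["data"])
```

Running it prints the proposal (c1 and c2 proposed, c3 flagged for review, c4 never scored because no notice was given), confirms the chain verifies, and lists the two log entries that explain c3: the agent’s scoring with the rules it applied, and the recruiter’s signed rejection with its reason. Change any field of an earlier entry and `verify()` returns `False`, which is the property an auditor will ask you to demonstrate.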
It’s the same scheme with which the APraise agent handled 100k+ candidates (the equivalent of 4 extra recruiters) without ever taking the final decision alone. Volume handled by AI, decision in human hands: that’s exactly what holds efficiency and compliance together.
Want to understand where your process falls and what you’re missing? Look at our Recruitment & HR use cases or let’s talk for 20 minutes, no pitch.
When you DON’T need a custom project
Honestly: if you hire 5 people a year and read CVs by hand, you don’t need a screening agent, and so you don’t need this heavy compliance apparatus either. High-risk kicks in when AI enters the process. If volume is low, operational risk doesn’t justify either the agent or its governance overhead.
The picture changes once you are above dozens of applications per role: there AI makes the difference, and it must be done by the book.
Frequently asked questions
What people usually ask us.
Is using AI to screen CVs really 'high-risk' under the AI Act?
What obligations kick in from August 2026 for AI in recruitment?
If I buy an ATS with built-in AI, is liability the vendor's?
What fines does the AI Act provide?
Do I have to stop using AI in recruitment to stay compliant?