EU AI Act: What Recruiting Agencies Must Know

If you are using AI to screen CVs, score candidates, or automate any part of your hiring workflow, the EU AI Act directly affects your agency — and the compliance clock is already ticking. Most recruiting agency owners I speak to have heard of the regulation but have no clear picture of what it actually requires them to do. That gap is a liability. Here is a plain-language breakdown of what matters for your business right now.

Why the EU AI Act Puts Recruiting Under a Spotlight

The EU AI Act, which entered into force in August 2024 with phased application dates running through 2027, is the world's first comprehensive legal framework for artificial intelligence. Its central mechanism is a risk-based classification system: the higher the potential harm to individuals, the stricter the rules.

Recruiting and HR applications are explicitly listed as high-risk AI systems under Annex III of the Act. The exact wording covers "AI systems used in employment, workers management and access to self-employment" — specifically:

• Recruitment and selection of natural persons (CV screening, candidate ranking, shortlisting)
• Making decisions about promotion, termination, and task allocation
• Monitoring and evaluating employee performance

This is not a grey area. If you deploy an AI tool that touches any of these functions for roles within the EU, you are operating a high-risk AI system under the Act's definition — regardless of whether you built the tool yourself or purchased it from a vendor.

What High-Risk Classification Actually Requires

Being classified as high-risk does not mean you cannot use AI in your recruiting workflow. It means you must use it responsibly and document that you have done so. The obligations fall into several categories:

1. Risk Management System

You need a documented, ongoing process for identifying, analysing, and mitigating risks associated with your AI systems throughout their lifecycle. This is not a one-time form — it is a living process that must be updated as the system or its context changes.

2. Data Governance

Training data, validation data, and operational data used by your AI systems must meet quality standards. You need to be able to demonstrate that your data is relevant, representative, and free from errors that could lead to discriminatory outcomes. For DACH agencies, this intersects heavily with existing GDPR obligations.

3. Technical Documentation

Comprehensive documentation must be drawn up before deploying a high-risk system. This includes the system's purpose, the logic it applies, its capabilities and limitations, and the data it was trained on. If you are using an off-the-shelf vendor tool, you have a right to request this documentation from the provider.

4. Transparency and Informed Consent

Candidates must be informed that AI is being used to process their applications and make decisions about them. They cannot meaningfully consent to something they do not know is happening. This obligation aligns with existing GDPR transparency requirements but goes further by specifying the AI dimension explicitly.

5. Human Oversight

High-risk AI systems must be designed and operated so that a human can understand, monitor, and — where necessary — override the system's outputs. You cannot simply let an AI tool make final hiring decisions without a qualified person reviewing them. Automated rejection of candidates without human review is exactly the scenario the Act is designed to prevent.

6. Accuracy, Robustness, and Cybersecurity

Systems must perform consistently and accurately across different user groups. You are responsible for validating that your AI does not produce significantly different outcomes based on protected characteristics such as gender, ethnicity, or age.

The Practical Reality for a Boutique Recruiting Agency

Here is where it gets concrete. Consider a tech recruitment agency with eight consultants — similar to a client I worked with recently. They were using an AI tool to score incoming CVs against job descriptions and automatically move lower-ranked profiles to an archived folder that their team rarely reviewed. No candidate was informed. No human reviewed the scoring logic. No documentation existed.

Under the EU AI Act, this setup has at least three compliance failures:

1. Candidates were not told AI was assessing them — transparency obligation breached.
2. No meaningful human oversight — profiles were effectively being rejected by the algorithm without a consultant's review.
3. No risk management or technical documentation — the agency had no record of how the tool worked or how its accuracy had been validated.

The solution was not to stop using AI. It was to restructure how AI was used: the scoring tool now produces a ranked list that every consultant reviews before any profile is archived. A short disclosure was added to the application flow. The vendor was asked to supply technical documentation. The fix took less than a week to implement.

At AI Experts, this is the kind of workflow restructure we build as standard — automation that is not just fast, but defensible.

Key Dates and Enforcement Timeline

The Act's application is phased. Here is what matters for recruiting agencies specifically:

• February 2025: Prohibited AI practices banned (e.g., social scoring, subliminal manipulation). Does not directly affect standard recruiting tools.
• August 2025: Obligations for general-purpose AI model providers began applying. If you use ChatGPT, Claude, or similar models in your workflow via API, your vendor's compliance obligations have already started.
• August 2026: High-risk AI system requirements come into force. This is the deadline that matters for recruiting agencies. CV screening, candidate ranking, and automated selection tools must be compliant by this date.
• August 2027: Obligations extend to certain AI systems already in use before the Act came into force (legacy systems).

August 2026 is 16 months away. That sounds comfortable until you consider that building documentation, validating your tools, updating candidate-facing communications, and potentially restructuring automated workflows takes time — especially if you are also running a business.

Four Steps to Start Getting Compliant Now

You do not need a legal team or a compliance department to start. You need clarity on what you are running and a plan to document it.

1. Audit every AI tool touching your recruitment workflow. List each tool, what it does, and at what stage of the process it operates. Include anything that scores, ranks, filters, or generates content about candidates.
2. Request technical documentation from your vendors. Under the Act, providers of high-risk AI systems have an obligation to supply documentation. If a vendor cannot provide it, that is a significant red flag — and potentially their legal problem, not yours, provided you document that you asked.
3. Add a transparency notice to your application flow. A single sentence — "We use AI-assisted tools to support our initial review process" — is a starting point. Your privacy policy should be updated to reflect this as well.
4. Implement a human review checkpoint before any rejection. No AI system should be the final decision-maker. Build in a step where a consultant reviews the AI's output before any candidate is effectively removed from consideration.

The Bigger Picture: Compliance as Competitive Advantage

The agencies that will be best positioned in 2026 are not the ones scrambling to comply at the last minute — they are the ones who built their AI workflows with these standards in mind from the start. Candidates are increasingly aware of how their data is used. Clients — particularly larger corporate clients placing roles through boutique agencies — are beginning to ask about AI governance as part of their vendor due diligence.

Getting your AI compliance right is not just about avoiding a fine. It is about demonstrating that your agency operates at a professional standard, that you understand the technology you deploy, and that your processes can be trusted with sensitive data. That is a differentiator in a market where AI adoption is rapid but governance is still rare.