EU AI Act Compliance

EU AI Act for HR Managers: The 2026 Compliance Guide

If your company uses AI in recruitment, performance reviews, or workforce planning, Article 26 makes you the accountable party. Here is exactly what HR teams must do before the August 2026 deadline.

· 6 min read · By

EU-law graduate (Maastricht University) · MSc International Tax Law (AI & technology). Builds AI systems and advises SMEs on EU AI Act compliance.

You Are the Deployer — and That Changes Everything

The term eu ai act for hr managers is not just a search query. It describes a legal reality that took effect in August 2024 and becomes fully enforceable for high-risk AI systems on 2 August 2026. If your organisation uses AI to screen CVs, rank candidates, score employee performance, or allocate shifts, you are a deployer under the EU AI Act. That word carries specific, enforceable obligations under Article 26.

This is not about your AI vendor's compliance. It is about yours.

What Counts as High-Risk in HR?

Annex III of the EU AI Act lists the categories of AI systems that are automatically classified as high-risk. Annex III, point 4 covers employment, workers management, and access to self-employment. The list is specific:

  • AI used for recruitment or selection of natural persons, notably to advertise vacancies, screen or filter applications, and evaluate candidates
  • AI used to make decisions affecting terms of work relationships, including promotion, termination, and task allocation
  • AI used to monitor and evaluate performance and behaviour of persons in employment

If your HR stack includes any of these tools, whether it is an ATS with automated ranking, a performance management platform with predictive scoring, or a scheduling tool with algorithmic allocation, you are operating a high-risk AI system. The clock is ticking.

Your Six Obligations Under Article 26

Article 26 sets out what deployers of high-risk AI must do. Here is each obligation translated into plain HR language:

1. Use the system according to the provider's instructions. Your vendor supplies a user manual or technical documentation. Read it. Keep it on file. Do not use the tool in ways it was not designed for.

2. Assign human oversight. You cannot let the AI make the final call on hiring or dismissal. A named, qualified person must review AI-generated outputs before any decision is made. Document who that person is and what their review process looks like.

3. Monitor for unexpected risks. Once the system is live, you must monitor it. If the tool starts producing outputs that seem biased, inaccurate, or inconsistent with its intended purpose, you must report that to your provider and log the incident.

4. Maintain logs. Many high-risk AI systems generate automatic logs. Article 26(5) requires you to keep those logs for at least six months, or longer where required by other applicable law such as the AVG (GDPR).

5. Inform employees that AI is being used. Article 26(6) requires that workers subject to AI-assisted decisions are informed of this fact. This means updating employment contracts, works council consultations, and privacy notices.

6. Suspend use if the system poses risks. If you identify a serious risk, you must stop using the tool and notify the relevant national authority. In the Netherlands that is the Autoriteit Persoonsgegevens; in Belgium it is the APD/GBA.

Bias Testing: Not Optional, Not Vague

One of the most misunderstood obligations in Article 26 is the requirement to monitor for bias. The AI Act does not describe this as a vague aspiration. It requires you to ensure that the AI system performs as intended and does not produce discriminatory outcomes.

In practice this means running regular disparity analyses across protected characteristics: gender, age, ethnicity, disability status. You do not need a data science team to do this. You need structured output logging and a quarterly review process.

A basic bias-testing workflow looks like this:

  1. Export decision outputs from the AI tool (shortlists, scores, rankings) for a defined period, at least quarterly.
  2. Tag outputs against available demographic data where lawfully held, or proxy indicators where not.
  3. Calculate pass rates, selection rates, or score distributions across groups.
  4. Flag any disparity of more than 4 percentage points for review. This threshold is not in the Act itself but aligns with EEOC four-fifths rule practice used widely in employment discrimination analysis.
  5. Document findings, actions taken, and sign-off by the responsible HR lead.

Keep these records. The national market surveillance authority can request them.

A Clarification on the FRIA: HR Is Out of Scope

You may have read about the Fundamental Rights Impact Assessment (FRIA) required under Article 27. There is confusion in the market about who must complete one.

The FRIA under Article 27 applies only to deployers who are bodies governed by public law, or private operators providing public services such as banks and insurers in the context of credit scoring or life insurance. Private-sector HR teams at SMEs are not in scope for the Article 27 FRIA obligation.

However, this does not mean you are off the hook for rights assessments entirely. The AVG/GDPR requires a Data Protection Impact Assessment (DPIA) for high-risk processing of personal data, which AI-driven HR decisions almost certainly qualify as under Article 35 of the GDPR. Run the DPIA. It covers much of the same ground as a FRIA anyway.

Training Records: What You Actually Need

Article 4 of the EU AI Act requires that all staff who work with AI systems have sufficient AI literacy for their role. For HR teams this is concrete and achievable.

You need three things:

A training register. A simple spreadsheet listing each employee who uses an AI-assisted HR tool, the date they completed AI literacy training, and the name of the training completed. This does not need to be elaborate. It needs to exist and be current.

Role-appropriate training content. A recruiter using an AI screening tool needs different training than a CHRO approving headcount strategy. The training must cover: what the tool does, what its known limitations are, how to identify and escalate a suspicious output, and who to contact if something goes wrong.

Annual refresh cycles. AI systems change. So do the risks. Update training at least once per year or whenever the vendor issues a significant update to the system.

If you are starting from scratch, ask your vendor for their technical documentation and user guidelines. That material forms the backbone of any role-specific training programme.

The Timeline You Cannot Ignore

The EU AI Act entered into force on 1 August 2024. The prohibition on unacceptable-risk AI systems (Article 5) applied from 2 February 2025. High-risk AI systems under Annex III, which includes HR applications, must be fully compliant by 2 August 2026.

That is less than 14 months from now. For most SMEs with 20 to 200 employees, the practical steps are:

  • Q3 2025: Complete an AI tool inventory. List every tool that touches an employment decision.
  • Q4 2025: Run a DPIA for each high-risk tool. Update employment contracts and privacy notices.
  • Q1 2026: Establish human oversight roles, logging procedures, and incident reporting channels.
  • Q2 2026: Complete first bias analysis cycle. Deliver AI literacy training. File training records.
  • 2 August 2026: Full compliance required.

Penalties for non-compliance with high-risk obligations can reach €15 million or 3% of global annual turnover, whichever is higher, under Article 99 of the AI Act. For an SME with €20 million turnover, that is a €600,000 exposure.

One Action You Can Take Today

Open a spreadsheet. List every AI-assisted tool your HR team uses. For each one, note: what decisions it informs, who the vendor is, whether you have their technical documentation, and whether any employee-facing notice currently exists. That list is the foundation of your Article 26 compliance programme.

You do not need to solve everything today. You do need to know what you are working with.

Ready to move faster? Run the free 2-minute compliance check at comply.khairos.ai to see exactly where your HR AI tools stand against the 2026 deadline.

Need help getting compliant?

The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.

Start the free check →