Is Your HR Team Ready for the EU AI Act Updates?

The EU AI Act isn't new, but the part that hits HR hardest is about to take effect. 

Most departments aren't ready for what that means. A recent survey of more than 400 European HR executives, business leaders and in-house lawyers found just 18% say they’re very prepared for the changes, while 20% admit they're not prepared at all. 

The rest sit somewhere in the murky middle of ‘somewhat ready.’

Maybe you have a basic AI policy written months ago and never tweaked again. Or smart workflows, hiring tools, performance scoring and AI scheduling that are still running exactly as they were before anyone read the words Annex III.

There's no such thing as mostly compliant. Either your systems can survive a regulator's questions, or they can't. And that means ‘somewhat ready’ isn't ready at all.

The AI Act explained

This is the EU's attempt to govern AI, the same way that GDPR governs data. It’s a broad, risk-based framework for companies operating in or affecting people in the EU, regardless of where the business is headquartered. 

It came into effect in August 2024, with obligations rolled out in phases. Different obligations have different start dates. The Act also sorts AI systems into four risk tiers:

  • Unacceptable risk (banned outright)

  • High-risk (heavily regulated but allowed)

  • Limited risk (just needs transparency, like disclosing ‘this is a chatbot’)

  • Minimal risk (no special rules)

HR and the high-risk tier

The main implications for HR land in the high-risk category, specifically the section known as Annex III.

New rules are being introduced for AI tools used in recruitment and candidate screening, performance evaluation, task allocation and monitoring of workers, as well as decisions on promotion or termination. That's a wide net, which includes common workplace tools like CV ranking, performance scoring, AI scheduling and other similar systems many companies already use. 

The high-risk status doesn't mean an outright ban on these tools. But it does mean any organisation using them has to meet a set of obligations around risk management, bias testing on the data feeding the system, technical documentation and audit logs. 

And ‘we thought our provider had that covered’ isn't a viable defence. Accountability for high-risk systems sits with the deployer using the tool, not just the provider who built it. 

A tested exactly this question, after the company argued it shouldn't be liable for hiring decisions made by employers using its screening software. The court disagreed and let the case proceed, indicating the company that builds the tool and the company that uses it can both end up on the hook.

Non-compliance with high-risk obligations carries fines of up to €15 million or 3% of global annual turnover, whichever is higher. Using a prohibited practice (such as the workplace emotion-recognition ban, already in force – more on that below) carries fines up to €35 million or 7%.

What's already in effect vs. what's coming

This is the part that trips people up. A few things are already law: 

  • The ban on prohibited practices, including AI that infers emotions in the workplace, took effect in February 2025

  • Rules for general-purpose AI model providers took effect in August 2025

However, the high-risk obligations described above haven’t kicked in yet, which is the part that actually governs most everyday HR tools. 

The deadline for compliance was originally set for 2 August 2026. But in May 2026, EU lawmakers reached political agreement to push that deadline back to December 2027. It isn't formally law yet, so companies are technically still working against the original date until that changes.

4 steps to stay compliant

#1: Build the inventory. Track every tool that touches a hiring, performance, monitoring, or termination decision. Not just the obvious ones like your ATS – the AI embedded inside scheduling software, survey platforms and any other HR tech. If you don't know what's running, you don't know what's high-risk. And not knowing can get you in trouble quickly.

#2: Push your vendors. Ask who built the AI, what they've tested it on and what they'll actually put in writing. If they go quiet or vague, that's your answer. A vendor that can't document their own system's compliance has just handed you the liability, whether you took it knowingly or not.

#3: Make oversight real. Human review means someone who can actually override a recommendation, not a sign-off ticked in ten seconds because the system said so. Your audit trails should exist before a regulator asks, not because one did. And check whether you need a Fundamental Rights Impact Assessment, because a general risk policy often won't cover it.

#4: Loop in the right people. Bring your HR, Legal, IT and Compliance teams into one governance stream, so you don’t end up with four departments quietly assuming someone else owns it. And tell employees when AI is involved in decisions that affect them. Unlike the high-risk deadline, this transparency rule isn't being pushed back, so it's still due on the original date of 2 August 2026.

Ready when it counts

None of this requires HR to become a compliance department. It requires the same thing good HR has always needed: visibility into what's actually happening, not what's supposed to be happening.

'Somewhat ready' always feels fine, right up until a regulator or employee asks for proof. The teams treating this as infrastructure to build, rather than a policy to file, are the ones who won't be scrambling when someone starts asking difficult questions.

Disclaimer

Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for tax, legal, or accounting advice. You should consult your own tax, legal, and accounting advisors before engaging in any related activities or transactions.


Author

Sinead Reilly

Sr GTM Manager, EMEA
