Your hiring algorithm just became a legal problem

The EU AI Act is now entering its operational phase, and automated recruiting tools are squarely in its crosshairs. Here is what every employer and HR vendor needs to understand — and do — before the clock runs out.

What is an automated recruiting system, exactly?

If your company uses software to screen CVs, rank candidates, score applications, or filter who makes it to the next round, you are using an automated recruiting system. These tools go by many names — Applicant Tracking Systems (ATS), AI sourcing platforms, talent intelligence software — but they all share one defining feature: an algorithm makes judgments about human beings based on data.

At their most basic, these systems scan resumes for keywords and sort candidates into yes/no/maybe piles. At their most sophisticated, they assign scores based on dozens of variables — education, career trajectory, skills matches, even the language used in a cover letter — and present ranked shortlists to recruiters who may never see the profiles that did not make the cut.

For years, employers have relied on these tools to manage the sheer volume of applications that a single job posting can generate. The efficiency gains are real. So, unfortunately, are the legal risks.

An algorithm that decides who gets an interview is no longer just a productivity tool. Under EU law, it is a high-risk AI system — and it must be treated as one.

Why this matters right now

The EU AI Act has been in force since August 2024, but its requirements have been rolling out in stages. Until recently, most employers could reasonably watch and wait. That window is closing.

The law classifies AI systems by their potential for harm. Recruiting and HR tools — any system that filters, ranks, evaluates, or profiles job candidates — fall into the "high-risk" category. This classification is not based on how complex the algorithm is, but on what it does and where: an AI that makes decisions affecting people's access to employment sits alongside AI used in credit scoring, education, and law enforcement.

In May 2026, the EU reached a political agreement known as the AI Omnibus package, which adjusted the compliance deadline for high-risk HR systems from August 2026 to December 2027. This is not a reprieve — it is a runway. Achieving compliance for a high-risk AI system takes well over a year of technical and organizational work. Companies that wait until late 2027 to begin will not make it.

The compliance timeline at a glance

Aug 2026

Transparency obligations kick in

Any AI-powered chatbot or automated tool used in initial candidate contact must clearly identify itself as AI, not a human.

Dec 2026

AI-generated content must be labelled

Job descriptions, communications, and assessments produced by AI require digital watermarks or explicit disclosure.

Dec 2027

Hard deadline for high-risk HR systems

Non-compliant ATS filters and automated screening tools become illegal for use within the EU. No extensions expected.

What is already illegal today

Some practices are not in a transition period — they are prohibited outright, effective now.

Banned immediately — no transition period

  • AI tools that infer a candidate's emotions, mood, or personality from facial expressions in video interviews

  • Emotion analysis based on tone of voice in automated screening calls

  • Biometric categorisation systems that infer a candidate's race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation from biometric data

  • AI that manipulates candidates through subliminal techniques to influence their responses

If your ATS vendor offers "personality scoring" or "culture fit analysis" derived from video or voice, turn it off. Not in 2027 — now.

What must change by December 2027

For AI systems that currently operate in a legally grey zone, the December 2027 deadline sets the standard they must meet. The three pillars of compliance are human oversight, bias governance, and transparency.

Human oversight

  • No final rejection or selection by algorithm alone

  • Recruiters must be able to review and override automated outcomes

  • Override decisions must be logged

Bias & data governance

  • Continuous testing for discrimination against protected characteristics

  • Documented data governance policies

  • Regular audits of model outputs by protected group

Transparency

  • Clear notice to candidates that AI is used in screening

  • Detailed technical documentation of the system

  • Comprehensive logs of all automated decisions

What does not count as high-risk AI

Not every digital filter in your hiring process requires the full compliance treatment. The law exempts tools that perform purely preparatory or administrative tasks — provided they do not evaluate or profile candidates.

A hard knockout question — "Do you have the legal right to work in this country?" — is not AI; it is a binary form field. A simple boolean keyword search that retrieves CVs containing the words "Python" and "Berlin" is not profiling. These tools fall outside the high-risk category and are not subject to the Act's most demanding requirements.

The line is drawn at evaluation. The moment a system scores, ranks, weights, or infers anything about a candidate as a person, it crosses into high-risk territory.

The problem with non-EU vendors

Many of the most widely used ATS and recruiting AI platforms are built by US companies: Workday, Greenhouse, Lever, HireVue, and others. A common assumption is that because the software is American, EU rules do not fully apply. That assumption is wrong.

The EU AI Act follows the same territorial logic as the GDPR. What matters is not where the vendor is headquartered, but where the system is placed on the market or put into service and where its output is used. If a US-built AI system evaluates a job applicant for a role in France, Germany, or Italy, the Act applies to the vendor as provider and to the employer as deployer of the tool.

What this means in practice for non-EU vendors

  • US vendors placing AI systems on the EU market must appoint an EU representative and register high-risk systems in the EU database before the deadline

  • Employers using non-compliant foreign tools carry their own obligations as deployers, separate from the vendor's obligations as provider; "my vendor is American" is not a legal defence

  • Contracts with non-EU vendors should include explicit compliance warranties and audit rights under the AI Act

  • If a vendor cannot demonstrate conformity assessment documentation, the employer must be prepared to switch tools or suspend automated screening for EU candidates

In practice, the major US HR software companies are aware of this exposure and are working on compliance. But awareness and readiness are two different things. Before December 2027, every employer using a non-EU platform should request a written compliance roadmap from their vendor — not a sales deck, but a technical document. If the vendor cannot produce one, treat that as a red flag.

A further complication arises around data transfers. Many US platforms process candidate data on servers outside the EU. This triggers both GDPR and AI Act obligations simultaneously: the data transfer must be lawful under GDPR, and the AI processing performed on that data must comply with the Act. The two frameworks interact, and a gap in either one creates exposure.

Using a US vendor does not put you outside the EU AI Act's reach. It puts you in a position where you need to verify compliance twice — theirs and yours.

The cost of getting it wrong

€35M

Maximum fine under the Act, or 7% of global annual turnover, whichever is higher. That top tier applies to the prohibited practices listed above; breaches of the high-risk obligations carry fines of up to €15M or 3% of global annual turnover, and supplying incorrect or misleading information to authorities up to €7.5M or 1%. These are not theoretical ceilings. The enforcement architecture is already in place, and national market surveillance authorities across the EU are actively building capacity.

There is also a strategic risk that goes beyond fines. The EU AI Act includes a grandfathering provision: high-risk systems already placed on the market or put into service before the high-risk obligations apply are not caught by them until the system undergoes a significant change in design. Vendors racing to get compliant versions of their software onto the EU market now are locking in their position before that window closes. Employers who keep relying on non-compliant vendors after the deadline inherit the legal exposure.

Six concrete actions to take before you have to pull the plug

The goal is not to stop using recruiting technology. It is to use it in a way that survives legal scrutiny. Here is where to start.

1 Map every tool in your recruiting stack

List every piece of software involved in your hiring process, from job board integrations to your ATS to any scoring or ranking layer. Identify which tools touch candidate evaluation. This inventory is the foundation of everything else.

2 Classify each tool by risk level

Does the tool score, rank, filter, or profile candidates? If yes, it is high-risk and requires full compliance. If it only retrieves or organizes data without evaluating candidates, it likely falls outside the high-risk category. When in doubt, treat it as high-risk.

3 Audit your vendors' compliance roadmaps — including non-EU ones

Ask every ATS and AI vendor directly: what is your compliance plan under the EU AI Act, and by when? For US-based vendors, also ask whether they have appointed an authorised representative in the EU and on what legal basis candidate data is transferred to the US, for example the EU-US Data Privacy Framework or standard contractual clauses. Request written answers, not verbal reassurances.

4 Build human oversight into your process — now

Do not wait for software updates. Require that every automated rejection is reviewed by a recruiter before it takes effect. Document these reviews. This step alone reduces your exposure significantly and demonstrates good faith to regulators.

5 Draft your candidate-facing AI notice

Candidates have the right to know that AI is used in screening their application. Prepare a clear, plain-language notice — not buried in a privacy policy — that describes what automated processing takes place and what it affects. The August 2026 transparency deadline is your first hard target.

6 Start the bias testing now

Pull a sample of past automated screening decisions and analyze outcomes by gender, age and, where data permits, ethnicity. Compare the rate at which each group is advanced by the screen, not just the raw counts, and check whether any gap is larger than chance would explain. If your system has been rejecting protected groups at disproportionate rates, you need to know this, and fix it, before a regulator finds it for you.
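As an added example of the analysis this step describes (it is not code from the original article or from any ATS vendor), the following self-contained Python script computes the selection rate per group, the impact ratio of each group against the best-performing group, and a two-proportion z-test, over a constructed sample of 83 screening decisions. The 0.8 threshold (the "four-fifths rule") and the minimum group size of 30 are assumptions borrowed from common adverse-impact practice, not figures from the AI Act.

```python
"""Adverse-impact check over a sample of automated screening decisions.

Added example for this article; it is not code from the original page or
from any ATS vendor. It assumes a decision log with one row per candidate
carrying the protected attribute and whether the automated screen advanced
the candidate. The 0.8 "four-fifths" threshold is a common heuristic from
US employment-testing practice, not a figure in the EU AI Act: treat a
breach as a trigger for investigation, not as a legal bright line.
"""
from collections import defaultdict
from math import erfc, sqrt

MIN_GROUP_SIZE = 30      # below this, rates are too noisy to draw conclusions (assumption)
IMPACT_THRESHOLD = 0.8   # four-fifths rule (heuristic, see module docstring)


def constructed_sample():
    """Constructed decision log: (group, advanced_by_screen) per candidate.

    Women: 12 of 40 advanced (30%); men: 24 of 40 advanced (60%);
    a third group of 3 candidates is deliberately too small to assess.
    """
    rows = [("F", i < 12) for i in range(40)]
    rows += [("M", i < 24) for i in range(40)]
    rows += [("X", i < 1) for i in range(3)]
    return rows


def selection_rates(decisions):
    """Return {group: (applicants, advanced, selection_rate)}."""
    counts = defaultdict(lambda: [0, 0])
    for group, advanced in decisions:
        counts[group][0] += 1
        counts[group][1] += int(bool(advanced))
    return {g: (n, k, k / n) for g, (n, k) in counts.items()}


def two_proportion_p_value(n1, k1, n2, k2):
    """Two-sided p-value of a pooled z-test for equal selection rates."""
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:                      # everyone or no one advanced: no evidence either way
        return 1.0
    z = (p1 - p2) / se
    return erfc(abs(z) / sqrt(2))    # normal two-tailed probability of |z| or larger


def adverse_impact_report(decisions, threshold=IMPACT_THRESHOLD,
                          min_group_size=MIN_GROUP_SIZE):
    """Compare each group's selection rate against the best-performing assessable group."""
    rates = selection_rates(decisions)
    assessable = {g: v for g, v in rates.items() if v[0] >= min_group_size}
    report = {}
    if not assessable:
        return report
    reference = max(assessable, key=lambda g: assessable[g][2])
    ref_n, ref_k, ref_rate = assessable[reference]
    for group, (n, k, rate) in rates.items():
        if n < min_group_size:
            # Report the group, but do not compute a ratio nobody should rely on.
            report[group] = {"n": n, "rate": rate, "status": "insufficient_data"}
            continue
        ratio = rate / ref_rate if ref_rate > 0 else float("nan")
        p_value = two_proportion_p_value(n, k, ref_n, ref_k)
        if group == reference:
            status = "reference"
        elif ratio < threshold:
            status = "flag"          # selection rate below 80% of the reference group
        else:
            status = "ok"
        report[group] = {"n": n, "rate": rate, "impact_ratio": ratio,
                         "p_value": p_value, "status": status}
    return report


if __name__ == "__main__":
    for group, row in adverse_impact_report(constructed_sample()).items():
        print(group, row)
```

Run the check once per protected characteristic (bucket age into bands before grouping) and, where the counts allow, for intersections such as gender within an age band. A flag is not proof of discrimination; it tells you which group's outcomes to investigate and which scoring features to examine. Keep the dated report as evidence for the periodic audit the bias and data governance pillar requires.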

The bottom line

Automated recruiting tools are not going away, and they should not. Used correctly, they help organizations manage scale, reduce unconscious bias in the initial stages of review, and surface candidates who might otherwise be overlooked. The EU AI Act does not prohibit them — it regulates them.

The law asks three things: that a human remains in control of the final decision, that the system is regularly tested for discrimination, and that candidates know what is happening to their applications. These are not unreasonable demands. They are, in fact, good practice — and organizations that implement them will be better employers as a result.

The December 2027 deadline sounds distant. The compliance work required to meet it does not give you that luxury. Start the audit, talk to your vendors, and get your human oversight processes in place. The clock is already running.

This article is for informational purposes only and does not constitute legal advice. For guidance specific to your organization, you can write at info@thelegalsybil.com
