25 Jun
AI Act for HR: What You Need to Do Before 2 August 2026
Key Takeaways
- From 2 August 2026, recruitment AI systems are classified as high-risk AI and subject to the full obligations of the AI Act (Regulation EU 2024/1689).
- Compliance responsibility rests with the organisation deploying the software, not its vendor.
- Closed source code makes it structurally impossible to meet the algorithm auditability requirement mandated by the AI Act.
- MintHCM as an open source HCM meets AI Act requirements structurally, without additional compliance tooling.
- The Digital Omnibus proposal (European Commission, May 2026, not yet formally adopted) may shift the Annex III deadline to 2 December 2027. Preparing now is the right move regardless of the exact enforcement date.
The AI Act (Regulation EU 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence. For HR departments, it carries one specific and unavoidable obligation: any software that evaluates candidates, ranks CVs, or makes employment decisions is classified as a high-risk AI system. The obligations that follow become enforceable on 2 August 2026, and the responsibility for compliance falls on the organisation using the system, not the organisation that built it.
Does the AI Act apply to your HR system?
The AI Act applies to every organisation that uses software to evaluate candidates, filter CVs, monitor employees, or make employment decisions affecting people in the EU. It does not matter whether the system was built in-house or purchased from an external vendor. It does not matter whether the company is headquartered in Europe or outside it. If an AI decision concerns a person in the EU, the rules apply.
Annex III of the AI Act, point 4, explicitly lists HR systems as high-risk. The definition is broad and covers:
- AI used for the recruitment or selection of people, including tools for analysing and filtering CVs and evaluating candidates (Annex III, point 4a, Regulation EU 2024/1689).
- AI used to make decisions affecting terms of employment, promotion, termination, and task allocation (Annex III, point 4b).
- AI used to monitor or evaluate employee performance and behaviour.
The key test: does the AI rank, filter, evaluate, or recommend anything about a specific person’s employment? If yes, you are dealing with a high-risk system and the compliance obligations are yours, even if the software comes from an external provider.
When do the different AI Act provisions come into force?
The AI Act entered into force on 1 August 2024, but its obligations do not all apply at once. They are introduced in phases, giving organisations time to prepare. Below is the timeline of key dates (source: European Commission, digital-strategy.ec.europa.eu, 2024):
| Date | What comes into effect |
|---|---|
| 1 August 2024 | AI Act enters into force (Regulation EU 2024/1689) |
| 2 February 2025 | Prohibition of unacceptable AI practices, AI literacy obligations |
| 2 August 2025 | Rules for General Purpose AI (GPAI) models |
| 2 August 2026 | Obligations for high-risk AI systems (Annex III) and transparency rules (Art. 50) |
| 2 December 2027* | Possible new Annex III deadline per Digital Omnibus proposal (May 2026, not yet formally adopted) |
Note on Digital Omnibus: the European Commission proposed on 7 May 2026 to shift the Annex III obligations from 2 August 2026 to 2 December 2027. As of the publication date of this article, the proposal has not been formally adopted by the European Parliament and the Council of the EU. Organisations should plan for compliance regardless of the exact date the obligation takes effect.
What obligations does the AI Act place on HR departments?
Obligations apply to both software providers (those who build AI systems) and deployers (organisations that use them). For HR, the deployer role is the critical one: you are responsible for ensuring the system operates lawfully, even if you did not build it. The key deployer obligations under Chapter III of the AI Act are summarised below:
| Obligation (AI Act Article) | What it means for your HR team |
|---|---|
| Human oversight (Art. 14) | Every AI-assisted recruitment decision must be overridable by a human |
| Transparency to candidates (Art. 26) | Candidates must be informed that AI was involved in evaluating their application |
| Right to explanation (Art. 86) | Candidates can request an explanation of why the AI rejected or advanced their application |
| Logs for min. 6 months (Art. 26) | AI system actions must be recorded and archived for at least six months |
| Technical documentation (Annex IV) | 12 documents confirming system operation, available to auditors on request |
| EU AI Database registration (Art. 49) | The deployer must register the system in the EU AI database before use |
A conformity assessment is required before deploying the system. For most HR systems, this is an internal assessment, documented and available to supervisory authorities. For some categories, third-party assessment may be required.
Why does compliance responsibility sit with the company, not the vendor?
This is one of the most frequently overlooked aspects of the AI Act. Article 26 of the regulation explicitly states that a deployer bears independent compliance obligations that cannot be contractually transferred to the software provider. A vendor may declare that their system is AI Act compliant. But if your organisation cannot demonstrate to a regulator how the system works, who oversees it, and how logs are stored, the vendor’s declaration is not sufficient.
Penalties for AI Act violations reach up to EUR 15 million or 3% of global annual turnover, whichever is higher (Art. 99, Regulation EU 2024/1689). Additionally, the supervisory authority may order the system to be withdrawn from use.
In practice, this means: before deploying any AI tool in your recruitment process, you must verify that you can independently fulfil all deployer obligations. Asking the vendor is not enough. You need your own documentation, your own logs, and your own human oversight procedure.
Why do closed-source HR systems make AI Act compliance harder?
The AI Act requires algorithm auditability. A regulator or a candidate can ask: how exactly did the system reach this decision? For an internal auditor or a supervisory authority, the answer must be concrete and verifiable.
With closed-source software, the answer is: we cannot show you the code because it is proprietary. That is not an acceptable answer under the AI Act. Compliance is your responsibility, but the tools needed to prove compliance are in the vendor’s hands.
This applies to systems such as SAP SuccessFactors, Workday, Oracle HCM, and other closed recruitment platforms. None of these vendors offers a built-in MCP server or full client control over system logic. Workday and BambooHR have MCP integrations built by third-party companies (Composio, StackOne), but these are not maintained by the vendors themselves and are not embedded in the product core.
How does open source HCM help meet AI Act requirements?
An open source HCM such as MintHCM gives an organisation full access to the system’s source code. This is not a marketing argument. It is a structural property that directly translates into meeting AI Act obligations.
| AI Act Requirement | How MintHCM meets it |
|---|---|
| Algorithm auditability | Full access to source code on GitHub; all decision logic is open and inspectable |
| Human oversight | Human-in-the-loop mechanism: every significant AI action requires user confirmation before execution |
| Action logging | MCP logs every agent action; history is traceable and verifiable by auditors |
| Data control | Self-hosting, full ownership of candidate data, EU-based hosting option (GDPR + AI Act compliant) |
| No vendor lock-in | LLM model (Claude, GPT, Gemini) can be selected and replaced without dependency on a single provider |
| System modifiability | If regulations change, you can modify the system yourself without waiting for a vendor patch |
MintHCM is the only open source HCM with MCP built into the product as part of its core, not as an external plugin or third-party service.
For organisations hosting MintHCM on their own servers or in EU-based cloud infrastructure, candidate data never leaves a controlled environment. This simultaneously satisfies the data control requirements of both GDPR and the AI Act.
What should you do before 2 August 2026?
Regardless of the final enforcement date for Annex III obligations, preparing now is smarter than waiting. Here are the concrete steps that HR, IT, and Legal should complete together:
- Conduct an AI inventory of your HR technology stack. Identify every tool that ranks, filters, or evaluates candidates or employees.
- For each tool, determine whether it falls under the Annex III definition. If uncertain, a documented analysis is better than no documentation at all.
- Ask your vendor for technical documentation, bias testing results, and system logs. If they cannot provide these, the compliance gap is on your side.
- Design a human oversight procedure for every AI system used in recruitment. A human must have a real, documented ability to override AI decisions.
- Prepare templates for informing candidates about AI involvement in the recruitment process.
- Implement log archiving for a minimum of six months.
Frequently Asked Questions
Does the AI Act apply to small companies?
Yes. The AI Act applies to every organisation deploying high-risk AI systems, regardless of size. Small and medium-sized enterprises may benefit from simplified conformity assessment procedures, but the compliance obligation remains.
Is a recruitment chatbot a high-risk AI system?
It depends on the chatbot’s function. If the chatbot only answers candidate questions and does not evaluate, rank, or filter applications, it is not high-risk. If the chatbot scores candidates or collects data that influences their selection, a high-risk classification is highly likely.
Is MintHCM itself a high-risk AI system?
MintHCM as an HCM system stores and processes HR data. High-risk classification applies to specific AI use cases, not to the entire system. Using Claude or another LLM via MCP to evaluate candidates is a use case that triggers the compliance procedure. Using Claude to generate a job posting based on system data does not.
What are the penalties for non-compliance with the AI Act?
Financial penalties reach EUR 15 million or 3% of global annual turnover. More significant operationally: a supervisory authority can order the AI system to be shut down in the middle of an active recruitment process. This is a real business risk, not just a financial one.
Do GDPR and the AI Act overlap?
Yes. Candidate data is processed under both GDPR and the AI Act. AI systems in recruitment often process special category data (health status, disability). A Data Protection Impact Assessment (DPIA) under Art. 35 GDPR is required and can complement the AI Act documentation.
Has the Digital Omnibus delayed the AI Act deadline?
The European Commission proposed on 7 May 2026 to shift the high-risk Annex III obligations from 2 August 2026 to 2 December 2027. As of the publication date of this article, the proposal has not been formally adopted by the European Parliament and the Council of the EU. The date 2 August 2026 remains an active compliance deadline for the transparency obligations under Art. 50.
Where can I find the official AI Act text?
The full text of Regulation EU 2024/1689 is available on EUR-Lex (eur-lex.europa.eu). The European Commission’s AI Act Service Desk (ai-act-service-desk.ec.europa.eu) offers a navigable article-by-article overview.
Sources
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (AI Act). Official Journal of the EU, 12 August 2024.
- European Commission, Digital Strategy: AI Act implementation timeline. June 2026.
- AI Act Service Desk, Annex III: High-Risk AI Systems.
- Knowlee, AI Act Annex III HR & Employment: High-Risk AI Compliance Guide for 2026. April 2026.