EU AI Act & Recruiting: The High-Risk Deadline Just Moved to December 2027 — What To Do Now

By Asad Mahmood — founder of Gaugely; builds the AI interviewer this blog writes aboutLast updated 2026-07-11

AI systems used for recruitment and candidate evaluation are “high-risk” under the EU AI Act — but the compliance deadline just moved. The Digital Omnibus, formally adopted in June 2026, pushed obligations for standalone high-risk systems from 2 August 2026 to 2 December 2027. Use the extra 16 months to prepare, not to postpone.

What changed in June 2026

The European Parliament endorsed the Digital Omnibus package on 16 June 2026 and the Council gave its final green light on 29 June 2026. For hiring teams the material change is timing: obligations for standalone high-risk AI systems — which explicitly include tools for recruitment, candidate selection and evaluation, targeted job ads, and promotion/termination decisions — now apply from 2 December 2027 (2 August 2028 for high-risk AI embedded in regulated products). The delay exists largely because the technical standards businesses need to certify against weren’t ready.

What did not change: the classification (recruiting AI remains high-risk), the substance of the obligations, and the rules already in force — the prohibited-practices list (e.g. emotion inference in the workplace) and AI-literacy duties have applied since 2025.

What high-risk actually requires (both vendor and employer)

A common and expensive misreading: “our vendor handles compliance.” The Act binds providers (vendors) and deployers (you, the employer) separately. Providers must run risk management, maintain technical documentation, test for bias, and build in human-oversight capability and logging. Deployers must use the system per its instructions, ensure human oversight actually happens, inform candidates, and keep logs. Penalties scale to €35M or 7% of global turnover for prohibited practices, and €15M or 3% for high-risk violations.

  • Risk management system and technical documentation (provider)
  • Bias testing and data-governance evidence (provider)
  • Human oversight designed in — no fully automated rejections (both)
  • Transparency: candidates told AI is used, and how (deployer, with provider support)
  • Logging and record-keeping sufficient to reconstruct any decision (both)

Your five-step checklist for the next 16 months

Teams that treat December 2027 as a cliff will repeat the GDPR scramble of 2018. The calm version:

  • 1. Inventory every AI touchpoint in hiring — sourcing rankers, CV screeners, chatbots, interview scorers, even spreadsheet plugins. If it influences who advances, it’s in scope.
  • 2. Ask each vendor for their AI Act documentation roadmap — technical docs, bias-testing evidence, oversight design. “We’ll be ready” without artifacts is a red flag.
  • 3. Enforce human-in-the-loop today — no auto-rejection anywhere in the funnel. It’s the core obligation and the cheapest to implement early.
  • 4. Fix candidate-facing transparency — disclose AI use before interviews, obtain consent, and answer “what data, kept how long?” in plain language.
  • 5. Demand logs — if a candidate or regulator asks “why was I screened out?”, you need a replayable record, not a shrug.

Where Gaugely stands

Gaugely was built to the high-risk bar before the deadline moved: a human makes every hire/no-hire decision (no automated rejection, enforced in-product), candidates get disclosure and give consent before anything is recorded, every score cites the candidate’s words, and an append-only event log covers consent through decision. The December 2027 delay doesn’t change our posture — it just gives everyone else time to reach it. Details on the trust page.

TL;DR FOR YOUR TEAM

The EU’s Digital Omnibus (adopted June 2026) pushed high-risk employment-AI obligations from August 2026 to 2 December 2027. What the rules require for AI recruiting tools, who’s liable, and the five-step preparation checklist.

See how we implement the high-risk bar

Questions people ask

Is AI recruiting software high-risk under the EU AI Act?

Yes. Annex III explicitly classifies AI used for recruitment and selection — job-ad targeting, application filtering, candidate evaluation, promotion/termination decisions — as high-risk, triggering risk-management, documentation, bias-testing, human-oversight, transparency, and logging obligations.

When do employers have to comply?

Standalone high-risk employment AI systems must comply from 2 December 2027 (moved from 2 August 2026 by the Digital Omnibus, adopted June 2026); high-risk AI embedded in regulated products follows on 2 August 2028. Prohibited-practice and AI-literacy rules apply already.

Do non-EU companies need to care?

Yes, if the AI system’s output is used in the EU — hiring EU-based candidates counts regardless of where your company or vendor sits. The Act’s reach is extraterritorial, like GDPR’s.

Does using a compliant vendor make the employer compliant?

No. Providers and deployers carry separate obligations. A compliant vendor gives you the documentation, oversight design, and logs you need — but ensuring oversight happens, informing candidates, and using the system as intended remain the employer’s legal duties.

SOURCES

KEEP READING