EU AI Act compliance for HR SaaS founders

HR SaaS hits the EU AI Act hard. CV screening, performance evaluation, employee monitoring, shift allocation, and workforce management are all listed in Annex III of Regulation 2024/1689 as high-risk AI systems. The Chapter III obligations apply to your product from 2 August 2026: technical documentation, data governance, logging, human oversight, accuracy reporting, and post-market monitoring. The penalty ceiling is €15M or 3% of global turnover. If your enterprise customers are EU-based, procurement will start asking for an AI Act attestation now, not in August.

Is your product high-risk under Annex III?

Annex III point 4 of the EU AI Act covers AI used in employment, workers management, and access to self-employment. The specific use cases that hit HR SaaS:

  • AI for recruitment and selection: CV screening, candidate ranking, video interview analysis, sourcing tools
  • AI for performance and promotion decisions: review scoring, promotion recommendations, succession planning
  • AI for task allocation: shift assignment, route optimisation, work distribution
  • AI for monitoring and evaluation: keystroke logging, screenshot capture, sentiment analysis on internal communications
  • AI for termination decisions or workforce restructuring inputs

If your product covers any of these and ships to EU employers, you are operating a high-risk AI system under Chapter III. The obligations stack: conformity assessment (Article 43), CE marking, technical documentation (Article 11), data governance (Article 10), human oversight (Article 14), accuracy and robustness (Article 15), post-market monitoring (Article 72), and incident reporting (Article 73).

Article 50 transparency obligations

Article 50 transparency rules layer on top of the high-risk obligations. For HR SaaS specifically:

Article 50(1): every candidate or employee interacting with your AI must be told they are interacting with AI, unless context makes it obvious. CV screening UIs do not make this obvious. You owe a disclosure.

Article 50(3): if you classify candidates or employees by emotion, sentiment, personality traits, or other inferred categories, you must disclose this to the affected person.

Article 50(4): if you generate synthetic content (AI-generated interview questions, AI-generated performance reviews, AI-generated coaching messages), the output must be marked as AI-generated in a machine-readable way.

The transparency disclosures belong in both the employer-facing admin UI and the employee or candidate-facing interface.

Self-audit checklist before 2 August 2026

Run these seven checks before 2 August 2026:

  1. List every AI feature in your product: resume parser, candidate ranker, interview scorer, monitoring tools, recommendation features, automated decisioning.
  2. Identify which features touch Annex III point 4. Most HR SaaS features will.
  3. For each high-risk feature, document the training data, model provider, fine-tuning approach, accuracy metrics, and known biases.
  4. Build a conformity assessment file per Article 43. Self-assessment is permitted for HR systems, so you do not need a notified body, but you must keep the file.
  5. Implement human oversight controls. The customer HR manager must be able to override every AI decision, and your UI must visibly support that override.
  6. Update your privacy notice and customer-facing documentation with the Article 50 disclosures.
  7. Set up the incident reporting workflow per Article 73. Material incidents must be reported to the relevant national authority within 15 days.

Penalties and enforcement

Penalty ceilings under Article 99:

  • Operating a high-risk system without conformity assessment: €15M or 3% of global turnover, whichever is higher
  • Article 50 disclosure failures: €15M or 3%
  • Supplying incorrect or misleading information to authorities: €7.5M or 1%

Worked example: a 50-person HR SaaS with €5M ARR faces a theoretical maximum penalty of around €150,000 per separate violation at current revenue. National regulators apply proportionality rules for SMEs, scaling this down 50 to 80 percent in practice. The bigger cost is procurement: most EU enterprise buyers now require an AI Act attestation before signing any contract above €50,000 per year.

Last updated: 2026-05-28