EU AI Act compliance for recruitment-tech founders
Recruitment-tech falls directly under Annex III point 4 of the EU AI Act as a high-risk AI system: every AI feature involved in sourcing, screening, ranking, assessing, or selecting candidates is in scope. The Chapter III obligations apply from 2 August 2026: conformity assessment, training data governance, bias testing, human oversight, accuracy reporting, and post-market monitoring. The penalty ceiling is €15M or 3% of global turnover. Enterprise customers, especially in regulated sectors, now require an AI Act attestation in vendor risk reviews before any recruitment-tech roll-out.
Is your product high-risk under Annex III?
Annex III point 4 explicitly covers AI used in employment, workers management, and access to self-employment. For recruitment-tech, the in-scope use cases are:
- AI for placing targeted job advertisements (passive sourcing)
- AI for filtering, ranking, or analysing job applications
- AI for evaluating candidates in interviews (video, voice, written assessments)
- AI for assigning, allocating, or routing candidates between hiring teams
- AI for monitoring candidate behaviour during assessments (proctoring)
- AI for predicting hire success, retention, or culture fit
If your product covers any of these and ships to EU employers, you are operating a high-risk AI system. Chapter III applies in full.
Article 50 transparency obligations
Article 50 layers on top of the high-risk obligations:
Article 50(1): every candidate interacting with your AI must be told they are interacting with AI. Sourcing emails written by your AI must disclose AI origin to the recipient. Chatbot-driven candidate intake must include a clear AI disclosure on first interaction.
Article 50(3): if you classify candidates by personality, traits, or sentiment (common in video-interview analysis), explicit disclosure to the candidate is required before they participate in the assessment.
Article 50(4): AI-generated interview questions, AI-generated candidate communications, and AI-summarised candidate feedback must be marked as AI-generated.
The GDPR Article 22 overlap is sharp in recruitment: candidates retain the right to human review of automated rejection decisions, and your UI must surface that right within the candidate-facing flow.
Self-audit checklist before 2 August 2026
Seven checks before 2 August 2026:
- List every AI feature touching the candidate journey: sourcing, CV parsing, ranking, video analysis, voice analysis, assessment scoring, chatbot, scheduling, communication generation.
- Tag each feature with its Annex III point 4 sub-category and the relevant Article 50 sub-rule.
- Build the Article 43 conformity assessment file. Document training data, particularly demographic representation; bias testing across protected characteristics is required under Article 10.
- Implement human-recruiter override controls for every candidate decision. Document the override workflow and the rejection-justification audit trail.
- Add Article 50 disclosures to candidate-facing surfaces. Update employer-facing documentation explaining the disclosure approach.
- Build GDPR Article 22 human-review surfacing into candidate-rejection communications.
- Set up the incident reporting workflow per Article 73. Material incidents (discriminatory outcomes, repeated false rejections, accessibility failures) go to your national regulator within 15 days.
Penalties and enforcement
Penalty ceilings under Article 99:
- Operating a high-risk recruitment system without conformity assessment: €15M or 3% of global turnover
- Article 50 failures: €15M or 3%
- Article 10 data governance / bias-testing failures: €15M or 3%
Worked example: a recruitment-tech SaaS with €4M ARR and 40 staff faces a theoretical maximum of €120,000 per violation. National regulators apply SME proportionality. The bigger cost is enterprise customer loss: Workday, Greenhouse, Lever, and Ashby ecosystem partners are tightening Article 50 attestation requirements for any integration touching candidate decisioning. Discrimination claims under EU Directive 2000/78 stack separately and have historically reached €1M to €5M for systemic violations.
Last updated: 2026-05-28