The Law in One Paragraph
Regulation (EU) 2024/1689 (AI Act) came into force August 2024. General-purpose AI system obligations applied from August 2025. High-risk AI system obligations are phased through August 2026 (for systems under harmonised standards) and August 2027 (for others). AI used for recruitment, selection, promotion, or termination decisions is classified as high-risk under Annex III, Point 4. If you are deploying an AI interviewer platform for EU-resident candidates, high-risk obligations apply. This is not a ban; it is a compliance framework that places obligations on both the AI vendor (provider) and the employer (deployer).
High-Risk Obligations: What You and the Vendor Must Do
Risk management system
VendorOngoing risk management system documented throughout the AI system lifecycle. Iterative review as the system is updated.
Data governance
VendorTraining and test data quality, relevance, representativeness. Documentation of data sources and bias assessment.
Technical documentation
VendorAnnex IV format. Covers system architecture, training data, design choices, performance metrics, known limitations.
Record keeping (logs)
BothAutomatic logging of events relevant to high-risk AI operation. Employer (deployer) must retain logs for at least 6 months.
Transparency to users (recruiters)
VendorClear information to the deployer (your TA team) about the system's capabilities, limitations, and appropriate use.
Human oversight
BothHumans must be able to intervene, override, or halt the AI system. The employer must implement oversight procedures.
Conformity assessment
VendorPer Annex VI (internal) or Annex VII (third-party) depending on the system. Vendor responsibility.
EU declaration of conformity + CE marking
VendorVendor must declare conformity with the AI Act requirements and affix CE marking before placing the system on the EU market.
EU database registration
VendorHigh-risk AI systems must be registered in the EU database of high-risk AI systems before deployment.
Fundamental rights impact assessment
Deployer (in some cases)Public-sector bodies and certain private deployers must conduct an impact assessment on fundamental rights before deploying a high-risk AI system.
Provider vs Deployer Responsibilities
Provider (Vendor: HireVue, Sapia, etc.)
- Conduct conformity assessment before market placement
- Affix CE marking
- Register in EU database of high-risk AI systems
- Maintain technical documentation in Annex IV format
- Implement quality management system
- Provide instructions for use to deployers (your TA team)
Deployer (You: the employer)
- Use the AI system per vendor's instructions
- Ensure human oversight is implemented operationally
- Maintain operational logs for at least 6 months
- Inform candidates per Article 26(11)
- Conduct fundamental rights impact assessment if required
- Monitor for unexpected behaviour and report serious incidents
Candidate Rights Under the EU AI Act
Article 86 (from August 2026): Right to explanation
Any person subject to a decision made by, or significantly influenced by, a high-risk AI system has the right to obtain an explanation of the role the AI system played in that decision. This applies to rejected candidates, not just those progressed. Your TA team must be able to explain, in plain language, what the AI assessed and how it contributed to the outcome.
Article 26(11): Candidate information
Deployers of high-risk AI systems must inform natural persons that they are subject to the AI system's use, to the extent possible in a timely, clear, and intelligible manner. This is distinct from GDPR data-processing notice; it is specific to the AI system's use in decision-making. Verify your candidate communication flows include this disclosure for EU candidates.
Penalties
Prohibited practices
EUR 35M or 7% global turnover
Whichever is higher. For systems in the prohibited AI practices category.
High-risk system obligations
EUR 15M or 3% global turnover
Whichever is higher. Applies to AI interviewer non-compliance.
Incorrect information
EUR 7.5M or 1% global turnover
Whichever is higher. For providing incorrect or misleading information to authorities.
EU AI Act Readiness by Vendor (April 2026)
| Vendor | EU AI Act posture (April 2026) |
|---|---|
| HireVue | Trust center documentation available to enterprise customers on request. CE marking and conformity assessment: request current status before EU contract. |
| Sapia.ai | Published alignment documentation on website. Strongest EU AI Act documentation among AI interviewer vendors as of April 2026. |
| Modern Hire / Canvas | Unclear post-acquisition. Request directly from LTIMindtree Canvas team. |
| Paradox (Olivia) | Limited EU presence. EU AI Act readiness documentation not prominent. Request directly; verify before any EU deployment. |
| myInterview | GDPR-native architecture. EU AI Act documentation in development as of April 2026. Strong for EU buyers operationally; compliance documentation maturing. |
| Willo | UK-native, EU-aware. Actively positioning for EU AI Act compliance. GDPR-strong. |
| VidCruiter | Request directly. Claimed compliance; verify documentation before EU deployment. |
| Metaview | Likely lower-risk classification (assistant tool, not autonomous decision system). Verify with vendor per specific use case. |
The UK Position
The UK is not subject to the EU AI Act. The UK's post-Brexit AI regulatory approach is principles-based and sector-led, governed by existing data protection law (Data Protection Act 2018, UK GDPR) and equality law (Equality Act 2010). The UK Information Commissioner's Office published guidance on AI in recruitment in 2023.
Cross-border employers: if your company is UK-headquartered but hires EU-resident candidates (e.g., in Germany, France, Netherlands), your AI interviewer platform is subject to the EU AI Act for those EU-based deployments. The Act follows the candidate's location, not the employer's headquarters.
10-Point Action List for EU-Hiring Buyers
Request vendor conformity assessment documentation and EU database registration confirmation
Update your DPIA (Data Protection Impact Assessment) to include EU AI Act high-risk AI obligations
Draft candidate notice template for EU candidates per Article 26(11)
Define human oversight SOP: who can intervene, override, or halt the AI system, and how?
Implement 6-month log retention architecture for EU AI Act compliance
Train hiring managers on appropriate AI output interpretation (how to weight AI scores)
Request vendor indemnification on EU AI Act non-compliance claims (expect vendor resistance; note the absence)
Confirm vendor's EU database registration before any EU deployment contract is signed
Prepare Article 26(11) and Article 86 compliance documentation as part of your contract negotiation with the vendor
Conduct Fundamental Rights Impact Assessment if you are a public-sector body or if your specific deployer circumstances require it
Enterprise software pricing negotiated case-by-case. Legal compliance landscape evolving; consult employment counsel for jurisdiction-specific advice. Data verified April 2026.