Compliance & Legal · March 20, 2026 · 11 min read

EU AI Act Hiring Compliance Checklist: What to Do Now

The Council postponed high-risk AI obligations to Dec 2027. Most CTOs exhaled — they should not have. Here is the 12-point compliance checklist.

Nikita Kiselov

CTO & Co-founder

On March 13, 2026, the EU Council formally postponed high-risk AI Act obligations from August 2, 2026 to December 2, 2027 (and August 2, 2028 for embedded AI systems). Most CTOs we talk to read that announcement and quietly exhaled. They shouldn't have.

Compliance for high-risk AI systems takes 12–18 months to build properly. Bias testing protocols alone take 6 months of data to validate. The companies that wait until Q3 2027 will be the ones panicking. The companies that move now will be the ones quietly winning enterprise contracts in 2027 because their compliance posture is already in place.

This is the 12-point checklist we'd want if we were starting today.

Why the delay is a trap, not relief

The official rationale for the postponement (EU Digital Omnibus, March 2026): the technical infrastructure to support compliance — specifically, the harmonized standards from CEN/CENELEC — isn't ready. Companies couldn't comply even if they wanted to, because the standards they need to comply against don't exist yet.

What the delay does NOT change:

The penalties (€35M or 7% of global turnover, whichever is higher)
The classification of AI hiring tools as high-risk under Annex III
The requirement that buyers (you) bear responsibility for the AI you deploy, not just the vendor
The expectation that enterprise buyers will demand documented compliance from their suppliers, regardless of regulatory deadline

What the delay DOES change:

You have 20 months instead of 4
Standards may shift — you'll need to adapt twice (once to current best practice, again when CEN/CENELEC ships)
Competitors using non-compliant AI will have longer to embed it before the cleanup begins

The smart move is to build a compliant foundation now and refine it as standards crystallize. Not to wait.

The 12-point compliance checklist

1. Inventory all AI tools used in hiring

Most companies underestimate this. Beyond the obvious (ATS, video interview platforms), check:

Resume parsers and rankers
Job description writing assistants
Sourcing tools that "score" LinkedIn profiles
Skill assessment platforms with AI scoring
Productivity analytics that influence promotion/retention decisions
Background check services using AI for verification

If it processes candidate data and produces a score, ranking, or recommendation, it's in scope.

2. Classify each tool against Article 6 (high-risk criteria)

Article 6 + Annex III defines AI in employment as high-risk when used for:

Recruitment or selection (any AI scoring of candidates)
Promotion or termination decisions
Task allocation based on individual behavior
Performance monitoring

Most hiring AI is high-risk. Some peripheral tools (purely administrative chatbots, basic resume formatting) may not be. Document the classification reasoning for each tool.

3. Risk management process (Article 9)

A documented process showing you've:

Identified known and reasonably foreseeable risks (bias, discrimination, errors)
Estimated impact of those risks
Adopted mitigation measures
Tested those mitigations work

For each AI tool, write a 1-page risk register. It should not be your only documentation — but it's a starting point.

4. Data governance and quality (Article 10)

The AI you use must be trained on data that is "relevant, representative, free of errors, and complete." For most buyers, this means:

Asking your vendor for documentation of their training data sources
Verifying bias testing has been done on protected characteristics (gender, age, disability, ethnicity, where legally permissible)
Implementing your own monitoring on outputs (do candidates from group X get systematically lower scores than group Y?)

If your vendor can't answer these questions, that's a red flag.

5. Technical documentation (Article 11)

Annex IV lists 9 categories of required documentation. The condensed version:

General description of the AI system
Detailed description of components and processes
Risk management documentation
Information on data and data governance
Cybersecurity measures
Performance metrics
Human oversight design
Lifecycle and update procedures
Conformity assessment

Your vendor should provide this. Keep a copy for your own records.

6. Record-keeping / logging (Article 12)

The AI system must automatically log events. For hiring:

Every candidate evaluation (input, output, timestamp)
Every override or correction by a human reviewer
Every retraining or update to the model

Retention period: minimum 6 months, ideally 5+ years for hiring decisions (matches GDPR statute of limitations for discrimination claims).

7. Transparency and information to candidates (Article 13)

Candidates must be informed before AI evaluation begins:

That AI is being used
What data is processed
What the AI assesses
That they have the right to a human review

This needs to be clear, not buried in a privacy policy. A simple consent screen at the start of the interview meets the bar.

8. Human oversight design (Article 14) — the real one

This is where most vendors fake compliance. "Human in the loop" is not enough if the human is rubber-stamping AI decisions without context.

Real human oversight requires:

A human can understand the AI's output (interpretability)
A human can override the AI's decision
A human is empowered (organizationally) to actually use that override
A record is kept when overrides happen, and at what rate

Recruo's model: every shortlist is reviewed and signed off by a human recruiter before delivery to the client. AI is a recommendation engine, not a decision-maker.

9. Accuracy, robustness, cybersecurity (Article 15)

Documented metrics on:

Accuracy (precision, recall, F1) on a representative test set
Performance under edge cases (non-native English speakers, unusual career paths)
Adversarial robustness (can someone game the system?)
Cybersecurity (data at rest, data in transit, vendor SOC 2)

10. Conformity assessment + CE marking

For high-risk AI, you (or the vendor on your behalf) must complete a conformity assessment. Two routes:

Internal control (Annex VI) — vendor self-assesses against a harmonized standard
Third-party assessment (Annex VII) — needed if no harmonized standard exists or if biometric-based

Once passed, the system gets a CE marking and is registered in the EU AI database.

Standards aren't fully ready yet (which is why the delay happened). Track CEN/CENELEC progress quarterly.

11. Post-market monitoring

Once deployed, ongoing monitoring of:

Model performance drift
Bias drift
Incident reporting (any case where the AI caused harm)
Annual or more frequent re-assessment

12. Vendor due diligence

The 5 questions to ask any AI hiring vendor:

1. What's your conformity assessment status? ("In progress, here's the timeline" is acceptable. "What's that?" is not.)
2. Show me your bias testing protocol and most recent results.
3. What's your retention policy and how do candidates exercise their right to deletion?
4. Walk me through your human oversight design — not 'we have humans in the loop', but exactly when and how a human reviews the AI's output.
5. What happens if the EU AI Act standards finalize differently from your current implementation?

If the vendor can't answer 4 of 5 confidently, you have a vendor risk problem.

Common gotchas we see on calls with CTOs

"Our vendor said they're compliant."

Most don't yet have CE marking — because the conformity assessment standards aren't ready. "Compliant" is currently a marketing claim, not a regulatory one. Ask for the documentation, not the claim.

"We're using a US tool, so EU AI Act doesn't apply."

Wrong. The Act applies based on where the AI is used and where its outputs are used, not where the vendor is incorporated. If your candidates are in the EU or your hiring decisions affect EU candidates, you're in scope.

"GDPR compliance covers us."

GDPR and the AI Act are complementary but separate. GDPR is about data; AI Act is about the AI system itself. You need both.

"We'll deal with it closer to December 2027."

By then, every enterprise procurement RFP will require AI Act compliance documentation. You don't want to be assembling it under deadline pressure while losing deals.

Practical next steps for the next 30, 60, 90 days

Days 1–30: Audit and inventory

Catalog every AI tool in your hiring stack
Classify each against Article 6
Document current state (what's logged, who reviews, what's documented)

Days 31–60: Documentation and vendor contracts

Update vendor contracts to include AI Act compliance commitments
Build a risk register for each high-risk tool
Implement candidate notification flows

Days 61–90: Bias testing + human oversight SOPs

Define and document your human oversight process
Set up bias monitoring on outputs
Train hiring team on override procedures
Draft the candidate appeals/human review workflow
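As an added illustration (not Recruo's code or any vendor's) of what points 4, 6 and 8 and the day 61–90 steps look like in practice: a minimal append-only audit log of every AI evaluation and human override, a per-group selection-rate check on the final shortlist decisions, and a disparity flag. Candidate IDs, group labels and scores are constructed sample data; the 0.8 ratio used for flagging is an assumed monitoring threshold, not a figure from the Act.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

class HiringAuditLog:
    # Append-only JSON-lines log of every AI evaluation and human override.
    def __init__(self):
        self.lines = []

    def log(self, event, **fields):
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self.lines.append(json.dumps(rec, sort_keys=True))
        return rec

    def events(self, kind):
        return [r for r in map(json.loads, self.lines) if r["event"] == kind]

def evaluate(log, candidate, group, score, threshold=0.6):
    # Log input, score and recommendation; group is constructed sample data for aggregate monitoring only.
    return log.log("evaluation", candidate=candidate, group=group,
                   score=score, recommended=score >= threshold)

def human_override(log, candidate, reviewer, recommended, reason):
    # Log a recruiter overriding the AI recommendation, with the reason.
    return log.log("override", candidate=candidate, reviewer=reviewer,
                   recommended=recommended, reason=reason)

def final_decisions(log):
    # Final shortlist decision per candidate: the latest override wins.
    final = {e["candidate"]: [e["group"], e["recommended"]]
             for e in log.events("evaluation")}
    for o in log.events("override"):
        if o["candidate"] in final:
            final[o["candidate"]][1] = o["recommended"]
    return final

def selection_rates(log):
    # Share of candidates shortlisted per group, after human review.
    total, picked = defaultdict(int), defaultdict(int)
    for group, rec in final_decisions(log).values():
        total[group] += 1
        picked[group] += int(rec)
    return {g: picked[g] / total[g] for g in total}

def disparity_flags(rates, min_ratio=0.8):
    # Groups selected at under min_ratio of the best group's rate; 0.8 is an
    # assumed monitoring threshold, not a number taken from the Act.
    best = max(rates.values(), default=0.0)
    return sorted(g for g, r in rates.items() if r < min_ratio * best)
```

The override rate the checklist asks for (point 8) is simply `len(log.events("override")) / len(log.events("evaluation"))` over the same log.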

By day 90, you'll have a compliance foundation that can absorb whatever the final standards look like — without a fire drill.

How Recruo handles this

Our model is human-in-the-loop by design. Every shortlist is reviewed and signed off by a human recruiter before delivery. We document AI outputs, retain audit logs for 5+ years, run quarterly bias audits, and publish a compliance checklist with each engagement.

We are not a vendor selling a black-box AI tool. We're an agency where AI is a screening tool and humans own every shortlist decision. That maps directly onto what the EU AI Act requires — not something we added after the fact.

If your team is building or auditing AI hiring compliance, book a 30-min compliance review — we'll share what we've built and the templates we use. No sales pitch required.
