The EU AI Act Annex III enumerates eight high-risk AI use cases. Two of them are explicitly HR: AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates, and AI systems intended to be used for making decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, for allocating tasks based on individual behaviour or personal traits or characteristics, or for monitoring and evaluating performance and behaviour of persons. If you build, sell, or deploy AI that touches any of these, the high-risk regime applies to you.

The enforcement deadline is August 2, 2026. From that date, providers (the entity that builds and markets the AI) and deployers (the entity that uses it) both have obligations. The obligations are not optional, are not negotiable in procurement, and produce real penalties under EU AI Act Article 99: up to €15 million or 3% of global turnover for non-compliance with high-risk requirements, up to €35 million or 7% for prohibited-practice violations. The deadline is closer than most teams realize.

This guide walks through what counts as Annex III HR-AI (the scope is wider than buyers expect), what does not, what the conformity assessment actually demands, the difference between provider and deployer obligations, and a 6-step readiness plan you can run between now and August 2. It is written for the HR leader, DPO, or compliance owner who has to deliver an Annex-III-ready HR-AI stack on a fixed deadline.

For the broader EU AI compliance framework, start with our AI governance and compliance EU pillar. For the DPIA layer that runs alongside Annex III, see the DPIA template guide. This article is the specific Annex III deep-dive.

Aug 2, 2026: EU AI Act high-risk enforcement deadline (Annex III obligations apply)
€15M: max fine for high-risk non-compliance (or 3% global turnover, whichever is higher)
2/8: Annex III high-risk categories that are HR-specific (recruitment + work-relationship decisions)
12: documents required for the full Annex IV technical documentation package

What Counts as Annex III HR-AI

The scope is wider than most buyers expect. Annex III HR-AI is not just AI that screens resumes. It is any AI system used for recruitment, selection, performance evaluation, promotion, termination, task allocation, or behavior monitoring of employees. Every use case marked "Yes" in the table below counts as high-risk, and each one triggers the full Annex III obligation set.

What matters is the purpose of the AI in the workflow, not the technology. An LLM that drafts job descriptions is not high-risk. An LLM that filters which candidates a recruiter sees is. An AI that summarizes a meeting transcript is not high-risk. An AI that scores meeting participants on engagement is. The boundary is whether the AI output influences a decision about a natural person's employment.

AI use case | Annex III high-risk? | Why
Resume / CV screening AI | Yes | Filters which candidates the recruiter sees -> influences hiring decision
Targeted job ad placement AI | Yes | Explicitly named in Annex III; influences which candidates apply
AI candidate-evaluation tools (assessments, video interview scoring) | Yes | Scores or ranks candidates -> influences hiring decision
Performance evaluation AI (individual scoring) | Yes | Annex III directly names performance and behavior monitoring
AI task-assignment based on individual traits | Yes | Annex III names 'allocating tasks based on individual behaviour or personal traits'
Individual-level pulse survey AI analysis with manager visibility | Yes, if results feed promotion/termination decisions | Behavior monitoring + decision influence trigger high-risk
AI 1-on-1 coaching chat (creator-only privacy) | Likely not, if no manager visibility and no decision feed | Without decision linkage, less likely classified high-risk; still DPIA-relevant
Team-aggregate analytics (no individual identification) | No, if truly aggregated and irreversibly anonymized | No natural-person decision link -> outside Annex III
AI-drafted job descriptions (human approves before posting) | No, if human is the actual decision-maker | Tool for human decision, not decision itself
AI meeting-transcript summarizer (no scoring or evaluation) | No | Information processing without person-level decision impact

Provider vs Deployer: Who Does What

The EU AI Act distinguishes two roles, and you can be both. The provider is the entity that develops or has developed an AI system and places it on the market under its own name. The deployer (called user in earlier drafts) is the entity that uses the AI system under its authority (except for personal non-professional use). A company that builds its own internal AI is both provider and deployer. A company that buys an AI tool from a vendor is the deployer; the vendor is the provider.

Obligations split between the two. Providers carry the heaviest load: conformity assessment, technical documentation per Annex IV, quality management system, post-market monitoring, EU declaration of conformity, CE marking, registration in the EU database for high-risk AI. Deployers carry: human oversight in line with provider instructions, monitoring of system operation, log-keeping, fundamental rights impact assessment (FRIA) for some Annex III uses, transparency to affected individuals (employees), and incident reporting.

In practice, most HR-AI buyers are deployers. The vendor handles the conformity assessment and technical documentation; you handle the human oversight, monitoring, FRIA, transparency, and incident reporting on your side. If your vendor cannot show their conformity assessment evidence (Annex IV docs, CE marking declaration), you should not deploy them past August 2. The deployer carries downstream risk for the provider's gaps.

The 6 Deployer Obligations You Must Meet by August 2

1. Document human oversight for the specific AI

Name the role (HR business partner, recruiter, line manager) that exercises oversight. Describe the moments of oversight (before sending an offer, before terminating, before assigning a task based on AI scoring). The oversight has to be effective, not symbolic; a checkbox does not count.

2. Set up monitoring of system operation

Continuously monitor whether the AI behaves as the provider documented. Watch for drift, bias drift, performance degradation. The deployer is responsible for catching anomalies in production. Most enterprises use the AI vendor's built-in dashboards; verify they cover Annex III monitoring requirements.

3. Keep operation logs for at least 6 months

Article 26(6) requires the deployer to retain logs the system produces for as long as needed and at least 6 months. For AI vendors that already produce audit trails (activity stream, agent session logs), this is automatic. For vendors that do not, you have to build the log retention yourself.

4. Conduct a Fundamental Rights Impact Assessment (FRIA)

Article 27 requires FRIA for public bodies and some private deployers of certain Annex III systems. For HR-AI in the private sector, FRIA is required when the deployment touches public-interest categories or vulnerable groups. The FRIA runs alongside the DPIA but is broader (covers DSGVO and beyond). Many deployers conduct an integrated DPIA-FRIA in one document.

5. Inform affected individuals (employees) of AI use

Article 26(11) requires that natural persons subject to high-risk AI decisions be informed. For HR-AI, this means a clear notice (in the candidate journey, in the employment contract, in the internal HR portal) that an AI system is used, what it does, and what the rights are (object to fully automated decisions per Art. 22 GDPR, request explanation per Art. 86 AI Act). Generic privacy policy boilerplate is not enough.

6. Report serious incidents within 15 days

Article 73 requires deployers (in coordination with the provider) to report serious incidents to the relevant national authority within 15 days. For HR-AI, a serious incident includes a discriminatory pattern, a wrongful adverse decision, or a security breach. The 15-day clock is short; have an internal incident pathway and a named coordinator before the first incident, not after.

The single most-missed obligation: Article 26(11) transparency to affected individuals. Most HR teams assume their existing DSGVO notice covers it. It does not. The AI Act requires a specific AI-system notice naming the system, its purpose, and the affected individual's rights. Audit your candidate-journey and employee-onboarding flows now; add the notice before August 2 if it is missing.
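Added here as an illustration of obligations 1, 2, 3 and 6 together (this is example code, not code from the original article or from any vendor): a deployer-side monitoring pass over constructed screening-decision logs. It compares observed AI pass rates per group against hypothetical rates the provider documented in its instructions for use to flag bias drift, lists rejections with no named human reviewer as an oversight gap, and applies a 6-month retention cutoff before any log purge. The log format, group labels, documented rates, 183-day window and 15% tolerance are all assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample log: one JSON record per AI screening decision (not real data).
SAMPLE_LOG = """\
{"ts": "2026-02-01", "id": "c01", "group": "A", "ai_pass": true, "reviewer": "hrbp-2"}
{"ts": "2026-02-01", "id": "c02", "group": "B", "ai_pass": false, "reviewer": "hrbp-2"}
{"ts": "2026-08-10", "id": "c03", "group": "A", "ai_pass": true, "reviewer": "hrbp-2"}
{"ts": "2026-08-10", "id": "c04", "group": "A", "ai_pass": true, "reviewer": "hrbp-2"}
{"ts": "2026-08-11", "id": "c05", "group": "A", "ai_pass": false, "reviewer": "hrbp-2"}
{"ts": "2026-08-11", "id": "c06", "group": "B", "ai_pass": false, "reviewer": null}
{"ts": "2026-08-12", "id": "c07", "group": "B", "ai_pass": false, "reviewer": "hrbp-2"}
{"ts": "2026-08-12", "id": "c08", "group": "B", "ai_pass": true, "reviewer": "hrbp-2"}
"""

# Hypothetical per-group pass rates taken from the provider's instructions for use.
DOCUMENTED_RATES = {"A": 0.65, "B": 0.60}
RETENTION_DAYS = 183  # assumption: "at least 6 months" (Art. 26(6)) read as 183 days

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def pass_rates(records, since):
    """Observed AI pass rate per group for decisions dated on or after `since` (ISO date)."""
    start, counts = date.fromisoformat(since), {}
    for r in records:
        if date.fromisoformat(r["ts"]) >= start:
            n, k = counts.get(r["group"], (0, 0))
            counts[r["group"]] = (n + 1, k + int(r["ai_pass"]))
    return {g: k / n for g, (n, k) in counts.items()}

def bias_drift(records, since, tolerance=0.15):
    """Groups whose observed pass rate strays from the documented rate by more than `tolerance`."""
    return sorted(g for g, rate in pass_rates(records, since).items()
                  if abs(rate - DOCUMENTED_RATES[g]) > tolerance)

def unreviewed_rejections(records):
    """Adverse AI outcomes with no named human reviewer: a human-oversight gap to escalate."""
    return [r["id"] for r in records if not r["ai_pass"] and not r.get("reviewer")]

def purge_candidates(records, today):
    """Ids old enough to delete without breaching the minimum retention window."""
    cutoff = date.fromisoformat(today) - timedelta(days=RETENTION_DAYS)
    return [r["id"] for r in records if date.fromisoformat(r["ts"]) < cutoff]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("drift:", bias_drift(recs, "2026-08-01"))          # ['B']
    print("unreviewed:", unreviewed_rejections(recs))          # ['c06']
    print("purgeable:", purge_candidates(recs, "2026-08-15"))  # ['c01', 'c02']
```

A drift flag or an unreviewed rejection is the trigger for the internal incident pathway in obligation 6; the purge list is what a retention job may delete, never anything younger than the window.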

What the Provider Must Show You

A compliant provider hands over:

  • Conformity assessment evidence (third-party assessment for some categories, self-assessment for others)

  • Annex IV technical documentation package (12 documents)

  • EU declaration of conformity, signed and dated

  • CE marking on the product / in the documentation

  • Registration entry in the EU high-risk AI database

  • Clear instructions for use, covering the deployer's 6 obligations

A non-compliant provider says:

  • "We are working on it"

  • "Our model is safe, you do not need that"

  • "The Act does not really apply to us"

  • "We will provide it after August 2 when the regulations are clearer"

  • Documentation in a language you cannot read with no translation offered

  • No evidence of post-market monitoring or incident-reporting capability

The Bottom Line

August 2, 2026 is a hard deadline. After it, deploying Annex III HR-AI without the 6 deployer obligations in place is a violation that produces fines under Article 99. The window to prepare is closing. The work is not glamorous, but it is bounded: classify each AI deployment, demand provider evidence, document human oversight, set up monitoring and log retention, run FRIA where required, add transparency notices, build an incident pathway.

The vendors who will be there on August 3 are the ones who can hand you the Annex IV package, the conformity assessment evidence, and the CE marking without negotiation. The vendors who are still working on it on August 2 are vendors you should not be deploying in production. Use the next 75 days to do the audit, not to chase deadlines you cannot meet.

The broader pattern across the EU AI compliance landscape (DSGVO, AI Act, NIS2, sectoral rules) is the same: regulators have stopped accepting promises and now require evidence. Your job is not to argue with the regulation; it is to produce the documents the regulation demands, in the order auditors will ask for them. The articles in our AI governance and compliance EU pillar tell you what each document looks like.

Key Takeaways

1. Aug 2, 2026 enforcement is real. EU AI Act high-risk regime applies. Fines up to €15M or 3% global turnover.

2. HR-AI scope is wider than expected. Resume screening, candidate evaluation, performance scoring, task assignment, behavior monitoring all count. The boundary is whether the AI output influences a decision about a person.

3. Provider vs deployer obligations split clearly. Providers: conformity assessment, technical doc, CE marking, EU registration. Deployers: human oversight, monitoring, logs, FRIA, transparency, incident reporting.

4. The 6 deployer obligations are non-negotiable. Most-missed: Art. 26(11) transparency to affected individuals. DSGVO notice does not substitute.

5. Vendor evidence beats vendor promises. A compliant provider hands you Annex IV docs, conformity assessment, CE marking. Working on it on August 2 means do not deploy.