(2/3) The AI Act's Bill Lands on the Employer, Not the Vendor

By Marc Molas·May 29, 2026·10 min read

There's a comfortable assumption baked into how most companies think about the EU AI Act: it's a problem for the people who build the AI. The vendors trained the models, the vendors will do the conformity assessments, the vendors will carry the compliance weight. We just bought a license.

For high-risk AI used in hiring and HR, that assumption is wrong in a way that creates real exposure. The Act splits responsibility between two roles — the provider who develops and places the system on the market, and the deployer who uses it under their own authority. Yes, providers carry the heaviest design-time burden. But the Act deliberately puts a distinct, non-delegable set of obligations on the deployer. And if you're a company running an AI screening tool over your applicants, you are the deployer. The vendor's compliance does not absorb yours.

This is Part 2 of a three-part series. Part 1 mapped why nearly all HR AI is classified high-risk and what's banned outright. Here I walk through what the Act actually demands of the employer who deploys these systems — and why most of it can't be outsourced to a procurement clause.

The Deployer's Obligations, in Plain Terms

The core duties live in Article 26 ("Obligations of deployers of high-risk AI systems"). Strip out the legalese and they come down to a handful of commitments that are operational, not theoretical:

  • Use the system as intended (Art. 26(1)). You must operate it in line with the provider's instructions. Repurpose a candidate-screening tool for something it wasn't designed or documented for, and you've potentially shifted from deployer to provider — inheriting the full provider obligation set in the process.
  • Assign real human oversight (Art. 26(2)). Oversight must be given to natural persons who have the competence, training, and authority to exercise it. Not a name on an org chart. A person who understands the system and can actually act on what they see.
  • Keep the logs (Art. 26(6)). Deployers must retain the system's automatically generated logs for an appropriate period — at least six months unless other law says otherwise. If you can't reconstruct what the system did and why, you can't demonstrate compliance.
  • Inform the people subject to it (Art. 26(11)). Individuals who are subject to decisions made or assisted by a high-risk system must be told.
  • Tell the workforce first (Art. 26(7)). This one deserves its own section.

The Obligation Companies Will Trip Over: Telling Workers

Article 26(7) is short and easy to miss, and it's where I expect the most companies to be caught out. Before putting a high-risk AI system into use in the workplace, deployers who are employers must inform workers' representatives and the affected workers that they will be subject to it.

This is not a courtesy. It's a precondition for lawful deployment, and it plugs directly into the existing fabric of European labor law — which already has strong information-and-consultation rights for works councils and employee representatives. In several member states, rolling out a system that monitors or evaluates staff without going through that consultation isn't just an AI Act issue; it's a collective-labor-law issue.

Belgium is the cleanest example of the overlay. Long before the AI Act existed, Collective Bargaining Agreement No. 39 (1983) already obliged employers to inform and consult when introducing new technology that significantly affects employment or working conditions. The AI Act doesn't replace that — it stacks on top of it. So a company deploying an HR AI tool in Belgium is now answering to two regimes at once, and similar national overlays exist across the bloc.

The strategic takeaway: you cannot quietly switch on an AI evaluation system. Transparency to the workforce is part of the deployment, and "we'll tell them if they ask" is not what the law says.

Human Oversight That Actually Counts

"Human in the loop" has become one of the most abused phrases in AI. The Act tries to put teeth on it, across two articles working together.

Article 14 obliges providers to design high-risk systems so they can be effectively overseen by a human — with the interfaces, information, and stop controls that make oversight possible. Article 26(2) then obliges the deployer to actually staff that oversight with someone competent and empowered.

The bar the Act sets is meaningful oversight: the person must be able to understand the system's output, interpret it correctly, decide not to use it, and override or reverse it. A human who rubber-stamps a ranked list of candidates because the tool produced it is not oversight — that's automation with a witness. Oversight means the human's judgment can and sometimes does change the outcome.

This is the precise point where the law and good engineering converge. Oversight you can demonstrate is oversight you designed for: a decision point where a human reviews, a record of what they decided, and a real path to disagree with the machine.
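The oversight and log-retention duties above (Art. 26(2) and Art. 26(6)) translate into a small, concrete engineering pattern: a decision point where a named human reviews the tool's output, a record of what they decided and why, and evidence that the record has not been quietly edited or discarded early. The code below is an added example written for this article, not code from the author or from Conectia, and it assumes its own record fields, a 183-day approximation of "six months", and constructed sample applicants and scores. Beyond the paragraph, it also shows a cheap check for the failure mode the author calls "automation with a witness": an override rate that stays at zero over many reviews means the human is not exercising judgment.

```python
"""Added example (not from the article): a tamper-evident human-oversight log.

Each AI recommendation a human reviews is recorded with the reviewer's own
decision. Records are hash-chained so an altered or removed entry is
detectable, an override must carry a rationale, the override rate exposes
reviewers who never disagree with the tool, purging refuses to drop records
younger than the retention minimum, and every decision that touched one
applicant can be reconstructed. All identifiers and scores are constructed.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# "At least six months" (Art. 26(6)); 183 days is this example's approximation.
MIN_RETENTION = timedelta(days=183)
_CHAIN_FIELDS = ("prev_hash", "record_hash")


def _hash_record(fields: Dict[str, object], prev_hash: str) -> str:
    """SHA-256 over canonical JSON of the record fields plus the previous hash."""
    payload = json.dumps({**fields, "prev_hash": prev_hash}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class OversightLog:
    """Append-only list of reviewed decisions, oldest first."""

    def __init__(self) -> None:
        self._records: List[Dict[str, object]] = []

    def record(self, application_id: str, ai_recommendation: str, ai_score: float,
               reviewer_id: str, human_decision: str, rationale: str,
               decided_at: datetime) -> Dict[str, object]:
        # Disagreeing with the tool is allowed, but it has to be explained.
        if human_decision != ai_recommendation and not rationale.strip():
            raise ValueError("overriding the AI recommendation requires a rationale")
        fields = {
            "application_id": application_id, "ai_recommendation": ai_recommendation,
            "ai_score": ai_score, "reviewer_id": reviewer_id,
            "human_decision": human_decision, "rationale": rationale,
            "decided_at": decided_at.astimezone(timezone.utc).isoformat(),
        }
        prev = str(self._records[-1]["record_hash"]) if self._records else ""
        entry = {**fields, "prev_hash": prev, "record_hash": _hash_record(fields, prev)}
        self._records.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if no record was altered or removed from inside the log."""
        if not self._records:
            return True
        # Anchor on the first record's prev_hash so a purged head still verifies.
        prev = str(self._records[0]["prev_hash"])
        for entry in self._records:
            fields = {k: v for k, v in entry.items() if k not in _CHAIN_FIELDS}
            if entry["prev_hash"] != prev or _hash_record(fields, prev) != entry["record_hash"]:
                return False
            prev = str(entry["record_hash"])
        return True

    def override_rate(self) -> float:
        """Share of reviews where the human changed the outcome; near 0.0 over
        many records is the rubber-stamp warning sign."""
        if not self._records:
            return 0.0
        overrides = sum(1 for e in self._records if e["human_decision"] != e["ai_recommendation"])
        return overrides / len(self._records)

    def purge(self, now: datetime, minimum: timedelta = MIN_RETENTION) -> int:
        """Drop only records at least `minimum` old, oldest first; returns the count dropped."""
        dropped = 0
        while self._records:
            age = now - datetime.fromisoformat(str(self._records[0]["decided_at"]))
            if age < minimum:
                break
            self._records.pop(0)
            dropped += 1
        return dropped

    def history(self, application_id: str) -> List[Dict[str, object]]:
        """Every reviewed decision that touched one application, in order."""
        return [e for e in self._records if e["application_id"] == application_id]

    def __len__(self) -> int:
        return len(self._records)


DEMO_T0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed


def demo() -> OversightLog:
    """Constructed sample: three reviews by two reviewers, one of them an override."""
    log = OversightLog()
    log.record("app-0001", "reject", 0.31, "reviewer-a", "reject", "", DEMO_T0)
    log.record("app-0002", "reject", 0.44, "reviewer-a", "advance",
               "Tool penalised a career gap; portfolio shows the required experience.",
               DEMO_T0 + timedelta(days=1))
    log.record("app-0001", "advance", 0.72, "reviewer-b", "advance", "",
               DEMO_T0 + timedelta(days=200))
    return log
```

The hash chain only proves integrity from the oldest retained record forward; to prove nothing was trimmed from the tail you would additionally publish or escrow the latest `record_hash` somewhere the log's own operators cannot rewrite. The `history()` call is what answers a rejected applicant's "why": the tool's recommendation, the named reviewer, and their recorded reasoning, in order.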

The Two Impact Assessments

High-risk HR systems pull in two distinct assessment obligations, and people routinely confuse them.

  • The Fundamental Rights Impact Assessment (Art. 27). Certain deployers of high-risk systems must assess the impact on fundamental rights before deployment — who's affected, what could go wrong, what mitigations and human-oversight measures are in place. For systems that decide who gets hired or promoted, this is not a hypothetical exercise.
  • The Data Protection Impact Assessment (GDPR Art. 35). Hiring AI processes personal data — often a lot of it, sometimes sensitive. Article 26(9) of the AI Act explicitly tells deployers to use the information the provider supplies under Article 13 to carry out their GDPR DPIA. The two regimes are designed to interlock.

If that sounds like two overlapping documents, it partly is — and the smart move is to run them as one coordinated assessment rather than two disconnected paper exercises.

The GDPR Layer You Already Owed

The AI Act did not arrive into a vacuum. The GDPR has governed automated processing of personal data since 2018, and one of its provisions has always been pointed straight at AI hiring: Article 22, the right not to be subject to a decision based solely on automated processing where it produces legal or similarly significant effects.

A fully automated reject decision — no human involved — is the textbook case Article 22 was written to constrain. Candidates have rights to information, to human intervention, and to contest the decision. The AI Act's human-oversight requirements and the GDPR's Article 22 are now two reinforcing reasons to keep a competent human in the decision rather than around it.

The proposed Digital Omnibus I mentioned in Part 1 is partly an attempt to clarify how these two regimes fit together. Until that settles, assume the stricter reading: a person, not just a pipeline, owns the outcome.

What This Adds Up To

Lay the obligations end to end and a clear shape emerges. To deploy AI in hiring lawfully in the EU, a company has to:

  1. Confirm the tool and use case, and operate it as documented.
  2. Put a competent, empowered human in charge of oversight — and make that oversight real.
  3. Inform workers and their representatives before deployment.
  4. Run a fundamental-rights assessment and a coordinated DPIA.
  5. Retain logs and be able to explain any decision the system touched.
  6. Honor candidates' GDPR rights to information, human intervention, and contest.

None of these is satisfied by a vendor's compliance badge. Every one of them is something the deploying employer has to own, staff, and document.

That's a burden — but it's also a blueprint. The companies that treat this list as a design spec rather than a legal annoyance end up with hiring processes that are not just compliant, but genuinely better: more transparent to candidates, more accountable internally, and more defensible when a rejected applicant asks why.

In Part 3, I get specific about what that looks like in practice — using the one process I know intimately: how we built Conectia's remote candidate preselection so that AI does what it's good at, humans stay accountable for the decision, and the whole thing was already shaped like the law before the law required it.