← Back to all articles
Challenges

(1/3) Brussels Just Reclassified Your Hiring Stack as High-Risk

By Marc Molas·May 29, 2026·9 min read

For most of the last three years, the conversation around AI in recruiting has been about productivity. How many CVs can you screen per hour. How much faster you can source candidates. How many interview notes you can auto-summarize. The European Union has forced a reframe on that conversation entirely, and the new frame is risk to fundamental rights.

Regulation (EU) 2024/1689 — the EU AI Act — entered into force on 1 August 2024, but the full applicability of the Act, including most high-risk AI obligations, is scheduled for 2 August 2026. However, recent provisional agreements (the "Digital Omnibus") have postponed key high-risk deadlines to 2 December 2027 for standalone systems and 2 August 2028 for AI embedded in regulated products.

It is the world's first comprehensive, horizontal law governing artificial intelligence, and it does something most coverage glossed over: it singles out the workplace as one of the most heavily regulated environments for AI in the entire text. If your company uses software to filter applications, rank candidates, score interviews, or evaluate employee performance — and in 2026, almost every company does — you are now operating inside that regime.

This is the first post in a three-part series. I'll try to map the landscape: what the Act actually says about AI in HR, why nearly all of it lands in the "high-risk" bucket, and what's banned outright. Part 2 covers the concrete obligations that fall on employers. Part 3 is about how we built Conectia's candidate preselection to live inside these rules rather than fight them.

The Risk Pyramid, and Why HR Sits Near the Top

The Act doesn't regulate "AI" as a monolith. It sorts systems into four tiers by the risk they pose, and the obligations scale with the tier:

  • Unacceptable risk — banned entirely (Article 5).
  • High risk — permitted, but subject to the heaviest compliance regime in the law (Articles 8–27, Annex III).
  • Limited risk — permitted, with transparency duties (Article 50). Think chatbots that must disclose they're not human.
  • Minimal risk — essentially unregulated. Spam filters, recommendation engines, most of what's in a normal product.

The political logic of the pyramid is simple: the more an AI system can affect a person's life, livelihood, or rights, the more the law cares. And there are few decisions a piece of software can make that affect a person's livelihood more directly than whether they get the job.

That's why the EU put employment in Annex III — the list of high-risk use cases — as a category of its own. Point 4 of that annex covers AI systems used in employment, workers management, and access to self-employment. In plain terms, it captures two phases of the employment relationship:

  1. Recruitment and selection — placing or targeting job advertisements, filtering applications, and evaluating candidates.
  2. Decisions affecting the relationship — promotion and termination, allocating tasks based on behavior or traits, and monitoring or evaluating performance.

Read that list against your actual hiring stack. An ATS that ranks applicants by fit. A sourcing tool that decides who sees your job ad. A video-interview platform that scores candidates. A skills-assessment engine that produces a pass/fail. A performance system that flags who's underperforming. Under the Act, these are not productivity tools. They are high-risk AI systems, and that classification carries a specific, demanding set of duties that I'll detail in Part 2.

The Line That Can't Be Crossed: Emotion Recognition at Work

Before the high-risk obligations, there's a harder line. Article 5 lists the practices the Act considers unacceptable — prohibited since 2 February 2025, with no compliance path. You don't get to do them with paperwork; you simply can't do them.

Two of these prohibitions land squarely in HR:

  • Emotion recognition in the workplace. Any AI system that infers a person's emotional state from their face, voice, or behavior is banned in the workplace and in education, save for narrow medical or safety exceptions. The wave of interview tools that promised to read a candidate's "enthusiasm," "confidence," or "cultural fit" from facial micro-expressions is, in the EU, now illegal.
  • Social scoring and exploitation of vulnerability. Systems that score people on unrelated behavior, or that exploit a vulnerable group, are out.

This matters strategically because a chunk of the HR-tech market was built on exactly the capability the Act bans. If your vendor's differentiator was sentiment analysis on video interviews, that differentiator is now a liability in your largest potential market. The first question a European buyer should ask an AI hiring vendor in 2026 is not "how accurate is it" — it's "does any part of this infer emotion?"

The Timeline Nobody Internalized

The Act doesn't switch on all at once. It applies in phases, and the phasing is the part most companies have misjudged — usually by assuming they have more time than they do.

  • 2 February 2025 — The Article 5 prohibitions took effect. Emotion recognition at work has been illegal for over a year already. So has the Article 4 AI literacy obligation: anyone deploying AI must ensure their staff have a sufficient understanding of it. This one is quiet but live now, and it applies to the people running your hiring tools.
  • 2 August 2025 — Rules for general-purpose AI models and the EU governance structures came online.
  • 2 August 2026 — The full high-risk regime — the one that governs your hiring and HR AI — becomes applicable. This is the date that matters most for employers.
  • 2 August 2027 — The remaining high-risk classification rules (for AI embedded in regulated products) apply.

So the prohibitions are already enforceable, and the high-risk obligations for HR are a matter of months away, not years.

The Wobble: the Digital Omnibus

Here's the complication, and you'll hear about it from every vendor hoping to slow-walk compliance. In late 2025 the European Commission proposed a Digital Omnibus package that would, among other things, make some high-risk obligations conditional on the availability of harmonized technical standards and support tools — potentially pushing parts of the high-risk deadline beyond August 2026, with dates floated as far out as December 2027 or August 2028.

Treat this exactly as what it is: a proposal, not the law. It can change in negotiation, it can be narrowed, and even if it lands, it does not touch the Article 5 prohibitions that are already in force. Building your hiring strategy on the assumption that Brussels will blink is a bet against the entire direction of the last five years of EU digital policy. The defensible position is to plan for August 2026 and treat any slippage as a bonus, not a basis.

Why This Is a Strategic Story, Not a Legal Footnote

It would be easy to file this under "compliance" and hand it to legal. That would be a mistake, and it's the mistake I want this series to prevent.

The AI Act is doing to AI hiring what the GDPR did to data: it's turning a feature into a structural property of the market. Just as "we handle EU user data" stopped being a checkbox and became an architectural commitment, "we use AI to evaluate people in Europe" is becoming a commitment to human oversight, documentation, and accountability that has to be designed in, not bolted on.

For companies hiring in Europe — and for everyone building the tools they hire with — this reshapes three things at once:

  • Build-vs-buy. Whether you're the provider of an AI hiring tool or merely its deployer changes which obligations land on you. Most companies are deployers and don't realize the law still holds them directly accountable. (Part 2.)
  • Vendor selection. The capabilities that sold HR tech in 2023 — emotion reading, opaque scoring, full automation — are now the capabilities that create exposure.
  • Process design. A hiring pipeline that keeps a competent human genuinely in control of decisions is no longer just good practice. It's the difference between a compliant process and an illegal one.

That last point is where my own bias shows, and I'll own it up front: I've spent this whole blog arguing that AI augments human judgment, it doesn't replace it. It's quietly satisfying to watch the largest regulatory bloc on earth write that thesis into binding law for the one domain where the stakes are most personal — who gets hired, and who doesn't.

In Part 2, we get concrete: the specific obligations the Act puts on employers who deploy these systems, why most of them fall on you and not your vendor, and what "meaningful human oversight" has to actually look like to count.

Related Articles

(2/3) The AI Act's Bill Lands on the Employer, Not the VendorChallenges

(2/3) The AI Act's Bill Lands on the Employer, Not the Vendor

Most companies assume the AI Act's burden falls on the AI vendor. For hiring tools it largely doesn't — it falls on you, the deployer. Part 2 of the series: human oversight, worker transparency, impact assessments, and the GDPR overlap.

May 29, 2026·10 min read
(3/3) We Built Our Preselection for the Law Before the Law ExistedChallenges

(3/3) We Built Our Preselection for the Law Before the Law Existed

The EU AI Act demands meaningful human oversight in hiring. At Conectia, that was already the design: AI assists, a senior engineer decides. Part 3 of the series — how compliant candidate preselection actually works in a remote hiring pipeline.

May 29, 2026·9 min read
Building a Compliant AI Legal Engine: Multi-Model Routing, Legal RAG, and the EU AI Act in PracticeChallenges

Building a Compliant AI Legal Engine: Multi-Model Routing, Legal RAG, and the EU AI Act in Practice

How we approached architecture for an AI contract analysis platform: legislation-aware retrieval, intelligent model routing, and compliance as a design constraint — not an afterthought.

January 15, 2026·10 min read

Ready to build your engineering team?

Talk to a technical partner and get CTO-vetted developers deployed in 72 hours.

Get Started →