EU AI Act for recruiters: what August 2026 actually means
The dates that matter, who carries what obligations, the fines, and why this catches UK and Dubai agencies too.
The Act, in one paragraph
The EU AI Act is Regulation (EU) 2024/1689. It is the first serious horizontal AI law from any major economy. It does not apply all at once. It applies in stages, and the stage that actually catches recruitment AI is later than most of the panicked posts on LinkedIn suggest. I have read the regulation. I have read what the European Commission publishes about it. Most of what is being said to agency owners right now is half right and half noise.
This post is what I would tell a friend running a recruitment agency. The dates that matter, the obligations that actually apply to you, the fines if you get it wrong, and the parts that most people are getting wrong about how this hits agencies outside the EU.
The dates that matter
Article 113 of the Act sets the timeline. Prohibited AI practices have applied since 2 February 2025. General-purpose AI and governance rules apply from 2 August 2025. The general applicability date is 2 August 2026. The obligations for high-risk AI systems under Article 6(1), which is the category that covers recruitment, apply from 2 August 2027.
Read that again. The full hammer on recruitment AI falls in August 2027. Not 2026. Eighteen months from now. You have time. Use it properly instead of panicking.
That said, do not use the extra year as an excuse to do nothing. The August 2026 general applicability still pulls in transparency obligations, disclosures, and the prohibition list. And the conformity assessment work that vendors have to complete takes the best part of a year if done properly. So if you are building AI features into your own agency tools, you should be most of the way there by mid-2027 to give yourself a runway.
Why the EU calls recruitment AI "high-risk"
Annex III of the Act lists the use cases that count as high-risk. Employment is on that list. The Commission's own policy page names it explicitly. CV-sorting software for recruitment is the worked example they give for the high-risk category. If your sourcing tool ranks candidates, if your ATS scores applicants, if your video interview platform gives an automated assessment, if your outreach tool personalises at scale using AI, you are operating a high-risk AI system the moment any of those tools is used in the EU.
This catches more agencies than people think. It catches the recruiter using a third-party tool that has AI inside it. It catches the agency licensing software where the vendor has bolted on a matching engine. And it catches the vendor selling that software into the EU market. Three layers of responsibility, often three different organisations, all sharing the legal exposure.
The category is wide on purpose. The EU's view is that any AI making consequential decisions about a person's livelihood deserves scrutiny. Whether you agree or not, that is the law. Treat it as the operating reality.
Provider vs deployer: who carries what
The Act splits obligations between two roles. Providers are the vendors who build and sell the AI. Deployers are the organisations that use it. Most recruitment agencies are deployers. The vendor of your ATS or sourcing tool is the provider.
Providers carry the heavier load. Risk management systems for the AI's whole lifecycle. Data governance and bias testing on training data. Technical documentation. Automatic logging baked into the product. Human oversight controls. Cybersecurity. Conformity assessment before the product goes on sale in the EU. CE marking. Post-market monitoring. Most of this is the vendor's problem, not yours.
Your obligations as a deployer are lighter but real. Use the system in line with the provider's instructions. Make sure a human is actually overseeing each consequential decision, not rubber-stamping. Be transparent with candidates that AI is involved in the process. Keep logs of how you use the system. Monitor for drift or discrimination in your specific use. Cooperate with the regulator if asked.
If you build AI features inside your own agency tools, the line moves. You become a provider, not just a deployer, and the heavier obligations apply. Most agencies are not in this category, but if you have a data team training your own matching models, you are. Know which side of the line you sit on for each system.
The fines, in numbers
Article 99 sets the ceiling for fines. For prohibited AI practices, up to €35 million or 7 percent of global annual turnover, whichever is higher. For breaches of the high-risk obligations, up to €15 million or 3 percent. For providing false or misleading information to a regulator, up to €7.5 million or 1 percent.
These are ceilings. Member states will set their own schedules within those bands. The 7 percent figure is what gets the headlines. For most agencies the cash ceilings will bite long before the percentage does. Even so, a €15 million ceiling for getting human oversight wrong is not a number you ignore.
The Act also includes a softer landing for small and medium businesses. For SMEs, the lower of the percentage or the absolute amount applies. Useful, but do not rely on the regulator going easy on you because you are small. Reputational damage from a public fine kills small agencies faster than the fine itself does.
Why this catches UK and Dubai agencies too
The Act has extraterritorial reach. If your AI system produces output that is used inside the EU, the regulation applies to you, regardless of where you are based. A London agency placing a candidate into a French client is caught. A Dubai agency sourcing for a German employer is caught. The fact that your office is outside the EU does not exempt you when EU citizens or EU-based hires are on the other end.
This is the same principle as GDPR, and we are running into the same misunderstanding I saw five years ago. Most non-EU agencies thought GDPR did not apply to them. It did. We covered it properly in the GDPR guide for recruitment agencies. The same logic now applies to the AI Act. If you process or output information about EU data subjects, EU law follows you.
For UK agencies specifically there is a second wrinkle. The UK has no AI Act of its own yet. The Information Commissioner is acting as if it does, and our UK guide covers that in detail. Combined effect: a UK agency placing into the EU has to comply with both the ICO's expectations at home and the EU AI Act for EU placements.
What I am telling our customers
The biggest mistake I see right now is panic. Agencies are reading the August 2026 headline and trying to be fully compliant by then. The Article 6(1) obligations that actually bite for recruitment do not apply until August 2027. You do not need to gut your tech stack this month.
The second mistake is treating this as something only IT or compliance has to think about. The Act puts real responsibility on the deployer, which means the people actually using the AI. Your consultants running searches, your senior recruiter reviewing shortlists, your client manager explaining why a candidate was rejected. They all need to know which tools are AI-driven and what the rules are. If your team cannot answer the question "which of our tools use AI to make decisions", that is a problem you fix this quarter.
The third mistake is assuming your vendor has it covered. Ask. We publish our position on the AI features inside Recruitly on the AI product page. If your current vendor has not given you a written statement on which of their features are classed as high-risk and where they sit on conformity assessment, that is a problem you should not be carrying for them.
What to do this quarter
Inventory your stack. Walk through every tool that touches a candidate. CV parser, sourcing tool, matching engine, interview scorer, outreach personaliser. Mark which use AI and which do not. You cannot comply with what you do not know you have.
Get vendor statements. For every AI tool on your inventory, ask the vendor in writing whether they consider it high-risk under Annex III, what their conformity assessment status is, and what they expect deployers to do. Keep the answers.
Add AI to your privacy notice. The Act will require disclosure. Tell candidates which steps in your process use AI, in plain English, in your privacy notice and your initial outreach. Most agencies will be forced to do this in 2027. Doing it in 2026 is free differentiation and trust-building.
Train your team. Everyone who uses an AI tool needs to know that a human must actually review consequential decisions. Not rubber-stamp. Actually look at the case before acting on the AI's recommendation. That is the human oversight obligation in practice.
Read the rest of the series for the picture outside the EU. The US is a state-by-state patchwork with very different rules in California, Colorado and New York. The full picture across every jurisdiction is in the parent guide.


