Updated 7 May 2026 · The Digital Omnibus AI Act trilogue agreement of 7 May 2026 postpones Annex III high-risk obligations (employment §4 explicitly enumerated by EP) from 2 August 2026 to 2 December 2027. Employment was explicitly listed in the postponement. 18 months of regulatory runway to produce a defensible position before binding obligations apply.
Sector — HRTech / Employment
Employment AI under the EU AI Act
Annex III §4 — and what it means for HR directors and CHROs of European employers.
AI used in hiring, screening, performance evaluation, or termination triggers Annex III §4. Most HR deployers do not know they are deployers — Annex A §0.2 calls this the recognition gap. Post-Digital Omnibus (trilogue agreement 7 May 2026), Annex III §4 obligations bind on 2 December 2027 — 18 months of regulatory runway. The cascade is structural: Article 26 §1–§12, Article 27 FRIA (conditional on works-council activation), Article 25(1)(b) reverse-bascule check, and Article 49 EU database registration.
- · Independent — not affiliated with any provider, regulator, or notified body
- · Article-by-article: Annex III §4 + Article 26 §1–§12 + Article 27 FRIA + Article 25 reverse-bascule + Article 49
- · 18-month runway: 2 December 2027 — confirmed post-Omnibus, not arbitrable
Classification
When HR AI puts you in Annex III §4
Annex III §4 covers AI systems intended to be used in employment, workers' management, and access to self-employment. Two activity buckets: (a) recruitment and selection (placing targeted job ads, analysing and filtering applications, evaluating candidates); (b) decisions affecting employment relationships (terms of work, promotion, termination, allocation of tasks, monitoring/evaluating performance). If you operate one of these systems on EU-based workers or candidates — even procured from a US vendor — you are an Annex III §4 deployer.
Test: does AI rank, screen, evaluate, or recommend any decision about a person's employment? If yes — Annex III §4 applies, and the deployer cascade activates regardless of vendor location.
| Activity | Annex III §4 | Article 27 FRIA |
|---|---|---|
| AI-assisted CV screening / candidate ranking | Yes | Conditional (works-council activation) |
| AI-driven performance evaluation / monitoring | Yes | Conditional |
| AI in promotion / termination recommendations | Yes | Conditional |
| Targeted job ad placement (algorithmic distribution) | Yes — §4(a) | Conditional |
| Generic HR chatbot (no employment decision influence) | No — Art. 50 instead | No |
Source: Reg. 2024/1689 Annex III §4 · Annex A §4 (May 2026) · MDCG-equivalent guidance pending from EU AI Office.
Timeline
The HR deadline is 2 December 2027 — not 2 August 2026
Most companies in the AI ecosystem focus on 2 August 2026 (Article 50 transparency). For HR deployers under Annex III §4, the binding deadline post-Digital Omnibus (trilogue agreement 7 May 2026) is 2 December 2027 — high-risk obligations on Annex III high-risk use cases postponed by 16 months from the original 2 August 2026.
Employment was explicitly listed in the postponement. Annex III §4 binds 2 December 2027. 18 months of regulatory runway to produce a defensible position before binding obligations apply. Plan accordingly: works-council consultation timelines, fundamental rights impact assessments, and Article 26 §7 worker information cascades take quarters, not weeks.
Note on certainty: 10 EU Member States (AT, DK, NL, SK, SI, ES, GR, PT, RO, LV) formed a blocking minority against further deregulation. The 2 December 2027 deadline is durable. Vente sur certitude, pas sur arbitrage.
Sources: Reg. 2024/1689 Annex III §4 · Council/Parliament press release (7 May 2026) · Annex A v1.0 §4 (May 2026, Sprinkling Act).
Four deltas
Four obligations specific to HR deployers
GDPR Article 22, national employment law, and existing HR governance frame the broader compliance posture. But none of them produces an Article 26 paragraph map. These deltas need to be added to the existing risk framework.
Delta 1 — Article 26 §7 worker information (pre-deployment)
§7 requires deployers to inform workers' representatives and workers concerned BEFORE putting an Annex III system into service. This is information, not consultation — but it is binding and requires a documented disclosure trail. In DACH, the works council (Betriebsrat) trigger sharpens with KI-MIG codification.
Delta 2 — Article 26 §11 individual notification (post-decision)
§11 requires deployers to inform a natural person subject to an Annex III decision that they are subject to such a decision. The HR-specific case (Annex A §4.4): a candidate or employee receiving an AI-screened outcome must be informed. Most HR pipelines today do not produce that disclosure automatically.
Delta 3 — Article 27 FRIA conditional on works-council activation
Unlike banking (FRIA automatic by activity) or healthcare (FRIA does not apply), HR FRIA is conditional on works-council activation. Once the council formally requests it under EU/national law, the FRIA scope and timeline activate. Plan as if FRIA is reachable, not as if it is automatic.
Delta 4 — Article 25(1)(b) reverse-bascule (fine-tuning trap)
Employers that fine-tune a vendor screening model on their own historical hiring data may be reclassified as providers under Article 25(1)(b), inheriting the heavier Articles 16–22 regime. The boundary check is contractual, not technical: performed at the moment a fine-tuning option is contractually accepted.
Sources: Reg. 2024/1689 Articles 25–27 · GDPR Reg. (EU) 2016/679 Art. 22 · Annex A v1.0 §4 (Sprinkling Act, May 2026) · KI-MIG (DACH works-council codification).
Our scope
What our assessment covers for HR AI
The Sprinkling Act report for an HR AI system covers the six gates of the standardised methodology, with the HR specificity layered in.
- →G1 — Art. 5 — Are any of the 8 prohibited practices triggered? (emotion recognition workplace exception is checked)
- →G2 — Art. 6(1) — Is the AI system a safety component of an EU-regulated product? (rare for HR)
- →G3 — Art. 6(2) + Annex III §4 — Employment AI classification — core gate for HR
- →G4 — Art. 50 — Does an end user interact with the AI without knowing? (chatbot disclosure to candidates)
- →G5 — Art. 51/53 — Does the system use or distribute a general-purpose AI model?
- →G6 — Art. 6(3) — Can the “no significant risk” exception apply? (rare for §4)
HR specificity:
- ·Annex III §4(a)/§4(b) determination (recruitment vs employment-relationship)
- ·Article 26 §1–§12 paragraph subset map (HR-specific active subset: §2 + §5 + §6 + §7 + §11)
- ·Article 27 FRIA scope memo (conditional on works-council activation pathway)
- ·Article 25(1)(b) reverse-bascule check on fine-tuning contracts
- ·Article 5(1)(f) emotion recognition workplace check (medical/safety carve-out)
- ·GDPR Art. 22 × AI Act Article 26 §11 dual-regime mapping
- ·Timeline orientation (2 December 2027 post-Digital Omnibus)
Out of scope (explicit):
- ×National employment law dispute resolution (handled by qualified labour counsel)
- ×Works-council negotiation strategy (consultative, not regulatory)
- ×DPIA full preparation under GDPR Article 35 (separate engagement)
Integration
How this fits with GDPR, national employment law, and works-council practice
GDPR Article 22 covers automated decision-making rights; AI Act Article 26 §11 specifies the post-decision information obligation. They interlock — failure to integrate creates dual-regime exposure. National employment law frames the consultation-vs-information boundary for works councils. The AI Act Article 26 §7 specifies pre-deployment information of workers, which complements (does not replace) national consultation regimes.
Concretely: the HR deployer ends up with four documents (GDPR Article 22 record, national employment law consultation trail, AI Act Article 26 paragraph map, FRIA scope memo when activated). The Sprinkling Act report produces the third document. The other three are produced by your existing HR/legal frameworks.
Sources: GDPR Reg. (EU) 2016/679 · Reg. 2024/1689 Articles 26–27 · National employment law (varies) · Annex A v1.0 §4.6 reverse-bascule worked example.
Apply it to your own position
The 9-question diagnostic identifies whether you trigger Annex III §4, the conditional Article 27 FRIA, or Article 25 reverse-bascule as an HR deployer. 60 seconds. Zero data collected.
This page is informational. It does not constitute legal advice, regulatory determination, or a conformity assessment under Article 43 AIA. Specific classifications for any specific HR deployer require a tailored screening. Organisations recognising themselves in the Annex III §4 description should consult qualified labour counsel and engage works-council representatives where applicable before making compliance decisions.
SEE ALSO
Annex A — The Deployer Multiplier
Three downstream segments where the AI Act cascade becomes visible. HRTech covered in §4.
Free Diagnostic
9-question assessment — HR-specific gates flagged.
Sprinkling Act Methodology
The 6-gate framework behind the assessment.
Pricing
Free assessment. €690 full report. No subscription.