Updated 19 May 2026 · The Digital Omnibus AI Act provisional political agreement (7 May 2026) would move Annex III high-risk obligations (including §4 employment) from 2 August 2026 to 2 December 2027. Status as of 28 May 2026: provisional agreement, not yet formally adopted (Council/Parliament endorsement, legal-linguistic revision and Official Journal publication still pending). Distinct: the Article 5(1)(f) prohibition (emotion recognition in the workplace) is already in force since 2 February 2025. On 19 May 2026 the Commission published its Draft Guidelines on Article 6 (consultation open until 23 June 2026), interpreting recruitment broadly and treating profiling-based targeted ads as high-risk.
AI Act pre-conformity · HR sector (Annex III §4)
Employment AI under the EU AI Act
Annex III §4, and what it means for HR directors and CHROs of European employers.
AI used in hiring, screening, performance evaluation, or termination triggers Annex III §4. Most HR deployers do not know they are deployers; Annex A §0.2 calls this the recognition gap. The Digital Omnibus (adopted 29 June 2026, EP 16 June) moves Annex III §4 obligations from 2 August 2026 to 2 December 2027 (Official Journal publication imminent). The deployer cascade is structural: Article 26 §1–§12, GDPR Article 35 DPIA (Art. 26 §9), Article 25(1)(b) reverse-bascule check, and the Article 5(1)(f) prohibited-practice gate already in force since 2 February 2025. Article 27 FRIA is NOT triggered for a private-sector HR deployer (§4 is not listed in Article 27); it binds only public-law bodies and private entities providing public services.
- · Independent; not affiliated with any provider, regulator, or notified body
- · Article-by-article: Art. 5(1)(f) prohibited-practice gate + Annex III §4 + Article 26 §1–§12 + Article 25 reverse-bascule + Article 49
- · Two clocks: Art. 5(1)(f) emotion-recognition prohibition already in force (2 February 2025); Annex III §4 high-risk obligations under the Digital Omnibus (adopted 29 June 2026, 2 December 2027)
Definition
Annex III §4 of the EU AI Act classifies as high-risk AI systems used in employment, workers' management, and access to self-employment. Two activity buckets: (a) recruitment and selection (targeted job ads, CV screening, candidate ranking, and sourcing tools); (b) decisions affecting employment relationships (promotion, termination, task allocation, performance monitoring). The Draft Commission Guidelines on Article 6 (19 May 2026, consultation open to 23 June 2026) interpret recruitment broadly, covering the identification and attraction of potential applicants, and treat profiling-based targeted job ads as high-risk. Distinct and earlier: Article 5(1)(f) prohibits AI inferring emotions in the workplace (recruitment included), in force since 2 February 2025. The Annex III §4 high-risk obligations sit under the Digital Omnibus, adopted by the Council on 29 June 2026 (EP 16 June), setting 2 December 2027 (Official Journal publication imminent).
Classification
When HR AI puts you in Annex III §4
Annex III §4 covers AI systems intended to be used in employment, workers' management, and access to self-employment. Two activity buckets: (a) recruitment and selection (placing targeted job ads, analysing and filtering applications, evaluating candidates); (b) decisions affecting employment relationships (terms of work, promotion, termination, allocation of tasks, monitoring/evaluating performance). If you operate one of these systems on EU-based workers or candidates, even procured from a US vendor, you are an Annex III §4 deployer. Recruitment is interpreted broadly (Draft Commission Guidelines on Article 6, 19 May 2026, in consultation): it commences already with the identification and attraction of potential applicants, covering early-stage prospection activities, sourcing tools, candidate ranking in CV databases, and any tool whose output meaningfully influences who reaches the application stage.
Test: does AI rank, screen, evaluate, or recommend any decision about a person's employment? If yes: Annex III §4 applies, and the deployer cascade activates regardless of vendor location.
| Activity | Annex III §4 | Art. 27 FRIA (private deployer) |
|---|---|---|
| AI-assisted CV screening / candidate ranking | Yes | Not triggered (§4 not in Art. 27) |
| AI-driven performance evaluation / monitoring | Yes | Not triggered |
| AI in promotion / termination recommendations | Yes | Not triggered |
| Targeted job ad placement (profiling-based) | Yes: §4(a) · always high-risk, no exception when profiling | Not triggered |
| Platform deactivation / account suspension (gig / freelance platforms) | Yes: §4(b) · treated as termination | Not triggered |
| Task allocation by behavioural indicators (acceptance rate, response time, customer ratings) | Yes: §4(b) | Not triggered |
| Task allocation by objective external criteria (geographic proximity, accreditation, availability) | Out of scope: §4(b) | — |
| Generic HR chatbot (no employment decision influence) | No: Art. 50 instead | No |
Source: Reg. 2024/1689 Annex III §4 + Article 27(1) + Draft Commission Guidelines on Article 6 (19 May 2026, consultation open to 23 June 2026). FRIA (Art. 27) binds only public-law bodies, private entities providing public services, and deployers of Annex III §5(b)/(c); a private-sector HR deployer under §4 performs a GDPR Article 35 DPIA, not a FRIA.
Timeline
The HR deadline is 2 December 2027, not 2 August 2026
Most companies in the AI ecosystem focus on 2 August 2026 (Article 50 transparency). For HR deployers under Annex III §4, the Digital Omnibus (adopted 29 June 2026, EP 16 June) sets 2 December 2027 for the high-risk obligations, postponed from the original 2 August 2026. Official Journal publication is imminent (see status note below for the pre-adoption timeline). Earlier and already in force: the Article 5(1)(f) emotion-recognition prohibition (2 February 2025).
Employment is covered by the postponement. The agreed target for Annex III §4 high-risk obligations is 2 December 2027. That is meaningful runway to produce a defensible position before the obligations apply, but the prohibited-practice gate (Art. 5(1)(f), emotion recognition) is not postponed and binds now. Plan accordingly: works-council information (Art. 26 §7) and DPIA timelines take quarters, not weeks.
Status note (28 May 2026): the Digital Omnibus is a provisional political agreement, not yet formally adopted. It still requires Council and Parliament endorsement, legal-linguistic revision, and publication in the Official Journal before it binds. The 2 December 2027 date is the agreed target, not yet law. Plan on the substance, track the adoption.
Sources: Reg. 2024/1689 Annex III §4 · Council/Parliament press release (7 May 2026) · Annex A v1.0 §4 (May 2026, Sprinkling Act).
Four deltas
Four obligations specific to HR deployers
GDPR Article 22, national employment law, and existing HR governance frame the broader compliance posture. But none of them produces an Article 26 paragraph map. These deltas need to be added to the existing risk framework.
Delta 1 · Article 26 §7 worker information (pre-deployment)
§7 requires deployers to inform workers' representatives and workers concerned BEFORE putting an Annex III system into service. This is information, not consultation; but it is binding and requires a documented disclosure trail. In DACH, the works council (Betriebsrat) trigger sharpens with KI-MIG codification.
Delta 2 · Article 26 §11 individual notification (post-decision)
§11 requires deployers to inform a natural person subject to an Annex III decision that they are subject to such a decision. The HR-specific case (Annex A §4.4): a candidate or employee receiving an AI-screened outcome must be informed. Most HR pipelines today do not produce that disclosure automatically.
Delta 3 · GDPR Article 35 DPIA (not Article 27 FRIA) + the works-council discovery trigger
A private-sector HR deployer under §4 is NOT subject to the Article 27 FRIA: Art. 27(1) lists only public-law bodies, private entities providing public services, and deployers of Annex III §5(b)/(c). What does apply is the GDPR Article 35 DPIA, fed by the provider notice (Art. 26 §9). The works-council request is the discovery moment, not a FRIA trigger: when an employee, candidate, or representative asks in writing for the legal basis, the deployer must answer from its Art. 26 evidence trail. Selling a mandatory FRIA to a private HR deployer is a classification error.
Delta 4 · Article 25(1)(b) reverse-bascule (fine-tuning trap)
Employers that fine-tune a vendor screening model on their own historical hiring data may be reclassified as providers under Article 25(1)(b), inheriting the heavier Articles 16–22 regime. The boundary check is contractual, not technical: performed at the moment a fine-tuning option is contractually accepted.
Sources: Reg. 2024/1689 Articles 25–27 · GDPR Reg. (EU) 2016/679 Art. 22 · Annex A v1.0 §4 (Sprinkling Act, May 2026) · KI-MIG (DACH works-council codification).
Our scope
What our assessment covers for HR AI
The Sprinkling Act report for an HR AI system covers the six gates of the standardised methodology, with the HR specificity layered in.
- •G1 · Art. 5 · Are any of the 8 prohibited practices triggered? (emotion recognition workplace exception is checked)
- •G2 · Art. 6(1) · Is the AI system a safety component of an EU-regulated product? (rare for HR)
- •G3 · Art. 6(2) + Annex III §4 · Employment AI classification · core gate for HR
- •G4 · Art. 50 · Does an end user interact with the AI without knowing? (chatbot disclosure to candidates)
- •G5 · Art. 51/53 · Does the system use or distribute a general-purpose AI model?
- •G6 · Art. 6(3) · Can the “no significant risk” exception apply? (rare for §4)
HR specificity:
- ·Article 5(1)(f) emotion-recognition prohibition check FIRST (workplace + recruitment, medical/safety carve-out, in force 2 February 2025)
- ·Annex III §4(a)/§4(b) determination (recruitment vs employment-relationship)
- ·Article 26 §1–§12 paragraph subset map (HR-specific active subset: §2 + §5 + §6 + §7 + §11)
- ·Article 27 FRIA scope memo (for a private §4 deployer: FRIA not triggered, GDPR Art. 35 DPIA instead; FRIA only if public-sector / public-service)
- ·Article 25(1)(b) reverse-bascule check on fine-tuning contracts
- ·GDPR Art. 22 × AI Act Article 26 §11 dual-regime mapping
- ·Timeline orientation (Art. 5 already in force; Annex III §4 high-risk under the Digital Omnibus (adopted 29 June 2026), 2 December 2027)
Out of scope (explicit):
- ×National employment law dispute resolution (handled by qualified labour counsel)
- ×Works-council negotiation strategy (consultative, not regulatory)
- ×DPIA full preparation under GDPR Article 35 (separate engagement)
Integration
How this fits with GDPR, national employment law, and works-council practice
GDPR Article 22 covers automated decision-making rights; AI Act Article 26 §11 specifies the post-decision information obligation. They interlock; failure to integrate creates dual-regime exposure. National employment law frames the consultation-vs-information boundary for works councils. The AI Act Article 26 §7 specifies pre-deployment information of workers, which complements (does not replace) national consultation regimes.
Concretely: a private HR deployer ends up with four documents (GDPR Article 22 record, national employment law consultation trail, AI Act Article 26 paragraph map, GDPR Article 35 DPIA). The Sprinkling Act report produces the third document and feeds the DPIA. The others are produced by your existing HR/legal frameworks. A FRIA (Article 27) is added only if the deployer is a public-law body or a private entity providing public services.
Sources: GDPR Reg. (EU) 2016/679 · Reg. 2024/1689 Articles 26–27 · National employment law (varies) · Annex A v1.0 §4.6 reverse-bascule worked example.
FAQ
About HR AI under the EU AI Act
What is Annex III §4 of the EU AI Act?
Annex III §4 classifies as high-risk AI systems used in employment, workers' management, and access to self-employment. It covers two activity buckets: (a) recruitment and selection (targeted job ads, CV screening, candidate evaluation); (b) decisions affecting employment relationships (terms of work, promotion, termination, task allocation, performance monitoring).
Are targeted job ads automatically high-risk?
When they rely on profiling. The Draft Commission Guidelines on Article 6 (19 May 2026) treat profiling-based targeted job advertisements as high-risk under Annex III §4(a): the Article 6(3) exception is unavailable once the system profiles natural persons. Generic employer-branding ads without specific vacancy targeting fall outside scope. Note: the draft guidelines are in consultation until 23 June 2026 and are not legally binding; the authoritative interpretation remains the Court of Justice.
Does platform deactivation trigger AI Act obligations?
On the prevailing reading, yes. Platform deactivation or account suspension on gig and freelance platforms is treated as equivalent to termination of the work relationship, falling within Annex III §4(b), regardless of formal contractual status (employee or self-employed). This interpretation is being clarified through the Draft Commission Guidelines on Article 6 (consultation open until 23 June 2026).
Is FRIA Article 27 mandatory for HR deployers?
Not for a private-sector HR deployer. Article 27(1) lists only three obligated categories: bodies governed by public law, private entities providing public services, and deployers of Annex III §5(b)/(c) (creditworthiness, life/health insurance). Employment §4 is not listed. So a private employer using §4 recruitment or workforce AI performs a GDPR Article 35 DPIA, not an Article 27 FRIA. A public-sector employer or a private entity providing a public service does fall under Article 27.
Apply it to your own position
The 9-question diagnostic identifies whether you trigger the Art. 5(1)(f) emotion-recognition prohibition, Annex III §4 high-risk classification, or Article 25 reverse-bascule as an HR deployer. 60 seconds. Zero data collected.
This page is informational. It does not constitute legal advice, regulatory determination, or a conformity assessment under Article 43 AIA. Specific classifications for any specific HR deployer require a tailored screening. Organisations recognising themselves in the Annex III §4 description should consult qualified labour counsel and engage works-council representatives where applicable before making compliance decisions.
SEE ALSO
Annex A — The Deployer Multiplier
Three downstream segments where the AI Act cascade becomes visible. HRTech covered in §4.
Free Diagnostic
9-question assessment: HR-specific gates flagged.
Sprinkling Act Methodology
The 6-gate framework behind the assessment.
Pricing
Free assessment. €690 full report. No subscription.