Everything HR needs to know about the EU AI Act

Everything HR needs to know about the EU AI Act with James Cranwell

The EU AI Act introduces the first comprehensive legal framework for artificial intelligence (AI).

While it applies across industries, HR teams are directly affected because many common tools are involved in decisions about people, such as hiring, promotion, performance and workforce management, and many of those decisions will be handled by tools classed as ‘high risk’ under the EU AI Act.

Worryingly, many HR and L&D teams don’t know much, if anything, about the EU AI Act, meaning they could be falling foul of the new regulations.

If you’re new to the EU AI Act or want to make sure you’re handling it correctly, we’ve put together a practical FAQ guide to what HR and L&D leaders actually need to know.

 

What is the EU AI Act in simple terms?

The EU AI Act is a risk-based law that regulates artificial intelligence depending on the level of risk it poses to people.

It groups AI systems into four categories:

  • Unacceptable risk (banned use cases)
    This includes social scoring systems, malicious deepfake content and manipulative or deceptive AI.
  • High risk (strict compliance requirements)
    This includes CV screening tools, candidate ranking systems, promotion recommendations and employee monitoring systems.
  • Limited risk (mainly transparency rules)
    This includes AI agents in HR portals, AI coaches and learning assistants, internal AI search tools, meeting transcription tools and personal development tools.
  • Minimal risk (light regulation)
    This includes spam filters, writing assistants, basic automation tools and non-work systems, such as video game AI.

The higher the risk, the more obligations organisations must meet.

 

Who does the EU AI Act apply to, and does it include UK businesses?

Yes – despite the fact the UK is no longer part of the EU, the EU AI Act applies to UK businesses.

The EU AI Act applies to:

  • Organisations based in the EU
  • Organisations outside the EU if their AI systems are used in the EU market or affect people in the EU

This means UK businesses are in scope if they:

  • Provide AI tools or services into the EU
  • Use AI systems that impact EU-based employees, candidates or customers

It has a similar extraterritorial reach to GDPR.

For instance, even though 5app is based in the UK, the EU AI Act still applies to our AI solutions.


 

Which HR tools are considered ‘high risk’ under the Act?

HR is one of the most heavily affected areas of the legislation. Even though ‘high risk’ sounds alarming, the classification is more focused on the obligations of AI vendors and the organisations using their tools to mitigate any potential risks.

AI systems are considered high risk if they are used for things like:

  • CV screening and candidate filtering
  • Recruitment and hiring decisions
  • Candidate scoring or ranking
  • Promotion or performance assessment
  • Monitoring or evaluating employees
  • Decisions that influence employment conditions

In simple terms: according to Annex III of the EU AI Act, if AI influences a decision about someone’s job or career, it is likely high risk.

 

What does 'high-risk AI compliance' actually involve?

If an HR system is classified as high risk, organisations must be able to demonstrate:

  • A structured risk management process
  • Data governance and bias controls
  • Technical documentation of how the system works
  • Logging and traceability of outputs
  • Human oversight of decision-making
  • Security, accuracy and robustness testing

The intention is that AI-driven decisions about people can be explained, audited and challenged.

 

What does 'meaningful human oversight' mean?

Meaningful human oversight isn’t just a formality. It means the human involved in the decision:

  • Understands how the AI output was generated
  • Has enough context to question it
  • Has authority to override it
  • Is not simply accepting the recommendation by default

The goal is to avoid automation bias, where people trust AI outputs without critical thinking.

For instance, it’s not enough for an administrator to accept an AI hiring platform’s candidate recommendations without reading or understanding them. A real human with the right knowledge, authority and competence must properly review the recommendations to ensure they are fit for purpose.

In HR terms, AI should support decisions with useful information and data, not replace human judgement.

 

Are all HR AI tools considered high risk?

No — this is a common misconception.

Many HR AI tools fall into the limited-risk category, which focuses mainly on transparency.

These often include:

  • AI agents for HR queries
  • AI coaching or learning tools
  • Meeting transcription and summarisation tools
  • General productivity assistants

The key requirement in the limited-risk category is that users must know they are interacting with AI.

When used as intended, 5app’s AI solutions VeeCoach, VeeCreate and Helix fall into the limited-risk category, as they don’t make recommendations that would affect a human user. For instance, while Helix monitors workplace behaviours, it is used as a personal development tool rather than, for example, recommending an employee for a promotion or making disciplinary decisions.

 

What transparency obligations do HR teams have?

If AI is used in HR processes, organisations must ensure employees and candidates understand:

  • When AI is being used
  • What data is being processed
  • How outputs are generated
  • Whether those outputs influence decisions

This applies even when historical or legacy employee data is analysed by AI systems. Transparency is a core legal requirement according to the EU AI Act, not a best practice.

 

Are HR teams or AI vendors responsible for compliance?

Responsibility is shared.

  • Vendors must design and supply compliant AI systems
  • Employers (HR teams) must ensure correct use, oversight and governance

HR teams can’t and shouldn’t rely solely on vendor assurances. Organisations should carry out due diligence to ensure they understand the risk level of their AI tools so that end users can make informed decisions about whether or how they use these tools.

Even if a tool is compliant by design, organisations remain responsible for how it is deployed in real-world decisions. For instance, for our own AI platforms like Helix, we ensure that customers are provided with the right information and training to use it responsibly and as it’s intended to be used. We are also very clear where AI is used and how it’s used across our products.

 

What should HR teams do first if they don’t have an AI compliance programme?

The most important first step for HR teams looking to adhere to the EU AI Act is to build an AI inventory, covering:

  • What AI tools are being used?
  • Where are they used in HR processes?
  • Do they influence decisions or just support tasks?
  • What risk category might they fall into?

From there, organisations can build governance, oversight and documentation where it matters most.

You don’t need a complex framework on day one, but you do need clarity.

 

When does the EU AI Act come into force?

The Act is already law, but it’s being introduced in phases:

  • August 2024 – Entered into force
  • February 2025 – Ban on certain AI uses + AI literacy requirements
  • August 2025 – Rules for general-purpose AI begin
  • From 2026 onwards – Additional obligations for high-risk systems apply (including most HR use cases)

Some areas may transition further into 2027–2028 depending on system type and implementation pathway. The European Commission AI policy overview is a good place to start for the most up-to-date timelines.

 

What is the key takeaway for HR leaders?

The EU AI Act isn’t about stopping AI adoption in HR, and it shouldn’t put off HR and L&D teams looking to use AI as part of their processes and strategies.

Instead, it’s about ensuring that when AI influences ‘people decisions’, organisations:

  • Understand how the system works
  • Maintain human accountability
  • Ensure transparency for employees and candidates
  • Can evidence governance and oversight

The organisations that succeed will not necessarily be those using the most AI, but those using it most responsibly.

 


Want to discuss the EU AI Act further?

James would love to talk to you. Book time with our Head of Product to talk through the EU AI Act and how it might affect your existing HR and learning technologies.


 
