Employment & HR · Annex III §4

AI Act readiness for hiring teams and recruiters.

If your firm uses AI to screen CVs, rank candidates, target job ads, or evaluate staff, you're operating under Annex III §4 of the EU AI Act, and some hiring tools are prohibited outright. cosantio gives HR teams, internal recruiters, and agencies the workflow, artefacts, and named officer to be audit-defensible in time. Examples here are drawn from the Irish market we know best, but the obligations apply across the EU, with some country-specific variation.

Get the Hiring Scorecard →Book a 20-minute call

What governs AI in employment & HR

Four pieces of regulation. One workflow.

Hiring AI in Ireland and the EU is regulated by more than the AI Act. The four frameworks below overlap, and one of them bans certain tools outright. cosantio's Scorecard maps your firm against all four at once.

01From 2027

EU AI Act, Annex III §4

Source: Regulation (EU) 2024/1689

Classifies AI used for recruitment, selection, and workforce management as high-risk: targeting job ads, screening and ranking applicants, and decisions on promotion, termination, task allocation, or performance monitoring. Triggers obligations on data governance, human oversight, transparency, and record-keeping.

High-risk regime applies02 Dec 2027

02In force

Article 5 prohibited practices

Source: AI Act Art. 5 · since Feb 2025

Some hiring tools are banned, not merely high-risk. Inferring a candidate's emotions in an interview is prohibited under Article 5(1)(f), and the Commission's guidelines extend “workplace” to recruitment. This applies now and is not deferred to 2027.

StatusAlready binding

03In force

GDPR & automated decisions

Source: GDPR Art. 22 · DPC

Candidate and employee data is personal data. Article 22 restricts solely-automated decisions with legal or significant effect, and a DPIA is usually required. The Data Protection Commission supervises hiring analytics, profiling, and employee monitoring.

Supervised byDPC

04In force

Employment equality law

Source: Employment Equality Acts

A screening or ranking tool that produces discriminatory outcomes across gender, age, disability, race, or other protected grounds breaches equality law regardless of the AI Act. Enforced in Ireland by the WRC and IHREC, with the burden often on the employer to justify.

Enforced byWRC · IHREC

Who's in scope

Hiring teams, agencies, and vendors. Different obligations.

The AI Act treats your firm differently based on whether you develop the AI or use it. That distinction (provider vs deployer) shapes which Article 16 or Article 26 obligations apply, and building or fine-tuning a screening tool can pull you into both.

Typically Deployer

Internal hiring teams.

HR and hiring managers in SMEs using a third-party ATS, CV-screening, or scheduling tool. Acting as deployer under Article 26 means human oversight, transparency, logging, and the worker-information duty, even though you did not build the tool.

Key obligation

Human oversight and worker notice. Inform workers and their representatives before use, under Article 26(7).

Deployer, often Provider

Recruitment agencies.

Agencies screening, matching, or ranking candidates on behalf of clients. Build a screening model, or fine-tune a vendor's on your own candidate pool, and Article 25 can reclassify you as a provider with the full Article 16 obligation set.

Key obligation

Resolve the vendor-versus-provider question first, then classification, bias testing, and candidate transparency per role.

Provider

HR-tech vendors.

Firms that build the screening, matching, or performance-management AI that everyone else deploys. Full provider obligations apply: technical documentation, data governance, conformity assessment, and EU registration.

Key obligation

Annex IV technical dossier per system, plus the instructions and documentation your deployers need to comply.

Worker-notice duty. Before using a high-risk AI system at work, Article 26(7) requires employers to inform workers' representatives and the affected workers first. This is a deployer obligation that lands even when the tool is a third-party product you did not build. The Scorecard flags where it applies to your firm.

In-scope AI systems

The systems hiring teams actually run.

Real systems we see across Irish and EU employers and agencies. Classifications and obligations below are illustrative; your firm's classification depends on the specific use, not the product name.

System type

Typical use

Classification

Primary obligation

CV screening & candidate rankinge.g. ATS shortlisting, scoring

AI that filters applications, scores CVs, or ranks a shortlist for human review. The headline §4(a) use case.

High-risk

Art. 26(7)Inform workers, plus human oversight

Targeted job advertisinge.g. audience-targeted ad delivery

AI that decides which candidates see a job advert. Named explicitly in §4(a), and a route to unlawful indirect discrimination if the audience is skewed.

High-risk

Art. 50Transparency and bias controls

Performance & workforce managemente.g. monitoring, task allocation, evaluation

AI that monitors, evaluates, allocates tasks, or informs promotion and termination decisions. The §4(b) workforce-management use case.

High-risk

Art. 14Human oversight by a manager

Emotion & sentiment analysise.g. video-interview “cultural fit” scoring

AI that infers a candidate's emotions, confidence, or engagement from face, voice, or body language is prohibited in a hiring context, not merely high-risk.

Prohibited

Art. 5(1)(f)Banned since February 2025

HR chat & schedulinge.g. candidate FAQ bots, interview booking

Candidate-facing AI for FAQs, scheduling, and routing. Not a hiring decision, but an interaction that must be disclosed.

Limited-risk

Art. 50Disclosure of AI use

Sample hiring dossier

What an audit-defensible hiring file looks like.

Excerpt from a sample Annex IV technical dossier for a candidate-screening engine. Every finding cites firm-specific evidence; every gap names an owner and a date.

Technical Report · Annex IV (EU) 2024/1689

EU AI Act Conformity · Candidate Screening

Provider: Sample Recruitment LtdSector: Employment & HR · Recruitment agency

CSC-2026-0419Issued 13 May 2026

System

TalentRank (v3.2)

Intended purpose

CV screening and candidate ranking for SME hiring

Hardware

AWS EC2 · EU-west-1

Oversight

Recruiter in the loop · mandatory human review before any rejection

01Risk ManagementArt. 9 · 3 questions

Is there a documented risk management system covering the full lifecycle?

Compliant

Cited evidence

Risk Management Framework v2.4 (Q1 2026) covers design, deployment, and post-market phases. Reviewed quarterly by the Risk Committee, chaired by the COO.

Is there a process for post-market risk monitoring?

Action required

Remediation plan

By end of Q3 2026, stand up a monthly fairness and drift monitor on shortlist outcomes with alerting to the Compliance Officer. Owner: A. Murphy (Head of People). Reviewed against the Employment Equality Acts.

03Data & Data GovernanceArt. 10 · 4 questions

Are training and input datasets tested for bias across protected groups?

Compliant

Cited evidence

Quarterly disparate-impact testing on shortlist rates by gender, age, disability, and ethnicity. Reviewed by the People & Risk Committee; last run Q1 2026 with no material disparity flagged.

Is data provenance documented for every feature in the model?

Action required

Remediation plan

By end of Q2 2026, complete the feature-lineage register for all model inputs, removing any proxies for protected characteristics and flagging social-media-derived features for an Article 5 social-scoring review. Owner: D. Byrne (Data Lead).

+ 9 more pillars in the full platform dossier · 25 questions across Annex IV

What you'll get

Start with the Scorecard. Go deeper in a demo.

The Scorecard is the same eight questions for every sector, but the result is sector-specific. Hiring teams get §4 classification, a prohibited-practice check, and the Article 26(7) worker-notice obligations layered on top of the core readiness assessment.

Recommended start

Fast Scorecard.

Free · 3 minutes · no login

Eight plain-English questions. A regulator-grade PDF that scores your firm against every AI Act obligation in scope, with hiring-specific framing throughout.

Classification under §4, with a prohibited-practice flag
The Article 25 vendor-versus-provider check
Status on Article 4, 5, 50, and 26(7) obligations
Prioritised action plan with weeks-to-readiness estimate

~3 min · PDF in 5Start the Scorecard →

Deep dossier

Deep Dossier.

Demo · 20 minutes · with our team

The full Annex IV workflow inside the platform: 25 questions across 11 pillars per AI system, producing a regulator-grade technical dossier for an auditor, a client, or your board. Book a demo to walk through a sample and the hiring-specific features.

Annex IV-shaped technical dossier per system
Cited evidence and remediation plans per finding
Sample candidate-screening pillar map (TalentRank reference)
Signed cover sheet for board and regulator use

~20 min · live walkthroughBook a demo →

Common questions

Things hiring teams ask us first.

Yes. The AI Act applies to anyone who uses a high-risk AI system in EU scope. An employer or agency running CV screening, candidate ranking, or performance-management AI is a deployer under Article 26, and the use sits in Annex III §4.

The vendor handles the system's design and documentation, but deployer duties stay with you: human oversight, logging, transparency, and the Article 26(7) duty to inform workers and their representatives before you use it.

Usually not, if you are a private employer. The Article 27 FRIA obligation falls on public bodies, private firms providing a public service, and deployers of credit-scoring and insurance-pricing systems. A standard private employer or agency using recruitment AI is generally outside it.

Your duties are the Article 26 deployer set: human oversight, logging, transparency, and informing workers under Article 26(7). A GDPR data protection impact assessment is usually required separately, and a public employment service would also need the FRIA.

Getting this boundary right matters. Over-scoping wastes effort; under-scoping leaves a gap. The Scorecard places your firm correctly.

It depends on what the tool actually does, and the dividing line is emotion. A video interview is not banned in itself; inferring a candidate's emotional state is.

On the prohibited side: Article 5(1)(f) bans AI that infers a person's emotions in the workplace, and the Commission's guidelines extend “workplace” to recruitment. A tool that scores “confidence”, “enthusiasm”, or “cultural fit” from facial expression, voice tone, or body language is caught, and has been banned since February 2025, not deferred to 2027.

On the compliant side: a tool that records and transcribes answers, or scores responses against role-relevant competencies, without inferring emotional or affective state, is permitted. It is still high-risk under §4 as candidate evaluation, so it needs human oversight, candidate transparency, and bias testing, but it is lawful. The Scorecard helps you work out which side of that line a given tool sits on.

The standalone high-risk regime applies from 2 December 2027 under the Digital Omnibus VII agreement reached in May 2026. That agreement is provisional, pending formal adoption and publication, expected before August 2026. For high-risk AI embedded in regulated products, the deadline extends to 2 August 2028.

Several obligations are already in force: Article 4 (AI literacy) and Article 5 (prohibited practices) since February 2025, plus the penalty regime. Article 50 transparency obligations apply from 2 August 2026. The 2027 date is when you need to be audit-defensible on Annex IV; none of the in-force obligations are deferred.

Eighteen months sounds like a lot. For a firm building its first technical dossier, it isn't.

Employment & HR · §4

Find out where your hiring stands.

Eight questions. Three minutes. A regulator-grade PDF with §4 classification, a prohibited-practice check, and a prioritised action plan for your firm.

Get the Hiring Scorecard →Or book a 20-minute call