In-depth look into High-Risk Annex III classifications and compliance parameters.
The August 2026 enforcement deadline
By 2 August 2026, all High-Risk AI systems deployed inside EU territory must satisfy the obligations of Articles 8–15 of the EU AI Act. Annex III explicitly lists employment, workers management and access to self-employment — meaning HR scoring engines, CV filters, video-interview analytics and automated promotion recommenders all fall under the strictest tier of compliance.
What "High-Risk" actually triggers
Risk classification is not a label — it activates a chain of operational duties: a written risk-management system (Art. 9), training-data governance (Art. 10), technical documentation (Art. 11), automatic event logging (Art. 12), human oversight design (Art. 14), and accuracy/robustness/cybersecurity testing (Art. 15). Failure to evidence each is a deficiency, not a warning.
The recruitment vendor reality
Most enterprise recruitment SaaS products today (Greenhouse, SmartRecruiters, Workday, HireVue) embed scoring models without granular human-oversight hooks. CTOs assume the vendor is the provider; legally, if you fine-tune, prompt-engineer or deploy at scale, you become a deployer with parallel obligations under Article 26.
Compliance parameters to audit before August
We recommend a pre-flight inventory: catalogue every model touching candidate data, map decision points to Annex III categories, isolate any system performing ranking or filtering, and demand model cards plus DPIA-equivalent documentation from each vendor. Where docs are absent, treat the system as non-compliant by default.
Getul fast-track
Our compliance operators run a 5-day diagnostic against an enterprise HR stack. The artefacts produced are a risk register, a deployer obligation matrix, and a remediation roadmap aligned to the August deadline.