Does the AI Act apply to our 8-person startup?

Yes. No SME exemption for high-risk recruiting KI. Obligations are proportional - bias assessment with 50 applications per role is different stat power than 50,000. Do your homework proportional to size, document honestly what you did.

We use KI only for mail drafts - are we affected?

Mail drafts aren't 'selection of persons' under the AI Act. As long as KI doesn't decide stage transitions / rejections / invitations, it's not high-risk. Still, we recommend transparency - candidates should know KI templates are used.

What happens if we ignore the obligations?

Three consequence tiers. One - fines from the national supervisor (Germany: BNetzA + BfDI per aspect) up to €35M or 7% of annual turnover. Two - discrimination claims with eased burden of proof (AGG risk). Three - operational orders that forcibly change tool setup - usually more expensive than proactive compliance.

Does KI BMS do all this automatically?

Four of eight points yes: audit log, override by default, transparency in form default, per-application reasoning. Four are your homework: inventory, bias monitoring (we provide score distribution in reports, you analyse), per-role documentation, training. We can't do the homework but we make it as easy as possible.

KI BMS

Pricing

Guides

AI Act 2026 for recruiting - high-risk checklist for German HR teams

From August 2026 the high-risk duties of the EU AI Act apply to recruiting too. Here's what that concretely means, what to do now, and what can wait until 2027.

AI Act

Compliance

Guide

Finn GlasCo-Founder + Engineering

·February 11, 2026·

4 min read

Key takeaways

AI Act in force since August 2024, high-risk obligations from August 2 2026.

Recruiting KI is explicitly high-risk (Annex III, 4(a)).

Obligations apply regardless of company size - no SME exemption in the recruiting context.

Fines up to €35M or 7% of global annual turnover (Art. 99(3)).

Step by step

1. Inventory - which KI do you use?

List: ATS-embedded screening KI, external resume-parsing services, KI ad generators, conversational bots on careers page, active-sourcing AI. Also 'we use ChatGPT sometimes for mail drafts' qualifies if the mails relate to applications.

2. Add transparency to the application form

Before clicking submit, it must be clear: KI pre-sorting is used, a human decides, right to information stands. Example: 'Your application will be pre-sorted by KI (score + reasoning). A human always decides. You have the right to information, correction, and deletion at any time.'

3. Activate audit log - at least 6 months retention

Who changed what when. KI BMS does this by default; check + activate elsewhere. Store: date, user, stage transition, KI score (if relevant), reasoning text (if KI-generated).

4. Make override functionality clear

HR must be able to override a KI score in one click; the system must not 'auto-reject below score 40'. If your current config does auto-rejection: disable until a human reviews.

5. Bias monitoring: check score distribution against gender / age / origin

At least quarterly: aggregate KI scores of the last 50 applications, compare means against sensitive attributes (anonymised). If male-coded names have an 8+ point advantage, you have a bias signal - re-instruct the KI prompt.

6. Technical documentation - one page per role

Per role record: which KI prompt was used, which requirements were mandatory / knockout, what score threshold applies. A 1-page doc per role is enough; retention 5 years after role closure.

7. Check the DPA with the KI vendor

The KI vendor (e.g. us if you use KI BMS) is processor. DPA under Art. 28 GDPR + Annex IV duties under AI Act must be signed. Check: hosting region, subprocessors list, audit rights, deletion on contract end.

8. Train HR staff

Everyone working with KI should once understand: what the KI does, what it doesn't, how to override, what a bias signal looks like. A 30-minute training with practice applications suffices. Document the training date.

What the AI Act concretely requires in recruiting

The EU AI Act classifies KI systems by risk tier. Recruiting KI falls under Annex III (high-risk), 4(a): 'KI systems intended for use in the recruitment or selection of natural persons, particularly for placing targeted job advertisements, screening or filtering applications, and evaluating candidates'. That's exactly what a modern ATS with KI pre-sort does.

High-risk duties per Art. 8-15: risk management system, data governance, technical documentation, logging, user-facing transparency, human oversight, accuracy + robustness + cybersecurity. Sounds heavy; in practice it's eight concrete actions listed below.

Mandatory vs recommended - the line

Mandatory from Aug 2 2026: user-facing transparency, logging duty (audit log), human oversight, bias monitoring. Recommended (but strongly): document external risk assessment, bias tests per role, data protection impact assessment per role.

Using KI in recruiting and ignoring the duties risks: (1) fines up to 7% turnover; (2) discrimination claims with eased burden of proof (AGG lowers the bar with documented auto-sorting); (3) reputational damage when candidates learn of KI involvement only after the fact.

What 'human oversight' really means

Three aspects. One - the human must be able to override an auto-decision. Auto-rejection without override is prohibited. Two - the human must be able to understand the auto-decision. Black-box KI without per-application reasoning is risky. Three - the human must have the authority to decide against an auto-decision. If HR can de jure override but de facto never does because of time pressure, oversight is nominal, not real.

FAQ

Frequently asked

Share this article

Try KI BMS

Free plan, no credit card. We host in Germany. You can export and delete everything self-serve.

Written by

Finn Glas

Co-Founder + Engineering

Finn is one of the Co-Founders. He owns the engineering side, the infrastructure, and most of the late-night fixes that ship before anyone notices.

finn.glas at aicuflow dot comLinkedIn Website