The August 2026 EU AI Act Deadline: A Compliance Checklist for Employers
On 2 August 2026, the final phase of the EU AI Act's high-risk obligations becomes enforceable. Every AI system used in recruitment, screening, interview scoring, or employee decision-making is classified "high-risk" — and the enforcement window has closed. Fines hit €15 million or 3% of global annual turnover, whichever is higher. For prohibited practices, the ceiling is €35 million or 7%.
If you're a UK employer reading this thinking "doesn't apply to us" — it does. The Act applies extraterritorially to any AI system used to make decisions about people in the EU, regardless of where the company is headquartered. If a single EU-based candidate goes through your AI CV screener, you're in scope.
We've watched the timeline since the Act entered into force in 2024: prohibited-AI rules kicked in February 2025, general-purpose AI transparency in August 2025, and now — with less than four months to the 2 August 2026 deadline — the big one lands. This is a tactical checklist for what employers need to have in place.
Who the Act applies to
| Role | Definition | Your likely status |
|---|---|---|
| Provider | Builds / supplies the AI system | If you bought an ATS with AI — not you |
| Deployer | Uses the AI system to make decisions | Almost certainly you |
| Importer / distributor | Brings non-EU AI into the EU market | Only if you're reselling AI |
Most employers are deployers, and the Act places distinct obligations on deployers separate from the providers who built the tools. You can't push accountability back onto your vendor — the Act expects you to verify, document, and monitor independently.
What counts as high-risk AI in hiring
The Act is broad here. Every one of these sits squarely in the high-risk category:
- CV parsing and ranking tools (any AI that reads and scores CVs)
- Automated sourcing (candidate-discovery agents, LinkedIn Recruiter AI features, sourcing copilots)
- Interview scoring (video-interview AI, asynchronous interview analysis)
- Assessment platforms (HireVue, Pymetrics, Arctic Shores, and their 2026 successors)
- Chatbot screeners (pre-qualification conversations at application stage)
- Promotion / termination recommendation systems (yes, internal HR AI is in scope)
- Salary-recommendation AI (if it influences an offer)
If an AI tool in your stack influences a decision about a person's employment, assume high-risk and build from there.
The 15-item compliance checklist
Work through this in order. Items 1–5 are documentation; 6–10 are process; 11–15 are evidence you can show a regulator.
1. Inventory every AI system in your hiring stack
Name the tool, the vendor, the version, the decision it informs, and whether it's in production or pilot. "We don't know what we're using" is not a defence. Many employers discover three or four high-risk AI tools in their stack they hadn't accounted for — sourcing agents embedded in LinkedIn, AI scoring quietly switched on inside an ATS, a chatbot layer added by a recruitment agency.
2. Map each tool to a risk classification
For every AI system: prohibited, high-risk, limited-risk, or minimal-risk? Hiring almost always lands in high-risk. Document the reasoning. A one-line "determined to be high-risk per Annex III point 4(a)" with a date is enough — but it has to exist.
3. Obtain the provider's conformity documentation
Providers of high-risk AI systems must supply a Declaration of Conformity, a CE marking, technical documentation, and instructions for use. As a deployer, you need copies on file. If your vendor can't produce them by summer 2026, you have a procurement problem, not a compliance problem — and you need to raise it now.
4. Complete a Fundamental Rights Impact Assessment (FRIA)
Public-sector deployers and some private deployers must complete a FRIA before putting a high-risk system into use. Even where not strictly mandatory, producing one is good practice and evidences diligence. A FRIA covers: intended use, affected persons, specific risks, measures to mitigate, and human oversight arrangements.
5. Write a deployer-side data-governance policy
How is training/input data selected, validated, and retained? What happens to candidate data post-decision? The Act cares about bias propagation — you must be able to explain what data your AI sees and how you sampled it.
6. Implement human oversight in every decision path
Human oversight is non-negotiable. That means a named reviewer sees the AI's recommendation, can override it, and has the authority to do so. "The recruiter clicked through the shortlist" isn't oversight. Logged review with an explicit accept/override field per candidate is.
7. Set up incident logging and monitoring
High-risk systems require continuous monitoring for serious incidents and malfunctions. Define what a "serious incident" looks like for your tooling (discriminatory rejection, systematic bias shift, data leak) and how it's captured and escalated.
8. Notify affected candidates
Candidates subject to high-risk AI decisions have the right to know they were subject to an AI system and to a meaningful explanation of the decision. Your careers-page privacy notice must name the AI tools used, what they do, and how to contest a decision.
9. Train your recruiters and hiring managers
Staff using high-risk AI must be trained on its capabilities and limitations. Not a one-off webinar — an ongoing competency. Keep sign-in records.
10. Build an AI register
A central, maintained register of AI systems in use, their risk classifications, and their compliance status. This is the first thing a regulator asks for. Having it in a shared Notion doc with last-reviewed dates is fine — having nothing is not.
11. Establish a complaints channel
Candidates must be able to submit complaints about AI-driven decisions. Route, respond, log. A dedicated email or form is sufficient if it's actually monitored.
12. Retain logs for at least 6 months
Automatically generated logs from high-risk systems must be retained to enable traceability. Six months is the minimum; longer is safer.
13. Review vendor contracts
Your provider contracts should now explicitly cover: responsibility allocation, indemnities on conformity, data protection, and cooperation with deployer obligations. If they don't, open the renegotiation.
14. Identify your Market Surveillance Authority contact
Each EU member state designates an MSA for AI enforcement. Know which MSA has jurisdiction over your operations and how to reach them — both for proactive engagement and in the event of an incident.
15. Run a pre-August mock audit
Four to six weeks before 2 August 2026, get an independent reviewer (internal audit, external counsel, or specialist compliance firm) to run a mock regulatory audit against your documentation. Find the gaps while there's still time to close them.
Where audit trails fit in
One of the biggest practical challenges under the Act is evidence at distance — regulators will ask, months or years later, what a specific AI system claimed about a candidate on a specific date and whether a human reviewed it. Most organisations have no durable record.
This is the compliance layer that ties into AI employer brand work. When you run an AI visibility audit and archive the results — what ChatGPT, Perplexity, Gemini, and Claude said about your company on a specific date, at a specific prompt — you're producing exactly the kind of time-stamped, third-party-generated evidence that compliance teams will want. It's not sufficient on its own for AI Act compliance, but it plugs a recurring gap: "prove what the AI said, when."
OpenRole's proof-snapshot feature produces signed, dated records of AI model outputs. As the Act's evidence requirements bed in, this category of artefact — "neutral third-party attestation of what AI said" — will move from nice-to-have to expected.
The regulatory tailwind
A deeper point: the EU AI Act is not the only regulation in this space. NYC Local Law 144 is in effect. The Colorado AI Act lands in June 2026. California's AI regulations are finalised. The EEOC's 2024 joint guidance makes it explicit that US civil-rights law applies to AI in hiring.
There is a single direction of travel: regulators across jurisdictions are forcing employers to document, explain, and justify their AI-driven hiring decisions. Every compliance regime being built rewards the same structural capabilities — clean audit trails, human-in-the-loop review, candidate notification, and the ability to reproduce what a model said when.
The practical implication for the next 6–12 months: build compliance infrastructure once; apply it across every regulator. Employers who treat the Act as a one-off project will find themselves doing the work three times. Employers who treat it as the establishing regulation for a category of "AI hiring audit trails" end up with a durable competitive advantage.
Frequently Asked Questions
Q: Do UK employers need to comply with the EU AI Act?
A: Yes, if any part of your AI-driven hiring affects candidates located in the EU — which includes remote-eligible roles, EU-based applicants to UK roles, or any AI tool you supply that processes EU-resident data. Post-Brexit, UK-only hiring is outside the Act's scope, but in practice most UK employers will have some EU touch point.
Q: What's the difference between a provider and a deployer?
A: A provider builds or supplies the AI system (e.g. the ATS vendor). A deployer uses it (e.g. you). The Act places different obligations on each. Deployers cannot outsource accountability to providers — you must verify, document, and monitor independently.
Q: If our ATS vendor says they're "EU AI Act compliant", are we covered?
A: No. Vendor compliance handles the provider-side obligations only. As a deployer you have separate obligations — human oversight, candidate notification, incident monitoring, staff training, complaint handling. A vendor cannot discharge these for you.
Q: What happens if we miss the 2 August 2026 deadline?
A: Enforcement begins. Fines for deployer non-compliance reach €15 million or 3% of global annual turnover. Regulators have signalled that initial enforcement will target serious and systemic breaches rather than minor documentation gaps, but every organisation should assume scrutiny.
Q: Does the Act apply to AI tools used only for internal candidate sourcing?
A: Yes. Sourcing AI — including LinkedIn Recruiter's AI features, candidate-discovery agents, and any tool that filters or ranks potential candidates — is within scope. High-risk classification applies whether the AI surfaces candidates or scores applications.
Q: How does AI visibility auditing relate to AI Act compliance?
A: Not directly — an AI visibility audit measures what public AI models say about your employer brand, not whether your internal hiring tools comply. But both sit in the same regulatory adjacency: documented, time-stamped, third-party-generated evidence of AI behaviour. As Act evidence requirements bed in, AI visibility audit artefacts become one input to a broader compliance documentation set.
Running an AI hiring stack and not sure where you stand? Start with a free AI visibility audit to benchmark how AI currently represents your employer brand — then use the EU AI Act checklist to walk through the deployer obligations.