Changes to EU AI Act Deadlines: What It Means for Employers and HR Technology Providers

The EU is moving toward a delay in the application of the EU AI Act’s high-risk AI systems obligations and other amendments, with its current proposals providing that certain of these requirements should take effect in late 2027 or 2028 instead of their current deadlines in 2026 or 2027. While this development reflects growing recognition of the challenges associated with implementation, it does not alter the fundamental position: certain AI systems used in a HR context may potentially be classified as “high-risk” under the act.

For employers and HR technology providers, the message is clear—this is additional preparation time, not a reprieve.

We have considered these amendments in more detail in a companion LawFlash available here.

HR-RELATED AI REMAINS A FOCUS OF AI ACT REGULATION

AI systems used in certain employment contexts are explicitly captured within the act’s high-risk category (Annex III). This includes certain systems used for

• recruitment and CV screening;
• candidate assessment and selection;
• performance management and monitoring;
• promotion and career progression decisions; and
• disciplinary processes and dismissal.

Importantly, there are exceptions to the high-risk AI system classification even with respect to these HR-related use cases that employers will need to consider carefully.

Nonetheless, if such AI systems are considered “high-risk” they will be subject to a potentially rigorous compliance framework, including requirements to maintain

• risk management systems addressing potential harm to individuals;
• data governance and quality controls, particularly to mitigate bias and discrimination risks;
• human oversight measures, ensuring meaningful intervention in automated decision-making;
• technical documents and recordkeeping, logging and auditability measures;
• transparency measures toward employees and, where relevant, their representatives (particularly Works Councils when considering the adoption of new AI systems); and
• sufficient accuracy, robustness and cybersecurity levels and consistent performance throughout the AI system’s lifecycle.

Certain AI Act obligations that are already in effect are not dependent on the high-risk AI systems obligations timeline, notably prohibitions on specific AI practices deemed to present an “unacceptable risk” and AI literacy requirements. Employers should ensure they are already considering and addressing these elements.

The EU/UK General Data Protection Regulation (GDPR) also contains parallel obligations that are relevant in the HR context, notably the rules under Article 22 relating to solely automated decision-making and profiling.

WHY THE DELAY TO COMPLIANCE DEADLINES MATTERS FOR HR TEAMS

The anticipated delay is largely driven by the slow development of harmonised technical standards and implementation guidance, which are essential for translating the AI Act’s high-level requirements into operational processes. Many of these standards (covering areas such as data quality, documentation and human oversight) are now expected by late 2026.

For HR teams and HR technology providers, this creates a longer but still finite runway resulting in

• more time to assess existing AI tools and determine which systems fall within the high-risk category;
• greater opportunity to build structured governance frameworks, including AI impact assessment, data processing impact assessments, vendor due diligence and escalation protocols;
• improved clarity in the future as standards and guidance are finalised, reducing interpretive uncertainty; and
• continued exposure to legal and reputational risk in the interim, particularly where AI is used in ways that may affect fairness, equality or employee rights.

PRACTICAL STEPS FOR EMPLOYERS TO TAKE NOW

Employers should continue progressing AI governance in HR functions, focusing on the following priority actions:

• Map AI use across the HR lifecycle, identifying systems that are likely to fall within scope as “high-risk”
• Consider parallel issues under the EU/UK GDPR, especially with respect to automated decision-making and profiling
• Engage with HR technology vendors to understand their development and compliance roadmaps and assess contractual risk allocation
• Establish internal governance structures, including clear accountability, oversight mechanisms and documentation processes
• Prepare for employee information and consultation obligations which may already arise under the AI Act and existing national labour laws
• Integrate AI risk into existing compliance frameworks, including data protection, employment and equality programmes
• Monitor evolving standards, regulatory guidance and Codes of Practice, which will shape how the rules are implemented in practice
• Maintain an AI literacy programme

LOOKING AHEAD

The likely delay to high-risk AI system obligations provides valuable time but not reduced scrutiny.

HR-related use cases remain a key focus of the regulatory framework established by the EU AI Act and the GDPR given the direct impact on individuals’ livelihoods, opportunities and rights. As a result, employers using AI in hiring, workforce management or employee monitoring should continue preparing now.

Organisations that act early will be better positioned to not only meet regulatory expectations but also demonstrate fairness, transparency and accountability—all of which are becoming central to both enforcement risk and employee trust.