EU AI Act: High-risk AI systems in employment – practical steps for compliance

Why should I read this?

Employers are increasingly using AI across the employment lifecycle – from AI-powered recruitment tools, to performance management systems, and more. Under the EU AI Act (Act), many of these tools will be classified as “high-risk”, triggering extensive legal obligations. Non-compliance can lead to substantial financial penalties, enforcement action, as well as wider employee-relations risks.

In part one of this briefing, we explained how employers can identify whether their AI system is “prohibited” or “high-risk” under the Act. In this second part, we explain which obligations apply to high-risk systems and the steps employers should take to comply.

What do I need to know?

A brief reminder: which AI systems will be classified as high-risk?

The Act sets out several categories of AI systems that will be treated as high-risk in an employment context. These are found at Annex III of the Act and includes AI systems:

• used for recruitment or selection, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates

• used to make decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, to allocate tasks based on individual behaviour or personal traits or characteristics or to monitor and evaluate the performance and behaviour of persons in such relationships.

For more details and examples in the employment context, please read part one of our briefing.

Understanding your role: provider or deployer?

The specific obligations that apply to an employer under the Act in relation to a high-risk AI system will depend on whether the employer is acting as a “provider” or a “deployer” of the AI system.

• a deployer is a person or entity that uses an AI system under its authority in the course of a professional activity. In simple terms, this covers “users” of AI systems. Most employers that only purchase off-the-shelf solutions will be regarded as deployers
• a provider is a person or entity that develops an AI system (or has an AI system developed) and places it on the market, or puts the AI system into service under its own name or trademark

More stringent obligations apply to providers of AI systems, than to deployers (more on this below). The Act sets out specific circumstances however where provider obligations can transfer to other operators in the AI value chain, including deployers. This includes where:

• an operator applies a trade mark to a high-risk system already on the market or in service
• substantial modifications are made to a high-risk system already on the market or in service (such that it remains high-risk). For example, where an employer using a third-party recruitment screening tool retrains the model on the employer’s own data, or modifies the tool to assess additional criteria
• the intended purpose of a system already on the market or in service is modified, such that the modified AI system becomes high-risk. For example, where a HR team use an AI tool that assists with drafting communications to candidates and employees and modify it to instead make decisions about employee appointments, promotions or terminations

It is important to note that the Act has extra territorial reach. For example, if a deployer is established outside of the EU but the AI system output is used in the EU, or the affected individual is in the EU, then the Act will apply. These extra-territorial effects are intended to prevent circumventing the Act’s requirements by offshoring the AI processing to external providers or other group companies. Employers operating across multiple jurisdictions must be alert to this extra-territorial scope when assessing their AI systems and obligations.

High-risk AI systems: provider obligations

If an employer is acting as a provider of a high-risk AI system, the Act imposes extensive obligations.

The Act sets out a series of technical requirements for high-risk AI systems that providers must meet. A strong focus of the obligations is on implementing compliance by design principles to build AI systems with strong internal safeguards. Another key element is effective risk management. The specific obligations include, amongst other things, drawing up technical documentation to demonstrate compliance with the Act’s requirements; providing instructions for use for deployers to enable them to use the system appropriately; enabling the AI system to be effectively overseen by a human; and designing the system to achieve accuracy, robustness and cybersecurity.

In addition to these technical requirements, providers must also comply with further obligations under the Act which include (but are not limited to): including a strategy for compliance, quality control, testing and risk management; registering the AI system in the EU database; ensuring the system undergoes a conformity assessment; and more.

For those employers who are acting as deployers, it will be important to have an awareness and understanding of provider responsibilities. Not least because deployers should check, as part of any due-diligence exercise, that any third-party provider has fulfilled its obligations under the Act. To ensure compliance with these obligations, it is essential to determine (i) which AI systems are currently deployed by the employer and (ii) how they should be classified in accordance with the AI Act. Developing a comprehensive register to document AI systems and establishing ongoing processes for classification and adaptation to changes is crucial.

High-risk systems: deployer obligations

As above, most employers will be “deployers” under the Act. The Act sets outcome‑based requirements, leaving discretion to implement measures that are appropriate to the system’s risks, purpose and lifecycle. Measures are expected to see further clarification over time, primarily through harmonised standards, Commission guidance, codes of practice, enforcement decisions and litigation. A summary of deployer obligations under the Act include:

Article 26	Establish appropriate technical and organisational measures to ensure the AI system is used according to the provider’s instructions for use
	Assign competent, trained individuals with authority and support to have human oversight of the AI system
	If input data is within the deployer’s control, ensure that it is relevant and representative of the system’s intended purpose
	Monitor the system operation in accordance with its instructions; inform the provider or distributor and the relevant market authority if the system presents a risk to health or safety or fundamental rights and suspend use; report serious incidents to the relevant provider, importer and distributor and market surveillance authority.
	If under the deployers’ control, retain automatically generated logs for a period appropriate to the intended purpose of the high-risk AI system of at least six months
	Before putting into service, or using the high-risk system, employers who are deployers must inform workers’ representatives and affected workers that they are subject to a high-risk system. See below for more information.
	Register in the EU database, where required under the Act e.g. for certain public bodies
	Carry out a data protection impact assessment where applicable
	Inform natural persons of the use of high-risk systems in decisions to which they are subject
	Cooperate with the relevant competent authorities in any action they take to implement the AI Act
Article 27	Carry out a fundamental rights impact assessment (FRIA) where required
Article 86	Any affected person subject to a decision taken by a deployer on the basis of the output of certain high-risk systems has the right to obtain a clear and meaningful explanation from the deployer of the role of the AI system in the decision-making procedure and the main elements of the decision taken

What are the deployer’s obligations towards employee representatives?

The AI Act makes clear that “Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers’ representatives and the affected workers that they will be subject to the use of the high-risk AI system. This information shall be provided, where applicable, in accordance with the rules and procedures laid down in Union and national law and practice on information of workers and their representatives.”.

The involvement of employee representatives in the implementation of new and updated technology is not a new requirement across the EU, with many Member States already requiring such involvement in various forms as part of existing local laws and practices, particularly where that technology has the ability to monitor the behaviour or performance of workers. However, the AI Act now introduces a baseline requirement across the EU specifically in relation to high-risk AI systems. Read our global guide to employee representative involvement in workplace AI implementation for more details.

AI literacy

The Act also places a specific emphasis on “AI literacy”. From 2 February 2025, providers and deployers must take measures to ensure “to their best extent” that their staff/other persons dealing with the operation or use of AI systems on their behalf has a “sufficient level” of AI literacy. This obligation applies to all AI systems, not just high-risk AI systems.

AI literacy is broadly defined as having the skills, knowledge and understanding to deploy AI systems in an informed way, as well as having awareness about the opportunities and risks of AI and the possible harm it can cause. In practice, this means employers will need to design training and guidance that is proportionate, accessible and tailored to their workforce, ensuring that those interacting with AI systems can do so competently and with awareness of the risks and limitations involved. See our AI Literacy Unlocked eLearning product, designed to support measures in ensuring the AI literacy of workforces, which can be implemented into any standard learning management system.

When do the rules on high-risk systems take effect?

The rules on high‑risk AI systems are currently scheduled to apply from 2 August 2026. However, as explained in our earlier briefing, if approved, the Digital Omnibus proposal would extend key deadlines. However, the details of a potential extension are still unclear as the Commission proposed a rather flexible mechanism, while Parliament favours fixed deadlines. While both legislative bodies seem to agree that an extension makes sense, it is still questionable whether they will be able to come to an agreement before the current deadline expires. Employers should therefore continue preparing now — see part one of our briefing for full details.

Five practical steps for employers

1. Plan early for the Act’s obligations relating to high‑risk AI systems

• High‑risk AI systems cannot be deployed in the workplace without significant advance planning. Employers should identify the teams, processes and controls needed to meet the Act’s detailed requirements

2. Be clear about your status: deployer or provider

• Understand whether your organisation is acting as a deployer, or whether, for example, making any substantial modifications to or changing the purpose of a high risk system could mean that it also becomes a provider. Employers must therefore assess use cases carefully at the outset and continually check that systems are being used within their intended purpose to avoid inadvertently assuming more onerous responsibilities and risks under the Act

3. Build structured governance to oversee high‑risk AI systems

• Employers should establish a governance framework that brings together a multi-disciplinary team including HR, legal, data privacy, IT and cybersecurity to implement and oversee high-risk obligations

4. Prioritise information and consultation obligations

• The Act introduces an EU‑wide minimum standard requiring employers to inform affected workers and their representatives before deploying high‑risk AI systems - but local laws often go significantly further. If rolling out high-risk AI systems across the EU therefore, employers must ensure they fully understand any applicable employee representative obligations, recognising that a failure to comply can lead to disputes, delays, and employee relations risks. Early workforce engagement and planning is essential to both compliance and to maintaining trust in new AI technology

5. Equip the workforce with the capability to use high‑risk AI systems safely and responsibly

• AI literacy is no longer a nice-to-have; it is a legal requirement. Employers should ensure that workforces understand how AI systems operate, how to spot risks, and when human intervention is required. Role‑specific training and clear AI policies will support responsible use and help ensure that high‑risk AI systems function as intended

How we can help

Our teams of specialist lawyers around the world have significant experience of supporting employers to steer through the legal, regulatory and practical implications associated with the implementation and use of AI in the workplace. As well as practical advice, our teams can assist with policy and contractual reviews, training and audits of workforce-related risks.

In addition, we offer legal tech solutions to help employers create a comprehensive AI inventory and to classify AI systems in accordance with the AI Act. Our system provides an initial assessment, enabling clients to quickly identify whether their AI systems are likely to be categorised as high-risk. Clients can also request a more in-depth assessment directly through the tool, allowing for further verification and clarification from our lawyers as required. This supports compliance, streamlines risk management, and ensures clarity for legal and regulatory obligations.