The EU Just Delayed Its AI Hiring Rules to 2027. Don’t Treat It as a Reprieve.

Why Hiring Software Counts as “High-Risk”

The Act sorts AI by the harm it could do, and it singles hiring out by name. Its high-risk list covers systems used to place targeted job advertisements, to analyse and filter applications, and to evaluate candidates — along with tools that decide on promotions and terminations, allocate tasks, or monitor how people perform once they are hired. The logic is straightforward: these decisions shape livelihoods, and an opaque automated system can encode the same bias across thousands of applicants at once.

Whether you bought an off-the-shelf tool or wired together a few AI features yourself, if it screens or scores people applying for a job, it falls inside the Act’s definition of high-risk use. And the rules reach beyond Europe: if your system evaluates an EU-based applicant, it applies regardless of where your company is incorporated. A startup in San Francisco hiring a remote engineer in Lisbon is squarely in scope.

A Delay, Not a Reprieve

The Digital Omnibus moves the headline date, and that is real relief for teams that were racing an August deadline. But two things are easy to miss in the coverage. First, parts of the AI Act already apply today. Since February 2025, every organization using AI has been expected to ensure a baseline of “AI literacy” among the staff who operate it, and a short list of manipulative uses has been outright prohibited. Those duties did not move.

Second, the delay is still provisional. It only becomes binding once the package is formally adopted and published, expected before August 2026, and it changes the date, not the direction. The obligations are coming either way. The only real question is whether you adopt the sensible ones on your own timeline, or scramble to retrofit them against someone else’s.

What the Rules Actually Ask For

When the high-risk obligations land, the ones that fall on you as a deployer — the company using the tool, not the one building it — are less exotic than the word “compliance” suggests. You are expected to keep a human meaningfully in the loop rather than letting software auto-reject people; to inform candidates and your own staff that a high-risk AI system is part of the process; to use the tool the way it was designed and monitor how it behaves; and to keep logs — at least six months’ worth — so a decision can be reviewed after the fact.

The penalties for ignoring this are not symbolic. Breaching the high-risk obligations can draw fines of up to €15 million or 3% of global annual turnover, whichever is higher. For the handful of outright prohibited practices, the ceiling climbs to €35 million or 7%. Those figures are aimed at willful neglect at scale, not an honest small team doing its best — but they set the tone for how seriously regulators intend to treat hiring AI.

Why the Best Teams Won’t Wait

Here is the part the deadline obscures: almost everything on that list is just good hiring. Keeping a human on the final call, being able to explain why a candidate was passed over, telling people how they are being evaluated, and leaving a trail you can revisit — these protect you from a bad hire and a bias complaint long before they ever protect you from a regulator. Treating them as a 2027 chore gets the timing exactly backwards.

Small teams actually hold the advantage here, the same one we have written about before. With fewer decisions flowing through the funnel, it is far easier to keep judgment human and reasoning visible than it is at enterprise volume, where automation gets switched on precisely because no one can read every application. The practical move is to treat the new date as runway, not a snooze button. Map where AI already touches your pipeline. Prefer tools that explain their output instead of handing you an unexplained number. Make sure a person signs off on rejections and advances. And check where candidate data actually lives — the AI Act sits on top of GDPR, and “hosted in Europe, deleted on a clear schedule, never used to train someone else’s model” is a far simpler story to tell than the alternative.

That last lens is, frankly, the one we built Kynto through. It scores every candidate against criteria you define and explains each score point by point, so a person can see the reasoning and overrule it — the human-in-the-loop the rules assume. Candidate data is hosted in Europe, deleted on a fixed schedule, and never used to train models for anyone else. None of that turns a vendor’s marketing into your compliance program. But starting from tools designed for transparency and European data rules means the 2027 deadline asks you to document what you already do, rather than rebuild how you hire.

Key Takeaways

• Recruitment AI is “high-risk” under the EU AI Act. Sorting CVs or scoring candidates puts you in scope, and the law reaches any system that evaluates an EU applicant, wherever your company is based.
• The headline deadline moved to December 2, 2027 under the provisional Digital Omnibus deal — but the delay is provisional and partial. AI-literacy duties and the ban on manipulative uses already apply, and the direction of travel has not changed.
• The core obligations — human oversight, transparency to candidates, and a reviewable trail — are simply good hiring practice. Adopt them now and 2027 becomes paperwork, not a scramble.

The regulation is, in the end, catching up to how careful teams already want to hire: transparently, with a person in charge of the decision. If you would rather your hiring stack already speak the language regulators are moving toward — explainable scoring, a human on every final call, candidate data kept in Europe — that is the ground Kynto is built on. You can see how it works at kyntoai.com.