The EU AI Act (AIA) is the European Union’s landmark artificial intelligence law—widely considered the strictest AI regulation in the world. Several of the EU AI Act’s risk-based obligations will take effect by August 2026, especially for high-risk HR uses of AI such as hiring and promotions—meaning companies must start assessments, transparency measures, and governance processes now to avoid costly penalties.
It is designed to heavily regulate how companies develop, deploy, and use AI systems that impact EU citizens. The law categorizes AI systems by risk level, from minimal risk to prohibited, and imposes corresponding compliance obligations.
If your company operates in the EU—or even outside the EU but serves EU customers—understanding the EU AI Act is essential to avoid fines that can reach €35 million or 7% of global revenue.
Which companies must comply with the EU AI Act?
Simply put, if your company is using AI tools that affect people living in the EU—directly or indirectly—you are subject to the EU AI Act. This applies whether your company operates within the EU or is based outside the EU (including the US) but uses AI in ways that impact EU residents.
Let’s take a look at what that means in more depth. A company operating inside the EU is bound by the new law, and so is a company based outside the EU whose AI reaches EU residents. For example, a US company that offers an AI-driven app to EU residents falls under the AIA. If, however, a US company only operates in the US and serves no EU residents, the EU AI Act wouldn’t apply.
How does the EU AI Act work?
The application of the AIA depends on a variety of factors, including:
- The specifics of the AI technology involved
- How AI is used
- The role of the individual using that AI
The law also prohibits the use of certain types of AI systems that present an unacceptable risk to EU citizens. The EU AI Act classifies AI systems into categories based on their potential risk to health, safety, or fundamental rights:
1. Prohibited AI systems under the AIA include:
- Certain AI systems for biometric categorization and identification
- AI systems that deploy subliminal techniques, exploit vulnerabilities or manipulate human behavior
- AI systems for emotion recognition in law enforcement, border management, the workplace and education
- AI systems for the social scoring evaluation or classification of natural persons over a period of time based on their social behavior
2. High-Risk AI systems (HRAIS):
The EU considers these systems to pose a high risk to the health, safety, or fundamental rights of EU citizens. Therefore, they carry the most robust obligations.
Examples of high-risk AI systems include:
- AI systems used to determine prospective students’ access to institutions of higher learning, or in assessing students. This includes screening prospective students or using AI to grade exams.
- AI systems used in the insurance and banking sectors
- AI systems used by HR teams for the recruiting and hiring of employees. Examples include placing job ads, scoring candidates, screening or reviewing job applications, and using AI for decisions related to employee performance, promotions or terminations.
Compliance requirements for high-risk AI systems:
The requirements for companies or individuals using HRAIS are robust. For example, a company using HRAIS may be required to provide accompanying instructions for its use of that AI. These instructions may need to cover topics such as record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity (the requirement for resilience to cyber-attacks). Other requirements may include the obligation to carry out fundamental rights impact assessments.
3. Limited risk AI systems:
This category covers risks associated with the lack of transparency about AI usage. It requires companies to be explicit and transparent in their use of AI.
Examples of limited-risk AI systems include:
- AI-driven chatbots that interact with customers
- Automated decision-making tools to aid HR professionals in screening resumes
- AI-powered content generation tools used to create marketing materials
Compliance requirements for limited-risk AI systems:
Requirements focus on ensuring that EU citizens are aware of AI’s role as they interact with, or are affected by, these systems. Requirements could include:
- Clearly informing users when they are interacting with AI (rather than a human).
- Providing documentation that explains how AI-driven decisions are made and allowing users to contest AI-driven decisions with a human being.
- Indicating that content was generated with the use of AI.
4. Minimal-risk AI systems:
The minimal-risk category covers AI systems that perform relatively simple tasks for convenience or efficiency and that involve no consequential interaction with EU citizens.
Examples of minimal-risk AI systems include:
- AI spelling and grammar checkers
- AI-powered recommendations (algorithms) for suggesting content, like movies or articles
- AI chat assistants that simply provide general information (no decision-making ability)
Compliance requirements for minimal-risk AI systems:
While the minimal-risk category does not have any compliance requirements, the law does offer recommendations for responsible use (for example, ensuring that the content or algorithm doesn’t spread misinformation, providing user transparency, and maintaining privacy and security when processing personal data, to name a few).
5. General purpose AI systems (GPAI):
Apart from the prohibited and high-risk categories, general purpose AI models (GPAI) are the category with the most rigorous requirements. These requirements chiefly focus on documentation and transparency. For larger systems, however, there are also requirements for risk mitigation.
This category covers General Purpose AI Systems (GPAI): AI models designed for broad applications across multiple sectors. These systems, including foundation models from which other systems can be built and generative AI, can be integrated into many industries, from healthcare to finance. Examples of these AI systems include:
- Large language models (LLMs) that generate text or images, or provide translations. Examples include Gemini, ChatGPT, Google Translate, and DeepL.
- AI image or video generators
- Speech recognition models used for voice assistants or automated transcription services
Compliance requirements for general purpose AI systems (GPAI):
These requirements generally center on providing technical documentation that shows how the model functions and providing training data (for transparency). There are many other requirements, ranging from adhering to copyright laws to rigorous testing, reporting, and risk mitigation for more powerful models.
Which area of the EU AI Act is most likely to affect your company?
No matter the industry, most companies are likely to be affected by the high-risk AI category under the AIA. This is because the law explicitly classifies common HR activities as high-risk, meaning they will be subject to strict compliance requirements.
For example, AI systems used in recruitment and hiring—common HR responsibilities—would be classified as high-risk. Tasks such as placing targeted job ads and filtering and screening applications all use AI to assist in evaluating candidates in some form, and thus fall into the high-risk category. Similarly, AI tools that influence decisions on promotions, task assignments, terminations, or performance monitoring based on personal traits or behaviors are also considered high-risk by the AIA.
There’s a good chance that your company is already using (or will use) AI in some of these ways. If your company’s AI systems affect or interact with EU citizens, you’ll now need to ensure that you meet the AIA’s strict obligations for transparency, reporting, and accountability. Fines for non-compliance range from €7.5 million or 1.5% of global annual turnover (whichever is higher) for lower tier infractions and up to €35 million or 7% of global annual turnover (whichever is higher) for higher tier infractions.
Who should oversee EU AI Act Compliance within your organization?
As you’ve probably seen, AI governance, and the question of who is responsible for it, is still in its early stages. Although this is a relatively new field of compliance, there is considerable overlap between data privacy compliance and AI governance.
Thus, if your company already has a Data Protection Officer (or an external third party fulfilling this role), consider having this person oversee AI compliance as well. If that’s not a possibility, assign the role to someone with the necessary technical skills, appropriate seniority, and the ability to understand how the AI system operates in your business.
3 Steps to Prepare
If you are currently using AI to interact with EU citizens (or are considering doing so), here are three steps that you can take immediately to avoid the AIA’s strict penalties:
- Become familiar with the law immediately and review your systems closely to identify any that may fall within the AIA’s risk categories.
- Make sure that you have assigned an expert individual or third party to oversee AI compliance and make the necessary changes to meet the requirements based on your current usage of AI systems.
- Leverage proven legal expertise to help you understand the impact of the law on your company’s current and future use of AI systems. HSP’s team of legal and global expansion experts can quickly help you assess your exposure to these new AI regulations in the EU.
How HSP Can Help with EU AI Act Compliance
The EU AI Act introduces several risk-based obligations that will take effect by August 2026—and these will have an immediate impact on companies using AI in high-risk HR activities such as hiring, promotions, and employee evaluations. These requirements include formal assessments, transparency measures, risk mitigation strategies, and documented governance processes to ensure compliance.
HSP helps you prepare now—before the deadlines hit—by:
- Assessing your AI systems and classifying them under the EU AI Act’s risk categories
- Designing governance and compliance frameworks tailored to high-risk HR AI applications
- Implementing transparency protocols, risk assessments, and ongoing monitoring procedures
- Ensuring alignment with GDPR, data privacy laws, and other applicable EU regulations
Don’t wait until August 2026 to react. The compliance work for high-risk AI systems takes time; starting now will reduce risk, protect your operations, and prevent costly penalties.
Contact us today to schedule your EU AI Act readiness assessment and get a clear, actionable plan for compliance.
HSP is an end-to-end global expansion solutions provider focused on helping companies scale their operations overseas effectively and efficiently. We are the only global expansion expert to offer growing companies a full suite of end-to-end solutions designed to help them scale to any size and country.