EU AI Act: How smart companies are using regulations to outperform competitors
The EU AI Act is getting serious. And that’s exactly where the big opportunity lies for companies that have their compliance under control. The first sanctions have been in place since February 2025. New regulations came into force in August.
While many companies are still hesitating or relying on outdated tools, the pioneers can now extend their lead. This is because EU regulation separates the wheat from the chaff in recruiting: those who work with the right, compliance-ready providers can continue to take full advantage of AI. Those who have chosen the wrong partners are facing a problem – and should change course now.
Costy consequences
The EU AI Act provides for fines of up to €35 million or 7% of global annual turnover – whichever is higher – for violations of prohibited AI practices. Other violations can be punished with fines of up to €15 million or 3% of annual revenue, while providing false information to authorities can result in penalties of up to €7.5 million or 1.5% of revenue. The first sanctions have been in effect since February 2025.
Important to know: HR teams bear full responsibility for compliance, even when using external AI tools. We show what this means in concrete terms and how companies can ensure they are well aligned. Detailed guidance on how to proceed can be found in the free white paper.
Overview of deadlines: Action is required now
The EU has set a gradual timetable for the implementation of the EU AI Act:
- February 2025: HR teams must be trained (deadline for AI skills training)
- August 2025: Rules for general AI models come into force
- August 2026: Full compliance requirements for all providers
- 2027: Full enforcement of all regulations
The February deadline was already critical: Since then, HR teams have been required to be trained in AI. Companies that still fail to act now risk being non-compliant.
Why AI in recruiting requires special attention
The EU AI Act classifies AI systems into different risk categories. Tools for recruiting, performance evaluation, and HR decisions automatically fall into the high-risk category. This means stricter requirements:
- Transparency obligation: Companies must publicly disclose that they use AI in recruiting and how they do so. This applies to privacy policies as well as direct communication with candidates.
- Human oversight: Automated decisions must never have the final say. There must always be a qualified person who can review AI recommendations and correct them if necessary.
- Traceability: All AI decisions must be documented in such a way that they can be traced later, for example in the event of allegations of discrimination or regulatory audits.
What companies need to request of their AI providers
One of the most common misperceptions is that “the provider is EU-compliant, so the company is too.” This is not true. Companies remain fully responsible and must actively request the appropriate documentation:
- Compliance documentation: Companies should request a complete overview of technical and organizational measures (TOMs). This includes bias mitigation, system security, and monitoring processes.
- Technical documentation: HR teams need insight into the data governance structure, bias testing, and known system limitations.
- Transparency procedures: Providers must deliver ready-made texts and processes that can be used to inform candidates about the use of AI.
- Oversight mechanisms: It must be clearly defined how human review and correction of AI decisions work.
- Data protection alignment: Companies must ensure that their own data protection policies accurately reflect how the AI tool processes personal data. Providers must supply appropriate text modules and processing details.
At Zortify, for example, customers receive a complete compliance package with all the necessary documents, transparency texts, and practical implementation aids to ensure smooth, legally compliant implementation.
Governance structures: Tailored to every size of company
The good news is that companies don’t have to reinvent the wheel. Depending on the size of the company, there are proven governance models:
Small companies (up to 250 employees): A simple committee consisting of the HR director, compliance manager, and IT manager is sufficient. Semi-annual reviews and basic documentation are all that is required.
Medium-sized and large companies: Here, an interdisciplinary team consisting of HR tech, legal, IT security, data protection officer, and CTO is needed. Quarterly reviews and 1-3 dedicated full-time positions for AI governance are the norm.
Startups and micro-enterprises: Compliance is possible even with minimal resources. An HR manager plus a technical founder, plus external legal advice if needed, can meet the requirements.
Incident management: When things go wrong
Even the best preparation cannot protect against all problems. This makes well-thought-out incident management all the more important. Typical scenarios in the field of AI in HR:
- Data breaches: An AI tool accidentally displays data belonging to other candidates or is compromised by prompt injection attacks.
- Discriminatory results: The AI systematically favors or discriminates against certain groups of candidates. Important: Different results are only problematic if they are based on bias, not on actual differences in performance.
- System failure: The AI produces absurd results or crashes during critical recruiting phases. System failure: The AI produces absurd results or crashes during critical recruiting phases.
The emergency plan must contain clear time frames: Immediate measures within two hours, complete damage assessment within 24 hours, and in the case of data breaches, the GDPR reporting requirements apply within 72 hours.
The costs of non-compliance
Although reduced penalties apply to small and medium-sized enterprises and start-ups, the risk of fines far exceeds the costs of compliance. For most companies, the latter mainly consist of organizational measures. The investment in proper documentation, training, and processes is minimal compared to the financial and reputational risks of non-compliance.
Practical immediate measures for companies:
1. Create an inventory of all AI tools used—including those outside of HR.
2. Request the aforementioned compliance documents from all providers. Set deadlines.
3. Train HR teams (the deadline was already in February 2025) and document evidence.
4. Revise privacy policy and communication with applicants.
5. Establish review routines: At least semi-annual fairness and accuracy checks.
Conclusion: Compliance as a competitive advantage
The EU AI Act may seem like a burden at first glance. In fact, it offers companies the opportunity to position themselves as trustworthy employers. This is because candidates are becoming increasingly sensitive about how their data is handled and AI-based decisions are made.
Companies that act proactively now will gain a competitive advantage: they can be transparent about their use of AI, offer candidates security, and at the same time benefit from the efficiency gains of the technology.
It is only a matter of time before EU AI Act audits begin. But one thing is clear: not using AI in recruiting is not a solution. The results are too impressive, and the advantages for talent acquisition and retention are too significant. The coming months will determine who will stay ahead in the long term when it comes to using smart AI tools in recruiting, who is well prepared, and who will be caught off guard when the first audits begin.
Download the white paper now with the most important steps to take.
Introverted top talents are being overlooked
The best teams are not made up of clones!
