AI is now shortlisting candidates, scoring interviews and monitoring performance. The EU AI Act treats most of these HR uses as "high-risk" — and puts specific obligations on the employer that deploys them, in addition to those on the software vendor. This article offers orientation; it does not replace advice from your DPO or legal counsel.

Why HR is squarely in scope

The AI Act classifies AI systems by level of risk. The "high-risk" category covers, among other things, systems whose output bears on people's fundamental rights, and employment and worker management are named explicitly in the Act's Annex III. HR is precisely the domain where AI touches access to a job, pay and an individual's career path.

This is not an edge case reserved for large technology groups. The moment an employer uses a tool that filters CVs, ranks candidates or scores performance, it falls within scope, whatever its size. The question is no longer "does this apply to me?" but "how do I document that the use is under control?". It is the same logic of proof as the GDPR, which we set out in our guide to HR compliance software in Luxembourg.

A common trap is assuming a tool escapes the AI Act because it does not brand itself as "artificial intelligence". A shortlisting module presented as a simple "matching" feature falls in scope just the same if it steers a hiring decision. Likewise, an employer can be a deployer without realising it, for instance when an AI component is buried inside a generalist HR suite. Mapping the real uses of AI across your HR processes is therefore the first useful reflex, before compliance is even discussed.

High-risk AI in employment

The annex listing high-risk systems (Annex III, point 4) includes, for employment and worker management, systems intended for:

  • Recruitment and selection. Placing targeted job advertisements, analysing and filtering applications, evaluating candidates in interviews or tests.
  • Decisions about the working relationship. Decisions affecting the terms of the relationship, promotion or termination, and task allocation based on individual behaviour or personal traits.
  • Evaluation and monitoring. Monitoring and evaluating the performance and behaviour of people in such relationships, including workplace monitoring.

The common thread: in every case, the system's output feeds a human decision that matters to the employee. That is what justifies a high bar. By contrast, a purely clerical use, such as an assistant that rephrases an already-written job ad and decides nothing, does not carry the same weight; the Act itself (Article 6(3)) carves out Annex III systems that only perform a narrow procedural task or merely improve the result of a completed human activity. That carve-out never applies to a system that profiles natural persons, which is exactly what candidate scoring does. Classification depends on the real purpose, not on the tool's marketing name.

"An AI system is not high-risk because of its technology, but because of what it decides. In HR, the algorithm's output bears on a person's career — and that is what triggers the obligations."

Luxapps product team

Employer (deployer) obligations

The AI Act distinguishes the provider (which builds the system) from the deployer (which uses it). An employer is generally a deployer. In that role, several obligations apply — in addition to, not instead of, the vendor's:

  1. Effective human oversight. The system must stay under human control and be used in line with the provider's instructions. An important HR decision cannot be left to the algorithm alone: a competent, trained person assigned to the task must be able to understand, challenge and override the recommendation.
  2. Transparency to candidates and employees. The people concerned must be informed when a high-risk AI system is used in a decision that affects them, and a person subject to such a decision can ask for a clear explanation of the system's role in it. The information must be clear and accessible, not buried in terms and conditions.
  3. Informing worker representatives. Before such a system is put into service or used at the workplace, the employer must inform worker representatives and the affected workers. In Luxembourg this dovetails with existing social-dialogue duties; confirm the applicable timing with your advisor.
  4. Relevant, representative input data. To the extent it controls the input, the deployer must ensure the data fed to the system is relevant and sufficiently representative of the intended purpose, in order to limit bias.
  5. Keeping logs and monitoring operation. Logs automatically generated by the system must be kept, to the extent they are under the deployer's control, for a period appropriate to the purpose and at least six months. The deployer must also monitor the system's operation and report serious incidents or risks to the provider and the authorities.

One more piece is easy to forget: data protection. An AI-based HR tool processes personal data, sometimes special-category data, and must therefore appear in your record of processing activities (GDPR, Article 30), with purpose, categories of data and recipients, and retention period. Because it involves systematic evaluation of individuals, it will normally also require a data protection impact assessment (GDPR, Article 35), for which the AI Act expects the deployer to rely on the information the provider supplies. The CNPD remains the competent authority in Luxembourg. We covered that requirement in our article on the compliant HRIS in Luxembourg.

These obligations do not stack at random: they overlap. Human oversight is only worth anything if the action is logged — otherwise you cannot later prove a human actually decided. Being transparent with a candidate means knowing exactly which data fed the recommendation, which loops back to input-data quality. In practice, a well-designed tool treats these requirements as one whole: access control, traceability and informing people form a single foundation, rather than four separate projects run after go-live.
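To make the point about traceability concrete, here is an added example (illustration code written for this article, not Luxapps product code or anything the AI Act prescribes) of a decision log for an AI-assisted shortlisting step. Each entry records the system's recommendation, the inputs it used, the named human reviewer, the actual decision and, when the reviewer overrides the recommendation, a mandatory rationale; entries are hash-chained so that rewriting or deleting an earlier record later breaks verification. The candidate identifiers, reviewer names and timestamps are constructed sample data.

```python
"""Tamper-evident log of human decisions taken on AI recommendations (illustration only)."""
import copy
import hashlib
import json
from typing import Any, Dict, List

GENESIS_HASH = "0" * 64  # sentinel "previous hash" for the first entry


def _digest(prev_hash: str, body: Dict[str, Any]) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON body.

    Chaining on prev_hash means editing or deleting any earlier entry changes
    every hash after it, so a silent rewrite is detectable on verification.
    """
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class DecisionLog:
    """Append-only record: one human decision per AI recommendation."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record(self, *, case_id: str, recommendation: str, inputs_used: List[str],
               reviewer: str, decision: str, rationale: str, recorded_at: str) -> Dict[str, Any]:
        if not reviewer.strip():
            raise ValueError("a named human reviewer is required")
        if decision != recommendation and not rationale.strip():
            raise ValueError("overriding the recommendation requires a rationale")
        body = {
            "case_id": case_id,
            "recommendation": recommendation,    # what the system suggested
            "inputs_used": sorted(inputs_used),  # which data fed that suggestion
            "reviewer": reviewer,                # who actually decided
            "decision": decision,                # what was decided
            "rationale": rationale,
            "recorded_at": recorded_at,
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = dict(body, prev_hash=prev_hash, hash=_digest(prev_hash, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was altered or removed."""
        expected_prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry["prev_hash"] != expected_prev or entry["hash"] != _digest(expected_prev, body):
                return False
            expected_prev = entry["hash"]
        return True

    def overrides(self) -> List[Dict[str, Any]]:
        """Entries where the human decided against the recommendation."""
        return [e for e in self.entries if e["decision"] != e["recommendation"]]


def build_sample_log() -> DecisionLog:
    """Constructed sample data (fictitious applications and reviewer)."""
    log = DecisionLog()
    log.record(case_id="APP-0001", recommendation="shortlist",
               inputs_used=["cv.pdf", "skills_questionnaire"], reviewer="recruiter.a",
               decision="shortlist", rationale="", recorded_at="2025-03-04T09:12:00Z")
    log.record(case_id="APP-0002", recommendation="reject",
               inputs_used=["cv.pdf", "skills_questionnaire"], reviewer="recruiter.a",
               decision="shortlist",
               rationale="Career gap explained in cover letter; profile matches the role.",
               recorded_at="2025-03-04T09:20:00Z")
    return log


def tampered_copy(log: DecisionLog) -> DecisionLog:
    """Copy of the log in which the first decision was silently re-attributed."""
    copied = copy.deepcopy(log)
    copied.entries[0]["reviewer"] = "ai-system"
    return copied


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())                      # True
    print("overrides:", len(log.overrides()))                # 1
    print("valid after tampering:", tampered_copy(log).verify())  # False
```

The chain only proves integrity of what was written; in a real deployment the log would sit behind access control, in write-once or separately administered storage, and be retained for at least the period the Act requires. The point the paragraph makes stands: transparency to the candidate ("which data fed this?"), human oversight ("who overrode it and why?") and traceability are answered from the same record.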

The timeline — what applies when

The AI Act applies in stages rather than on a single date. It entered into force on 1 August 2024. The bans on prohibited practices and the AI-literacy duty applied first (2 February 2025), followed by the rules for general-purpose AI models (2 August 2025). As adopted, the obligations for Annex III high-risk systems, which include the employment uses above, apply from 2 August 2026; the Commission has since proposed deferring that date to late 2027, linked to the availability of harmonised standards. Some information and transparency duties may apply earlier.

These deadlines may still be refined: treat these markers as orientation, and confirm the exact dates applying to your situation with your DPO or counsel. The practical message, though, is stable: a system you put in place today will have to meet these rules in time. It is far better to choose a tool built for that than to retrofit it under pressure.

What to ask an HR AI vendor

Before deploying an AI-enabled HR tool, a few questions separate marketing from real compliance:

  • Where is the data hosted and processed? Does it stay in the EU? Processing outside the EU requires a valid transfer mechanism under the GDPR (Chapter V) and should be spelled out in the contract, including any sub-processors.
  • How is human oversight made possible? Can you see, understand and override a recommendation, and is that logged?
  • What documentation does the vendor provide? Instructions for use, description of purpose, known limits, information on training data.
  • Is the system logged? Can you reconstruct who decided what, and on what basis?
  • How are candidates and employees informed? Does the tool support transparency, or leave it entirely to you?

How Luxapps approaches AI in HR

Our principle is simple: AI assists, it does not decide alone. Every use of AI in our HR modules is designed with a human in the loop — the recommendation is visible, explainable and can be overridden, and the action is logged. Transparency to the people concerned is built into the product, not left outside it.

We host data in Luxembourg, never outside the European Union and with no dependency on a non-EU cloud provider. That sovereignty simplifies data governance for an HR AI system. And because Luxapps moves forward with Luxgap, DPO and security guidance can address the organisation's wider compliance beyond the tool itself.

Finally, our custom-build model helps on one specific point of the AI Act: control of purpose. Because each module is developed for a use defined with the client, the AI system's purpose is clear, documented and traceable from the outset — where a generic tool forces you to guess how its AI was trained. That clarity does not exempt the employer from its deployer obligations, but it makes them far easier to demonstrate on the day of an inspection.

The AI Act does not make AI impossible in HR: it demands control and proof. To see how a tool can be compliant by design, explore our approach to HR compliance software in Luxembourg — or let's talk about your project directly.
