What Changed and Why It Matters Now
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. The high-risk provisions, the ones that cover hiring, apply from 2 August 2026. That is less than three months from today.
Article 6 combined with Annex III, point 4 classifies AI systems used in "employment, workers management and access to self-employment" as high-risk. That covers any tool that uses AI to score candidates, rank applications, filter CVs, transcribe interviews, or generate hiring recommendations. If your interview platform has an AI feature, this regulation applies to you.
The penalty ceiling is 3% of global annual turnover or EUR 15 million, whichever is higher. For most SMBs and mid-market companies, the real risk is not the fine. It is a candidate who challenges a rejection and your team cannot explain how the AI was involved in the decision.
Seven Questions for Your Next Vendor Call
You do not need to read the full text of the regulation. You need to ask your interview tool vendor seven questions and evaluate the answers. If the answers are vague, that tells you something. If they are specific, that tells you more.
1. Does the AI decide, or does the AI inform?
The Act requires human oversight for high-risk AI systems (Article 14). That means a human must be able to understand, override, and take responsibility for every decision the AI influences. Ask your vendor: does the AI automatically reject candidates at any stage? Does it auto-advance them? Or does it produce a score and a rationale that a person reviews before anything happens?
The difference matters. A tool that sends automatic rejections based on an AI score is the deployer taking on high-risk obligations without human oversight. A tool that shows the score, lets the recruiter agree or disagree, and logs the human decision is built for the regulation.
2. Can you explain what the AI evaluates?
Article 13 requires that high-risk AI systems are "sufficiently transparent to enable deployers to interpret the system's output and use it appropriately." In recruiter terms: when the AI gives a candidate a 74 out of 100, can your vendor explain what drove that number? Is it based on keyword matching, rubric alignment, speech patterns, facial analysis, or something else entirely?
If the vendor cannot explain the scoring methodology in plain language, you cannot fulfill your transparency obligation to candidates. Schmidt & Hunter (1998) showed that structured scoring against a rubric is 2x more predictive of job performance than unstructured evaluation. The best AI scoring systems are transparent because they are rubric-based, not because they were forced to be.
3. Where is the audit trail?
Article 12 requires automatic logging of events "throughout the lifetime of the system." For hiring, that means: which candidates were scored, what scores they received, which human reviewer saw the score, what decision was made, and when. If a candidate asks why they were not advanced six months from now, can your team reconstruct the path from application to decision?
Some tools score candidates but do not log the scores alongside the human decision. The AI output and the human action need to be in the same record, timestamped, and attributable to a named reviewer.
4. Has the AI been tested for bias?
Article 9 requires a risk management system that identifies and mitigates risks of bias and discrimination. Article 10 covers data governance for training data. The practical question is: has the vendor run a bias audit? Across which protected characteristics? What were the results?
This is not theoretical. Amazon scrapped an AI recruiting tool in 2018 after it systematically downgraded resumes that included the word "women's." NYC Local Law 144 already requires annual bias audits for automated employment decision tools. The EU AI Act goes further. If your vendor has not run an audit, or will not share the results, that is a red flag.
5. Can candidates contest AI-assisted decisions?
Under GDPR Article 22, individuals have the right not to be subject to decisions based solely on automated processing. The AI Act adds further transparency requirements. Candidates should know that AI was used in their evaluation, what role it played, and have a path to request a human review of the decision.
Ask your vendor: is there a disclosure to candidates that AI is part of the process? Is there a mechanism for candidates to request review? Cronofy (2024) found that 42% of candidates drop out of processes they find opaque. Transparency is not just a legal requirement. It is a candidate experience requirement.
6. Where is the data stored and processed?
AI scoring in hiring means processing personal data, often including video recordings, voice data, and transcripts. GDPR data residency requirements still apply. Ask: where are the servers? Is data processed inside the EU or transferred to third countries? Is the AI model hosted in the EU, or does candidate data leave the EU for inference?
This question trips up vendors who use US-based AI providers without a Data Processing Agreement or Standard Contractual Clauses. Your Data Protection Officer will want a clear answer before the August deadline.
7. What happens to our data if we leave?
Article 16 places obligations on providers to cooperate with deployers. But the practical question is simpler: if you decide to switch tools, can you export all candidate data, scores, and audit logs in a standard format? Or is your compliance history locked inside a vendor you no longer use?
Data portability is a GDPR right (Article 20), and it becomes operationally urgent when your audit trail lives in a third-party system. Make sure the answer is specific: file format, export timeline, and whether the audit trail comes with it.
What a Compliant Setup Actually Looks Like
The regulation sounds heavy. For a well-built tool, the workflow maps to what you already do. The AI scores and summarises. A human reviewer sees the score, the reasoning, and the recording. The reviewer agrees, disagrees, or overrides. The decision is logged with the reviewer's name and timestamp. Candidates are told that AI is part of the process. There is a path to contest. Data stays in the EU.
That is not a hypothetical. It is how several async interview tools already work, including StormInterview. AI transcribes in 40+ languages, suggests a structured score with written reasoning, and produces a summary. The recruiter and hiring manager review, decide, and the platform logs who said what and when. No automated rejections. No black-box scoring. Every decision traceable to a person.
The Three-Month Checklist
Between now and August 2, 2026, here is what to do.
- Audit your current tools. List every tool in your hiring stack that uses AI. For each one, ask the seven questions above. Document the answers.
- Check your Data Processing Agreements. Make sure each vendor has a DPA that covers AI processing of candidate data, not just general data storage.
- Update your candidate communications. Your privacy notice and interview invitation should tell candidates that AI is used, what it does, and how to request a human review.
- Brief your team. Recruiters and hiring managers should know the rule: AI informs, humans decide. If anyone is using AI scores as the sole basis for a rejection, that needs to change before August.
Start With One Role
The easiest way to see whether your tools are ready is to run a real hiring round and check the audit trail afterwards. Start a free trial of StormInterview and put one role through it. After the round closes, pull up the decision log and check: can you trace every AI score to a human decision? Can you explain the scoring to a candidate? If yes, you are ready for August. If not, you have three months to fix it.