Automated scoring, ranking and matching have become essential in modern hiring. They let recruiters triage thousands of applicants in minutes instead of months. But new rules coming from the European Union — and active enforcement in the UK — are forcing talent teams and job boards to reconsider how those systems operate.
The short answer is that the EU AI Act does not outlaw candidate scoring and matching outright, but it places recruitment systems in a "high-risk" category that triggers heavy duties for anyone who deploys them. That distinction matters because it shifts the conversation from whether to use AI at all to how to use it legally and responsibly.
What the EU AI Act means for hiring tools
Under Annex III of the EU AI Act, any AI intended for recruitment or selection of natural persons is classified as high-risk. That includes tools used to advertise vacancies, screen applications, score CVs, rank candidates, and filter lists before a human ever looks at them. When an algorithm materially influences who is considered for a role — for example, by showing only the top-ranked candidates to a recruiter — it is treated as making a selection decision and falls squarely within the law.
High-risk status brings five core obligations: a continuous risk-management process; bias monitoring and data governance; detailed technical documentation before deployment; official conformity assessments where required; and meaningful human oversight. Put simply, you cannot buy an off-the-shelf scoring model, flick it on, and call it a day. The vendor may have built the model, but the employer or job board using it is the deployer and carries independent legal responsibilities.
The UK has already shown what enforcement looks like. In its November 2024 AI in Recruitment Outcomes Report, the Information Commissioner’s Office audited major HR tech providers and found systemic compliance gaps. Auditors issued 296 recommendations and 42 advisory notes; the fact that the companies accepted those findings underscores that many common practices were plainly out of step with data-protection obligations. Those same shortcomings will attract even greater scrutiny under the EU AI Act.
Why vendors can't shield employers
One of the most important practical points for TA leaders is that vendor assurances do not transfer legal liability. The Act distinguishes between developers (who build models) and deployers (who use them). As the deployer you must be able to demonstrate that the system is safe, that bias has been assessed and mitigated, and that humans meaningfully supervise automated outputs.
That means contracts and sales pitches are not enough. If your ATS filters out candidates automatically without a trained human confirming the decision, you are likely failing the human-oversight requirement. If a model infers protected characteristics from names or past hiring patterns and uses that inference to rank people, you risk discriminatory outcomes — and large fines. The law allows penalties up to €35 million or 7% of global turnover, whichever is higher, so the stakes are real.
Time is short: compliance windows and practical steps
The compliance timeline is tight. High-risk provisions were scheduled to apply from August 2, 2026, and negotiations in May 2026 may extend certain deadlines to December 2, 2027; either way, the work to meet the rules is substantial and cannot be postponed. For systems already in use, there is a slightly different timetable, but the same obligations apply.
For HR teams and recruitment platforms the immediate work is straightforward in principle, if demanding in practice. Start by mapping every part of your hiring stack that automates scoring, filtering, ranking or matching. Demand technical proof from vendors: data governance records, bias-testing results, and the documentation that explains how the model makes decisions. Reconfigure workflows so that no candidate is permanently excluded by automation without a trained human review.
Three practical first steps to protect your organization
Perform an instant AI audit: inventory every tool that influences hiring decisions and identify where automated outputs materially influence selection.
Require technical evidence from vendors: ask for documented risk assessments, bias tests, and model behavior explanations — not just marketing claims.
Build human-in-the-loop controls: ensure recruitment workflows prevent irrevocable exclusions and that humans can interpret, override, and document algorithmic decisions.
These are not optional niceties. They are the steps that shift responsibility from reactive crisis-management to demonstrable compliance. Many firms currently lack a mature AI governance framework: studies show a large minority operate without any policy at all, and many more only have rudimentary controls. The coming regulation forces a governance upgrade.
If you use or plan to use candidate scoring or matching tools, read the legislation and your vendor documentation, and start the audit now. The tools remain valuable, but the unregulated era is over. For a practical starting point, review the College Recruiter article that summarizes the legal framing and expert view here: https://www.collegerecruiter.com/blog/2026/05/26/does-the-eu-ai-act-make-job-seeker-scoring-ranking-match-by-job-boards-and-ats-illegal.
For recruiters, HR leaders and founders, the takeaway is clear: automated hiring can continue to speed and scale talent acquisition, but only if you can prove it is safe, fair, and supervised. Begin the work today to avoid disruption, fines, and reputational harm tomorrow.