Advice for Employers and Recruiters

Does the EU AI Act make job seeker scoring/ranking/match by job boards and ATS illegal?

May 26, 2026


Artificial Intelligence (AI) has completely changed how large companies hire people. Today, millions of resumes pass through automated systems every single day. If you are a senior Talent Acquisition (TA) leader at a multinational company, or if you run a major job board, you know how useful these tools are. They sort, rank, score, and match candidates in seconds. Without them, dealing with thousands of job applications would be nearly impossible. It would take months for human recruiters to read through every single application.

However, a major shift is happening in the legal world. Governments are stepping in to protect workers from unfair or hidden algorithms. The European Union has passed a landmark law called the EU AI Act, and the United Kingdom is aggressively enforcing its own data protection laws. Because of this, a wave of worry has hit the HR technology sector. Many corporate leaders are asking a frightening question: Are automated candidate scoring, ranking, and matching systems about to become completely illegal?

To get a clear, realistic answer, we reached out to a number of experts on European Union and United Kingdom laws related to the use of AI to make employment-related decisions. Over the coming weeks, we will publish a number of articles on this topic. It is fair to say that the advice we received from the experts was remarkably consistent and clear, even though some employers and talent acquisition technology (TA tech) companies seem to want to ignore that advice, or at least pretend that there’s a lot more nuance than that offered by the experts.

One of those experts was David Viney, a fractional chief information officer (CIO) and top AI governance advisor with Alchemy Consulting Services. Previously, he was the Platform Services Director for WPP, one of the world’s leading marketing businesses, and I.T. Director Platforms for Heathrow Airport. Viney helps complex organizations safely adopt new technologies while staying inside legal boundaries.

His conclusion gives us a much-needed reality check. The short answer is no, automated sorting and ranking are not illegal by themselves. The law does not want to destroy helpful technology. However, the dangerous truth is that the way most current hiring systems are built and used makes it highly likely that employers and software companies will break the law. This leaves businesses exposed to massive financial penalties that could ruin them.

The Expert’s View: Constrained, Redesigned, or Withdrawn

When we asked Viney directly about the future of Applicant Tracking Systems (ATS) and job boards under these new rules, he did not hold back. He gave us a very clear summary of what is coming for the industry:

“Short answer: yes, many of these systems are about to become significantly constrained, and some will need to be withdrawn or substantially redesigned.”

This means the tools you rely on every day cannot keep operating the way they do right now. To understand why, we have to look closely at how the EU AI Act treats HR software. The law does not ban AI in hiring. Instead, it places hiring tools into a special, high-security legal category. Why? Because finding a job is a critical part of a person’s life and economic survival. A broken algorithm can ruin a person’s career opportunities without them ever knowing why.

The Legal Classification: What is “High-Risk”?

The EU AI Act groups artificial intelligence into different risk levels. Some AI systems are banned entirely, such as social credit scoring systems used by governments. Others carry very low risk, like basic email spam filters. Recruitment software falls squarely into a heavily regulated bucket called “High-Risk” AI systems.

Viney explains that this classification is written explicitly into the law. He notes that under Annex III of the EU AI Act, AI systems used for recruitment and employment decisions—including CV scoring, candidate ranking, and application filtering—are officially labeled as high-risk. This is not a gray area or a matter of debate; it is a direct and strict rule.

The law states that this high-risk classification covers any AI system that is intended to be used for the recruitment or selection of natural persons. This includes systems used for advertising job vacancies, screening or filtering applications, and evaluating candidates during interviews or tests. Viney highlights exactly why everyday software falls into this dangerous legal bucket:

“This covers systems that ‘make or materially influence decisions on recruitment or selection of natural persons.’ An AI that scores a candidate too low to apply isn’t just influencing a decision; it is making one. That is squarely within scope.”

Think about how an ATS or a job board operates in the real world. If an algorithm automatically scans 500 resumes, scores them, and only shows the top 10 to a human recruiter, it has made a definitive decision. The other 490 candidates were filtered out before a human eye ever saw them. Because the AI “materially influenced” who could get the job, it must follow the strictest safety rules in Europe.

The Five Pillars of Compliance for High-Risk AI

Once a hiring system is labeled high-risk, you cannot simply buy it, turn it on, and forget about it. The EU AI Act requires a massive amount of paperwork, testing, and continuous human supervision. Viney broke down what a high-risk classification requires in practice for any organization using or hosting these tools. To remain legal, your systems must meet five strict pillars:

1. A Documented Risk Management System

Organizations must establish a continuous, structured plan to identify and minimize the risks that the AI poses to candidates. This is not a one-time test. It is a continuous loop that lasts for the entire lifecycle of the software. You must constantly ask: What happens if our matching tool breaks? How could it harm job seekers? How do we fix it instantly?

2. Bias Monitoring and Data Governance Controls

Teams must closely analyze the data used to train the AI. They must check for hidden biases to ensure the system does not accidentally discriminate against candidates based on race, gender, age, or disability. For example, if an AI is trained on a company’s past hiring data, and that company mostly hired men in the past, the AI will learn that men are preferred candidates. This is now illegal, and you must have tools in place to find and stop this data bias.

3. Pre-Deployment Technical Documentation

Before the software is ever used to score a single candidate, complete technical documentation must be written. This paperwork must prove exactly how the AI works, what its mathematical formulas look like, what its limitations are, and how it scores candidates. If a government regulator walks into your office, you must be able to hand them this blueprint immediately.

4. Official Conformity Assessments

For the highest-risk categories, systems must undergo official evaluations. This is like a safety inspection for a car. The system must be tested to prove it meets all European Union standards before it hits the commercial market or gets deployed in an HR department.

5. Meaningful Human Oversight

This is perhaps the most critical pillar for talent acquisition leaders to understand. The law states that high-risk AI tools must be designed so that human beings can understand their limitations, prevent automated bias, and actively supervise their outputs.

Many traditional talent acquisition systems are built to run entirely on autopilot to save time and money. However, this hands-off approach is now a massive legal liability. Commenting on this major operational flaw, Viney states clearly:

“A system that automatically blocks candidates from applying without human review almost certainly fails the oversight requirement on its face.”

If your software rejects people automatically without a real human recruiter confirming that rejection, you are violating the core requirement of human oversight.

A Warning from the UK: What Real Enforcement Looks Like

Some business leaders in North America or the UK might assume they do not need to worry about European regulations. This is a dangerous mistake for two major reasons.

First, the EU AI Act has a global reach. It applies to any company worldwide if the AI system affects candidates who live within the European Union. If a company based in New York or London uses an AI tool to hire a remote worker in France or Germany, that company must follow the EU AI Act.

Second, local regulators outside the EU are already cracking down on HR tech using their existing data privacy laws. To prove this point, Viney points to recent actions taken by the United Kingdom’s data regulator, the Information Commissioner’s Office (ICO). Even without using the new EU AI Act, the ICO has shown that current hiring systems are breaking long-standing privacy laws.

In November 2024, the ICO published its highly anticipated AI in Recruitment Outcomes Report. This report was written after government auditors conducted detailed audits of several major companies that develop and provide AI tools for hiring. What they found was alarming. There were widespread, systemic compliance gaps across the entire HR technology industry.

Many software providers never performed basic accuracy testing on their algorithms. Even worse, some systems allowed corporate recruiters to explicitly filter out candidates using protected legal characteristics. Viney shared some of the shocking specifics from that investigation:

“Certain features could lead to discrimination by allowing recruiters to filter candidates based on protected characteristics, and some tools inferred candidates’ gender, ethnicity, and other characteristics from their names and application data — without a lawful basis and without the candidates’ knowledge.”

Think about that for a moment. The software was actively guessing if a candidate was male or female, or what racial background they had, simply by looking at their name. It then used that guessed information to sort them. This was happening completely in secret, without the candidates’ permission or knowledge.

The scale of the problems discovered by the UK government was massive. Across their audit engagements, ICO auditors made 296 specific recommendations and 42 advisory notes to clean up these software systems. Strikingly, every single one of those recommendations was quietly and immediately accepted by the technology companies. They did not fight the findings because they knew they were caught breaking the rules.

Viney emphasizes that the ICO’s final conclusion was completely unambiguous:

“We are concerned that across the economy there may be gaps in the application of safeguards that protect people’s rights under data protection law.”

Viney warns senior business leaders that if these massive failures are happening under the existing UK GDPR data laws, the upcoming EU AI Act is going to raise the regulatory bar much higher, catching many more unprepared companies.

The Structural Corporate Governance Gap

Why are our hiring systems so full of legal risks? According to Viney, the issue is not an accident or a minor technical glitch. Instead, it is a structural governance failure inside modern corporations. Companies have rushed to buy exciting, fast AI tools because of market hype. However, they completely forgot to build the internal management rules and guardrails to monitor those tools safely.

The data proves that this is a widespread problem. Studies show that almost a third of organizations (29%) currently operate with absolutely no AI governance policy at all. Furthermore, a mere 43% of companies have any sort of basic policy in place.

This total lack of corporate control is confirmed by broader research. McKinsey’s State of AI report revealed a terrifying reality: while 72% of enterprises have AI systems actively running in live production, only 9% of them describe their internal AI governance as mature.

Viney connects these statistics directly back to the talent acquisition department. He notes that the overwhelming majority of organizations deploying AI recruitment tools are doing so without the governance infrastructure the EU AI Act will shortly require. They are essentially driving a high-speed vehicle on a busy highway with no brakes and no steering wheel.

The “Black Box” and the Right to a Meaningful Explanation

Another major change introduced by the new rules is absolute transparency for job seekers. For years, candidates have complained about the “HR Black Box.” This is the frustrating experience where a candidate submits an excellent application, receives an instant, automated rejection email three seconds later, and can never find out why they were rejected.

The EU AI Act completely outlaws this practice. Under the new transparency rules, if an AI system is used to make a significant decision about a person’s employment application, that person has a legal right to know that AI was involved. Furthermore, they have a right to receive a clear, easy-to-understand explanation of the logic used by the algorithm.

This requirement will completely destroy standard corporate automated rejection practices. As Viney summarizes perfectly:

“The algorithm scored you too low to apply is not a meaningful explanation.”

If your system rejects a candidate, you must be able to explain the exact, objective reason why. For example, you must be able to show that the candidate lacked a specific professional certification, or had fewer years of required experience than mandated by the job description. If your software cannot provide that level of clear, transparent, and logical detail to a rejected candidate, using it is a direct violation of the law.

The Timeline Pressure: August 2026 is Coming Fast

Many senior corporate leaders read about these complex legal updates and assume they have many years to prepare. This is a dangerous delusion. The timeline to fix these automated systems is incredibly short, and the clock is already ticking loudly.

The high-risk provisions of the EU AI Act apply starting August 2, 2026 for any newly deployed hiring systems. On May 7th, EU lawmakers reached a political agreement via the Digital Omnibus on AI to extend the deadline until December 2, 2027, an extension of roughly 16 months. As of the writing of this article, that agreement has not been formally adopted, but Viney and other experts believe that it will be well before August 2nd. For systems that are already actively in use before that date, companies are given a slight extension, but they must completely comply by August 2027.

Whether the system is newly deployed or already in use, the time to act is now and the extension doesn’t change the substance of the argument at all. Viney notes, “the compliance work is the same, and the UK ICO enforcement is live regardless of EU timelines. If anything the framing becomes: ‘the deadline just moved — that’s not a reason to relax, it’s a reason to use the time well.’ The UK Data Protection Act and UK GDPR are already fully in force, the ICO consultation closed yesterday, and enforcement letters have already gone out to named organisations.”

When you look at the sheer size of the HR technology market, this timeline presents an immediate industry crisis. Viney notes that there are roughly 100,000 job boards operating globally today. He warns that a vast number of those 100,000 job boards will simply not be ready when the law takes effect. Software development takes time, and completely rebuilding an algorithm’s data pipeline to add bias monitoring and transparency cannot be done overnight.

The Vendor Trap: Why You Cannot Outsource Your Legal Liability

Perhaps the most important takeaway for senior talent acquisition leaders and corporate executives is understanding where the legal punishment falls. Many enterprise companies assume that if they buy an ATS or a matching tool from a famous third-party technology vendor, any legal trouble is the vendor’s problem. They assume that if the vendor signed a contract promising their software is compliant, the employer is safe.

This assumption is entirely wrong under the EU AI Act. The law creates a vital legal distinction between two roles:

  • The Developer: The software company that builds the code and trains the algorithm.
  • The Deployer: The employer or job board operator using the software to make real hiring decisions.

Viney highlights this crucial nuance, explaining that the legal obligations fall heavily on the deployer—the job board or ATS operator—not just the developer. He emphasizes a warning that every corporate legal team must hear:

“Vendor compliance does not transfer automatically. Every operator running a third-party scoring model carries independent obligations under the Act, regardless of what their vendor has certified.”

If your vendor’s tool discriminates against a candidate, or if it lacks proper human oversight controls, your company will be sued and fined as the deployer. You cannot hide behind a software contract or an indemnity clause. You carry independent legal responsibility to audit that tool and ensure it complies with the law every single day.

Immediate Next Steps for TA Leaders and Job Boards

Automated candidate scoring, ranking, and matching are not illegal. They remain powerful, vital tools for modern recruitment. But the wild, unregulated days of letting unmonitored algorithms make life-altering employment decisions are officially over. The financial penalties for violating the EU AI Act are staggering—reaching up to €35 million or 7% of a company’s global annual turnover, whichever is higher. For a large employer, a single fine could total hundreds of millions of dollars.

If you want to protect your organization from these massive financial penalties and operational disruptions, you must take action immediately. Do not wait for the deadlines to arrive. Senior leaders should implement three concrete steps right now:

  1. Conduct an Instant AI Audit: Create an exact inventory of every tool in your hiring process that uses automated scoring, matching, or filtering. Find out exactly where algorithms are influencing human decisions.
  2. Demand Deep Technical Proof from Vendors: Do not accept a simple marketing brochure or a sales promise claiming compliance. Ask your software vendors for their formal data governance records, their bias testing results, and their technical explanation models.
  3. Establish Strict Human-in-the-Loop Safeguards: Re-engineer your recruitment workflows. Ensure that no candidate is permanently blocked or rejected by a machine without a trained human recruiter reviewing the application and confirming the decision.

By building a mature internal governance framework today, you can continue to enjoy the incredible speed and efficiency of AI recruitment tools while keeping your company completely safe from a devastating regulatory disaster.

For what it is worth, College Recruiter does not rank, score, or match candidates to job posting ads with the use of any kind of automation, including AI. Candidates enter keywords and their desired work locations into our search, get a list of job posting ads ranked by relevancy, some apply, and then our customer, typically the employer, ranks/scores/matches their CV or resume against the job ad or description. Put another way, we are not involved in the screening or the selection of candidates.
