Under the EU AI Act, algorithmic scoring is legal, but how it is being used is not

A monumental shift is underway in the global talent acquisition (TA) technology space, driven by the European Union’s landmark Artificial Intelligence Act (EU AI Act). The industry, which relies heavily on algorithms to score, rank, match, and filter job seekers, is grappling with a central question: Will the new law make these core technological functions illegal?

Before we attempt to answer that question, let’s first address what problem the EU is attempting to solve. Michael McCready of McCready Law gave us a nice overview.

When you send a CV for a job you have been waiting for, you probably imagine someone carefully reading it. In reality, more and more often a machine evaluates it first. This is not science fiction. This is happening today in more and more companies around the world.

Millions of people send applications and never hear back. What many do not know is that a human may never have seen their CV at all. AI systems are now doing the sorting. The EU wants to change that, not by banning these tools, but by forcing companies to use them responsibly. That means regular checks and making sure a real person reviews and approves the decision.

The problem arises when AI starts quietly making decisions about candidates without any explanation. If the system automatically rejects a person, hides their CV from recruiters, or does not allow them to apply because they received a low score, that can be a serious legal problem. It is especially risky when the system uses data such as age, gender, disability or ethnicity, because that easily becomes discrimination.

AI can flag, filter, and rank. But deciding someone’s future should never be fully automated. There should always be a person who is able to check that decision, because people who get rejected deserve an explanation.

The consensus among legal and AI governance experts is clear: the EU AI Act does not ban the ranking, scoring, or matching of job seeker applications outright. The law is not designed to destroy helpful technology. However, virtually all employers and TA tech companies operating in the EU are currently using these systems in a way that will become illegal when the Act’s rigorous obligations come fully into effect by August 2027. The key distinction lies between the AI’s ability to suggest and a company’s practice of allowing the AI to determine a candidate’s fate without genuine human involvement.

The EU AI Act classifies AI systems based on the risk they pose to individuals’ fundamental rights. AI systems used in recruitment and employment decisions—including candidate screening and ranking—are explicitly classified as “High-Risk”. This is a direct, non-negotiable rule. According to Christian Espinosa, founder and CEO of Blue Goat Cyber, “High-risk does not mean illegal. But it does mean those systems must meet strict requirements around transparency, human oversight, data quality and bias auditing before deployment in EU markets.”

Nicola Cain, CEO and principal consultant at Handley Gill Limited, confirms the AI Act defines “AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates” as high-risk systems, imposing obligations on both the developers and deployers of such technology. This means both the tech vendors and the employers using the tools share the compliance burden. Nicola adds, “While these rules were due to come into effect in August 2026, through the EU’s Digital Omnibus proposals, provisional agreement has been reached to delay these until at least December 2027 and we await the confirmation of this agreement by publication in the Official Journal.”

We also received some guidance from Jenifer Hunter, an expert specializing in career guidance, education, job market research, and degree and alternative pathways. An aspect of the Act that is often overlooked is one that she focused on. According to Jenifer, “Systems that systematically disadvantage protected categories without documented mitigation strategies may trigger enforcement actions by national authorities, requiring redesign or withdrawal from the EU market to avoid fines up to 6% of global turnover.”

Isvari Maranwe, CEO of Yuvoice, pointed out that Annex III high-risk AI systems will be deemed not be high-risk if the AI system is intended to perform a narrow procedural task; improve the result of a previously completed human activity; detect decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence the previously completed human assessment, without proper human review; or perform a narrow preparatory task to an assessment relevant for the purposes of the use cases listed at Annex III. I think that it is fair to say that many lawyers will bill for many hours trying to find ways of sliding otherwise high-risk systems into one of these exceptions.

It will be interesting to see how the enforcement of the new law plays out with respect to employers who aren’t located in the European Union. According to Jackson White, founder and principal consultant at White, Turing & Lovelace LLC, “the Act applies extraterritorially. A US-based job board with EU users, or whose ranking output is used by an EU-based employer, is in scope as either a provider or a deployer.”

We should spend a little time on whether the Act merely codifies behavior already widely accepted by employers. In short, definitely no. Ali Hayat, CEO of Axipro Technology noted that, “more than half of the recruitment companies we’ve worked with this year lack a documented Article 14 human oversight mechanism. That’s the gap that’s going to hurt most businesses.”

There’s little doubt that many and perhaps most employers and their TA tech vendors will be upset at the new rules, and the enforcement of them. Consumers, however, are likely to be in favor. One of the experts that we reached out to drew an analogy to help illustrate this point. Sergio Pantoja Torres is a college counselor at Education World Wide. “A parallel can be drawn here with university admissions. If a university used AI tools to rank international applicants and rejected anyone below a certain score, people would expect a transparent process, not a black box with a polite rejection email. In job recruitment, stating that someone cannot apply because their CV score is too low is much riskier than using an AI tool to organize applications so a trained human reviewer can look over them.”

We can probably all agree that it is one thing for a governmental body to pass a law that makes something illegal. It is quite another for the government to then enforce that law in a way that meaningfully changes behavior. Welly Mulia is the founder of CartMango, which builds AI-driven SaaS tools that automate decisions inside digital workflows. According to him, the employers using these systems and the vendors who are creating them are already being forced to change. “I watched a mid-size recruitment platform lose three enterprise clients in one quarter after their legal team flagged that classification. Most operators are nowhere near ready.”

So, what is likely to trigger action by regulators? According to Timour Haider, CEO of Remote Job Assistant, “If an AI system blocks a candidate from even applying, or materially determines access to employment opportunities, regulators will probably look at whether real human oversight exists, and also whether the parallel obligations under GDPR, including the rules on automated decision making, are fully met.”

The most significant operational change required by the EU AI Act is the mandate for meaningful human oversight. Current industry practice—allowing systems to run on autopilot—is now a major legal liability. If a candidate is automatically rejected, filtered out, or prevented from applying based purely on an algorithm’s score, the AI is making a life-changing decision without the required human intervention. That all said, is the new Act so onerous that these systems will die out? According to Daniel Preston, founder of LiveInCare USA, no. “AI-driven recruitment systems are definitely here to stay, but their legality hinges on compliance with regional data protection laws, like the GDPR in the EU.”

Bottom line, according to Joanna Smykowski, licensed attorney at Custody X Change, “Using computers to make all the decisions on their own will no longer be allowed. Companies that follow the new rules will not have any problems.”