EU AI Act Compliance for Provider vs Deployer for HR AI
Last reviewed 6/18/2026 · Rule set v1
Quick answer
HR AI in the provider vs deployer use case is typically classified as high-risk under Regulation (EU) 2024/1689 when used with EU market exposure and when it affects natural persons. Your exact tier depends on intended purpose, autonomy, and whether an Annex III exception applies.
Primary legal hook for this page: Regulation (EU) 2024/1689 Article 16 / Article 26.
When this use case is high-risk
Under Article 6(2) of Regulation (EU) 2024/1689, AI systems listed in Annex III are high-risk unless the Article 6(3) narrow exception applies (and profiling always remains high-risk). Provider obligations include risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11 / Annex IV), record-keeping (Art. 12), transparency to deployers (Art. 13), human oversight (Art. 14), and accuracy/robustness (Art. 15). Enforcement for Annex III systems: 2 August 2026 (with some extensions for embedded products).
For the provider vs deployer use case in HR AI specifically: systems that evaluate, rank, filter, or monitor people in this domain often map to Annex III if they materially influence access to employment, credit, education, essential services, or similar opportunities.
Key articles & annexes
- Regulation (EU) 2024/1689 (Article 16 / Article 26)
- Article 6: classification rules for high-risk AI
- Article 3: definitions (provider, deployer, AI system)
- Annex III: high-risk AI systems by area of use
Documents teams usually prepare
- Annex IV technical documentation outline
- Risk management system summary
- Human oversight plan
- Conformity assessment / CE marking checklist (where applicable)
- Fundamental rights impact assessment (FRIA) when deployer is a public body (Art. 27)
Examples users confuse with this use case
- Internal-only analytics with no individual decisions → may not be high-risk, but document scope
- Human-in-the-loop review → does not automatically remove high-risk status if the AI still profiles or ranks people
- Vendor vs customer role → providers hold most conformity duties; deployers have Art. 26 obligations
Run the questionnaire
Answer five to seven concrete questions (with examples for each) to get a rule-based classification with citations, not a generic AI opinion.
FAQ
Is every provider vs deployer HR AI product high-risk? No. Article 6(3) can exclude narrow procedural systems that do not pose significant risk, unless the system performs profiling. Document your assessment.
Provider or deployer: who files what? Providers (the product vendor) typically carry Annex IV documentation and conformity duties. Deployers using a third-party tool must check Art. 26 and may need a FRIA (Art. 27) in public-sector contexts.
When do obligations start? Prohibited practices: Feb 2025. GPAI rules: Aug 2025. Most Annex III high-risk rules: Aug 2026. Plan backward from your EU go-to-market date.