Lexara Advisory

HR AI Compliance in the EU and U.S.

HR AI systems face dual compliance obligations in the EU and US. This guide compares the frameworks and offers practical guidance for hiring, screening, and promotion.

June 27, 2026 · By Constantin Razvan Gospodin, Legal AI Risk Manager


Organizations using AI for human resources face one of the most complex regulatory landscapes in AI governance. Employment AI is high-risk under the EU AI Act, subject to automated decision rules under GDPR, and regulated by local bias audit laws in New York City. This article compares HR AI compliance requirements across the EU and US, focusing on hiring, screening, and promotion decisions.

What This Means

AI systems used in human resources are among the most heavily regulated AI applications globally. This is because employment decisions directly affect individuals' livelihoods, career advancement, and economic security. Regulators in both the EU and the US have recognized that AI hiring tools can perpetuate or amplify historical biases, and they have enacted specific rules to address these risks.

In the European Union, the EU AI Act (Regulation (EU) 2024/1689) classifies AI systems used in recruitment, screening, hiring, promotion, and termination as high-risk under Annex III, Category 4. This classification triggers the full suite of high-risk obligations: conformity assessment, technical documentation, risk management systems, data governance, human oversight, transparency, and registration in the EU database. For US companies hiring EU-based candidates, these obligations apply extraterritorially under Article 2(1)(c).

GDPR adds a separate layer of protection. Article 22 of the GDPR grants individuals the right not to be subject to solely automated decisions that produce legal effects or similarly significant effects on them. AI hiring tools that automatically reject candidates or make final hiring decisions without meaningful human review may trigger Article 22. Even when human review is present, GDPR requires transparency about the logic of the decision-making process, the significance of the decision, and the right to contest the decision.

In the United States, the regulatory landscape is fragmented. NYC Local Law 144 is the most specific and demanding HR AI regulation at the local level. It requires annual independent bias audits of automated employment decision tools (AEDTs), public summary publication, and candidate notice. California, Illinois, and Maryland have enacted laws regulating specific AI applications in employment, such as facial recognition in video interviews. Federal agencies including the EEOC and FTC have issued guidance on AI discrimination, but comprehensive federal legislation has not yet been enacted.

The practical implication is that a multinational employer using AI for hiring faces overlapping obligations from three distinct sources: the EU AI Act (high-risk classification), GDPR (automated decision protection), and US state and local laws (bias audits and transparency). Each framework has its own definitions, requirements, timelines, and enforcement mechanisms. A compliance program that addresses only one framework will leave significant gaps.

Key Requirements

EU AI Act: High-Risk Employment AI.

Under Annex III, Category 4, AI systems used to recruit or select natural persons, including by advertising, screening, filtering applications, and evaluating candidates, are high-risk. AI systems used to make decisions affecting terms of work-related relationships, including promotion and termination, are also high-risk. Providers of these systems must complete a conformity assessment before placing the system on the market. Deployers must conduct a fundamental rights impact assessment before putting the system into service and must implement human oversight mechanisms.

GDPR Article 22: Automated Decision-Making.

Article 22 applies when AI systems make decisions without meaningful human involvement. The threshold for "meaningful" human involvement is high; a cursory review by a recruiter who rubber-stamps the AI's recommendation does not satisfy the requirement. Employers must provide individuals with information about the logic of the decision-making process, the significance of the decision, and the consequences for the individual. Individuals must have the right to obtain human intervention, express their point of view, and contest the decision.

NYC Local Law 144: Bias Audit and Transparency.

US State and Federal Guidance.

Beyond NYC, Illinois requires consent for video interview analysis using AI. Maryland regulates facial recognition in employment. California has enacted broad AI safety legislation (the RAISE Act) targeting large developers, but employment-specific rules are still evolving. The EEOC has issued guidance warning that AI tools that discriminate against protected classes violate Title VII, even if the discrimination is unintentional. The FTC has warned that AI claims must be substantiated and that unfair or deceptive AI practices may violate consumer protection laws.

A US company using an AI hiring tool for candidates in both NYC and the EU must satisfy both LL144 and the EU AI Act simultaneously. The EU AI Act's requirements are substantially broader and more demanding. A compliance program built around the EU AI Act will likely cover most LL144 requirements as a subset, but the reverse is not true. LL144's bias audit alone does not satisfy the EU AI Act's conformity assessment or fundamental rights impact assessment requirements.

Practical Steps

Inventory All HR AI Systems.

Start with a comprehensive inventory of every AI tool used in hiring, screening, promotion, and workforce management. Include tools embedded in applicant tracking systems, video interview platforms, assessment providers, and internal talent management systems. Document the vendor, the intended use, the decision points, and the geographic scope of each tool.

Classify by Jurisdiction and Risk.

For each tool, determine which jurisdictions it affects. Does it evaluate candidates in the EU? In New York City? In California? Map each tool against the applicable legal frameworks. EU-based candidates trigger the EU AI Act and GDPR. NYC-based candidates trigger LL144. Other states may have their own requirements. Document your classification rationale for each tool.

Build a Unified Compliance Roadmap.

Start with the highest-risk framework, which is typically the EU AI Act. Build a compliance program that addresses the EU AI Act's Annex III requirements, then map LL144 and GDPR requirements into it. Identify gaps where LL144 requires something the EU AI Act does not, such as the independent bias audit and the ten-day candidate notice. Build specific processes to address those gaps.

Evaluate Human Oversight.

Review your actual hiring workflows to determine whether human oversight is meaningful or merely procedural. Under the EU AI Act, human oversight must be effective: the human operator must understand the system's capabilities and limitations, must be able to correctly interpret the system's output, and must be able to decide not to use the system in particular situations. Under GDPR, the human must have genuine authority to override the AI's recommendation. Train your recruiters and hiring managers on these requirements.

Prepare for Fundamental Rights Impact Assessments.

If you deploy high-risk AI systems in the EU, you must conduct a fundamental rights impact assessment (FRIA) before putting the system into service. The FRIA must evaluate the risks to the rights of the affected persons, including privacy, non-discrimination, and due process. For HR AI, this means assessing how the tool affects candidates' rights to fair treatment, data protection, and equal opportunity. Document your FRIA and retain it for regulatory inspection.

Consult Qualified Counsel.

Dual-jurisdiction HR AI compliance is complex and fact-specific. The classification of a tool, the applicability of Article 22, and the adequacy of a bias audit all depend on your specific circumstances. Lexara Advisory provides compliance mapping and readiness support, but we do not provide legal advice. Consult qualified legal counsel in both jurisdictions for advice tailored to your organization.


Frequently Asked Questions

Does the EU AI Act apply to HR AI systems?

Yes. AI systems used in recruitment, screening, hiring, promotion, or termination are classified as high-risk under Annex III, Category 4 of the EU AI Act. This classification applies regardless of whether the employer is based in the EU, provided the AI system affects EU individuals.

How does GDPR Article 22 apply to AI hiring tools?

GDPR Article 22 grants individuals the right not to be subject to solely automated decisions that produce legal effects or similarly significant effects. AI hiring tools that automatically reject candidates or make final hiring decisions without meaningful human review may trigger Article 22. Employers must provide information about the logic involved, the significance of the decision, and the right to human intervention.

What is the difference between EU AI Act and NYC LL144 for HR AI?

The EU AI Act classifies employment AI as high-risk and requires comprehensive compliance including conformity assessment, technical documentation, risk management, human oversight, and fundamental rights impact assessment. NYC LL144 focuses specifically on bias auditing, public summary disclosure, and candidate notice for AEDTs used in NYC hiring. The EU AI Act is broader and more demanding in scope.

Can one compliance program satisfy both EU and US HR AI requirements?

Partially. A well-designed compliance program built around the EU AI Act's high-risk requirements will cover many of the documentation and oversight requirements that US frameworks emphasize. However, specific requirements like NYC LL144's independent bias audit, the EU's fundamental rights impact assessment, and GDPR's data protection by design are not fully interchangeable. Organizations should map requirements across both jurisdictions and identify gaps.

What should HR teams do first for AI compliance?

Start with an inventory of all AI tools used in hiring, screening, promotion, and workforce management. Classify each tool by jurisdiction and risk level. Then map each tool against the applicable requirements: EU AI Act Annex III, GDPR Article 22, and NYC LL144 for relevant tools. Build a unified compliance roadmap that addresses the highest-risk requirements first.


Lexara Advisory LLC provides AI governance consulting and is not a law firm. This article reflects our understanding of applicable regulations as of the date of publication. It does not constitute legal advice. Organizations should consult qualified legal counsel for advice specific to their circumstances.