AI CV screening: why it is high-risk and what that requires
AI that filters, parses or ranks CVs is the most widely used HR AI — and falls under Annex III of the AI Act as high-risk. That applies to bought-in tools too. This explainer covers the duties, the bias risks and the employer's role.
Short answer: Software that automatically filters CVs, extracts key fields (parsing) or gives candidates a score or ranking is by far the most widely used AI in HR — and falls under Annex III, point 4 of the AI Act as high-risk. That holds even if you buy the tool: then you are a deployer, with your own duties. The GDPR runs in parallel.
Why CV screening in particular is high-risk
The AI Act classifies AI used for recruitment and selection — targeted advertising, filtering applications and assessing candidates — as high-risk. The reason is the impact on fundamental rights: someone filtered out automatically gets no fair chance, often without knowing it. A ranking or matching score touches that same core.
The bias risk
CV screening learns from historical data. If that data contains an imbalance — few women in technical roles, say — the model reproduces the pattern. Seemingly neutral features (postcode, CV gaps, name) can act as proxies for protected characteristics. An efficiency gain then quickly shifts into discrimination in recruitment.
What the employer must do
As deployer (Art. 26) you have your own set of duties, even with a bought-in tool:
- Human oversight (Art. 14): a recruiter must be able to assess and override the outcome — no automatic rejection without a human view.
- Use as instructed and with relevant, representative input data.
- Inform candidates that an AI system is used.
- Keep logs and monitor operation for skewed outcomes.
The provider carries the heaviest load (risk management, data quality, documentation, CE marking). Modify the tool substantially or put your own name on it, and you become a provider yourself (Art. 25).
The GDPR on top
A fully automated rejection with significant effects falls under Article 22 GDPR: you need a valid basis, transparency about the logic and a right to human intervention.
What to do
- Inventory whether your recruitment tools fall under Annex III — most matching and screening tools do.
- Demand documentation from the supplier to evidence your own duties — see AI in contracts.
- Build a human decision point before every rejection.
- Test periodically for bias and record the result.
CV screening is not a "handy tool with a caveat" but a high-risk system. Treating it that way now prevents both a complaint from a rejected candidate and a supervisory problem.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  Regulation (EU) 2024/1689 (AI Act): Annex III point 4 classifies AI for recruitment and selection as high-risk; Art. 26 (deployer duties).
- https://eur-lex.europa.eu/eli/reg/2016/679/oj
  Regulation (EU) 2016/679 (GDPR): lawful basis, transparency and Art. 22 for automated decisions on candidates.