Buying HR AI: the vendor due-diligence checklist for ATS software
Procuring HR AI or ATS software means inheriting AI Act obligations. This checklist gives the questions to ask the vendor before you sign — high-risk or not, CE marking, technical documentation, bias tests, logging — plus the contractual safeguards and the oversight that follows.
Short answer: AI that recruits, selects or assesses people is high-risk under the AI Act. As the buyer you usually become the deployer and inherit your own obligations — even though the vendor built the software. Due diligence before signing is therefore no formality: you must be able to show the system is compliant, and that is only possible if the vendor hands over the right documents. Below are the questions to ask and the safeguards the contract should contain.
Why this is high-risk
Annex III of the AI Act explicitly lists AI systems used in recruitment, selection and employment decisions as high-risk: CV screening, candidate ranking, performance assessment, or steering promotion and termination decisions. The heaviest tier of requirements short of an outright ban therefore applies. What those requirements involve — risk management, data quality, transparency, human oversight — is set out in High-risk AI obligations: the overview. For the HR-specific angle, see AI in recruitment and selection.
The provider-versus-deployer line
The law gives the builder (provider) and the user (deployer) different duties. The provider handles the conformity assessment, technical documentation, CE marking and registration. The deployer — usually you as the employer — must use the system per the instructions, run human oversight, keep logs and inform workers. Watch the trap: if you substantially modify the system or put it on the market under your own name, you can become a provider yourself, with all the building duties that entails. So ask the vendor explicitly how they see the role split.
The procurement checklist: questions for the vendor
Ask these in writing and keep the answers:
- Is the system high-risk under Annex III? If not, on what ground?
- Has a conformity assessment been carried out and can it be produced?
- Does the system carry a CE marking and is it registered in the EU database?
- Can you inspect the technical documentation (Art. 11) and the instructions for use (Art. 13)?
- Are bias and non-discrimination test results available, with the datasets used and outcomes per group?
- How does logging work (Art. 12) — which events are recorded and for how long?
- How is human oversight supported — can a recruiter understand and override a decision?
- How was the system tested for accuracy and robustness, and what are the known limits?
- Which personal data is processed, where, and is there a processor agreement and DPIA support?
If the first few questions get no clear answer, that is itself a red flag.
Contractual safeguards
Turn the answers into hard commitments. Record that the vendor warrants conformity and keeps supplying documentation on updates; that it informs you promptly of serious incidents and changes; that it cooperates with your duties (logs, transparency, audits); and that liability and indemnification are settled if the system turns out non-compliant. Add an exit and data-return clause so you are not locked into a non-compliant system.
Ongoing oversight after go-live
Due diligence does not stop at signing. As deployer you monitor operation, retain the logs the system generates (Art. 26 requires at least six months, unless other Union or national law demands longer), periodically review outcomes per group for bias and check that decisions remain explainable, and keep human control genuinely alive — no rubber stamp. At every substantial update you repeat the tests. This fits the broader frame of AI in the workplace, where the same governance discipline applies.
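The per-group outcome check that the checklist asks the vendor for, and that the deployer repeats after go-live, is simple enough to run yourself on the screening log. The block below is an added example, not code from the original article or from any ATS vendor: it takes constructed screening records, computes the selection rate per group, compares each group to the most-favoured group and flags the ones whose ratio falls below a threshold. The 0.8 threshold is an assumption borrowed from the US "four-fifths" rule of thumb; the AI Act sets no numeric cut-off, so a flag here is a trigger for human review, not a legal finding. The `min_group_size` guard is also an assumed operational choice, because a ratio computed on three candidates says nothing.

```python
"""Periodic bias review over ATS screening outcomes (added example).

All records below are constructed for illustration. The group attribute is
assumed to be collected only for monitoring and kept apart from the data the
screening model sees; how that separation is achieved is outside this snippet.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningRecord:
    candidate_id: str
    group: str      # protected-attribute value used for monitoring only (assumption)
    advanced: bool  # did the system move the candidate to the next stage?


def _make(group: str, screened: int, advanced: int, start: int) -> list[ScreeningRecord]:
    """Build `screened` constructed records for one group, the first `advanced` of them selected."""
    return [ScreeningRecord(f"c{start + i:03d}", group, i < advanced) for i in range(screened)]


# Constructed sample log: A advances 6/10, B advances 3/10, C has too few records to judge.
SAMPLE_LOG = _make("A", 10, 6, 0) + _make("B", 10, 3, 10) + _make("C", 3, 1, 20)


def selection_rates(records: list[ScreeningRecord]) -> dict[str, float]:
    """Selection rate per group: advanced / screened."""
    screened = Counter(r.group for r in records)
    advanced = Counter(r.group for r in records if r.advanced)
    return {g: advanced[g] / screened[g] for g in screened}


def adverse_impact(records: list[ScreeningRecord],
                   threshold: float = 0.8,      # assumed review trigger, not a legal test
                   min_group_size: int = 5) -> dict[str, dict]:
    """Compare each group's selection rate to the best-performing group.

    Returns {group: {"rate", "ratio", "flag"}} where flag is one of
    "ok", "review" (ratio below threshold), "insufficient_data" (group too
    small to compare) or "no_selections" (nobody advanced, ratio undefined).
    """
    counts = Counter(r.group for r in records)
    rates = selection_rates(records)
    eligible = {g: r for g, r in rates.items() if counts[g] >= min_group_size}
    if not eligible:
        raise ValueError("no group has enough records to serve as a reference")
    reference_rate = max(eligible.values())

    report: dict[str, dict] = {}
    for group, rate in sorted(rates.items()):
        if counts[group] < min_group_size:
            report[group] = {"rate": rate, "ratio": None, "flag": "insufficient_data"}
            continue
        if reference_rate == 0:
            report[group] = {"rate": rate, "ratio": None, "flag": "no_selections"}
            continue
        ratio = rate / reference_rate
        flag = "review" if ratio < threshold else "ok"
        report[group] = {"rate": rate, "ratio": ratio, "flag": flag}
    return report


def summarize(report: dict[str, dict]) -> list[str]:
    """One line per group, suitable for pasting into the compliance file."""
    lines = []
    for group, row in report.items():
        ratio = "n/a" if row["ratio"] is None else f"{row['ratio']:.2f}"
        lines.append(f"group={group} rate={row['rate']:.2f} ratio={ratio} flag={row['flag']}")
    return lines


if __name__ == "__main__":
    for line in summarize(adverse_impact(SAMPLE_LOG)):
        print(line)
```

Run it after every substantial update and file the output next to the vendor's own test results; a "review" flag means a recruiter looks at the decisions for that group, not that the system is switched off automatically.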
Good HR-AI procurement is not a price comparison but a compliance file. Whoever asks the right questions before signing does not take on a risk they cannot carry afterwards.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj — Regulation (EU) 2024/1689 (AI Act): Annex III lists recruitment AI as high-risk; Arts. 16 and 26 split duties between provider and deployer.
- https://eur-lex.europa.eu/eli/reg/2016/679/oj — Regulation (EU) 2016/679 (GDPR): lawful basis, DPIA and automated decision-making (Art. 22) apply alongside the AI Act.
Read next
The AI Act for procurement: supplier requirements and contract clauses
Whoever procures AI often becomes a deployer under the AI Act and carries their own obligations. A supplier claiming to be "AI Act compliant" is no guarantee. This guide explains what to ask up front and which clauses belong in the contract.
CRA: what to require when procuring IoT/connected hardware?
Require CE marking, a completed conformity assessment, a secure-by-default configuration and security updates throughout the support period. Fix these and the incident reporting duty in your contracts before full application on 11 December 2027.
Provider or deployer in HR AI: who is what?
In HR AI the builder of the ATS or HR tech is usually the provider and the employer the deployer. But an employer can become a provider itself through own branding or substantial modification (Art. 25). The role determines which duties apply.