Skip to content
Confir.
Free trial
AI Inventory

HireVue Under the EU AI Act: High-Risk Classification and Deployer Duties

AI Tool Compliance23 May 2026· 13 min read· 2,642 words

HireVue is high-risk under EU AI Act Annex III point 4(a). Deployer duties, the Art 5(1)(f) emotion ban, and steps to comply by 2 December 2027.

HireVue is a video-interview and AI-assessment product used by hundreds of employers across Europe to screen candidates, score structured interviews, and rank applicants before human review. Under Regulation (EU) 2024/1689 — the EU AI Act — any employer deploying HireVue for recruitment or candidate evaluation is using a high-risk AI system within the meaning of Annex III, point 4(a). That classification carries real obligations, a hard deadline, and one bright-line prohibition that organisations using older versions of HireVue need to understand.

This guide covers the classification logic, the split of duties between HireVue (the provider) and the employer (the deployer), the prohibition on emotion/affect recognition in employment, and the practical steps for reaching compliance before 2 December 2027.

Why HireVue Is High-Risk: Annex III, Point 4(a)

Annex III of the EU AI Act lists eight categories of AI use that are presumed high-risk under Article 6. Point 4 covers employment, workers management, and access to self-employment. Sub-point 4(a) explicitly captures:

AI systems intended to be used for recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering of candidates, evaluating candidates in the course of interviews or tests.

HireVue's core functionality — automated video interview scoring, competency-based ranking, and structured assessment — falls squarely within that text. Classification is not optional or discretionary.

Can an employer claim the Article 6(3) exemption?

Article 6(3) lets a provider document that an Annex III system does not pose a significant risk of harm to health, safety, or fundamental rights — and thereby escape the high-risk obligations. The conditions are narrow: the system must perform only a narrow procedural task; or improve the result of a previously completed human activity; or detect decision patterns without influencing human assessment; or do purely preparatory work. Critically, any system that profiles natural persons is always high-risk, and the exemption cannot apply.

A tool that scores and ranks candidates on competency dimensions and feeds that ranking to a recruiter is plainly influencing the hiring outcome. The Article 6(3) route is not available. If HireVue is used to evaluate candidates, the high-risk framework applies.

The Prohibited Line: Emotion and Affect Recognition Under Article 5(1)(f)

This is the most important legal boundary for any employer using HireVue.

Article 5(1)(f) of the EU AI Act prohibits AI systems that infer emotions or affect of natural persons in the workplace. The prohibition has applied since 2 February 2025. It is not subject to a transition period. The penalty ceiling is €35,000,000 or 7% of total worldwide annual turnover, whichever is higher (Article 99(3)).

HireVue attracted significant regulatory attention precisely because early versions of the product used facial-movement analysis and vocal-affect scoring alongside verbal-content evaluation. The company has moved away from those features — it publicly discontinued its facial-expression analysis component in 2021. But the legal risk for deployers has not disappeared:

  • If your organisation signed a contract with HireVue before 2021 and has not verified which model version is active, you need to confirm in writing with HireVue that no emotion or affect inference is occurring.
  • If any third-party add-on to your recruitment workflow infers candidates' emotional states from video, voice tone, or facial microexpressions during an employment process, that component is prohibited — regardless of how it is marketed.
  • The prohibition covers the employment context specifically. It applies to interviews, assessments, and any on-the-job monitoring scenario.

Document your verification. If HireVue confirms in writing that the version you use does not perform emotion inference, keep that confirmation in your compliance file.

Roles: HireVue Is the Provider, Your Organisation Is the Deployer

The EU AI Act distinguishes sharply between the company that builds and places an AI system on the market, and the company that uses it in a professional context.

HireVue (the provider under Article 16) must:

  • Conduct a conformity assessment under Article 43 (Annex VI internal self-assessment route applies to employment AI, since Annex III point 4 is not the biometrics category that requires a notified body).
  • Compile technical documentation meeting the Article 11 / Annex IV requirements, covering system architecture, training data composition, performance metrics, and known limitations.
  • Register the system in the EU database under Article 49 before it is placed on the market.
  • Provide the deployer with adequate information under Article 13 — instructions for use, intended purpose, performance characteristics, and known risks.
  • Maintain a post-market monitoring system under Article 72 and report serious incidents under Article 73.

As the employer using HireVue, you are the deployer under Article 26. Your duties are lighter than the provider's, but they are not trivial. They include:

Use the system only as HireVue intends (Article 26)

HireVue's instructions for use define the system's intended purpose — the types of roles, candidate populations, and assessment processes it was designed and validated for. Using it outside those parameters (for example, applying a tool validated for corporate-role screening to assess warehouse operatives) shifts liability toward you and may constitute a substantial modification under Article 25 that triggers provider duties.

Ensure human oversight (Article 14)

No automated hiring decision. HireVue's ranking is input to a human recruiter's judgment, not the decision itself. Article 14 requires that the system be designed to allow human override, and Article 26 requires that you actually exercise that capacity. In practice:

  • Do not configure HireVue to auto-reject below a threshold score.
  • Ensure every candidate shortlist or rejection has a qualified human reviewing the recommendation before any communication goes out.
  • Train recruiting staff to understand what the score means, what it does not mean, and when to override.

Monitor performance and keep logs (Article 26)

You must monitor the system in use, identify risks or incidents, and — if you find a serious incident — report it to HireVue (who has the statutory duty to escalate to authorities under Article 73). Keep deployment logs for at least six months.

Notify workers' representatives and candidates (Article 26)

This is the obligation employers most often miss. Before deploying an AI system that affects employment decisions, you must inform workers' representatives (works council, staff committee, or equivalent body) that the system is in use. Candidates who interact with HireVue must also be informed that an AI system is evaluating them — this is both an Article 26 duty and a transparency obligation that intersects with Article 14's human-oversight requirement.

Practically: update your job advertisement and application confirmation email to state that HireVue is used in the interview process and that a human reviews all recommendations. Document when you notified your works council.

Article 27 FRIA: does it apply?

The Fundamental Rights Impact Assessment under Article 27 is mandatory for certain deployers — primarily public bodies and deployers of creditworthiness or life/health-insurance systems (Annex III points 5(b) and 5(c)). Private employers using HireVue for recruitment are not automatically required to complete a FRIA. However, if you are a public-sector employer or a body exercising public authority, Article 27 applies and you must complete the assessment before deployment.

Private employers with a meaningful GDPR Data Protection Impact Assessment (DPIA) under GDPR Article 35 are in a good position: Article 27(4) explicitly allows the FRIA to build on an existing DPIA, which avoids duplicating work.

The Bias-Testing Obligation: Articles 10 and 15

Article 10 governs data and data governance for high-risk systems. It requires that training, validation, and test datasets be appropriate for the intended purpose, free from errors, and representative of the population the system will encounter. For an employment-AI provider like HireVue, this means demographic representation in training data and documented bias testing across protected characteristics.

As a deployer, you do not control HireVue's training data — but you can and should ask HireVue to provide:

  • A fairness report showing selection rates across gender, age group, and ethnic origin in validation datasets.
  • Documentation of what bias testing was conducted pre-deployment and at what intervals post-deployment.
  • The adverse impact ratios for any job families or assessment types you plan to use.

Article 15 (accuracy, robustness, and cybersecurity) reinforces this. The system must perform consistently and resist foreseeable misuse. Monitoring output data across your own hiring cohorts is both good practice and increasingly expected by data-protection regulators — the GDPR Article 22 right not to be subject to solely automated decisions of legal or similarly significant effect is directly engaged when candidates are screened by AI.

Label that last obligation clearly: GDPR Article 22 (not the AI Act) gives candidates a right to request human review of any solely automated decision that significantly affects them. Your HireVue deployment process must accommodate that right.

The Compliance Deadline

Under the Digital Omnibus — the Commission proposal of 19 November 2025, with political agreement between Parliament and Council reached 7 May 2026 — the application of obligations for stand-alone high-risk AI systems under Annex III has been deferred. The date is now 2 December 2027, not 2 August 2026. (That earlier date covered general application including limited-risk transparency under Article 50; the Annex III high-risk regime specifically has moved.)

The Art 5 prohibition on emotion recognition in employment is already in force as of 2 February 2025. Do not treat December 2027 as a grace period for the affect-recognition question.

Eighteen months is enough time to get compliant if you start now. It is not enough time if you wait until mid-2027 to begin the technical documentation and oversight-structure work.

GDPR Intersections

HireVue processes personal data — video recordings, voice data, competency scores, and often information that touches protected characteristics. Several GDPR obligations stack on top of the AI Act duties:

  • Special-category data (GDPR Article 9): Video interview data may reveal health status, ethnic origin, or disability. Processing special-category data requires an explicit legal basis — typically explicit consent or a necessity ground under Article 9(2)(b) for employment law compliance.
  • Automated decisions (GDPR Article 22): If HireVue's output constitutes a solely automated decision with significant effect on candidates, they have a right to human intervention, an explanation, and the ability to contest the decision. Your process must make this available.
  • Retention: Define and document retention periods for interview recordings and scores. Most employers have no legitimate need to retain rejected candidates' video data beyond the period needed to handle any challenge to the hiring decision.
  • Data subject access (GDPR Articles 13–15): Candidates can request their data. If HireVue generates a score, candidates may be entitled to receive that score and the logic behind it.

Run the AI Act compliance process and the GDPR impact assessment in parallel, not sequentially.

How Confir Helps

Classifying HireVue correctly is the first step — but most employers' challenge is turning that classification into a structured, documentable compliance programme.

Confir's rule-based intake walks you through the Article 6 classification in plain English: you describe what the system does, who uses it, and what decisions it feeds. The deterministic engine maps your answers to the Annex III point and derives your role (deployer, Article 26). It then scopes the exact obligation set — Article 14 human oversight, Article 26 log retention, notification duty, bias-test requests — and flags Article 5(1)(f) if any emotion-recognition features are present.

For companies that need to document deployer compliance, Confir generates the structured assessment across its four areas (AIRC, AITR, AITO, AIGM) and produces a print-ready Datasheet covering the Article 11 / Annex IV content elements relevant to your deployment context. Where Article 27 applies (public-sector deployers), Confir runs the FRIA workflow.

From €600/year, no consultants required.

Frequently Asked Questions

Is HireVue automatically high-risk under the EU AI Act?

Yes, for employers using it for recruitment or candidate evaluation. Annex III, point 4(a) of Regulation (EU) 2024/1689 covers AI systems used to screen, evaluate, or rank candidates in hiring processes. HireVue's core assessment functionality falls within that scope. The classification is determined by the use, not by the tool's name — but an AI-scored video interview is an archetypal Annex III, point 4(a) system. The Article 6(3) exemption is not available for a system that profiles natural persons or influences hiring outcomes.

What are the penalties for non-compliance?

Non-compliance with the high-risk obligations — including failing to ensure human oversight (Article 14), failing to notify workers' representatives (Article 26), or failing to use the system within its intended purpose — is subject to fines up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher, under Article 99(4). Any use of prohibited emotion/affect recognition in the employment context (Article 5(1)(f)) sits in the top tier: up to €35,000,000 or 7% under Article 99(3). For SMEs and start-ups, Article 99(6) caps fines at the lower of the percentage or the fixed sum — a meaningful protection, but not an exemption.

Is emotion recognition by HireVue prohibited?

Yes, in the employment context. Article 5(1)(f) prohibits AI systems that infer the emotions or affective states of natural persons in the workplace. This has been in force since 2 February 2025. HireVue discontinued its facial-expression analysis feature in 2021, but deployers must confirm in writing with HireVue that no emotion or affect inference is active in their current deployment. If vocal-tone scoring or any other affect-inference feature is enabled, it must be switched off or the tool replaced.

What must an employer do before using HireVue in the EU?

Before going live, an employer (deployer under Article 26) must: verify HireVue holds or is pursuing conformity under Article 43 and is registered under Article 49; review HireVue's instructions for use and confirm the deployment is within the intended purpose; establish human review of every recommendation before any hiring decision is communicated; inform workers' representatives that the system will be used; update candidate-facing communications to disclose AI assessment; and define a log-retention process for at least six months. Public-sector employers must also complete the Article 27 Fundamental Rights Impact Assessment.

When does the high-risk compliance deadline apply?

The deadline for stand-alone high-risk AI systems under Annex III is 2 December 2027, under the Digital Omnibus agreed in May 2026 (deferred from the original 2 August 2026 date). This covers the full Article 9–15, 26, and 43 obligation set. The Article 5(1)(f) prohibition on emotion recognition is already in force and does not benefit from any deferral. Article 50 limited-risk transparency obligations apply from 2 August 2026.

How does GDPR Article 22 interact with HireVue?

GDPR Article 22 gives candidates the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. An AI-scored interview that determines whether a candidate advances or is rejected is a decision with significant employment effect. Employers must ensure a human meaningfully reviews AI recommendations before those decisions are finalised, and must inform candidates of their right to request human intervention and to contest the outcome. This is a GDPR obligation that sits alongside — not inside — the EU AI Act.

Does HireVue trigger a Fundamental Rights Impact Assessment?

For private-sector employers, no — the FRIA under Article 27 is mandatory for public bodies and deployers of creditworthiness or life/health-insurance systems (Annex III points 5(b) and 5(c)), not for private employers using recruitment AI. Public-sector employers or bodies exercising public authority that deploy HireVue do owe a FRIA before deployment. Article 27(4) allows the assessment to build on an existing GDPR Data Protection Impact Assessment, which reduces the additional documentation burden.

Related guides

Manage your EU AI Act compliance in one place

Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.

Start free trial →

Related guides

Guide

AI Bill of Materials (AI-BOM): What It Is and How It Supports EU AI Act Compliance

AI-BOM is an emerging practice, not a statutory term. Structures base models, datasets and GPAI dependencies to feed Article 11 / Annex IV docs.

Template

AI Inventory Template: Field-by-Field Guide for EU AI Act Compliance

EU AI Act AI inventory template — every field explained: role, risk tier, Annex III category, GPAI dependency, and key dates. Deadline 2 Dec 2027.

Complete Guide

AI System Inventory for EU AI Act Compliance: The Complete Register Guide

Build an EU AI Act-compliant AI inventory: discover shadow AI, classify each system under Article 6, and prepare for Art 49 registration by 2 Dec 2027.