Employer Update: AI in Workforce Practices – Navigating the EU AI Act

Introduction

The EU AI Act (in force since 1 August 2024) takes a risk-based approach to regulating Artificial Intelligence (“AI”) systems. With AI increasingly used in recruitment, performance management, and workforce decision-making, employers should be aware of their obligations under the Act and related Irish employment and data protection law.

Risk Categories Under the AI Act

The AI Act classifies AI systems into four risk categories:

1. Unacceptable Risk (prohibited): Includes AI that infers emotions in the workplace (unless for medical/safety reasons) and biometric categorisation/social scoring systems.
2. High Risk: Systems which can have a significant harm on the health, safety and fundamental rights of people and under the AI Act such systems must have mandatory risk mitigating functions. High risk AI systems include those which impact access to employment opportunities, recruitment, and performance evaluation at work.
3. Limited Risk: Systems which are intended to perform a repetitive procedural task and which include general-purpose AI systems.
4. Minimal/No Risk: Systems which are largely unregulated (for example, spam filters).

Key Dates

There is a staggered approach to the implementation of the AI Act in Ireland and the key dates which employers should be aware of are as follows:

• 1 August 2024 : AI Act entered into force
• 2 February 2025: Provisions on prohibited AI and AI literacy came into force
• 2 August 2025: Provisions of the AI Act which relate to penalties and the rules of the general purpose models came into force
• 2 August 2026: The majority of the other provisions will come into force including obligations relating to certain high-risk AI. There is however a draft regulation progressing through the EU institutions known as the Digital Omnibus which will extend this date to 2 December 2027, if passed.

Employer Obligations

Looking at the day to day use of AI in the workplace, many employers are already using AI in recruitment processes.
Employers will likely fall into the deployer category of the roles under the AI Act. The obligations for deployers of high risk AI systems are outlined in detail at Article 26 of the AI Act, at a high level, these obligations include:

• Implementing technical and organisational measures to comply with instructions for use
• Assigning human oversight to competent, trained persons with appropriate authority
• Ensuring input data is relevant and sufficiently representative
• Monitoring the AI system on an ongoing basis
• Retaining automatically generated logs for at least 6 months
• Informing employees if they will be subject to a high-risk AI system
• Conducting data protection impact assessments
• Cooperating with competent authorities

AI Literacy

AI literacy obligations have applied since 2 February 2025 (as set out in Article 4 of the AI Act). Employers must ensure employees can make informed decisions about AI systems in use and understand the context around AI outputs.

Irish Employment Law Considerations

It is important to note that if employers are found to be using discriminatory practices, even unintentionally, in the recruitment process, they can be found guilty of indirect discrimination regardless of the intention of the AI system.

The Employment Equality Acts 1998–2024 prohibit discrimination on nine grounds. AI-driven recruitment bias (e.g. screening out candidates with career gaps) can constitute indirect discrimination. Employers are liable for discriminatory outcomes regardless of intention.
Candidates can complain to the WRC within 6 months and may be awarded compensation of up to €13,000 for recruitment discrimination.

Fair procedures and natural justice under the Unfair Dismissals Acts 1977–2015 require genuine human decision-making. Employers cannot simply defer to AI recommendations when making disciplinary, dismissal, or performance decisions.

Practical Steps for Employers

• Conduct a risk assessment of all AI systems currently in use to determine the applicable risk category and obligations. Repeat on an ongoing basis.
• Carry out a gap analysis to identify areas of non-compliance.
• Consider whether a data protection impact assessment is required, particularly for AI used in HR and recruitment.
• Update or implement AI usage policies and procedures and share these with employees. Organise training on the AI Act for HR teams, those responsible for AI oversight, and employees generally — including training on recognising output bias and discrimination risk.