Executive Summary

In November 2025, the European Commission proposed through the "Digital AI Omnibus" to push the deadline for high-risk AI obligations from August 2, 2026 to December 2, 2027. For an industry pleading the burden of compliance, that was welcome news. But the extension was not confirmed automatically. It needed agreement in the trilogue where the Parliament, the Council, and the Commission meet — and the first round broke down.

Laying out what followed by date looks like this. A provisional deal was reached, but for that deal to take effect it has to clear formal adoption and be published in the Official Journal. Until that process is complete, the original deadline stays alive.

The point worth holding onto is that "extension" and "exemption" are not the same thing. Even if the deadline moves, the obligations are not reduced. And the transparency provision (Article 50) that takes effect on the same August 2 is not part of this deferral. The duty to label AI-generated content still applies on schedule. Two kinds of obligation hang on one date, and only the high-risk one has a deadline in flux.

The EU AI Act classifies AI by level of risk and places the heaviest obligations on the "high-risk" category. Annex III enumerates those high-risk use cases by domain, and employment and labor make up one of them. If the AI your organization uses falls into one of the following, it may be subject to high-risk obligations.

• • Recruitment and candidate selection — including CV-sorting and résumé-screening software.
• • Performance evaluation — systems that score or rank an employee's work performance.
• • Task allocation — algorithms that decide who is assigned which work.
• • Worker monitoring — tools that track and analyze behavior and productivity.
• • Promotion and termination decisions — systems that intervene directly in HR decision-making.

The European Commission describes this category as "AI tools for employment, management of workers, and access to self-employment (e.g., CV-sorting software for recruitment)." The thing to watch is that it does not catch only dedicated products labeled "hiring AI." If the HR management SaaS a company has adopted contains performance-scoring or task-distribution features, those features can fall under the high-risk scope. If you operate it for EU users or workers in the EU, it falls within scope even when your headquarters sit in Korea.

High-risk AI carries several obligations at once — risk management (Article 9), technical documentation (Article 11), transparency (Article 13), and more. On the data side, the most direct requirement is Article 10, data governance. The provision requires that training, validation, and testing data be "relevant, sufficiently representative, and to the best extent possible free of errors and complete." And it explicitly says you must hold the documentation to prove it.

Article 10 calls for documentation across eight items: design choices; data collection and origin; preprocessing; assumptions behind data selection; the availability and suitability of the data; bias examination; bias mitigation; and the gaps and shortcomings that remain. If you outsourced labeling, the qualifications of your annotators and inter-annotator agreement metrics become part of the record too. Saying "we reviewed the data" does not count as evidence. What regulators want to see is a traceable trail running from source records through preprocessing steps, quality checks, bias analysis, and remediation history.

3.1Five Pieces of Evidence in Practice

Translating the legal text into the working language of an organization that runs hiring AI, the evidence to prepare boils down to these five.

• • A data-source statement — where the training data came from. Generated internally, purchased externally, or collected from the web.
• • A data-quality record — which filtering criteria you applied and what you excluded.
• • A bias-analysis report — for hiring AI especially, analysis broken down by protected attributes such as gender, age, and nationality.
• • Labeling-methodology documentation — who labeled the data, by what criteria, and how consistently.
• • An update history — a record refreshed every time you retrain. Not a document you write once and put away.

There is a common misconception around bias analysis: that touching sensitive information like gender or race trips privacy regulation, so it is safer not to touch it at all. The provisional deal made the opposite clear. For the purpose of detecting and reducing bias, you may process special-category data such as race, health, and sexual orientation. In hiring AI, bias analysis is less a risk to avoid than an obligation the regulation has actually opened the door to.

The cost of non-compliance is not small either. A breach of high-risk obligations draws a fine of up to €35 million or 6% of global turnover, whichever is higher, and it reaches non-EU companies when their AI is used in the EU market. The more an area — like hiring and HR — shapes people's opportunities, the more deeply the regulator's gaze turns toward the data.

Asking about data provenance first is not the EU's approach alone. In the United States, Colorado's SB 26-189 (ADMT) requires impact assessments and algorithmic audits for automated decision-making technology. The Office of the Privacy Commissioner of Canada's PIPEDA Findings #2026-002 held that retroactive consent for training data is impossible — the principle being that if you cannot obtain consent for the data, you cannot train on it.

The wording and the jurisdiction differ, but the question all three regulations open with is the same: "What data was this AI system trained on?" Add the EU's Article 50 labeling obligation, which takes effect on the same day, and it becomes clear that the center of gravity in AI regulation is shifting from a model's performance to the source and record of its data. That is why getting your data governance in order for one regulation resolves much of the response to the others.

So even if the high-risk AI deadline slides 16 months, the direction in which to spend that time is settled. Better to use it building the records that prove what data your AI in operation was trained on and how you validated it, than chasing a better model. After August 2, when someone asks "where did the data this hiring AI learned from come from," the distance between an organization ready to answer and one that is not will be decided not by the model, but by data governance.

Official Documents

• 1.European Commission. "Regulatory Framework for AI." Shaping Europe's Digital Future.
• 2.EU AI Act. "Article 10: Data and Data Governance."
• 3.EU AI Act. "Annex III: High-Risk AI Systems."

Legal & Industry Analysis

• 4.DLA Piper. (2026). "The Digital AI Omnibus: Proposed Deferral of High-Risk AI Obligations under the AI Act."
• 5.Gibson Dunn. (2026). "EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes."
• 6.Covington (Global Policy Watch). (2026). "EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions."
• 7.AI Governance Desk. (2026). "Article 10 Decoded: EU AI Act Data Governance Rules for High-Risk AI."