Many Norwegian businesses are already using AI in recruitment. Some know it. Others do it without thinking about it — through LinkedIn Recruiter, automated email replies, or an ATS system that ranks candidates.
That is not a problem in itself. But from August 2026, new legal requirements for AI in recruitment apply — and most Norwegian SMBs are not ready.
What the EU AI Act Actually Requires for AI in Recruitment
The EU AI Act — or the AI Act — entered into force in 2024 and is being phased in gradually. On 2 August 2026, the requirements for what the law defines as high-risk AI become enforceable.
Recruitment is explicitly named. The law lists CV screening and candidate ranking as high-risk use cases — because the decisions directly affect people's access to employment.
That does not mean you cannot use AI in recruitment. It means you must be able to document that you are doing it responsibly.
What Happens on 2 August 2026?
From that date, systems that use AI to sort, rank, or filter job applicants must meet a range of requirements:
- Candidates must be informed that AI is used in the process
- Human oversight of decisions must be in place
- The system must be auditable — meaning selections and rejections must be explainable and traceable
- A Data Protection Impact Assessment (DPIA) must be completed before the system is deployed
Businesses that are not ready risk regulatory scrutiny and sanctions. More importantly: they risk treating applicants in a way that cannot withstand scrutiny.
What Can You Actually Automate — and What Can You Not?
There is a lot of confusion here. Let us clear it up.
Safe to Automate
These tasks are administrative and do not involve evaluating candidates. They can be automated without triggering the high-risk requirements:
- Confirmation emails and status updates to applicants
- Interview invitations based on calendar integration
- Forwarding applications to the right person internally
- Standardised replies to common questions about the role
- Collecting and structuring application documents
This is process automation — not decision support. And this is where most of the time savings actually come from.
Requires Human Control
These tasks can be supported by AI, but not delegated to it:
- Ranking and prioritising candidates
- Assessing whether an applicant is qualified
- Deciding who advances in the process
- Providing feedback with reasons for rejection
AI can flag, suggest, and structure. But a human must make the final decision — and it must be documented that this is the case.
Three Requirements That Always Apply
Regardless of which tools you use, there are three requirements you cannot avoid when AI is involved in recruitment:
1. Transparency
Candidates have the right to know that AI is being used. A small paragraph in a privacy policy is not sufficient. The information must be clear and accessible — ideally directly in the job posting or application form.
2. DPIA
A Data Protection Impact Assessment is not optional when you are processing personal data in a high-risk system. The DPIA requirement in the AI Act mirrors what you already know from GDPR — you map which data is collected, how it is used, and what measures are in place to protect applicants.
Many Norwegian SMBs skip this step. It is a mistake that can come back to bite.
3. Logging and Audit Trail
The system must be able to answer the question: "Why was this candidate rejected?" Not just in theory — but with actual documentation. That means all actions the system performs should be logged in a way that makes them verifiable.
The Responsibility Is Yours — Not the Vendor's
This is a point many underestimate.
If you use an AI tool purchased from a third party — an ATS system, a LinkedIn add-on, a CV screening tool — you are still the legally responsible party as the employer. It is your business using the system in relation to your applicants. The vendor cannot take responsibility on your behalf.
That means you must ask hard questions of your vendor: What does the system actually do? What data does it train on? Can you get an explanation of why a candidate was ranked the way they were?
If the vendor cannot answer that, it is a problem — regardless of what the contract says.
What Governance-Ready Recruitment Looks Like
Checklist: Governance-ready AI recruitment
- Applicants are informed about AI use in the process (in the job posting or application form)
- DPIA has been completed and documented
- All AI suggestions undergo human review before a decision is made
- Logging is enabled — selections and rejections are traceable
- Access control (RBAC) is set up — only the right people see candidate data
- Vendor agreements have been reviewed for liability allocation
- A process for handling subject access requests from candidates is in place
Not all of these are equally straightforward. But they are all achievable — and they are all necessary.
Example: 83% Time Saving — Done Correctly
A Norwegian SMB went from 122 to 23 hours per recruitment after implementing AI support in the process. That is an 83% time saving.
What did they do? They used Recruitment-Roy to automate what is safe to automate: confirmation emails, interview booking, structuring applications, and forwarding them internally in Teams. AI was used to gather and present information — not to rank or reject.
Human review was kept where it belongs. And the entire process was documented with DPIA and an audit trail in place from day one.
This is not a theoretical model. It is what structured implementation looks like in practice — and how it can be done without running a legal risk into 2026.
What Should You Do Now?
The deadline is 2 August 2026. That is four months away.
There is enough time to do this correctly — if you start now. There is not enough time if you wait until July.
A natural next step is to map which AI tools you are already using — and assess them against the requirements. Many businesses discover they have more AI in their recruitment process than they realised.
Are you already using AI in recruitment — or considering it? We offer a free review of where you stand relative to the requirements coming into force in August. Get in touch.