By eMonitor Editorial Team

EU AI Act and Workplace Monitoring: A 2027 Compliance Guide

The EU AI Act treats AI-based workplace monitoring as a high-risk system under Annex III. High-risk system rules begin biting in August 2026 and intensify through 2027. If your monitoring software uses AI to evaluate performance, behavior, or personal characteristics, you have a compliance project. This guide breaks down what's in scope, what you have to do, and what happens if you don't.

What's In Scope

Annex III of the EU AI Act lists employment-related AI as high-risk. Workplace monitoring activities that fall within scope:

  • AI-based productivity scoring — algorithmic classification of employee output
  • Attrition / flight-risk prediction — AI inferring likelihood of departure
  • Burnout detection — AI inferring well-being state from activity patterns
  • Behavior anomaly detection — UEBA on employee actions
  • Promotion / performance evaluation AI — algorithmic input to advancement decisions
  • Allocation of work tasks — AI assigning workloads

Out of scope (plain monitoring without AI inference): raw activity logs, time tracking, screenshot capture without AI analysis.

Deployer Obligations (Companies Using Workplace AI)

Even if you're not the AI provider, as the deployer you must:

  1. Conduct a Fundamental Rights Impact Assessment (FRIA) — required for high-risk AI use in employment, public services, and law enforcement
  2. Ensure human oversight — meaningful, not rubber-stamp; person in the loop must be able to override
  3. Inform affected employees — clear, plain-language notice that AI is used and what it does
  4. Use systems that have undergone conformity assessment by the provider (CE marking)
  5. Monitor performance and report serious incidents to authorities
  6. Maintain logs — at least 6 months of automated logs for high-risk AI
  7. Cooperate with market surveillance authorities

Provider Obligations (AI Vendors)

Vendors of high-risk workplace AI must:

  • Implement risk management throughout the AI lifecycle
  • Use high-quality datasets minimizing bias
  • Maintain technical documentation
  • Enable transparency to users
  • Undergo conformity assessment + CE marking
  • Register the system in the EU database

Ask your vendor for their conformity assessment documentation and CE marking before deploying AI features in 2027.

Penalties for Non-Compliance

The EU AI Act has GDPR-level enforcement teeth:

  • Prohibited AI use: up to €35M or 7% of global annual turnover (whichever is higher)
  • High-risk AI non-compliance: up to €15M or 3% of global turnover
  • Incorrect / misleading information to authorities: up to €7.5M or 1.5% of global turnover

For multinationals with €1B+ turnover, the percentage-based ceiling typically dominates.

Compliance Timeline

  • February 2025: prohibitions and AI literacy obligations effective
  • August 2025: GPAI (General Purpose AI) rules effective
  • August 2026: high-risk system rules start enforcement for new systems
  • 2027 (full year): enforcement intensifies for all high-risk AI in the workplace
  • August 2027: all transitional periods end; full compliance required

2027 Compliance Checklist

  1. Inventory all AI features in your monitoring stack (productivity scoring, attrition prediction, etc.)
  2. Map each AI feature to Annex III categories
  3. Request CE-marking documentation from vendors
  4. Conduct Fundamental Rights Impact Assessment per system
  5. Define human oversight role + escalation path
  6. Update employee privacy notice to disclose AI use
  7. Configure 6+ month log retention
  8. Establish quarterly review cadence with internal audit + DPO

If You're Outside the EU

The AI Act applies extraterritorially. If you have any EU-based employees subject to AI-driven monitoring, the Act applies to those operations. US, UK, Indian, and APAC companies with EU staff are within scope for those staff.

Practical Posture for 2027

Three pragmatic steps that get most companies into compliance without panic:

  1. Pick AI vendors that have already done conformity assessment. Vendors with EU customer bases are likeliest to be ahead.
  2. Default to "human in the loop" for any AI-influenced people decision. Never let AI alone trigger termination, demotion, or denial of promotion.
  3. Be explicit with employees. Plain language: "We use AI to identify productivity patterns and flight-risk indicators. A human always reviews before any decision is taken."

This guide is informational, not legal advice. Consult EU employment counsel before finalizing your AI Act compliance program.

Frequently Asked Questions

Does the EU AI Act apply to monitoring?

Yes, when monitoring uses AI to evaluate performance, behavior, or personal characteristics. Annex III lists employment AI as high-risk. Plain activity logging is out of scope.

What are the key compliance obligations?

Fundamental Rights Impact Assessment, human oversight, accuracy, 6+ month logs, employee notice, and use of conformity-assessed systems only. Penalties run up to EUR 35M or 7% of global turnover.

When does it apply?

Prohibitions from Feb 2025, GPAI rules from Aug 2025, high-risk workplace AI from Aug 2026 onward, with full enforcement through 2027.

Do I need to do anything if I just use vendor AI?

Yes. Deployer obligations are independent of the provider's. Even if the vendor is compliant, you must conduct a FRIA, ensure human oversight, log usage, and inform employees.

What if my company is outside the EU?

The Act applies extraterritorially. Having any EU-based employees subject to AI monitoring brings the Act into scope for those operations.

EU AI Act-Ready Monitoring

eMonitor's AI features include transparency reporting, human-in-the-loop overrides, and audit-grade logs sized for EU AI Act compliance.
