TL;DR

  • The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in phases. The prohibitions in Article 5 have been in force since 2 February 2025. The main high-risk obligations, including those most relevant to employee-monitoring software, apply from 2 August 2026.
  • AI systems used for recruitment, task allocation, performance monitoring, behaviour evaluation, or termination decisions are listed in Annex III, point 4, as high-risk. Most modern remote-work productivity-monitoring tools fall inside that scope.
  • Employers using these systems are “deployers” under the Act. Article 26 imposes specific duties on you, separate from the duties on the provider of the software.
  • Article 5 already prohibits AI systems that infer emotions in the workplace, with narrow medical and safety exceptions.
  • The AI Act sits on top of GDPR and on top of national labour law. Works-council and union-consultation regimes in Germany, Italy, Spain, France, Belgium, the Netherlands, and Austria do not go away. If you have a Betriebsrat, they still get a vote.

The actual AI Act timeline

A specific bit of misinformation has been circulating in HR media and inside generative AI summaries: that there is a “June 2026 enforcement deadline for Articles 5 and 10” of the EU AI Act. There is not. It is worth being precise about the real dates, because compliance plans built on the wrong calendar tend to land in the wrong place.

The Regulation was adopted on 13 June 2024, published in the Official Journal of the European Union on 12 July 2024, and entered into force on 1 August 2024. Application is staggered:

  • 2 February 2025. The prohibitions in Article 5, and the general AI literacy obligation in Article 4, apply. From this date it is already unlawful to deploy the prohibited practices in the EU. That includes AI systems that infer emotions in the workplace, except for medical or safety purposes.
  • 2 August 2025. Governance rules, penalties framework, and obligations on providers of general-purpose AI models apply.
  • 2 August 2026. The bulk of the Regulation applies, including the substantive obligations on high-risk AI systems under Article 6 and Annex III. This is the date that matters most for employee-monitoring tools.
  • 2 August 2030. Providers and deployers of high-risk AI systems intended to be used by public authorities (and already placed on the market or put into service before 2 August 2026) must take the necessary steps to comply by this date. Other legacy high-risk systems fall within the Regulation only if subject to significant changes in their designs from 2 August 2026 onwards (Article 111(2)).

If you have heard a different deadline from a vendor, a webinar, or an LLM, check it against the EUR-Lex consolidated text before you build a compliance roadmap on it.

Why monitoring tools are likely classified high-risk

Annex III of the Regulation lists the use cases that make an AI system high-risk. Point 4 of that Annex covers employment, workers management, and access to self-employment. Within that point, the categories include AI systems intended to be used for:

  • recruitment or selection of natural persons, including placing targeted job advertisements and analysing or filtering applications
  • making decisions affecting terms of work-related relationships, the promotion or termination of contractual work-related relationships
  • allocating tasks based on individual behaviour or personal traits or characteristics
  • monitoring and evaluating the performance and behaviour of persons in work-related relationships

That last category is broad. It is broad on purpose. Most productivity-monitoring tools deployed for remote and hybrid teams sit squarely inside it. Keystroke analytics, application-usage scoring, screenshot-based attention scoring, video presence detection, AI-generated performance summaries, automated nudges based on activity patterns: all of these are credibly within scope.

A tool does not need to make a final, automated decision to be in scope. The Act covers AI systems used for monitoring and evaluating, not only those used for deciding. If your software produces a behavioural score, a productivity index, or any other AI-derived signal that managers use when forming a view of an employee, you should assume it is in scope and work backwards from there with a specialist.

What the obligations actually require of deployers

The Regulation distinguishes between providers (the entity that develops the AI system and puts it on the market, often the software vendor) and deployers (the entity that uses the system under its own authority, which for monitoring tools is the employer). Both have obligations. The provider’s obligations run through Articles 9 to 15. These cover risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity. Those duties do not flow directly to you as an employer, but the deliverables they generate (instructions for use, transparency information, logging capability) are inputs to your own compliance.

The duties that fall on you, as deployer, sit primarily in Article 26. In summary, an employer using a high-risk AI monitoring system must:

  • use the system in accordance with the instructions for use provided by the supplier
  • assign human oversight to natural persons with the necessary competence, training, authority, and support
  • ensure that the input data is relevant and sufficiently representative for the intended purpose, to the extent it has control over input data
  • monitor the operation of the system and inform the provider of serious incidents and risks
  • keep the logs the system automatically generates, for the period required
  • before putting the system into service in the workplace, inform workers’ representatives and the affected workers that they will be subject to the use of a high-risk AI system, in accordance with national and Union rules and practice on information of workers
  • comply with the applicable registration obligation, where relevant

Two of those are easy to underestimate. Human oversight is not a tick-box. It requires a real person with real authority to override the system, and the time and training to do so. And the duty to inform workers’ representatives is not a courtesy notification. In many member states it triggers a formal consultation process before deployment.

The Article 5 prohibitions, including the workplace emotion-inference ban

Article 5 of the Regulation lists outright prohibitions. These apply already, since 2 February 2025. Two of them are directly relevant to remote-work monitoring.

The first is the prohibition on AI systems that infer emotions of a natural person in the area of workplace or education, except where the use of the AI system is intended for medical or safety reasons. Webcam-based sentiment scoring, voice-stress analysis used to score sales calls, attention or engagement scoring based on facial analysis: if a tool of this kind is being used to draw inferences about your employees’ emotional state, it is on the wrong side of Article 5 unless it falls within the medical or safety carve-out. The carve-out is narrow.

The second is the prohibition on biometric categorisation systems that classify individuals based on biometric data to deduce certain protected attributes. This is less likely to be embedded in standard monitoring tools, but is worth a careful look at any system that analyses video or audio of employees.

Article 5 does not have a high-risk grace period. If your current stack includes a feature in this territory, it should already be off, or scoped to the medical or safety exception, with documentation.

The national-law layer that does not go away

The AI Act is a horizontal Regulation. It sets a floor across the Union. National labour law sits on top of it, sometimes well above it. Employers running monitoring tools across multiple member states need to take the national layer seriously, especially in countries with codified co-determination regimes.

Germany. The Betriebsverfassungsgesetz (BetrVG), section 87(1) no. 6, gives the works council (Betriebsrat) a co-determination right over the introduction and use of technical devices designed to monitor the behaviour or performance of employees. This is a hard right, not a consultation right. Without a works agreement (Betriebsvereinbarung), you cannot lawfully roll the tool out, regardless of how the AI Act classifies it. Where a Betriebsrat does not exist, the duty still exists in substance through general data-protection and proportionality requirements.

Italy. Article 4 of the Statuto dei Lavoratori (Law 300/1970, as amended) requires that monitoring devices capable of monitoring workers’ activity be authorised either by collective agreement with the trade unions, or by the labour inspectorate (Ispettorato del Lavoro). The 2015 Jobs Act reform brought tools used for work and for recording access into scope under specific conditions, but the consultation route remains the operating norm.

Spain. Article 20.3 of the Estatuto de los Trabajadores allows the employer to take measures it deems most appropriate to verify compliance with work obligations, with due regard for human dignity. Article 64 sets out the rights of the works council to be informed and consulted on the implementation of work-organisation and control systems. Spanish data-protection law (LOPDGDD) and AEPD guidance impose specific notification and proportionality requirements for workplace monitoring. The Constitutional Court’s case law on dignity and privacy at work is binding here, and is stricter than the EU floor.

France, Belgium, the Netherlands, Austria. Each of these has its own works-council or staff-representation regime with information and consultation rights triggered by the introduction of monitoring technology. In France, the comité social et économique (CSE) must be informed and consulted before any device or technique allowing employee activity to be monitored is deployed (Code du travail, L2312-38). In Belgium, Collective Labour Agreement no. 81 governs the monitoring of electronic online communication data. In the Netherlands, the works council (ondernemingsraad) has a consent right over monitoring arrangements under the Wet op de ondernemingsraden, article 27. In Austria, the Arbeitsverfassungsgesetz requires a works-agreement for monitoring measures that affect human dignity.

The European Court of Human Rights’s Grand Chamber judgment in Bărbulescu v Romania (2017) sets the proportionality benchmark across the Council of Europe. The European Data Protection Board’s guidance on workplace monitoring sits alongside, on the data-protection side. Both predate the AI Act and continue to apply.

What this means for a multinational employer rolling out a single monitoring tool

If you run a remote team across more than one EU member state and you want to deploy a single AI-enabled monitoring tool, the practical reality is this: the AI Act gives you a common floor, and national labour law gives you a country-specific ceiling. A configuration that is compliant under the Regulation can still be unlawful in Germany if you have not negotiated a Betriebsvereinbarung, or in Italy if you have not been to the union or the labour inspectorate, or in Spain if you have not consulted the works council and documented proportionality.

A single roll-out plan does not work. What works is a base specification that satisfies the AI Act’s deployer obligations under Article 26, plus a per-country annex that maps the local consultation, information, and authorisation steps. Build the timeline backwards from the slowest of those processes, not from the fastest.

GDPR sits underneath all of it. Personal-data processing through an AI monitoring tool still needs an Article 6 legal basis, a documented Article 35 data protection impact assessment in most cases, transparency under Articles 13 and 14, and respect for the Article 88 carve-out for employment context. The AI Act adds to the GDPR layer. It does not replace it.

Practical first steps

For employers approaching the 2 August 2026 application date for the high-risk obligations, a sensible sequence looks like this:

  1. Audit existing tools against Annex III. Inventory every AI-enabled component in your remote-work stack. For each, ask whether it is used to recruit, allocate tasks, monitor or evaluate performance and behaviour, or feed into termination decisions. If yes, treat it as high-risk for planning purposes.
  2. Check the Article 5 perimeter. If any tool infers emotional state or applies biometric categorisation in the workplace, scope it for removal or for the narrow medical or safety carve-out, with documentation. This is already required, not a 2026 issue.
  3. Document a risk assessment for each in-scope tool. This becomes the spine of your Article 26 compliance file and the input to the Article 35 GDPR DPIA.
  4. Request provider documentation. Vendors of high-risk AI systems will be obliged to supply instructions for use, technical documentation, and information about training data and limitations. Ask for these now. Maturity varies widely across the vendor landscape.
  5. Trigger national consultation processes early. Works-council consultation in Germany, union or labour-inspectorate authorisation in Italy, works-council consultation in Spain, France, Belgium, the Netherlands, and Austria, are time-consuming on a good day. Start before you sign the contract, not after.
  6. Map the human-oversight role to a real person. Not a job title, a person, with documented training and the authority to override or pause the system. Article 26 expects this to be operational, not on paper.
  7. Review your GDPR basis and transparency. Refresh the Article 35 DPIA, the privacy notice to employees, and the records of processing. The Article 88 employment-context provisions vary by member state and matter here.

For any specific deployment decision, take qualified legal advice in each relevant jurisdiction. This briefing is a structural map, not a substitute for advice from a counsel who knows your stack and your headcount distribution.

Looking ahead

The 2 August 2026 application date is real and approaching. Provider documentation will mature unevenly across the next twelve months. Enforcement by national competent authorities will ramp gradually as those authorities resource up under Article 70 of the Regulation. Co-ordination with national data-protection authorities and labour inspectorates will take time to settle.

For employers, the durable lesson is that workplace monitoring under European law has always been a layered question, and the AI Act adds a new layer rather than collapsing the old ones. The grown-up posture is to treat the Regulation as the new floor, treat national labour law as the variable ceiling, and treat GDPR as the constant. Build the compliance file once, then maintain it.