Compliance Published May 5, 2026 11 min read

EU AI Act & Employee Time Tracking: Compliance Checklist for August 2026 Enforcement

The EU AI Act’s high-risk-system obligations for workplace AI begin to apply on August 2, 2026. Time tracking, productivity scoring, idle classification, and shift-allocation AI are squarely in scope. Here is the prohibited-vs-high-risk distinction, the 14-point compliance checklist, and which legacy tools flip from quietly compliant to high-risk overnight.

By gStride Editorial Team · Reviewed May 5, 2026

The short answer — what the AI Act covers in time tracking

The EU AI Act covers any AI system that makes or materially informs employment decisions about people working in the EU — and that includes a large slice of modern time tracking. The law splits AI into four risk tiers: prohibited (Article 5), high-risk (Article 6 + Annex III), limited-risk transparency obligations, and minimal-risk. Workplace AI for recruitment, evaluation, promotion, termination, task allocation, and behavior monitoring sits in the high-risk tier. Productivity scoring, performance ranking, AI-classified idle time used in HR review, and AI-driven shift allocation all fall in scope. A plain timer with a manual timesheet does not.

The August 2, 2026 date matters because it is when the high-risk obligations begin to apply for workplace AI systems already on the market. By that date, providers and deployers must have transparency notices, human oversight design, technical documentation, logging, post-market monitoring, and (for providers) registration in the EU database. Vendors who marketed AI features under a “just analytics” framing now have to pick: either prove the AI does not make or materially inform employment decisions, or accept the high-risk obligations. Most cannot prove the first.

Article 5 (prohibited) vs Article 6 (high-risk) for workplace AI

Most AI used in workforce platforms lands in the high-risk tier (Article 6 + Annex III). A narrower band — emotion recognition in employment and certain manipulative or social-scoring use cases — is outright prohibited under Article 5. The split matters because the legal exposure is different in kind, not degree.

TierWhat it covers in workforce AIWhat you must do
Prohibited (Art. 5)Emotion recognition in employment (mood/stress/engagement from keystrokes, webcam, microphone, mouse jitter); social-scoring of employees; subliminal or manipulative AIDo not deploy. Remove from product. The reframing as “wellbeing” does not move it out of scope.
High-risk (Art. 6 + Annex III)AI used for recruitment, evaluation, promotion, termination, task allocation, performance/behavior monitoring — productivity scoring, AI idle classification, AI shift allocation, AI rankingRisk-management system, technical documentation, logging, transparency notice to employees, human oversight, conformity assessment, EU database registration (providers), post-market monitoring
Limited-risk transparencyChatbots, deepfakes — narrow workplace overlap (e.g., AI assistant chat in a workforce tool)Tell users they are interacting with AI. Document it.
Minimal-riskPlain timer + manual timesheet, simple productivity dashboards without inference, basic reportingNo specific obligations beyond GDPR baseline

The most expensive vendor mistake of 2026 is going to be products that bolted “AI insights” onto a screenshot tool, then discovering that the inference layer (productivity score, ranking, idle classification used by HR) drags the entire product into Annex III. The marketing copy that sold the AI feature is now the evidence the regulator reads.

What “high-risk” employment AI obligations actually are

The Article 6 obligations are not abstract. They translate into engineering, documentation, and process work that must be in place by the enforcement date. The four categories that hit time tracking and productivity tools hardest:

Transparency to affected employees

Employees must be informed when high-risk AI is being used to evaluate, score, or make decisions about them. Generic privacy-policy language does not satisfy this — the notice must be specific, accessible, and given before the AI is used on them. Vendors need to ship deployer-ready notice templates; deployers (the employer) are responsible for delivering them. See GDPR-compliant employee monitoring for the data-protection layer that sits underneath.

Human oversight

The AI cannot be the final decision-maker on employment outcomes. A human must be able to review, override, or refuse to act on the AI’s output, and the system must be designed so that human review is meaningful (not a rubber stamp). Productivity scoring that auto-feeds into a performance-improvement plan with no human review step in the middle is non-compliant by design.

Conformity assessment & technical documentation

Providers of high-risk AI must run a conformity assessment before placing the system on the EU market and maintain detailed technical documentation: training data sources, design choices, performance metrics, foreseeable misuse, mitigation measures, and post-market monitoring plan. For most workplace AI this is internal self-assessment, but the documentation burden is real.

Logging, post-market monitoring, EU database registration

High-risk systems must keep activity logs sufficient to investigate incidents and detect drift. Providers must register the system in the EU database (a public-facing registry). Post-market monitoring means you have to detect, log, and report serious incidents and significant performance drift. This is the obligation most legacy time-tracker vendors are least prepared for, because they have no concept of “model drift” in their roadmap.

Tools that flip from compliant to high-risk in August 2026

The category most affected is the “classic time tracker with bolted-on AI features” cohort. These tools were sold as productivity boosters and operated quietly under GDPR for years. The AI Act’s high-risk classification turns the AI features that used to be selling points into compliance load:

  • Hubstaff, Time Doctor, Insightful, ActivTrak — to the extent each ships AI-driven productivity scoring, AI activity classification used in HR review, or AI-based ranking, those features are likely Annex III. The plain timer is fine; the score that sits next to it is the issue. EU customers should ask each vendor for a written AI Act readiness statement and an Annex III scope letter before August 2026. See our gStride vs Hubstaff and gStride vs Time Doctor comparisons for the feature-by-feature read.
  • Keystroke and mouse-jitter “engagement” tools — any vendor inferring mood, stress, or engagement from input cadence in an employment context is in Article 5 territory, not Article 6. The wellbeing reframing does not change the legal classification. Switching to a non-inferring alternative is the only safe path; see the alternative to keystroke tracking.
  • Webcam emotion / video sentiment vendors — same as above. Article 5 prohibition. Several vendors quietly removed these features in 2025; some still ship them.
  • AI shift allocation and AI ranking platforms — high-risk Annex III. Allocation that materially affects compensation or workload (and ranking used for promotion or termination) requires the full obligation set.
  • BPO “agent productivity” AI — AI scoring of contact-centre agents on speech/keystroke/screen-share patterns is high-risk where it informs employment decisions. India-based BPOs serving EU clients fall under the AI Act when EU employees are scored or when decisions about EU employees are taken. See BPO workforce management software for India for the cross-border angle.
Hubstaff alternative for AI Act compliance: if your team is in the EU and you depend on AI-driven productivity classification, the cleanest path is a platform that already separates capture from inference, treats inference as a recommendation to a human (not a decision), and ships AI Act deployer-side documentation (notices, oversight workflow, logs). gStride is built around exactly that separation; see the security & compliance posture.

14-point AI Act compliance checklist for time tracking deployments

For an employer (deployer) preparing a time tracking and productivity AI rollout in the EU under the AI Act, these are the 14 questions that have to land before August 2, 2026. Treat each as pass/fail.

  1. Inventory the AI. List every AI inference your time tracking tool produces — scoring, classification, ranking, idle inference, allocation, anomaly detection. Do not let “just an algorithm” off the hook.
  2. Classify each AI feature. Map every inference to a tier: prohibited, high-risk, limited-risk transparency, or minimal. Keep the mapping in writing.
  3. Confirm the Annex III scope. For each high-risk inference, name the specific Annex III category (recruitment, evaluation, performance monitoring, task allocation). Vague is non-compliant.
  4. Get a vendor AI Act readiness statement. Written. Dated. Names the conformity-assessment route. Names the technical documentation. Names the EU database registration entry (or planned date).
  5. Verify no Article 5 features are active. Switch off emotion/sentiment/engagement-from-keystroke inferences. Confirm in writing.
  6. Deliver employee-facing transparency notices. Specific, accessible, before the AI is applied. Generic privacy-policy text does not satisfy this.
  7. Design human oversight. Who reviews AI outputs that feed into employment decisions, with what authority to override, on what cadence, with what training. Document it.
  8. Run a DPIA + AI Act risk assessment together. The AI Act risk-management system is broader than a DPIA; do not assume your existing DPIA covers the AI obligations. Reference: GDPR checklist.
  9. Set a logging policy. What activity is logged, how long it is retained, who has access, how the logs are used to detect incidents and drift.
  10. Define post-market monitoring. How you and the vendor will detect serious incidents and significant model drift, and the reporting path.
  11. Train managers and HR. Anyone using AI outputs in evaluation, ranking, or termination decisions needs documented training on the limits of the AI and the duty to apply human judgment.
  12. Update employment contracts and works-council notice. In jurisdictions with works councils, AI-based monitoring is consultation-required; do not skip.
  13. Map cross-border data flows. If the AI processes data outside the EU/EEA, confirm the transfer mechanism and that the AI Act obligations follow the data.
  14. Set a re-review cadence. Annual at minimum; sooner if the vendor adds new AI features or changes inference behaviour. The AI Act treats material changes as triggering reassessment.
  15. Keep an audit trail. Each step above with a date, an owner, and a document. The first sign of regulator-readiness is “we can show our work in 30 minutes.”

The checklist looks long because the AI Act is genuinely a new regulatory layer on top of GDPR. But for most mid-market deployers the work is concentrated: inventory, classification, vendor statement, transparency, oversight, and audit trail. Get those six anchored and the rest snaps into place.

gStride’s AI Act readiness statement

gStride is built as a productivity intelligence platform with the AI Act categories in mind from the architecture up — not retrofitted. The short statement of how we sit relative to the obligations:

  • No Article 5 features. No emotion, mood, stress, or engagement inference from keystrokes, mouse, webcam, or microphone. The category is excluded by design, not by toggle.
  • Inference is recommendation, not decision. Where gStride uses AI (idle classification, focus signal, meeting-overhead patterns, burnout-risk indicators), the output is presented as a recommendation to a human reviewer with full override and the option to dismiss without consequence. See how gStride AI assistance works.
  • Surveillance components are configurable. Screenshots, keystroke logging, and similar capture are off by default and configurable per role/team/per feature. The platform can run productivity intelligence without surveillance entirely; see productivity monitoring without surveillance.
  • Transparency notices ship with the deployer kit. Customers get template notices, oversight-workflow defaults, and the logging policy as part of onboarding, sized for AI Act employee transparency. Companion: is employee monitoring legal in 2026 for the jurisdictional baseline and the AI time tracking buyer’s guide for the category context.
  • AI Act readiness work is in progress. Risk-management documentation, technical documentation of inferences, post-market monitoring plan, and EU database registration where applicable are tracked against the August 2026 enforcement date. The customer-facing readiness page is being kept current.

The honest framing: AI Act compliance is not a feature you ship. It is an architecture decision plus an operating discipline. Vendors who built around the assumption that the AI is a helper to a human reviewer have less to retrofit than vendors who built around the assumption that the AI replaces the human. gStride is in the first group.

Frequently asked questions

Does the EU AI Act apply to time tracking software?

Yes, when the time tracking software uses AI to make or materially inform employment decisions — productivity scoring, performance ranking, automated idle classification used in HR review, or task allocation. Plain timer + manual timesheet without AI inference is not in scope. The trigger is the AI inference layer, not the timesheet itself.

What is the August 2026 deadline?

The AI Act became law in 2024 and is being phased in. The high-risk-system obligations relevant to workplace AI begin to apply from August 2, 2026 (24 months after entry into force). This is the date by which providers and deployers of high-risk employment AI must have transparency, human oversight, conformity assessment, registration, and risk management in place. Verify the exact dates and the staged enforcement timeline with legal counsel for your jurisdiction.

Is productivity scoring AI considered high-risk?

Yes. Annex III of the AI Act lists AI used for recruitment, evaluation, promotion, termination, task allocation, and monitoring/evaluation of performance and behavior in employment as high-risk. Productivity scoring and performance ranking AI used by managers for evaluation decisions falls inside that scope. Tools that surface raw activity to a manager who decides on their own may sit lower on the risk spectrum, but most platforms producing scores cross the line.

What about emotion or stress inference from keystrokes?

Emotion-recognition AI in the workplace is restricted under Article 5 of the AI Act outside of narrow safety/medical exceptions. Vendors that infer mood, stress, or engagement from keystroke cadence, mouse jitter, webcam, or microphone in an employment context are now in the prohibited category, not just high-risk. The fact that the inference is presented as “wellbeing” or “burnout” does not change the prohibition. See the alternative to keystroke tracking for non-inferring signals that work.

What changes for tools that already comply with GDPR?

GDPR compliance is necessary but not sufficient. The AI Act adds AI-specific obligations on top of GDPR: a documented risk-management system, technical documentation of training data and model behavior, logging, transparency notices to affected employees, human oversight design, post-market monitoring, and EU database registration for high-risk systems. A tool with a clean DPIA still has work to do on the AI Act side. See GDPR-compliant employee monitoring for the GDPR baseline.

What is a Hubstaff alternative that is EU AI Act compliant?

The compliant path is a platform that separates capture from inference, treats AI output as a recommendation to a human (not a decision), avoids Article 5 features (no emotion or stress inference), and ships deployer-side transparency notices and oversight workflow defaults. gStride is built around that separation; the comparison vs Hubstaff specifically is in gStride vs Hubstaff. The fastest validation question for any vendor: ask for a written AI Act readiness statement that names Annex III scope and registration status.

How does gStride handle EU AI Act compliance?

gStride is built as a productivity intelligence platform with the AI Act categories in mind. Surveillance components (screenshots, keystrokes) are configurable or off by default. AI inferences are framed as recommendations to humans, not autonomous decisions. We avoid emotion inference entirely. Our AI Act readiness work — risk-management documentation, transparency notices, human oversight design, and customer-facing deployer guidance — is in progress ahead of August 2026 enforcement; the public statement page is being kept current. See gStride security & compliance posture.

What are the penalties under the AI Act?

The AI Act provides for tiered penalties: up to EUR 35 million or 7% of global annual turnover for prohibited-AI violations, up to EUR 15 million or 3% for other significant violations, and up to EUR 7.5 million or 1% for misleading information to authorities. The exact figure depends on the violation tier and the size of the entity. Verify current penalty schedules with counsel — the figures are subject to revision in implementing regulations.

Related reading on gStride

See an AI Act-aware productivity platform

Capture and inference separated. AI as recommendation to a human, not decision. No emotion inference. Transparency and oversight defaults shipped with the platform.

See gStride compliance posture See how gStride AI works

This article describes the EU AI Act as it applies to workplace time tracking and productivity AI as of May 2026, ahead of the August 2, 2026 high-risk-system enforcement date. AI Act implementing regulations and guidance are still being finalised; verify specific obligations, deadlines, conformity assessment routes, registration scope, and penalty schedules with legal counsel for your jurisdiction. The gStride AI Act readiness statement reflects work in progress; ask for the current customer-facing statement before relying on it for procurement decisions.