
International Recruiting Compliance Guide 2026

A practical 2026 guide to the data privacy, AI, pay transparency, immigration, and worker-classification rules that govern recruiting across borders.


Written by Yuma Heymans (@yumahey), founder of HeroHunt.ai. He has spent years building AI sourcing that has to operate in dozens of countries at once, which means living inside exactly the data-protection, AI, and employment rules this guide maps.

Sponsoring a new H-1B worker from outside the United States now carries a one-time $100,000 government charge, introduced almost overnight by a September 2025 presidential proclamation - USCIS. On the same calendar, an AI tool that screens or ranks candidates in Europe can expose its user to two separate fine regimes at once: up to EUR 35 million or 7% of global turnover under the EU AI Act, and up to EUR 20 million or 4% under the GDPR - EU AI Act, Article 99. Recruiting across borders in 2026 is no longer a logistics problem. It is a regulatory one.

Here is the uncomfortable core of it: a single job posting, a single automated screen, a single offer letter can be perfectly legal in one country and a finable offence in the next. A pay range you are required to publish in New York is optional in Texas and, from June 2026, mandatory across much of the European Union. A background check that is routine in Ohio is often unlawful in Germany. An AI that sorts resumes is lightly regulated federally in the US, audited by law in New York City, and classed as high-risk in Brussels. The rules do not converge. They multiply.

Most teams discover this the expensive way. They scale international sourcing first and learn the compliance map second, usually when a candidate complaint, a data-subject request, or a tax authority forces the issue. The enforcement backdrop is hardening fast: cumulative GDPR fines reached roughly EUR 6.11 billion by the March 2026 cut-off - CMS GDPR Enforcement Tracker, and employment-sector data fines alone now exceed EUR 360 million - CMS Enforcement Tracker (Employment).

This guide is the map. It explains who is actually liable and where the rules attach, then walks through the five domains that decide whether a cross-border hire is clean or catastrophic: candidate data protection, AI in hiring, pay transparency, immigration and right to work, and the question of how you employ someone abroad at all. It is written for recruiters and talent leaders, not lawyers, and it balances the 2026 changes that just landed with the foundational rules that have quietly governed this work for years and are not going anywhere.

Contents

  1. The 2026 watershed: three regulatory waves at once
  2. Who is actually liable, and where the rules attach
  3. Candidate data protection: GDPR, UK GDPR, and the new divergence
  4. Moving candidate data across borders
  5. AI in hiring under the EU AI Act
  6. AI in hiring in the US: the floor and the patchwork
  7. Pay transparency and equal pay in the ad and the offer
  8. Immigration and right to work in 2026
  9. Background checks and vetting across borders
  10. Hiring without a local entity: classification, EOR, and tax nexus
  11. The rest-of-world snapshot: data laws beyond Europe
  12. A practical compliance playbook for international recruiting

1. The 2026 watershed: three regulatory waves at once

The reason 2026 feels different is that three independent regulatory waves are cresting in the same eighteen months, and all three break directly on the recruiting function. The first is data protection, which has spread from a European concern to a global baseline as India, China, Brazil, and Canada each tighten their own regimes. The second is AI regulation, arriving through the EU AI Act and a thickening patchwork of US state laws that treat resume-screening software as a regulated decision system. The third is labor-market protectionism, visible in the restrictive turn on work visas and the steady expansion of pay-transparency and worker-classification rules. Any one of these would reshape how you hire abroad. Together they redraw the whole field.

What makes this hard is that the three waves do not coordinate. They have different triggers, different enforcers, different penalties, and different definitions of the same word. "Employer" means one thing to a US immigration officer and another to a French labor tribunal. "Pay range" is defined differently in Illinois than in the EU directive. An AI tool can be lawful under US federal guidance, audited under New York City law, and high-risk under the EU AI Act simultaneously, because each regime is asking a different question about the same software. A recruiter operating across five countries is therefore not following one rulebook with local footnotes. They are reconciling five rulebooks that occasionally contradict each other.

To make the stakes concrete, it helps to look at the ceilings. The maximum penalties across the main regimes are not symbolic, and they scale with company size because the headline figures are "the fixed amount or a percentage of global turnover, whichever is higher."

Maximum Fixed Penalty Ceilings by EU Regime

These ceilings reframe the whole conversation. For most recruiting teams, the instinct is to worry about the hiring-specific penalties: the per-violation fines under New York City's AI law, or the per-worker civil penalty for an immigration breach. Those matter, but they are small next to the data-and-AI exposure, where a serious GDPR or AI Act breach is measured in tens of millions or in percentage points of company revenue. The practical implication is that the riskiest thing a recruiter touches is not the visa or the offer letter. It is the candidate's personal data and the algorithm that processes it. That is why this guide spends its first chapters there before moving to pay, immigration, and engagement models.

The exposure is growing, not shrinking, because hiring itself is globalizing fast. In Remote's 2025 survey of HR leaders, 73% expected more than half of their new hires to be based outside their primary country by 2026 - Remote. Deel's 2026 data tells the same story from the platform side, with 82% of hires on its network filling remote roles and cross-border AI-trainer roles growing 283% in a single year - Deel. Every one of those cross-border hires is a new set of obligations attaching in a new place. The regulatory surface area expands with the talent map, which is exactly why a compliance approach that worked when hiring was domestic quietly breaks once a team spans three or more countries.

The same is true of the tooling. AI has moved from novelty to default in hiring: SHRM found 43% of organizations now use AI for HR tasks, up from 26% a year earlier, and a majority use it specifically in recruiting - SHRM. That matters for this guide because almost every regulator now treats resume-screening and candidate-ranking software as a regulated decision, so the mainstreaming of AI in recruiting is also the mainstreaming of AI compliance duties. The teams adopting these tools fastest are frequently the ones least aware that adoption carries legal obligations, which is the gap the rest of this guide is written to close.

The honest framing for 2026 is that nothing here is finished. The EU is actively trying to simplify its own AI rules mid-rollout, the US has reversed federal enforcement posture while states accelerate, and the durability of the main transatlantic data deal is being litigated. Treat every date in this guide as a live deadline that some lobby is trying to move, and build a program that survives whichever way each one settles.


2. Who is actually liable, and where the rules attach

Before any specific rule, get the mental model right, because it is the single thing that prevents the most expensive mistakes. The first principle is that you cannot outsource liability to a vendor. When you use an applicant-tracking system, an AI sourcing tool, or a background-check provider, you remain the party legally responsible for the outcome. Under the GDPR you are the controller and the vendor is your processor; under US discrimination law the employer, not the software company, answers for a biased screen; under the EU AI Act you are the deployer with your own non-delegable duties even when the tool's maker has done everything right. A vendor's compliance reduces your risk. It never erases it.

This is why the data processing agreement is not paperwork to skip. Whenever you hand candidate data to a vendor (an applicant-tracking system, a sourcing tool, a background-check provider), GDPR requires a written contract that binds the processor to act only on your instructions and to protect the data, and the absence of one is itself a breach. The same logic runs through every regime in this guide: the law attaches responsibility to whoever decides what happens to the candidate and the hire, and a contract can allocate work but not ultimate accountability. Treat each vendor relationship as something you are answerable for, and the rest of the controls follow naturally.

The second principle is that obligations attach based on facts about the candidate and the role, not on where your headquarters sits. European data-protection law follows the candidate's data, so a US company sourcing an engineer in Berlin is processing EU personal data and is squarely inside the GDPR. US pay-transparency laws can reach a fully remote role if it could be performed in, or reports into, the regulating state. Immigration duties attach the moment you employ someone in a country, regardless of where they were sourced. The practical consequence is that "we are a US company" or "we are a small startup" is almost never a defence. The rules find you through the person you are hiring and the place the work touches.

The diagram below shows the four questions that, answered in order, surface most of your obligations for any given hire.

Where the rules attach in a cross-border hire
Four questions that decide your obligations

Reading the diagram top to bottom, the first fork (candidate location) decides which privacy and AI regime governs the data. The second fork (are you using AI to screen or rank) layers on bias-audit, transparency, and human-oversight duties almost everywhere. The third, separate branch (are you employing without a local entity) opens the classification and tax questions that chapter ten covers. Most compliant programs are simply this flow, run deliberately, with the answers documented. Most failures are this flow skipped because someone assumed their home-country rules travelled.

A concrete example shows how fast the obligations stack. Picture a US company posting a fully-remote engineering role open to candidates in New York, Germany, and India, with applications scored by an AI ranking tool. The New York posting must carry a salary range. The German candidate's data is full GDPR territory and needs a valid transfer mechanism to reach the US applicant-tracking system. The Indian candidate's data triggers consent and notice duties under the new DPDP rules. And the AI screen is a high-risk decision system in the EU while also being an auditable tool under New York City law. One requisition, one tool, four overlapping regimes, none of which the company's home-state employment law addresses. In 2026 this is the normal case, not the edge case, which is why the four-question flow has to be a habit rather than a one-time legal review.

The third principle worth internalizing is that documentation is the product. In nearly every regime, the difference between a defensible decision and a liability is whether you can show your reasoning: the legitimate-interest assessment, the bias-test result, the good-faith pay range, the right-to-work check completed before the start date. Regulators rarely demand perfection. They demand evidence that you thought about the rule and acted reasonably. Build the habit of generating that evidence as a byproduct of the workflow, and most of what follows becomes manageable. Skip it, and even technically-correct decisions become impossible to defend.


3. Candidate data protection: GDPR, UK GDPR, and the new divergence

The foundational rule of recruiting in Europe is that every candidate is a data subject with full rights, and you need a lawful basis to touch their data at all. For active sourcing, the right basis is almost never consent. Consent in the recruiting context is fragile because of the power imbalance between employer and applicant, and because it can be withdrawn at any moment, which would force you to delete data mid-process. The defensible basis for sourcing and matching candidates to roles is legitimate interest under Article 6(1)(f), supported by a documented three-part assessment: identify the interest, show the processing is necessary for it, and balance it against the candidate's rights - Workable. Consent earns its place mainly in one spot: keeping a rejected candidate in a talent pool for future roles.

Beyond lawful basis, the principles that catch most recruiters are data minimization, purpose limitation, and storage limitation. You may collect only what is relevant and necessary for the specific role, you may not silently repurpose it, and you may not keep it forever. UK regulator guidance indicates that unsuccessful-applicant records should generally not be kept beyond the period in which a claim could be brought, which for discrimination is six months, making a six-to-twelve-month retention baseline a sensible default with secure deletion thereafter - ICO recruitment guidance. The "keep every CV forever just in case" habit is one of the most common and most avoidable breaches.

Two further duties turn principles into daily operations. The first is the heightened protection for special-category data (Article 9), covering health, ethnicity, religion, and trade-union membership. Recruiters rarely set out to collect it, but AI tools that infer it from names or photos, and diversity-monitoring forms that capture it, both pull you into a far stricter regime that needs its own additional legal condition. The second is the suite of data-subject rights: candidates can ask what you hold, demand correction, object to processing, or request erasure, and you must respond within a month. Mishandled access and erasure requests are one of the most common first dominoes in an enforcement action, because the candidate who is ignored is precisely the person most motivated to complain to a regulator.

The seven GDPR principles below are the backbone every recruiting data practice is measured against, and they apply to candidate data exactly as they apply to customer data.

The seven principles that govern candidate data

Infographic of the 7 GDPR principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability
Source: CookieYes, GDPR principles infographic

The principle most relevant to a sourcing operation is data minimisation combined with storage limitation: collect the narrow set of data the role actually needs, and delete it on a schedule. The accountability principle in the bottom corner is the one that turns the others into work, because it requires you to be able to demonstrate compliance, not merely assert it. In practice that means a written retention schedule, a privacy notice, and records of what you process and why, which is the documentation theme from chapter two showing up again.

The 2026 wrinkle is that Britain has begun to diverge. The UK Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in stages through 2026, creating the first material gap between UK and EU data law - GOV.UK DUAA factsheet. Most consequentially for recruiters, its Section 80 replaces the old blanket restriction on solely automated decisions with a more permissive regime that broadly allows them (except where special-category data is involved), provided safeguards like human intervention and a right to contest are in place - legislation.gov.uk, DUAA s.80. The implication is concrete: a single "global GDPR policy" can now be simultaneously correct in the UK and wrong in the EU, because automated-screening rules, recognized legitimate interests, and data-request mechanics no longer line up.

Two enforcement signals make this chapter urgent rather than theoretical. First, the European Data Protection Board has made transparency the focus of its 2026 coordinated enforcement, which puts applicant and employee privacy notices directly in the regulator's sights. Second, the headline fines are landing on exactly the kind of professional-network and profiling activity that sourcing relies on: Ireland's regulator fined LinkedIn EUR 310 million in October 2024 for processing member data on an invalid consent basis and an overreaching legitimate-interest claim - Irish DPC. When the platform recruiters live on is itself fined nine figures over the lawful basis for using member data, the lesson for anyone scraping or enriching candidate profiles is not subtle.

To apply this well, treat candidate data the way a careful controller treats any sensitive dataset: pick legitimate interest and write the assessment down, publish a clear candidate-facing privacy notice that names any AI processing, set retention to months not years, honour access and erasure requests on time, and keep the UK and EU policies as deliberately separate documents. None of this is exotic, but the gap between teams that do it and teams that intend to is precisely the gap regulators are now funding audits to find.


4. Moving candidate data across borders

The moment candidate data leaves the European Economic Area, a second layer of rules applies, and it is the layer most recruiting stacks quietly violate. Almost every modern sourcing tool, applicant-tracking system, and AI model is hosted in the US or relies on US subprocessors, which means routine sourcing usually involves a transatlantic data transfer. Such transfers are only lawful if you have a valid mechanism. The two that matter are an adequacy decision (the regulator has blessed the destination country) and Standard Contractual Clauses backed by a transfer impact assessment. There is no third "we'll be careful" option, and the absence of a mechanism is exactly what regulators fine.

For US transfers specifically, the headline route is the EU-US Data Privacy Framework, which lets data flow to US companies that self-certify under it. The framework is valid in 2026: the EU General Court dismissed a challenge to it in September 2025 - IAPP. But it should be treated as durable-for-now rather than permanent, because that ruling is under appeal to the EU's top court, which has already struck down two predecessor deals (Safe Harbor and Privacy Shield). The practical caution is twofold: confirm your specific vendor is actively certified for HR data, and keep Standard Contractual Clauses ready as a fallback in case the framework wobbles again.

Where you fall back on Standard Contractual Clauses, the Schrems II judgment requires more than signing a template. You must perform a transfer impact assessment that evaluates whether the destination country's surveillance laws undermine the protection, and add supplementary measures where they do - IAPP, Schrems II. This sounds academic until you see what happens when it is skipped. The Dutch regulator fined Uber EUR 290 million in 2024 for transferring European drivers' data to US servers for over two years without an adequate transfer mechanism after it had dropped its clauses - CNIL. The data type was workforce data, the failure was procedural, and the penalty was nine figures.

Transfer failures are, in fact, the single most expensive category in the entire GDPR enforcement record. The largest fine ever issued, EUR 1.2 billion against Meta in 2023, was for transferring EU user data to the US without an adequate basis - CMS Enforcement Tracker, and large transfer-related penalties have continued to land since. The reason transfers attract the biggest numbers is structural: a faulty lawful basis taints one process, but a faulty transfer mechanism taints every record that ever crossed the border, so the violation is enormous by sheer volume. For a recruiter, the takeaway is reassuring in a backwards way: the dull vendor-mapping exercise in this chapter is what protects you against the most severe penalties in the framework, not a minor housekeeping rule.

There is one piece of genuinely good news in 2026. The European Commission renewed the UK's adequacy status on 19 December 2025, valid until 27 December 2031, so EEA-to-UK candidate data continues to flow freely without extra paperwork - Hunton. For the many recruiting teams that route European data through UK-based systems or staff, that removes a question mark that had been hanging since Brexit. It does not, however, change the US analysis, which remains the live risk for almost everyone using American SaaS.

The way to operationalize all of this is a short transfer map. List every tool that touches candidate data, note where each one (and its subprocessors) actually stores and processes that data, and record the legal mechanism for each transfer outside the EEA. For most teams the map reveals a handful of US vendors that need either a confirmed Data Privacy Framework certification or signed Standard Contractual Clauses with a documented assessment. Building that map once, and refreshing it when you add a tool, converts an invisible nine-figure risk into a maintained checklist. The Uber fine is what the missing checklist costs.
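The transfer map above, as an added example that is not part of the guide: a small vendor inventory checked against the mechanisms the chapter names (inside the EEA, an adequacy decision, the EU-US Data Privacy Framework with an HR-data certification, or Standard Contractual Clauses backed by a transfer impact assessment). The vendor entries are constructed; the EEA list is factual, and the adequacy set is an assumption that only carries the UK, so complete it from the Commission's current list before relying on it.

```python
"""Transfer-map check for every tool that touches EEA candidate data.

Added example, not from the guide. Vendor records are constructed; EEA
membership is factual; the adequacy set is an assumption (UK only, per the
guide's note on the December 2025 renewal).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",  # EU-27
    "IS", "LI", "NO",  # EFTA states inside the EEA
}
ADEQUACY = {"GB"}  # assumption: extend from the Commission's official adequacy list


@dataclass
class Vendor:
    name: str
    storage_country: str                          # ISO 3166-1 alpha-2 code
    subprocessor_countries: List[str] = field(default_factory=list)
    mechanism: Optional[str] = None               # "DPF", "SCC" or None
    dpf_certified_for_hr: bool = False            # DPF certification must cover HR data
    tia_completed: bool = False                   # Schrems II transfer impact assessment


def check_transfer(vendor: Vendor, country: str) -> Tuple[bool, str]:
    """Classify one destination country for one vendor as (ok, reason)."""
    if country in EEA:
        return True, "inside EEA"
    if country in ADEQUACY:
        return True, "adequacy decision"
    if vendor.mechanism == "DPF":
        if country != "US":
            return False, "DPF only covers certified US recipients"
        if not vendor.dpf_certified_for_hr:
            return False, "DPF certification does not cover HR data"
        return True, "EU-US Data Privacy Framework"
    if vendor.mechanism == "SCC":
        if not vendor.tia_completed:
            return False, "SCCs signed but no transfer impact assessment"
        return True, "SCCs with TIA"
    return False, "no transfer mechanism"


def transfer_findings(vendors: List[Vendor]) -> List[Tuple[str, str, str]]:
    """One finding per (vendor, country) pair that lacks a valid mechanism."""
    findings = []
    for v in vendors:
        # dict.fromkeys keeps order and drops a storage country repeated as a subprocessor
        for country in dict.fromkeys([v.storage_country, *v.subprocessor_countries]):
            ok, reason = check_transfer(v, country)
            if not ok:
                findings.append((v.name, country, reason))
    return findings


# Constructed inventory of a typical recruiting stack.
SAMPLE_VENDORS = [
    Vendor("ats", "US", ["US"], mechanism="DPF", dpf_certified_for_hr=True),
    Vendor("sourcing-tool", "IE", ["US"]),          # EU-hosted, but a US subprocessor
    Vendor("background-check", "GB"),
    Vendor("ranking-model", "US", mechanism="SCC", tia_completed=False),
    Vendor("payroll", "DE"),
]

if __name__ == "__main__":
    for name, country, reason in transfer_findings(SAMPLE_VENDORS):
        print(f"{name}: {country}: {reason}")
```

The two findings it produces (an EU-hosted tool whose US subprocessor has no mechanism, and clauses signed without an assessment) are the two gaps the Uber case turned on.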


5. AI in hiring under the EU AI Act

If you use software to source, screen, filter, rank, or evaluate candidates in the EU, the EU AI Act almost certainly classifies that software as high-risk. Annex III, point 4 names recruitment and selection explicitly, including systems used to place targeted job ads, analyse and filter applications, and evaluate candidates - EU AI Act, Annex III. This is not a grey area you can argue your way out of, and the usual escape hatch does not help: a draft Commission guideline published on 19 May 2026 confirms that the carve-out for "narrow, preparatory" tasks does not apply where the tool profiles people, which screening tools inherently do - European Commission draft guidelines. Recruitment AI is the textbook high-risk case the law was written for.

High-risk status splits obligations between two parties, and understanding the split is what tells you what you must do. The provider (the vendor that builds the tool) carries the heavy engineering duties under Article 16: risk management, data governance, technical documentation, logging, a conformity assessment, CE marking, and registration in an EU database. The deployer (you, the recruiter or employer) carries Article 26 duties that cannot be delegated: use the tool per its instructions, assign competent human oversight, monitor it, keep its logs for at least six months, tell candidates they are subject to it, and inform affected workers and their representatives before deployment - EU AI Act, Article 26. A vendor with perfect paperwork does not discharge your deployer duties; it just makes them possible.

It helps to make the split concrete. If you buy an AI screening tool from a European vendor, that vendor must have run a conformity assessment, affixed a CE marking, and registered the system before selling it. You, in turn, must train the people who operate it, keep a human reviewer who can genuinely overrule it, retain its logs, disclose its use to candidates, and notify your works council before switching it on. One duty that often causes confusion is the fundamental-rights impact assessment (Article 27): it is mandatory only for specific deployers such as public bodies and credit or insurance providers, so a typical private-sector recruiter is generally not required to file one - EU AI Act, Article 27. That is not a free pass, though, because a GDPR data-protection impact assessment is almost always required for the very same tool, so the substantive documentation gets done regardless of which label it carries.

Two obligations are already live and frequently overlooked, because they took effect well before the high-risk regime. Since 2 February 2025, the Act bans AI that infers emotions in the workplace, which outlaws "sentiment" or "mood" analysis of candidates in video interviews and carries the top fine tier of up to EUR 35 million or 7% of turnover - EU AI Act, Article 5. Also since that date, every deployer of any AI system owes an AI-literacy duty to ensure the people operating it are adequately trained. These are in force now, with no grace period, and they apply regardless of any delay to the rest of the law.

The official timeline below is the framework recruiters should plan against, with one critical caveat that follows it.

The EU AI Act phased timeline

EU AI Act implementation timeline infographic showing the staggered application dates from 2024 onward
Source: artificialintelligenceact.eu, AI Act implementation timeline

The caveat is the biggest AI story of 2026, and it is unresolved. The high-risk obligations for recruitment AI were originally set to apply from 2 August 2026 - Commission AI Act timeline. Under a simplification package known as the "Digital Omnibus," EU negotiators reached a provisional political agreement in early May 2026 to postpone that deadline to 2 December 2027 - Council of the EU. But a provisional agreement is not law. Until it is formally adopted and published in the Official Journal, the original August 2026 deadline legally stands, which is why employment advisers are telling clients to keep preparing on the 2026 timeline rather than betting on the delay. Do not build your roadmap around a postponement that can still slip.

Running underneath the AI Act is a parallel rule that does not move: Article 22 of the GDPR, which restricts solely automated decisions that have a legal or similarly significant effect on a person. The EU's top court clarified in the 2023 SCHUFA ruling that an automated score a human then leans on heavily can itself be the "decision," which captures many AI ranking tools - IAPP. The combined effect is that a rubber-stamp human reviewer who simply confirms the algorithm's shortlist satisfies neither regime. To apply this, keep a genuine human decision step before any rejection, disclose AI use to candidates, retain the tool's logs, and consult worker representatives where required. Compliance-first sourcing platforms increasingly bake these controls in: the world's first AI Recruiter, HeroHunt.ai, is one example of a tool that pairs automated sourcing with human-in-the-loop review and candidate-facing transparency, which is the pattern the Act rewards. The deployer duties, though, always remain yours.


6. AI in hiring in the US: the floor and the patchwork

The American picture is the mirror image of Europe's, and recruiters consistently misread it. There is a permanent federal floor of anti-discrimination law that applies to AI hiring tools exactly as it applies to human decisions, and there is a fast-growing patchwork of state and city AI-specific laws on top. The floor is the durable part. Title VII bars discrimination in hiring based on race, colour, religion, sex, and national origin for employers with 15 or more staff - EEOC; the ADA requires assessments to be accessible and accommodated; the ADEA protects workers over 40. None of this cares whether the screen was run by a person or a model, and the employer, not the vendor, is liable for a discriminatory outcome.

The mechanism that catches AI tools is disparate impact: a neutral-looking screen that filters out a protected group at a substantially lower rate can be unlawful even without any intent to discriminate, unless the employer can show the criterion is job-related and consistent with business necessity. The long-standing rule of thumb for spotting it is the four-fifths rule, under which a selection rate for any group below 80% of the top group's rate is treated as a signal of adverse impact worth investigating - EEOC, Uniform Guidelines Q&A. It is a trigger for scrutiny, not a legal definition, but it is the number every bias audit revolves around, and a tool that quietly correlates with a protected trait is exactly how modern hiring software fails it at scale.
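The four-fifths computation above, as an added example that is not from the guide: per-group selection rates from a screening step, each divided by the highest rate to give an impact ratio, with anything under 0.8 flagged for investigation. The group counts are constructed (in practice they come from the screening tool's logs), and the minimum-sample floor is an assumed operational choice, not a figure from the Uniform Guidelines.

```python
"""Four-fifths (80%) rule check over per-group screening outcomes.

Added example, not from the guide. Counts are constructed; MIN_APPLICANTS is
an assumed operational floor, not an EEOC number.
"""
from dataclasses import dataclass
from typing import Dict, List

FOUR_FIFTHS = 0.8        # EEOC Uniform Guidelines rule of thumb
MIN_APPLICANTS = 30      # assumption: below this, a ratio is too noisy to read


@dataclass(frozen=True)
class GroupOutcome:
    group: str
    applicants: int
    advanced: int        # candidates the screen passed to the next stage

    @property
    def selection_rate(self) -> float:
        return self.advanced / self.applicants if self.applicants else 0.0


def adverse_impact_report(outcomes: List[GroupOutcome],
                          threshold: float = FOUR_FIFTHS,
                          min_applicants: int = MIN_APPLICANTS) -> Dict[str, dict]:
    """Per-group selection rate, impact ratio and status.

    impact_ratio = group rate / highest rate among groups with enough
    applicants. A ratio under `threshold` is a signal to investigate, not a
    finding of discrimination; tiny groups are reported separately.
    """
    if not outcomes:
        return {}
    eligible = [o for o in outcomes if o.applicants >= min_applicants] or outcomes
    top_rate = max(o.selection_rate for o in eligible)
    report = {}
    for o in outcomes:
        ratio = o.selection_rate / top_rate if top_rate else 0.0
        if o.applicants < min_applicants:
            status = "insufficient_sample"
        elif ratio < threshold:
            status = "investigate"
        else:
            status = "ok"
        report[o.group] = {
            "applicants": o.applicants,
            "advanced": o.advanced,
            "selection_rate": round(o.selection_rate, 4),
            "impact_ratio": round(ratio, 4),
            "status": status,
        }
    return report


def groups_to_investigate(report: Dict[str, dict]) -> List[str]:
    """Groups whose ratio fell under the threshold on a readable sample."""
    return sorted(g for g, r in report.items() if r["status"] == "investigate")


# Constructed sample: one requisition's resume-screen outcomes by group.
SAMPLE = [
    GroupOutcome("group_a", 200, 60),   # 30.0% advanced, the comparator
    GroupOutcome("group_b", 150, 30),   # 20.0%, ratio 0.67, under 0.8
    GroupOutcome("group_c", 100, 26),   # 26.0%, ratio 0.87
    GroupOutcome("group_d", 12, 1),     # too few applicants to read
]

if __name__ == "__main__":
    for group, row in adverse_impact_report(SAMPLE).items():
        print(group, row)
```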

What changed at the federal level in 2025 is enforcement posture, not the law. The EEOC removed its dedicated AI-guidance pages in January 2025, and Executive Order 14281 (April 2025) directed agencies to deprioritize disparate-impact enforcement - Federal Register. This is the most misunderstood development of the year. An executive order cannot repeal a statute or rewrite case law, so Title VII, the ADA, the underlying disparate-impact doctrine, and the right of private plaintiffs and state agencies to sue all remain fully intact - K&L Gates. Reading the federal rollback as "AI hiring is now unregulated" is the trap; the liability simply shifts to state regulators, plaintiffs' lawyers, and class actions.

The state patchwork has filled the federal gap, and it is where the active compliance frontier sits for 2026. The differences in trigger and threshold are real, so a national applicant pool can attract several of these at once.

Jurisdiction | Core AI hiring rule | Status in 2026
New York City | Bias audit within 12 months + 10-day candidate notice for automated tools | In force (Local Law 144)
Illinois | AI discrimination is a civil-rights violation; no ZIP-code proxies; notice required | Effective 1 Jan 2026 (HB 3773)
California | Automated-decision-system rules under FEHA; 4-year recordkeeping | Effective 1 Oct 2025
Colorado | Comprehensive AI Act, since scaled back to disclosure-only | Effective 1 Jan 2027 (SB26-189)
Texas | Prohibits intentional AI discrimination (TRAIGA) | Effective 1 Jan 2026

New York City's Local Law 144 is the template others borrow from: an employer using an automated employment decision tool must commission an independent bias audit within the prior year, publish a summary, and notify candidates at least ten business days ahead, with civil penalties of up to $500 for a first violation and $500 to $1,500 for each subsequent one, counted per day and per failed notice - NYC Rules. California's FEHA regulations, effective October 2025, add a four-year recordkeeping duty and make the presence or absence of bias testing admissible evidence - Mayer Brown. Illinois, effective January 2026, makes AI-driven discrimination a civil-rights violation and specifically bans using ZIP code as a proxy for a protected class - Ogletree.

Enforcement of these laws has been uneven so far, but that is a reason for more caution, not less. A New York State Comptroller audit released in December 2025 found NYC's enforcement of Local Law 144 "ineffective," identifying at least 17 likely non-compliant employers where the city had flagged only one, and discovering that 75% of complaint calls to the city hotline were misrouted and never reached the enforcing agency - DLA Piper. Light enforcement today often precedes a crackdown tomorrow, and it does nothing to stop the private lawsuits the underlying discrimination statutes still permit. The ADA dimension is a parallel live risk: timed assessments, video analysis, and voice tools must be accessible and accommodated, or they systematically screen out candidates with disabilities and create liability regardless of any AI-specific law.

The cautionary tale of the patchwork is Colorado, which shows how fast these rules move. Its pioneering AI Act was delayed, then gutted: Governor Polis signed SB26-189 on 14 May 2026, pushing the effective date to January 2027 and stripping out the duty of care, impact assessments, and risk-management obligations in favour of a narrower disclosure model - Hunton. Enforcement is even softer than the statute, with the state attorney general declining to enforce until rulemaking concludes - Troutman. The lesson for recruiters is not to chase every headline, but to build to the strictest live standard you operate under (usually NYC plus California), because that posture satisfies the floor everywhere and absorbs new state laws as they harden.


7. Pay transparency and equal pay in the ad and the offer

Pay transparency has crossed from a US-state curiosity to a global baseline that reshapes the job ad and the offer itself. The two things it almost universally requires are publishing a good-faith pay range and not asking about salary history. In the US, at least 14 to 15 states plus the District of Columbia now mandate ranges in postings, and roughly 22 states ban salary-history questions - GovDocs. The trajectory is one of relentless expansion, and the practical trap for international recruiters is that a single remote posting can trigger a state's law if the role could be performed there, even with no office in that state.

The European Union is about to make this a continent-wide obligation. The EU Pay Transparency Directive must be transposed into national law by every member state by 7 June 2026, after which employers must disclose a starting salary or range in the vacancy notice or before the first interview and may not ask candidates about pay history - Littler. It also shifts the burden of proof onto the employer in pay-discrimination cases and, from 2027, phases in gender-pay-gap reporting with a 5% unjustified-gap trigger for a mandatory joint pay assessment - European Commission. The crucial nuance is that this is not one rule but 27 national laws, and as of mid-2026 most member states had not fully transposed it, so employers face a patchwork of partial, inconsistent implementations rather than a clean single deadline.

This short employer-focused walkthrough of the EU directive is a useful primer on how the rules reshape recruitment, compensation, and offers ahead of the June 2026 deadline.

Understanding the EU Pay Transparency Directive

As the walkthrough stresses, the directive's salary-history ban and pre-interview disclosure are the parts that hit recruiting workflows first, and they apply even where the broader gender-pay-gap reporting is still phasing in. That sequencing matters for prioritization: the job-ad and first-contact changes are immediate operational work for talent teams, while the reporting obligations are a finance-and-HR project on a longer fuse. A recruiter's most urgent task is therefore to fix the posting template and the intake script, not to wait for the reporting deadline.

The pace of the US rollout is best seen as a trend rather than a snapshot, because any single map is outdated within months.

US States Requiring Salary Ranges in Job Postings (approx.)

The exact count depends on how you treat on-request versus in-posting rules, but the slope is the point: the obligation roughly doubled between 2023 and 2026, with a cluster of laws taking effect across 2025 (Illinois and Minnesota in January, New Jersey in June, Vermont in July, and Massachusetts in October) and refinements continuing into 2026 with California's SB 642 - Jackson Lewis. The thresholds vary widely, from Vermont's 5-employee floor to Minnesota's 30, and several laws also cover internal promotions, not just external ads. Massachusetts even attaches an escalating penalty topping out at $25,000 for repeat offenders - Mass.gov.

The thresholds and edge cases are where multi-state employers actually get caught. Several of these laws reach internal moves, not just external ads: Illinois and Massachusetts both cover promotions and transfers, so a company that publishes external ranges but hides internal ones is still exposed. Remote roles are the other trap, because a posting that does not explicitly exclude a regulating state can be read as open to candidates there, pulling in that state's disclosure rule even with no local office. The defensive pattern most large employers have settled on is to publish a compliant range on every posting everywhere, rather than maintaining a fragile per-state matrix of who is and is not covered, since the cost of disclosing a range is trivial next to the cost of getting the geography wrong.

Two precision points keep recruiters out of trouble. First, the much-cited "4+ employees" New York threshold belongs to the local NYC, Ithaca, and Westchester ordinances; the statewide New York law (Labor Law 194-b) has no employee-count minimum and reaches remote roles that report into New York - Epstein Becker Green. Second, the salary-history ban is absolute in the places that have it, including California, and it covers indirect routes like application forms and recruiter intake calls. The compliant pattern is to template every posting with a jurisdiction-specific good-faith range, remove salary-history fields entirely, and log that a range was shown before the first interview, since under the EU directive the employer now has to prove it. This is exactly the kind of rule that automation enforces well: a sourcing system can inject the right range per location and block the prohibited question by default, turning a fast-moving patchwork into a configured control.


8. Immigration and right to work in 2026

Sponsored immigration in the two largest English-speaking markets became dramatically more expensive and restrictive in 2025 and 2026, and the changes are concrete enough to reshape who you can realistically hire. The headline is the US H-1B charge: a September 2025 proclamation attached a one-time $100,000 payment to new H-1B petitions for workers abroad, and a federal court upheld it in December 2025 - Goel & Anderson. The most important detail, and the one recruiters get wrong, is its narrow scope. The fee is one-time per petition, not annual, and it generally applies only to new petitions for people outside the US who need consular processing. It does not hit change-of-status, extension, amendment, or in-country change-of-employer petitions for workers already legally present, including F-1 students changing to H-1B - CDF Labor Law. Misreading this kills viable hires that are actually fee-exempt.

The second US change reshapes the lottery itself. A DHS final rule effective 27 February 2026 replaces the random H-1B cap selection with a wage-weighted process, giving higher-paid roles more entries, first applying to the FY2027 cap registered in March 2026 - Ogletree. The effect on sourcing strategy is direct, because a Level IV wage offer now has four times the selection odds of a Level I offer.

H-1B Weighted Selection Entries by Wage Level (FY2027)

The strategic reading of that chart is that low-wage H-1B registrations are now a long shot, so for cap-subject roles it pays to register at the highest defensible wage level and to lean on alternatives that sidestep the lottery entirely, such as the O-1 for exceptional ability, the L-1 intracompany transfer, the TN under USMCA for Canadians and Mexicans, and increasingly Canada itself as a nearshore hub. The combined message of the fee and the weighting is that the H-1B is no longer the default path for junior international hires; it is an expensive, odds-weighted option best reserved for senior, well-paid roles.

It is worth naming the alternatives concretely, because for many roles they are now the better path. The O-1 suits genuinely exceptional candidates and has no cap or lottery; the L-1 moves an existing employee from an overseas office; the TN offers a fast, low-cost route for Canadian and Mexican professionals under the USMCA; and relocating a role to a Canadian hub sidesteps the US system entirely while keeping the worker in a compatible time zone. On the foundational side, the cost of sloppy paperwork has risen sharply, with I-9 paperwork violations now running from $288 to $2,861 per form after the 2025 inflation adjustment - Federal Register. The EU Blue Card, for its part, is more flexible than it looks: it grants simplified movement to a second member state after twelve months in the first, which makes it a genuine pan-European route rather than a single-country permit.

The United Kingdom tightened in parallel. From 22 July 2025 the Skilled Worker route returned to degree-level (RQF6) skills and raised the general salary threshold to GBP 41,700, while closing overseas care-worker recruitment - Morgan Lewis. From 8 January 2026 the English-language bar rose to B2 - House of Commons Library, the Immigration Skills Charge increased 32% in December 2025 - Morgan Lewis, and the government opened a consultation on doubling the settlement period to ten years under an "earned settlement" model - Morgan Lewis. Across the Channel, the EU Blue Card remains the core highly-qualified route, with salary thresholds set per member state (Germany's 2026 standard threshold is EUR 50,700, lower for shortage occupations) - Make it in Germany.

Underneath the visa headlines sit two foundational duties that have not changed and quietly carry the most day-to-day risk. In the US, employers must complete Form I-9 verification, signing Section 2 within three business days of the start date and retaining the form for the later of three years after hire or one year after termination - USCIS. In 2026, ICE reclassified many previously-correctable I-9 "technical" errors as substantive, fineable violations - Morgan Lewis. In the UK, an employer only earns a statutory excuse against a civil penalty by completing a prescribed right-to-work check before employment begins, with penalties up to GBP 60,000 per illegal worker for repeat breaches - GOV.UK. One discrimination warning rides on top of all this: screening or auto-rejecting candidates on the basis of nationality or "requires sponsorship" can edge into citizenship-status discrimination in the US and Equality Act risk in the UK, so flag work-authorization questions to be confirmed through the lawful checks rather than silently filtering people out.


9. Background checks and vetting across borders

The single most dangerous assumption in international vetting is that a background check that is routine at home travels with you. It does not. A standard US-style criminal-history check is frequently unlawful in the European Union, because GDPR Article 10 reserves criminal-conviction data to processing under official authority or specific national legal authorization, which ordinary employers usually lack - GDPR Article 10. Critically, candidate consent does not rescue you: in the EU employment context consent is generally not considered "freely given" because of the power imbalance, so a consent-based criminal check in countries like the Netherlands or Spain often has no valid basis at all. Spain's regulator fined a company EUR 2 million for collecting criminal-conviction certificates without a lawful basis - Sterling.

The same caution applies to social media. In the EU you may only screen a candidate's online presence where it is necessary and relevant to the specific role, which usually means a professional network is fair game while personal platforms are not. Candidates must be told in advance, and the mere fact that a profile is public does not authorize you to process it - Mintz Group. The practical takeaway is that vetting must be built country by country from the ground up. The default question is not "what do we usually check" but "what is this specific role's necessity, and what does this candidate's jurisdiction allow."

The US runs on the opposite logic, but with its own strict procedure that trips up the unwary. The Fair Credit Reporting Act governs any background check run through a third-party provider, and it demands a precise sequence. Before pulling the report you must give a clear, stand-alone written disclosure (not buried in the application or combined with a liability waiver) and obtain written authorization - FTC. If the result might cost the candidate the job, you must follow a two-step adverse action process: a pre-adverse-action notice with a copy of the report and a summary of rights, then, after a reasonable wait, a final notice. Skipping the stand-alone disclosure is one of the most common sources of class-action exposure in US hiring.

The adverse-action timing is the other frequent stumble. The point of the two-step process is to give the candidate a real window, commonly treated as around five business days, to review the report and dispute errors before the rejection becomes final, and the final notice must name the reporting agency, state that it did not make the decision, and explain the right to a free additional report. Compressing or skipping that window is exactly what plaintiffs' firms look for, and enforcement here is not theoretical: the federal consumer-protection regulator has made background-check compliance a priority with multi-million-dollar settlements. The FCRA sequence therefore deserves the same operational discipline as the data-protection rules elsewhere in this guide, because the failure mode is identical: a defensible decision rendered indefensible by a missing procedural step.

Layered on top of FCRA is the ban-the-box movement, which restricts when you can ask about criminal history at all. More than 37 states, the District of Columbia, and over 150 cities and counties have adopted fair-chance policies - NELP, and the frontier keeps moving: Texas added a statewide ban-the-box rule for employers with 15+ staff effective 1 September 2025, and Philadelphia cut its misdemeanour lookback window in January 2026 - iprospectcheck. The pattern mirrors pay transparency: a US-wide process applied uniformly will violate the stricter local rules.

Pulling the two worlds together, the compliant vetting program has a simple shape but an unforgiving execution. Decide, per role and per country, what is genuinely necessary; confirm the local lawful basis before any check; in the EU, default to not pulling criminal or personal-social-media data unless a specific legal authorization exists; in the US, run the clean stand-alone FCRA disclosure and the full adverse-action sequence, and respect ban-the-box timing. Because automated sourcing tools can silently enrich profiles with exactly the data these rules restrict, the safest configuration suppresses criminal-history and personal-social signals by jurisdiction rather than collecting everything and sorting it out later.


10. Hiring without a local entity: classification, EOR, and tax nexus

Once you find talent abroad, you face the question that decides most of your liability: how do you actually employ them? The wrong answer, and the most common one, is to engage a long-term, full-time worker overseas as an independent contractor to avoid setting up an entity. Misclassification is the highest-stakes compliance risk in international hiring, because authorities look at the substance of the relationship (control, integration, economic dependence), not the label on the contract. Get it wrong and you owe back taxes, unpaid benefits, social charges, and penalties in every jurisdiction the worker sits in. US willful-misclassification penalties run to roughly 20% of wages plus 100% of FICA taxes, and states pile on: California's Labor Code 226.8 alone imposes $5,000 to $15,000 per violation, rising to $10,000 to $25,000 for a pattern or practice - California Labor Code 226.8.

These are not hypothetical numbers. In September 2025, Lyft paid New Jersey $19.4 million to resolve a single worker-misclassification dispute tied to employee benefits - Plante Moran, a reminder that the exposure scales with headcount and persists for years. There is some relief if you discover a past misclassification, since US programs like the IRS Voluntary Classification Settlement Program let employers reclassify workers going forward at reduced cost - IRS. But relief is a fallback, not a strategy. The durable answer is to classify correctly from the start, which for any long-term, full-time, integrated worker abroad almost always means an employment relationship, delivered either through your own entity or through an Employer of Record.

The 2026 landscape is moving in opposite directions on different continents, which makes a single global contractor policy untenable. In the EU, the Platform Work Directive hardens protection: by 2 December 2026 every member state must implement a rebuttable presumption of employment for platform workers and impose algorithmic-management transparency rules - Ogletree. In the US, the trend reversed: the Department of Labor stopped enforcing the Biden-era contractor rule and in February 2026 proposed a narrower, more employer-friendly "economic reality" test - Mayer Brown, though the old rule still governs private lawsuits and strict state tests like California's ABC test are unchanged. The UK, meanwhile, is loosening IR35's reach through higher small-company thresholds from April 2026 - Forvis Mazars.

There is also a tax trap that has nothing to do with employment law. A single senior or revenue-generating employee working abroad can create a permanent establishment, a taxable corporate presence that exposes the whole company to host-country corporate tax, registration, and filing duties even without a local entity. The OECD's November 2025 update introduced a helpful clarification, treating a home office as generally not a permanent establishment if the person works there less than 50% of their time over a 12-month period - EY. But this is guidance, not binding law, and several countries reject it, so the safe-harbour is a starting point, not a shield.

The mainstream solution to all of this is the Employer of Record, a provider that legally employs the worker through its own local entity and handles payroll, tax, benefits, and statutory compliance on your behalf. It is now a core part of the global-hiring stack, and the market reflects that: the EOR sector is roughly a $6 billion industry in 2026 and growing, with North America accounting for about 45% of revenue - Custom Market Insights. Adoption is broad, with around 41% of teams already using an EOR and roughly half more planning to, citing compliance-risk reduction and the cost of local entities as the top reasons - SelectSoftwareReviews.

Where the EOR market sits

Chart of regional Employer of Record (EOR) market share across North America, Europe, and Asia-Pacific
Source: SelectSoftwareReviews, Employer of Record statistics and trends

As the regional breakdown suggests, this is a mature, well-capitalized category rather than a niche workaround, which is why most companies hiring their first employee in a new country now route it through an EOR instead of incorporating. This short overview from one of the largest providers explains the mechanics of how the model handles local compliance.

Employer of Record: how global hiring works

Pricing is the part to scrutinize, because the headline monthly fee is only part of the cost. EOR pricing in 2026 runs roughly $199 to $1,200 per employee per month on top of salary and the statutory employer burden, with a market median near $399 and published list prices clustering between about $599 and $699 for the major providers - Remote People. Two non-price factors deserve equal weight. First, provider stability and data security are real risks, vividly illustrated by the corporate-espionage lawsuit between Deel and Rippling that escalated into a reported criminal investigation - TechCrunch. Second, an EOR is not a permanent substitute for an entity where you grow a large local team, since some jurisdictions cap how long EOR employment can run and a large EOR workforce can itself raise tax-nexus questions. The model is the right default for entering a country and the wrong default for scaling deeply in one.


11. The rest-of-world snapshot: data laws beyond Europe

A guide that stopped at Europe and the US would mislead anyone hiring where the talent actually is, because the GDPR's influence has spawned a global patchwork of national privacy laws, each with its own cross-border-transfer mechanics. There is no single global regime to comply with. The world map below, from a widely-used legal handbook, shows just how broadly data-protection law now covers the planet, which is precisely why a US process cannot be assumed to travel.

Data protection is now a global patchwork

World map of global data protection and privacy laws, with covered jurisdictions highlighted
Source: DLA Piper, Data Protection Laws of the World

The most important 2026 addition to that map is India, the single largest source of internationally-sourced tech talent. India notified the rules under its Digital Personal Data Protection Act on 13 November 2025, finalizing a consent-based framework with itemized notices and 72-hour breach reporting, phasing in toward full compliance by 13 May 2027 - Fisher Phillips. India takes a comparatively permissive "blacklist" approach to transfers (data may go anywhere except specifically restricted countries), but the consent, notice, and breach-notification duties are real, and penalties reach roughly USD 30 million per instance - EY India.

China runs the opposite logic, with a strict cross-border-transfer regime under PIPL that has, helpfully, been relaxed for HR data. China's 2024 provisions exempt transfers necessary for human-resources administration under a lawful employment policy regardless of volume, and exempt non-sensitive transfers below 100,000 individuals a year, while still requiring formal clauses or a security assessment above those thresholds - Greenberg Traurig. For a recruiter moving candidate or employee data out of China, the HR exemption is genuinely useful, but it does not cover large-scale sourcing databases, which can still trip the assessment requirement - Arnold & Porter.

Two more jurisdictions round out the practical map. Brazil's LGPD now requires that international transfers use regulator-approved Standard Contractual Clauses or another approved mechanism, since the grace period to adopt them ended on 23 August 2025 and Brazil recognizes no country, including the US, as "adequate" - Mayer Brown. Quebec, under Law 25, is stricter than Canada's federal PIPEDA and mandates a privacy impact assessment before sending a Quebec resident's data outside the province, backed by penalties up to CAD 25 million or 4% of worldwide turnover - BCLP.

The unifying lesson across all four is that "we transfer candidate data globally" is a sentence that needs a per-country answer. China wants a transfer mechanism (with an HR carve-out), Brazil wants its specific clauses, Quebec wants an assessment, and India wants consent and notice. None of these is satisfied by a US privacy policy or by a single set of EU clauses. The workable approach is to geofence candidate data by region and apply the correct mechanism for each, which is far easier to design into a sourcing system upfront than to retrofit after a regulator asks how an Indian or Brazilian candidate's data reached a US server.


12. A practical compliance playbook for international recruiting

The gap between teams that comply and teams that intend to is rarely knowledge. It is operational habit, and the data shows the habit is mostly missing. SHRM found that 51% of organizations now use AI to support recruiting - SHRM, yet an analysis of more than 150 AI hiring tools found only 45% undergo independent bias audits and 40% of HR platforms do not disclose AI use to candidates - Warden AI. Regulators have noticed the gap: the UK ICO's 2024 audit of sourcing and screening tools issued nearly 300 recommendations after finding tools inferring gender or ethnicity from names and retaining candidate data indefinitely - ICO. The work of compliance is closing that operational gap deliberately.

A defensible international recruiting program rests on a small number of pillars that recur across every regime in this guide. They are unglamorous, which is exactly why they get skipped.

  • Records and retention - keep a record of what candidate data you process and why, with a defined deletion schedule (months, not years)
  • Candidate privacy notice - a clear notice that names any AI processing, served before you process
  • Impact assessments - a DPIA for high-risk processing, which AI screening almost always is
  • Vendor due diligence - a data processing agreement and a bias-audit request for every sourcing, ATS, and check provider
  • Meaningful human oversight - a genuine human decision step before any rejection, never a rubber stamp

Each of these maps directly onto an obligation seen earlier: the record and retention pillars satisfy GDPR data-minimization, the privacy notice satisfies the transparency duty the EDPB is enforcing in 2026, the impact assessment is mandatory under both the GDPR and the EU AI Act, the vendor agreement is required wherever a processor touches candidate data, and human oversight is the common requirement of the AI Act, GDPR Article 22, and every US state AI law. Build these five once and you have most of the answer for most jurisdictions, with local additions (a US FCRA sequence, a UK right-to-work check, an EU pay range) layered on top.

The financial case for building these pillars is straightforward. Failing to carry out a required impact assessment alone can draw a UK fine of up to GBP 8.7 million or 2% of global turnover - ICO, and that is before any underlying discrimination or transfer breach is even counted. There is a commercial upside too. Only about half of HR buyers run a formal evaluation before purchasing an AI hiring system, so a team that can produce a bias audit, a DPIA, and a data processing agreement on request is not merely compliant, it clears enterprise procurement faster than competitors who cannot. Compliance artifacts have quietly become a sales asset, which is why the better vendors now ship them by default rather than on request.

The most important operational principle is human-in-the-loop by design. Across the EU AI Act, GDPR Article 22, and the US state laws, the dividing line between heavy obligations and lighter ones is whether software decides or merely assists a human who decides. A tool that auto-rejects candidates is a regulated decision system carrying the full weight of bias-audit, transparency, and oversight duties. A tool that surfaces and ranks candidates for a human who makes the call carries a lighter load and is far easier to defend. Designing your funnel so that automation never makes the final adverse decision is the highest-leverage compliance choice you can make, and it happens to be good hiring practice too.

This is also where the choice of tooling matters, because automation can be either the risk or the control. The same system that scales a cross-border sourcing operation can enforce the rules at scale: geofencing candidate data to the right transfer mechanism, injecting the correct pay range per jurisdiction, suppressing restricted background signals, preserving audit logs, and keeping a human review step before any rejection. Platforms built compliance-first turn the regulation into a feature rather than a liability; the world's first AI Recruiter, HeroHunt.ai, is one of the tools positioning around exactly this, sourcing across a large candidate pool while keeping the human-in-the-loop and transparency controls the law now expects. Whatever tool you choose, evaluate it on these compliance artifacts, not just its sourcing reach, and you can start testing that approach for free before committing.
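The controls this paragraph lists (a jurisdiction-aware posting check, suppression of restricted background signals, an audit trail that proves the range was shown before the first interview, and a human decision step before any rejection) can be expressed as a small policy layer in the pipeline. The block below is an added Python illustration written for this guide; it is not HeroHunt.ai's code or any vendor's implementation. Its rule table is a constructed sample that records only statements made earlier in this guide (the EU's pre-interview range disclosure and salary-history ban, the statewide New York range rule with no employee-count minimum, California's salary-history ban, and the EU restriction on criminal-conviction and personal-social-media data). The jurisdiction codes, field names, and the four-jurisdiction scope are assumptions, and the table is deliberately incomplete: anything it does not record falls through to the strictest posture, which mirrors the "build to the strictest live standard" advice given earlier for the AI-law patchwork.

```python
"""Jurisdiction-gated controls for a candidate pipeline (added illustration).

Not HeroHunt.ai code. The rule table is a constructed sample that encodes only
statements made in this guide; it is not a complete or current legal matrix, and a
real deployment would load a lawyer-maintained table. Jurisdiction codes are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed rule table. A missing key is NOT "allowed": it falls through to STRICT_DEFAULT.
RULES = {
    "EU":    {"range_required": True, "salary_history_allowed": False,
              "criminal_history_allowed": False, "personal_social_allowed": False},
    "US-NY": {"range_required": True},           # statewide Labor Law 194-b, no headcount floor
    "US-CA": {"salary_history_allowed": False},  # salary-history ban
    "US-TX": {},                                 # nothing recorded; strict defaults apply
}
# Default-deny posture used whenever the table is silent for a jurisdiction or a key.
STRICT_DEFAULT = {"range_required": True, "salary_history_allowed": False,
                  "criminal_history_allowed": False, "personal_social_allowed": False}
# Enrichment signals that are only kept where the jurisdiction explicitly permits them.
RESTRICTED_SIGNALS = {"criminal_history": "criminal_history_allowed",
                      "personal_social": "personal_social_allowed"}


def rule(jurisdiction, key):
    """Look up one rule; unknown jurisdictions and unrecorded keys get the strict default."""
    return RULES.get(jurisdiction, {}).get(key, STRICT_DEFAULT[key])


@dataclass
class Posting:
    title: str
    remote: bool
    locations: list                     # jurisdictions the posting explicitly names
    pay_range: Optional[tuple]          # (low, high), or None when no range is shown
    intake_fields: list                 # question identifiers on the application form


def reach(posting):
    """Jurisdictions a posting is treated as reaching.

    A remote posting that excludes nothing is read as open everywhere configured,
    so every configured jurisdiction's rules apply to it.
    """
    if posting.remote and not posting.locations:
        return sorted(RULES)
    return sorted(posting.locations)


def check_posting(posting):
    """Return (jurisdiction, violation) pairs; an empty list means the posting is clean."""
    violations = []
    for j in reach(posting):
        if rule(j, "range_required") and posting.pay_range is None:
            violations.append((j, "missing_pay_range"))
        if "salary_history" in posting.intake_fields and not rule(j, "salary_history_allowed"):
            violations.append((j, "salary_history_question"))
    return violations


def suppress_signals(profile, jurisdiction):
    """Drop enrichment signals the candidate's jurisdiction does not permit, before storage."""
    return {k: v for k, v in profile.items()
            if k not in RESTRICTED_SIGNALS or rule(jurisdiction, RESTRICTED_SIGNALS[k])}


@dataclass
class Candidate:
    name: str
    jurisdiction: str
    audit: list = field(default_factory=list)           # append-only trail of events
    range_shown_at: Optional[datetime] = None
    first_interview_at: Optional[datetime] = None


def record_range_shown(c, when=None):
    """Log the moment the range was displayed; this is the evidence the employer must produce."""
    c.range_shown_at = when or datetime.now(timezone.utc)
    c.audit.append(("range_shown", c.range_shown_at.isoformat()))


def range_shown_before_interview(c):
    """True when a range was shown and it preceded the first interview (or none has happened)."""
    if c.range_shown_at is None:
        return False
    return c.first_interview_at is None or c.range_shown_at < c.first_interview_at


def decide(c, automated_rank, reviewer=None, reviewer_decision=None):
    """Automation may rank; only a named human reviewer can issue the final decision."""
    c.audit.append(("automated_rank", automated_rank))
    if reviewer is None or reviewer_decision is None:
        c.audit.append(("status", "pending_human_review"))
        return "pending_human_review"
    c.audit.append(("human_decision", reviewer, reviewer_decision))
    return reviewer_decision
```

Two design choices carry the weight here. The rule lookup is default-deny: a jurisdiction the table has never heard of, or a key nobody recorded, is treated as requiring a range, banning the salary-history question, and forbidding restricted signals, so an incomplete table fails safe rather than open. And `decide` cannot return a rejection without a reviewer identity attached, which is what keeps the tool on the "assists a human who decides" side of the line drawn in the previous paragraph; the audit list on each candidate is the record that a regulator or plaintiff would ask for.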

Finally, accept that this map will keep moving. The EU is mid-way through simplifying its own AI rules, the US federal posture could reverse again with an election, the transatlantic data deal is under appeal, and new national privacy laws arrive every year. The teams that stay clean are not the ones that memorize today's rules; they are the ones that build the five pillars, default to human-in-the-loop, and treat every date in this guide as provisional. Recruiting internationally in 2026 is harder than it was, but it is governable. The cost of governing it is a fraction of the cost of the fines, the lost candidates, and the deals that collapse when a hire turns out to be a liability.

This guide reflects the international recruiting regulatory landscape as of June 2026. Laws, effective dates, and enforcement postures in this field change frequently (the EU AI Act timeline and several US state laws were in active flux as this was written), so verify the current position for your jurisdictions before acting, and treat this as practical orientation rather than legal advice.