The EU AI Act Is Law. Does Your Firm Know What That Means?
The EU AI Act entered into force in August 2024. Most prohibited-use provisions kicked in last February. The high-risk requirements — the ones that will reshape how law firms procure and deploy AI — become enforceable in August 2026. That gives your firm roughly three months to stop treating this as someone else's problem.
Most firms haven't. A survey published by the International Bar Association in late 2025 found that fewer than 30% of law firms operating in EU-adjacent markets had conducted any formal AI Act compliance audit. That number should alarm managing partners. It doesn't seem to.
What the Act Actually Requires of High-Risk Systems
The AI Act operates on a tiered risk model. At the top are the prohibited practices in Article 5, such as social scoring and, subject to narrow law-enforcement exceptions, real-time remote biometric identification in publicly accessible spaces, which no legitimate firm should be touching. Below that sits the high-risk category, and this is where legal practice gets complicated.
Annex III of the Act lists high-risk AI use cases by area. Two directly implicate legal work. First, "administration of justice and democratic processes": AI systems intended to be used by, or on behalf of, a judicial authority (or an alternative dispute resolution body) to assist in researching and interpreting facts and the law and in applying the law to a concrete set of facts. Second, "employment, workers management and access to self-employment", which sweeps in any tool used at the firm itself for recruitment or selection, for decisions on promotion or termination, for allocating work, or for monitoring and evaluating the performance and behaviour of staff.
For systems that qualify as high-risk, the obligations are substantial. Providers must complete a conformity assessment before placing the system on the market or putting it into service. They must maintain technical documentation under Article 11 (its required contents are set out in Annex IV), establish a quality management system under Article 17, register the system in the EU database under Article 49, and design it for effective human oversight under Article 14. Deployers, meaning law firms that put these systems to work, carry their own obligations under Article 26: use the system in accordance with the provider's instructions, assign oversight to people with the competence and training to exercise it, monitor the system in operation and report serious incidents, retain the logs it generates for at least six months where those logs are under the firm's control, and, for systems used at the workplace, inform workers' representatives and affected workers before putting the system into service. A fundamental rights impact assessment under Article 27 is mandatory only for public bodies, private entities providing public services, and the credit-scoring and life and health insurance uses in Annex III; most firms fall outside that trigger, but the assessment is still the natural way to document the remaining Article 26 duties. None of this is bureaucratic window-dressing. Each requirement has teeth.
Which Legal AI Tools Sit in the High-Risk Zone?
Here is where the industry needs an honest conversation, and isn't having one.
The major legal AI vendors, Thomson Reuters with its CoCounsel platform, LexisNexis with Lexis+ AI, Harvey AI, and others, have largely marketed their products as research and drafting assistants. That framing matters legally, because high-risk classification under Article 6 turns on a system's intended purpose. A tool that surfaces relevant cases and drafts a memo sits well away from the Annex III uses. A tool that predicts litigation outcomes, recommends settlement values, or informs judicial decision-making crosses into territory that regulators will scrutinize.
The Act's obligations attach to "placing on the market" and "putting into service", so a vendor that supplies a model fine-tuned for legal outcome prediction to a judicial customer faces a genuine conformity assessment obligation. More importantly, Article 25 turns a deployer into a provider if it substantially modifies a high-risk system or changes the intended purpose of a system that was not classified as high-risk, including a general-purpose one, so that it becomes high-risk. A firm that points a general-purpose document review tool at deciding which employees face disciplinary proceedings has made exactly that change; it then carries provider obligations on top of its deployer obligations, regardless of how the vendor classified the product.
The European AI Office has indicated it will look at actual use, not just vendor labeling, and the national market surveillance authorities that enforce the high-risk rules (the AI Office itself supervises general-purpose models) take the same view. Firms that assume their vendor's terms of service insulate them from liability are reading the Act selectively.
The Compliance Timeline Is Not Forgiving
The Act's phased rollout has created false comfort. Here is the actual schedule that matters for legal practice:
- 2 February 2025: Prohibited AI practices (Article 5) banned; the AI literacy duty on providers and deployers (Article 4) applies
- 2 August 2025: Obligations for providers of general-purpose AI models, together with the governance and penalty provisions, became applicable
- 2 August 2026: The remaining provisions, including the Annex III high-risk requirements and the deployer obligations, become enforceable
- 2 August 2027: Annex I high-risk systems (AI safety components of products covered by existing EU product legislation) come into scope
August 2026 is the critical deadline for most law firms. Conformity assessments take time. The technical documentation required by Article 11 and Annex IV must describe the model architecture, training data governance, and performance metrics; it is a provider obligation, so a firm needs its vendors to have those records ready and to be contractually bound to share what the firm needs for its own oversight and logging duties. Building those records retroactively is difficult. Building a defensible audit trail for a system you have already deployed without documentation is nearly impossible.
Firms operating in the UK have a separate but related concern. The UK government's approach to AI regulation remains principles-based and sector-led rather than rules-based, but the Act's territorial scope is not tied to where a firm is headquartered: under Article 2, it applies to providers and deployers established outside the EU whenever the output of the AI system is used in the Union. A firm serving EU clients from London, or running an EU office, is inside that scope.
The Penalty Structure Is Designed to Concentrate Minds
The EU AI Act's enforcement structure mirrors GDPR in important ways, including the part that gets attention in board meetings: the fines.
Under Article 99, violations involving prohibited AI practices carry fines up to €35 million or 7% of global annual turnover, whichever is higher. Violations of the high-risk system requirements, including the deployer obligations in Article 26, carry fines up to €15 million or 3% of global turnover. Supplying incorrect, incomplete or misleading information to notified bodies or national authorities carries fines up to €7.5 million or 1% of global turnover.
For a Global 50 law firm with revenues above $3 billion, a 3% fine means potential exposure exceeding $90 million. Regulators will pursue exemplary cases. The legal sector, given its sensitivity to client confidentiality and its role in the justice system, is a natural target for early enforcement action. The GDPR experience shows that regulators often choose visible, sophisticated defendants specifically because those cases generate compliance behavior across sectors.
What Your Firm Should Be Doing Now
Three months is not enough time to build compliance from scratch. It is enough time to make meaningful progress if work begins immediately.
Start with an inventory. Every AI tool in use across the firm, from procurement systems and HR platforms to document review, legal research, and contract analysis, needs to be catalogued and assessed against the Annex III criteria. For each tool, record the vendor's stated intended purpose and instructions for use, then compare them with how the firm actually uses it: Article 26 obligations are framed around those instructions, and a gap between the stated purpose and the real one is what triggers provider status under Article 25. Vendor agreements need review; many current contracts predate the Act and allocate compliance obligations, documentation, and log access ambiguously.
Then conduct a genuine fundamental rights impact assessment for any tool in contested territory, whether or not Article 27 formally requires one of your firm. Not a checkbox exercise, but a documented analysis of who is affected by the system's outputs, how errors could cause harm, and who at the firm is exercising the human oversight that Article 26 demands.
The firms that treat EU AI Act compliance as a competitive differentiator rather than a regulatory burden will be better positioned with European clients, better insulated from enforcement risk, and better prepared for the AI governance frameworks that other jurisdictions are actively building. The firms that wait for a regulator to force the issue will find it considerably more expensive.
The Act is law. The clock is running.