EU AI Act obligations for legal firms: what law offices must do before August 2026

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, and its first wave of obligations begins in August 2026 — less than six weeks away. For legal firms and law offices across the European Union, the regulation is not an abstract compliance exercise: it directly governs AI tools used for contract review, legal research, document drafting, client-facing chatbots, and predictive litigation analysis. Failing to comply carries fines of up to €35 million or 7% of global annual turnover, whichever is higher.

WHAT IS THE EU AI ACT: Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level — unacceptable, high, limited, and minimal — and imposes obligations on providers, deployers, importers, and distributors of AI systems placed on the EU market. Law firms acting as deployers of third-party AI tools face obligations under Articles 26–29 of the Regulation.

€35M / 7%

"Maximum fines under the EU AI Act for deployers or providers of prohibited AI practices: the higher of €35 million or 7% of total worldwide annual turnover. For violations related to high-risk AI systems, the ceiling is €15 million or 3% of turnover. Mid-size law firms with significant international turnover face material financial exposure."
— Regulation (EU) 2024/1689, Article 99, 2024

The AI Act timeline: key deadlines for legal firms

The AI Act does not come into force all at once. It applies in phases, and understanding the timeline is the most critical first step for any law office compliance programme:

| Deadline | What applies | Relevant Article | Risk for legal firms |
|---|---|---|---|
| 2 February 2025 (already in force) | Prohibited AI practices ban | Art. 5 | No subliminal manipulation, no social scoring |
| 2 August 2025 (already in force) | GPAI model rules | Art. 51–55 | LLM-based tools may be affected |
| 2 August 2026 | High-risk AI system obligations (FULL APPLICATION) | Arts. 6, 10, 13, 26–29 | HIGH — most legal AI tools |
| 2 August 2027 | General-purpose AI systems (existing) | Art. 111 | Medium — legacy systems |

Article 6: Is the AI your firm uses classified as high risk?

Article 6 of the AI Act defines high-risk AI systems by reference to Annex III, which lists specific use cases. For legal firms, the most directly relevant entry is Annex III, point 8: AI systems intended to be used in the administration of justice and democratic processes. This includes AI tools that assist judges, lawyers, or legal professionals in interpreting facts, applying law, or making or preparing judicial or quasi-judicial decisions.

Practically speaking, the following tools are likely to fall within or near this category:

- Predictive litigation tools that estimate case outcomes or judicial tendencies.
- Contract analysis AI that identifies legal risks and recommends modifications.
- Automated legal research systems that generate legal opinions or summaries.
- Client-facing chatbots that provide advice on legal rights and obligations.

By contrast, AI tools used purely for internal administrative purposes — scheduling, invoicing, HR — are unlikely to qualify as high-risk under Annex III unless they involve biometric identification or employee monitoring.

Article 10: Data governance obligations

If the AI your firm uses (or if your firm provides AI as a service) falls within the high-risk category, Article 10 requires that training, validation, and testing data meet specific quality criteria. For law firms acting as deployers (not providers), the most relevant obligations are those in Article 26, which requires deployers to:

- Ensure that AI is used in accordance with the instructions for use provided by the provider (Art. 26.1).
- Assign human oversight of the AI system (Art. 26.5), including the ability to pause or override AI outputs.
- Carry out a fundamental rights impact assessment before deploying high-risk AI (Art. 27).
- Register the use of high-risk AI in the EU database (Art. 49).

Article 13: Transparency and explainability

Article 13 of the EU AI Act requires that high-risk AI systems be sufficiently transparent to allow deployers to understand and use them appropriately. For legal firms, this translates to three concrete obligations:

1. User documentation. The AI provider must supply technical documentation explaining how the system works, its limitations, and circumstances where it may not perform reliably. Law firms must read this documentation, not merely click through licence terms.
2. Explainable outputs. When an AI system assists in a legal decision (for instance, a case risk assessment), the firm must be able to explain to the client how the conclusion was reached. Relying on a black-box output without the ability to audit the reasoning chain is non-compliant.
3. Logging. High-risk AI systems must keep logs sufficient to ensure traceability of decisions. Law firms must retain these logs for the period required by applicable national law, and in any event for at least six months (Art. 12).

Article 50: Transparency obligations for AI-generated content

Article 50 introduces transparency obligations for AI-generated content. When a law firm uses AI to draft legal documents, correspondence, or client-facing communications, and that content could reasonably be mistaken for human-generated output, the firm must disclose that the content was AI-generated. This obligation applies even when the AI is used for limited assistance (for example, generating a first draft of a contract clause).

How IgeraLegal handles AI Act compliance

Law firm partner asks: "We use an AI contract review tool. Are we required to register with the EU AI Act database before August 2026?"

IgeraLegal responds: "Yes, if the contract review tool qualifies as a high-risk AI system under Art. 6 and Annex III of Regulation (EU) 2024/1689, you as a deployer must register its use in the EU AI Act public database (Art. 49) before 2 August 2026. You must also carry out a fundamental rights impact assessment (Art. 27) and ensure human oversight is in place (Art. 26.5). I can generate your compliance checklist and draft the impact assessment template. Shall I proceed?"

Is your law firm's AI usage compliant with the EU AI Act by August 2026? IgeraLegal maps your AI tools to the correct risk category, generates your compliance checklist, and drafts your impact assessment.

GPAI models and law firm exposure (Articles 51–55)

General-Purpose AI (GPAI) models — large language models such as GPT-4o, Gemini, Claude, or Llama — are subject to specific obligations under Articles 51 to 55 of the AI Act. These rules apply primarily to the providers of such models, not to law firms that use them via API or third-party products. However, law firms that fine-tune a GPAI model on their own legal data or that integrate GPAI capabilities into a product they distribute may acquire provider obligations.

The distinction between deployer and provider matters enormously: deployers face proportionate obligations (impact assessments, oversight, registration); providers face extensive technical requirements (data governance, testing, conformity assessments, transparency measures). Most law firms are deployers, but the line can blur rapidly when firms customise AI tools.

Prohibited practices: what legal firms must never do (Art. 5)

Article 5, which has been in force since February 2025, prohibits a number of AI practices outright. For legal firms, the most relevant prohibitions are:

- Using AI to exploit vulnerabilities of individuals based on age, disability, or socioeconomic status — for instance, tools that identify financially vulnerable opposing parties and suggest aggressive tactics targeting their weaknesses.
- AI-based social scoring that classifies individuals based on their behaviour or personal characteristics in ways that cause unjustified harm.
- Real-time remote biometric identification in public spaces (save for narrowly defined law-enforcement exceptions).

In summary: EU AI Act obligations for legal firms

- Most AI tools used in legal research, contract review, and client advice likely qualify as high-risk under Art. 6 and Annex III, point 8.
- Deployers must complete a fundamental rights impact assessment (Art. 27), assign human oversight (Art. 26.5), and register in the EU database (Art. 49) before 2 August 2026.
- AI-generated client communications must be disclosed as such under Art. 50.
- High-risk AI outputs must be auditable: retain logs for at least six months (Art. 12).
- IgeraLegal automates your compliance checklist, maps your AI inventory to the correct risk tier, and generates audit-ready documentation.

Frequently asked questions

Does the EU AI Act apply to law firms outside the EU that advise EU clients?

The AI Act applies to providers placing AI systems on the EU market and to deployers using AI systems in the EU. A non-EU law firm whose AI tools process the data of EU clients or whose AI outputs are used within the EU may fall within the Regulation's territorial scope under Art. 2.1(c). International firms advising EU clients should seek specific legal advice on their exposure.

Are legal research databases (such as Westlaw or LexisNexis) considered high-risk AI?

Traditional legal research databases that retrieve documents based on keyword or boolean search are not AI systems under the AI Act. AI-enhanced features — such as predictive search, automatic case summarisation, or outcome prediction — may qualify as AI systems and, if used for legal advice, could fall within Annex III. Firms should audit each AI-enhanced feature separately.

What is a fundamental rights impact assessment and how long does it take?

A fundamental rights impact assessment (FRIA) under Art. 27 is a structured review of the potential impact of a high-risk AI system on the rights enshrined in the EU Charter of Fundamental Rights, including the right to a fair trial, privacy, and non-discrimination. For a law firm deploying a contract review AI, a FRIA typically takes two to four weeks with proper templates and should be reviewed annually or whenever the AI system is significantly updated.

Can law firms be fined for using an AI tool provided by a non-compliant vendor?

Yes. Deployers (law firms) have independent obligations under the AI Act. Even if the AI provider is non-compliant, the law firm as deployer can be fined for failing to conduct due diligence, failing to assign oversight, or using the AI system in a manner inconsistent with the instructions for use. Vendor compliance does not extinguish deployer liability.

How does the AI Act interact with legal professional privilege?

The AI Act does not override professional privilege, but it creates new tensions. Logging requirements (Art. 12) may generate records of AI-assisted legal work that could, in theory, be subject to disclosure obligations in litigation. Law firms should consider whether AI interaction logs are covered by privilege and should address this in their data governance policies before August 2026.

What is IgeraLegal and how does it help with AI Act compliance?

IgeraLegal is a RAG-based AI platform designed specifically for legal firms. Unlike generic AI tools, IgeraLegal retrieves information exclusively from your firm's approved document corpus — client files, case law, internal precedents — with full auditability of every response. This architecture is specifically designed to meet the transparency and traceability requirements of Articles 13 and 12 of the AI Act, making compliance documentation significantly easier to produce.

August 2026 is weeks away. Is your firm's AI inventory mapped and compliant? IgeraLegal generates your AI risk assessment, impact assessment templates, and EU database registration checklist in one workflow.

Last updated: June 2026 | Author: IgeraSolutions Team | Sources: Regulation (EU) 2024/1689 (EU AI Act), Arts. 5, 6, 10, 12, 13, 26, 27, 49, 50, 51–55, Annex III; European Commission AI Act Implementation Guide 2025; European Data Protection Board Opinion 28/2024