On August 2, 2025, the EU AI Act's provisions for General Purpose AI (GPAI) models under Article 53 became applicable, marking the first time the EU had imposed binding transparency and documentation obligations directly on the providers of large AI models. Legal AI platforms operating in the EU—including US-headquartered providers like Harvey AI and CoCounsel—became subject to requirements to publish technical documentation, maintain usage policies, and implement copyright compliance measures.
For law firms using these tools in EU jurisdictions, the transition created a new compliance dimension that sits alongside GDPR obligations: the EU AI Act's deployer obligations under Article 25. Law firms that deploy AI tools in professional contexts are "deployers" under the Act's framework, and they carry responsibilities that are distinct from—and in some cases not fully covered by—what AI providers are required to do.
As of mid-2026, EU regulatory guidance on Article 53's application to legal AI tools is still developing. This article provides the clearest analysis available of current requirements, with the caveat that enforcement priorities and interpretive guidance continue to evolve.
TL;DR
- EU AI Act Article 53 imposes GPAI provider obligations on companies releasing general purpose AI models in the EU—including US-headquartered legal AI providers operating in EU markets.
- Key Article 53 obligations: technical documentation of model capabilities and limitations, copyright compliance policies, and publication of model training data summaries.
- GPAI models with "systemic risk" (above the 10^25 FLOPs training compute threshold) face additional obligations, including adversarial testing and incident reporting.
- Law firms are "deployers" under Article 25 and must: ensure AI tools are used as intended, implement appropriate oversight measures, and not use AI tools in ways that violate EU fundamental rights.
- Harvey AI, CoCounsel, and other legal AI providers operating in the EU have published compliance documentation; verify this documentation before and after the August 2025 compliance date.
- The compliance timeline for GPAI obligations has a 12-month implementation window from the August 2025 applicability date for certain documentation requirements.
- Practical steps for law firms include: confirming vendor GPAI compliance status, reviewing vendor model cards and capability disclosures, and updating AI use policies to address Article 25 deployer obligations.
Background
The EU AI Act, formally adopted in July 2024, established the first comprehensive EU-wide regulatory framework for artificial intelligence. The Act takes a risk-based approach, with obligations proportionate to the risk level of AI systems: prohibited AI practices are banned outright; high-risk AI systems face extensive pre-market requirements; and GPAI models face transparency and documentation obligations regardless of the specific deployment context.
General Purpose AI models—defined in the Act as models trained on large amounts of data and capable of serving multiple purposes—include the foundation models that underpin most commercial legal AI tools. GPT-4, Claude, Gemini, and similar models are GPAIs; the legal AI applications built on top of them (Harvey AI, CoCounsel, and others) may or may not qualify as GPAIs themselves depending on whether the fine-tuned legal AI model meets the GPAI definition.
Article 53 establishes the core obligations for GPAI providers. These include:
- Drawing up and maintaining technical documentation describing the model's architecture, training methodology, and performance characteristics;
- Maintaining and making available information about training data, including copyright compliance measures;
- Establishing and implementing copyright policies;
- Publishing a sufficiently detailed summary of training data content.
For GPAI models classified as posing "systemic risk" (currently defined by a training compute threshold of 10^25 FLOPs), additional obligations apply: adversarial testing (red-teaming), incident reporting to the European AI Office, cybersecurity measures, and energy efficiency reporting.
The European AI Office, established under the Act, is responsible for enforcement of GPAI obligations. It can conduct investigations, require documentation, and impose fines of up to 3% of annual worldwide turnover for violations.
For law firms, the most immediately relevant provision is Article 25, which establishes deployer obligations. A deployer is any entity that uses an AI system under its own authority for professional purposes—which describes every law firm using a legal AI tool. Article 25 requires deployers to: use AI systems in accordance with the provider's instructions; implement appropriate human oversight measures; not deploy AI in ways that discriminate against individuals on protected grounds; and inform affected individuals when AI is used to make decisions affecting them in certain contexts.
Core Analysis
What Article 53 Requires from AI Providers
Article 53's documentation requirements are primarily obligations on AI model providers, not law firms. However, the documentation that providers must produce is directly relevant to law firm vendor evaluation:
Technical documentation: Providers must document the model's intended purposes, performance benchmarks, known limitations, and risks. For legal AI tools, this documentation should include accuracy benchmarks for legal research, known failure modes (e.g., hallucination rates in specific legal domains), and recommended human oversight practices.
Model cards: Article 53's documentation requirements align closely with the "model card" documentation practice that US AI companies have adopted voluntarily. A model card provides a structured description of a model's intended use, performance across relevant dimensions, and limitations. For law firms evaluating legal AI tools, model cards are now required for EU-deployed GPAI models—they should be requested as part of vendor due diligence.
Training data summaries: Providers must publish summaries of training data, including copyright compliance measures. For legal AI tools trained on legal documents, case law, and professional publications, the copyright compliance measures are specifically relevant—particularly for tools that may have trained on copyrighted legal research databases.
Usage policy: Providers must establish a usage policy that prohibits uses that violate EU law. For legal AI tools, this should address prohibited uses such as generating misleading legal information, discriminatory legal advice, or content that violates fundamental rights.
Impact on Harvey AI, CoCounsel, and US-Based Legal AI Tools in the EU
US-headquartered legal AI providers operating in EU markets are subject to Article 53 obligations if their underlying models meet the GPAI definition. The extraterritorial reach of the EU AI Act—which mirrors GDPR's extraterritorial scope—means that a US provider whose model is used in the EU must comply regardless of where the provider is headquartered.
Harvey AI: Harvey has EU operations and has engaged with EU AI Act compliance. As of mid-2026, Harvey has published compliance documentation addressing GPAI requirements for its EU deployments. Law firms using Harvey in EU jurisdictions should request and review this documentation.
CoCounsel (Thomson Reuters): Thomson Reuters has extensive compliance infrastructure from its existing GDPR compliance; its EU AI Act compliance approach builds on that foundation. CoCounsel's GPAI documentation should be available through Thomson Reuters' legal compliance channels.
Leya and Legora: EU-headquartered legal AI providers face the same Article 53 obligations but have the advantage of native EU regulatory familiarity. Both have engaged actively with EU AI Act compliance requirements.
The practical implication for law firms: request providers' Article 53 compliance documentation as part of vendor due diligence. This documentation—technical specifications, training data summaries, model cards—provides information about tool capabilities and limitations that is directly relevant to supervising AI-assisted legal work.
Transparency Requirements: Model Cards and Capability Disclosures
Model cards and capability disclosures required by Article 53 are valuable inputs to law firm AI governance. A model card for a legal research AI should include:
- Accuracy benchmarks for the specific legal research tasks the tool is designed for
- Jurisdiction coverage and limitations
- Known failure modes (e.g., lower accuracy in specific practice areas, hallucination frequency)
- Recommended human oversight practices
- Training data categories and copyright compliance measures
Law firms should use model card information to calibrate their supervision workflow: a model with documented lower accuracy in a specific practice area should receive more intensive attorney review in that area. Model cards turn abstract "AI has limitations" warnings into specific, actionable calibration of oversight.
Law Firm Obligations as Deployers Under Article 25
Article 25 deployer obligations are the provisions most directly applicable to law firm practice. The key requirements:
Use in accordance with instructions: Law firms must use AI tools as described in the provider's usage instructions. If a tool's documentation indicates it should not be used for final legal advice without attorney review, using it for final advice without review would violate Article 25.
Human oversight: Law firms must implement appropriate technical and organizational measures to ensure meaningful human oversight of AI tool use. This directly supports—and may require—the supervision workflows described in this guide's companion articles on AI-assisted drafting and research.
Non-discrimination: AI tools must not be used in ways that discriminate against individuals on grounds of race, sex, religion, or other protected characteristics under EU law. For legal AI tools used in client intake screening, case selection, or document analysis, this requires affirmative assessment of potential discriminatory effects.
Informing individuals: In certain contexts where AI makes or contributes to individual decisions, individuals must be informed that AI was used. The scope of this requirement in legal practice contexts is still being clarified through EU regulatory guidance.
Compliance Timeline
The EU AI Act's GPAI provisions became applicable August 2, 2025. Certain documentation requirements have a 12-month implementation period running to August 2026. The European AI Office has indicated a focused initial enforcement approach on systemic-risk GPAIs; enforcement on non-systemic-risk GPAI providers is expected to ramp through 2026–2027.
For law firms, the compliance urgency is primarily in: (1) confirming that legal AI vendors are aware of and addressing their Article 53 obligations; (2) reviewing and updating firm AI use policies to address Article 25 deployer requirements; and (3) requesting model card/capability disclosure documentation as part of the next vendor review cycle.
Walk-through
A 250-attorney EU-based firm updated its legal AI governance framework in Q4 2025 to address EU AI Act compliance:
Step 1: Inventoried all AI tools in use across the firm's EU offices. Identified four tools potentially subject to GPAI provisions and two tools that the firm uses as a deployer under Article 25.
Step 2: Requested Article 53 compliance documentation from each vendor: technical documentation, model card, training data summary, usage policy. Two vendors provided documentation promptly; two required follow-up. One vendor was unable to provide a training data summary, which the firm escalated to its procurement committee.
Step 3: Reviewed vendor documentation against Article 25 deployer requirements. Identified gaps in the firm's AI use policy: no explicit human oversight requirements and no non-discrimination assessment for the client intake AI tool.
Step 4: Updated AI use policy to include: mandatory attorney review requirements keyed to tool-specific model card limitations; non-discrimination assessment for intake screening; training for all attorneys on Article 25 deployer obligations.
Step 5: Scheduled annual EU AI Act compliance review for each vendor, aligned with existing GDPR annual review cycle.
Recommended Tools
Leya – EU-headquartered with native EU AI Act compliance infrastructure; best choice for EU firms prioritizing regulatory compliance.
Legora – EU-based legal AI with proactive EU AI Act engagement; strong for Nordic and Continental European deployments.
Harvey AI – Active EU AI Act compliance program; documentation available for enterprise clients.
CoCounsel – Thomson Reuters compliance infrastructure provides foundation for EU AI Act documentation.
vLex – European legal research provider with established EU regulatory compliance; relevant for research-focused deployments.
FAQ
Q: Does Article 53 apply to all legal AI tools used in the EU, or only to the largest models?
A: Article 53 applies to GPAI models—models trained on large datasets for multiple purposes. The definition includes the foundation models (GPT-4, Claude, Gemini) underlying most legal AI tools. Whether a fine-tuned legal AI tool itself qualifies as a GPAI depends on whether it meets the definition; European AI Office guidance on this question is still developing.
Q: As a deployer, can our firm be held liable for an AI tool provider's failure to comply with Article 53?
A: Deployer obligations under Article 25 are distinct from provider obligations under Article 53. A deployer is not directly liable for a provider's Article 53 failures, but a deployer may face scrutiny if they continued to use a non-compliant tool after being aware of the compliance gap. Maintaining documentation of vendor compliance requests supports the firm's own compliance posture.
Q: How does the EU AI Act interact with our GDPR compliance obligations for AI tools?
A: They operate in parallel. GDPR governs personal data processing, which includes personal data processed by AI tools. The EU AI Act governs AI system development and deployment more broadly, including requirements that do not turn on personal data processing. A firm needs both GDPR-compliant data processing agreements and EU AI Act-compliant deployer practices for legal AI tools handling EU data.
Q: Our firm uses AI tools for internal legal research only, not for client-facing advice. Do Article 25 deployer obligations still apply?
A: Yes. Article 25 deployer obligations apply to professional use of AI systems, not just client-facing use. Internal research, document review, and drafting support all constitute professional AI deployment. The human oversight and non-discrimination requirements apply regardless of whether the output is delivered to clients.
Q: What happens if a legal AI vendor is not compliant with Article 53 by the implementation deadline?
A: The European AI Office can investigate, require compliance, and impose fines up to 3% of annual worldwide turnover. For law firms, the practical risk is that using a non-compliant AI tool creates uncertainty about whether the tool's outputs can be relied upon in EU legal practice and may be scrutinized by bar authorities. Confirming vendor compliance should be part of your vendor review cycle.
Key Takeaways
The EU AI Act's Article 53 requirements mark a new era of regulatory accountability for legal AI providers operating in European markets. For the first time, the firms and practitioners using these tools have access to required technical documentation—model cards, capability disclosures, training data summaries—that should inform how AI tools are supervised and used.
Law firms' Article 25 deployer obligations are not onerous for firms already operating with good AI governance practices: human oversight, use in accordance with instructions, non-discrimination assessment. The EU AI Act codifies what responsible AI deployment already requires.
The practical compliance steps are manageable: inventory your AI tools, request Article 53 documentation from vendors, review your firm's AI use policy against Article 25 requirements, and incorporate EU AI Act compliance into your annual vendor review cycle. Firms that have already built robust AI governance frameworks around attorney-client privilege protection, data handling, and supervision will find that EU AI Act compliance is largely an extension of what they are already doing.
The regulatory landscape will continue to evolve. The European AI Office's enforcement priorities, interpretive guidance on the GPAI definition, and case law on deployer liability are all still developing. Firms with proactive AI governance frameworks are better positioned to adapt as the requirements clarify.
This article reflects independent editorial analysis. LawyerAI does not accept payment for editorial coverage. Tool scores are based on methodology described in Our 5-Dimension Methodology. Last reviewed: 2026-08-18.
