LawyerAI Independent Reviews

EU AI Act

Regulation 2024/1689, the world's first comprehensive AI law, classifying AI systems into four risk tiers with obligations applying to providers and deployers including law firms.

Last reviewed: 2026/05/22

Definition

Why It Matters for Lawyers

How AI Tools Handle It

Frequently Asked Questions

Does the EU AI Act apply to a US law firm that only has US offices?

It depends on whether the firm's AI-assisted work produces outputs used within the EU. If the firm uses an AI legal research tool while advising an EU-incorporated client on an EU-law matter, the AI system's output is used within the EU, and the Act's deployer obligations apply under Article 2(1)(c). US firms with no EU clients and no EU-based personnel are less likely to be directly subject to the Act, though they may encounter it through vendor compliance requirements or client contractual demands. Any firm that regularly advises on EU law or EU client matters should treat the Act as applicable.

What is the difference between the EU AI Act and GDPR for law firm purposes?

GDPR governs the processing of personal data of EU residents — it applies whenever a law firm processes personal data, regardless of whether AI is involved. The EU AI Act governs the deployment and use of AI systems — it applies when a law firm uses AI tools, regardless of whether personal data is involved. The two regulations overlap when an AI tool processes personal data (which is common in legal work), and in that case both sets of obligations apply concurrently. A Data Processing Agreement under GDPR is required; a fundamental rights impact assessment under the AI Act may also be required for high-risk AI use.

Will the EU AI Act require us to disclose AI use to clients?

Article 50 requires transparency to users when they interact with AI systems that could be mistaken for human output. In the lawyer-client context, this means disclosing when AI-generated analysis, advice, or documents are provided to clients in a way that might be mistaken for entirely human-authored work. The duty of candor and competence obligations under national bar rules may impose similar or additional disclosure requirements independent of the AI Act. As a practical matter, proactive disclosure of AI use in client work is increasingly standard in firms' engagement letters.

Related Concepts

Security

AI Act Article 53 (GPAI Transparency)

EU AI Act Article 53 requires general-purpose AI providers to publish training data summaries, copyright policies, and technical documentation for EU market access.

Security

GDPR (General Data Protection Regulation)

EU Regulation 2016/679 governing personal data collection, processing, and transfer for EU residents — directly applicable to law firms using AI tools on EU client matters.

Security

Harmonised Standards (EU AI Act Compliance)

Harmonised standards are voluntary EU technical specifications that, when followed, create a legal presumption that an AI system complies with the EU AI Act's requirements.

Related Tools

  • Legalfly

    European-compliant AI legal platform with built-in GDPR safeguards for contract review and research.

  • Harvey AI

    The most expensive legal AI in the market — Am Law 100 firms only.

  • Luminance

    Enterprise AI for portfolio-level contract analysis and institutional memory.

  • Legora

    Modern AI workspace for collaborative legal work, EU-grown.

  • Definely

    Word-native AI drafting with definition tracking and risk markup.

Related Reading

  • The EU AI Act and Legal AI: What Law Firms Must Know in 2026

Last reviewed: 2026/05/22. Definitions are written by the LawyerAI Editorial team. We do not accept affiliate commissions; Featured placement is clearly labeled and does not influence editorial content.


The EU AI Act (Regulation 2024/1689 of the European Parliament and of the Council) is the world's first comprehensive horizontal regulation of artificial intelligence systems. It classifies AI systems into four risk tiers — unacceptable risk, high risk, limited risk, and minimal risk — and imposes differentiated compliance obligations on providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in a professional context). It entered into force on August 1, 2024.

For law firms, the Act's significance is twofold. First, as deployers of AI tools, law firms bear compliance obligations — particularly when using AI in activities that fall within Annex III's high-risk categories, which include AI used in the administration of justice and legal research. Second, as advisors to clients in regulated industries, law firms need to understand the Act's requirements to counsel clients who are themselves subject to it as AI providers or deployers.

The EU AI Act's territorial reach extends well beyond EU borders. Under Article 2, the Act applies to: providers placing AI systems on the EU market; providers located outside the EU whose AI systems produce outputs used within the EU; deployers of AI systems located within the EU; and deployers located outside the EU when the output of the AI system is used within the EU. A US-headquartered law firm that uses an AI legal research tool while advising EU clients — or that operates EU offices — is caught by the Act's deployer obligations for any AI system that falls within the regulated risk categories.

The compliance timeline has been phased. The regulation entered into force on August 1, 2024. Prohibitions on unacceptable-risk AI practices became enforceable from February 2, 2025. Obligations for General Purpose AI (GPAI) models take effect August 2, 2026. Obligations for high-risk AI systems listed in Annex III take effect August 2, 2027. Law firms that delay compliance assessment until 2027 will be starting from a standstill when enforceable obligations arrive.

The penalty structure is significant. Violations of the prohibited practices provisions (Article 5) carry fines of up to €35 million or 7 percent of total worldwide annual turnover, whichever is higher. Violations of other requirements — high-risk system obligations, transparency obligations, GPAI compliance — carry fines up to €15 million or 3 percent of turnover. Providing false or misleading information to authorities carries fines up to €7.5 million or 1 percent of turnover. These are maximum figures subject to proportionality, but the thresholds signal that enforcement against large law firms is within scope of regulators' mandate.

The ABA has not yet issued formal guidance on how US model rules interact with EU AI Act obligations, but several state bar ethics committees have issued preliminary guidance indicating that competence under Model Rule 1.1 requires lawyers who use AI tools to understand the applicable legal framework governing those tools — which, for EU client matters, includes the AI Act.

How It Works (Technical)

The Act's risk classification operates as a cascade.

Unacceptable risk (prohibited) — Article 5 lists AI practices that are permanently banned from the EU market. These include: AI systems that deploy subliminal or manipulative techniques to distort behavior in a way that causes harm; AI systems that exploit vulnerabilities based on age, disability, or social/economic situation; social scoring systems by public authorities; real-time remote biometric identification systems in publicly accessible spaces (with narrow law enforcement exceptions); AI systems used to infer emotions in the workplace or educational institutions; and AI systems used to create or expand facial recognition databases through untargeted scraping. Most commercial legal AI tools do not implicate these prohibitions.

High risk (Annex III) — The high-risk category is the operationally significant one for legal AI. Annex III lists eight areas where AI systems are presumptively high-risk. Area 8 is directly relevant: "AI systems intended to be used in the administration of justice and democratic processes." This includes AI systems used by or on behalf of courts or judicial authorities to research the law, assess evidence, predict case outcomes, or assist in legal analysis. Deployers of high-risk AI must: conduct a fundamental rights impact assessment; maintain logs of system use; ensure human oversight by qualified personnel; implement transparency measures toward end users; register the system in an EU database; and conduct conformity assessments.

Limited risk — AI systems that interact with humans (chatbots, AI-generated content) have transparency obligations under Article 50: users must be informed they are interacting with an AI. An AI legal research assistant that generates written analysis must disclose that the output is AI-generated if it could be mistaken for human-authored content.

Minimal risk — AI systems such as spam filters or AI in video games face no specific obligations under the Act.

General Purpose AI (GPAI) — Article 53 — Large foundation models (such as GPT-4, Claude, Gemini) are subject to special GPAI obligations regardless of their downstream classification. Providers of GPAI models must maintain technical documentation, comply with EU copyright law, and publish summaries of training data. Models with "systemic risk" (above a compute threshold currently set at 10^25 FLOPs) face additional requirements including adversarial testing and incident reporting. Legal AI tools built on top of GPAI foundation models inherit some of these requirements at the provider level, which passes indirectly to deployers through vendor contracts.

How Legal AI Vendors Address It

LegalFly is built as an EU-native platform with AI Act compliance as a first-class design requirement. It maintains documentation required for high-risk AI deployers and is designed to support law firms in meeting their Annex III obligations. LegalFly's legal basis for processing is documented in its DPA and terms of service with explicit reference to AI Act Article 6 and Annex III requirements. The limitation is primarily market scope: LegalFly is strongest for European legal workflows and may lack coverage depth for US legal research.

Legora is EU-native and has incorporated AI Act compliance into its platform architecture, including the GPAI transparency obligations under Article 53 for its foundation model integrations. Its legal research and drafting features are designed with Annex III high-risk awareness. Like LegalFly, its primary market is EU-based law firms, and US-centric legal practice workflows are not its core competency.

Harvey AI is US-based and deployed on US infrastructure by default. Harvey's EU compliance path runs through its enterprise agreement structure — large law firm clients can negotiate EU-specific DPAs, regional deployment on EU Azure infrastructure, and AI Act deployer compliance documentation. Harvey has announced EU entity formation and European partnerships to address the compliance gap. However, law firms that signed standard Harvey agreements before mid-2025 and have not negotiated AI Act compliance addenda may not have adequate documentation for Annex III purposes. Verify the current state of Harvey's EU compliance offering directly with the vendor before using it for AI Act-regulated activities.

Luminance is UK-based. Post-Brexit, UK law firms using Luminance for UK-only matters are not subject to EU AI Act obligations as deployers. However, Luminance has EU clients and EU operations, which brings portions of its activity within the Act's scope. Luminance has published general compliance documentation but has been more guarded than EU-native competitors about specific AI Act conformity details. UK-based law firms advising EU clients or operating EU offices should assess their Luminance use against EU AI Act deployer obligations independently.

Definely is a UK-based contract review platform. Its AI Act exposure as a tool used primarily for contract markup and review depends on whether its use in a given matter falls within the Annex III administration-of-justice category. For contract review in a transactional context — not judicial proceedings — the high-risk classification is less likely to apply, but the transparency obligations of Article 50 (AI disclosure) and the general GPAI obligations of Article 53 (through the foundation models Definely uses) remain relevant. Definely has publicly committed to monitoring EU AI Act developments but has not yet published formal conformity documentation.

How Lawyers Should Verify and Apply EU AI Act Exposure

  1. Map every AI tool used by your firm against the Annex III list. Identify each AI system in use (legal research assistants, document review platforms, contract analysis tools, predictive outcome tools) and assess whether its intended use falls within any of the Annex III high-risk categories, with particular attention to Area 8 (administration of justice). Document this mapping in writing — it is the starting point for any compliance assessment.

  2. Request AI Act compliance documentation from each vendor. Ask vendors to provide: a description of the AI system's intended purpose, its risk classification under the Act, its conformity assessment (for high-risk systems), its GPAI compliance documentation (if built on a foundation model above the systemic risk threshold), and its fundamental rights impact assessment. Absence of documentation is itself a compliance signal.

  3. Assess your role: are you a deployer or a provider? If your firm uses off-the-shelf legal AI tools, you are a deployer. If your firm develops proprietary AI tools for internal use or client delivery, you may also be a provider with additional obligations. Most law firms are deployers only, but firms with significant legal technology practices or in-house AI development should assess both roles.

  4. Review client contracts for AI Act representations. Clients in regulated industries (financial services, healthcare, critical infrastructure) may contractually require outside counsel to certify that AI tools used on their matters comply with applicable AI regulations. Review existing engagement letters and outside counsel guidelines for such provisions; they are appearing in new agreements with increasing frequency.

  5. Monitor the European AI Office's implementing guidance. The AI Act framework is elaborated by technical standards from European standardization bodies (CEN, CENELEC) and guidance from the European AI Office established under Article 64. High-risk conformity assessment methodologies and fundamental rights impact assessment templates are being published on a rolling basis through 2026 and 2027. Assign responsibility within your firm for tracking these developments.