EU AI Act: Key compliance obligations for lawyers and law firms 2026
Regulation (EU) 2024/1689 (AI Act) enters into force in phases from 2024. We analyse which AI systems are high-risk in the legal sector, transparency obligations and fines of up to 3% of global turnover.
What is the AI Act and when does it bind law firms?
The EU AI Regulation 2024/1689 (AI Act) is the world's first horizontal AI framework. It entered into force on 1 August 2024, with obligations phased in:
- February 2025: Prohibition of unacceptable AI systems (Art. 5), such as subliminal manipulation, social scoring and mass biometric surveillance.
- August 2025: Application to general-purpose AI models (GPAI), with obligations for providers such as OpenAI and Anthropic.
- August 2026: Full application to high-risk systems (Annex III), including those used in justice administration.
High-risk AI systems in the legal sector
Annex III, point 8 of the AI Act classifies as high-risk those AI systems used by public authorities (and, under certain conditions, private parties) in the administration of justice and democratic processes:
- Judicial decision support systems (evidence assessment, outcome prediction).
- Recidivism risk assessment or procedural credit scoring tools.
- Remote biometric identification systems (Art. 26 AI Act).
Law firms using AI tools to manage cases, draft documents or assess matters are not generally "high-risk entities" if they act as mere end-users of general-purpose models. However, if they deploy or adapt a model for decisions affecting individuals' rights, they may become subject to provider obligations (Art. 25 AI Act).
Transparency obligations (Arts. 50-52)
Even for low-risk systems, the AI Act requires:
- Duty to inform: when an AI system interacts with people (chatbots, virtual assistants), it must identify itself as AI.
- Watermarking synthetic content: deepfakes or AI-generated documents must be labelled.
- End-user information: if the firm uses an AI assistant to draft pleadings, consider whether clients have a right to know (especially under GDPR transparency obligations, Art. 5.1.a).
Sanctions
The AI Act enforcement regime (Art. 99) provides:
| Infringement | Maximum fine |
|---|---|
| Prohibited systems (Art. 5) | €35,000,000 or 7% global turnover |
| High-risk non-compliance | €15,000,000 or 3% global turnover |
| Incorrect information to authorities | €7,500,000 or 1% global turnover |
For SMEs and start-ups, fines will be proportionately reduced.
Compliance roadmap for law firms
- AI tool inventory (including those embedded in case management software, CRM or legal databases).
- Risk classification of each tool (Art. 6 + Annex III).
- Provider due diligence: require technical documentation (Art. 11), declaration of conformity (Art. 47) and EU database registration (Art. 71).
- Update engagement letters to include clauses on AI use in the matter.
- Team training on responsible use of generative AI.