All articles
·9 min

EU AI Act: what law firms using AI need to know

The EU AI regulation applies in phases, and several deadlines have just been pushed back. Here is what truly applies to a law firm in 2026.

EU AI Act: what law firms using AI need to know

Regulation (EU) 2024/1689, known as the AI Act, is the world's first horizontal framework dedicated to artificial intelligence. It entered into force on 1 August 2024 and applies in stages. Law firms wear two hats: deployers of AI tools in their own practice, and counsel to clients confronted with the text.

A risk-based approach

The AI Act does not regulate AI as such, but its uses, classified into four risk levels. The same technology can be free, supervised, heavily regulated or banned depending on the context.

  • Unacceptable risk (prohibited): social scoring, cognitive manipulation, emotion recognition in the workplace, predictive assessment of criminal risk based on profiling alone.
  • High risk: uses listed in Annex III, including the administration of justice and certain HR or biometric processes.
  • Limited risk: transparency obligations (chatbots, generated content, deepfakes).
  • Minimal risk: no specific obligation.

The timetable, and its postponement

Several blocks are already fully applicable: the prohibitions (Article 5) and the AI literacy obligation (Article 4) since 2 February 2025, and the rules on general-purpose AI models (GPAI) since 2 August 2025.

The heaviest obligations were due to apply on 2 August 2026. The 'Digital Omnibus' package, on which the European Parliament took position in June 2026, postpones them: Annex III high-risk systems are pushed to 2 December 2027, and those integrated in regulated products (Annex I) to 2 August 2028.

A word of caution: this postponement is not yet final at the time of writing. It must be approved by the Council and published in the Official Journal, an expected deadline before 2 August 2026. Until that publication, the original dates remain, strictly speaking, the applicable text. The prudent position is to retain the original timetable, subject to the entry into force of the Omnibus.

Administration of justice: a high-risk use

Annex III classifies as high risk systems designed to assist a judicial authority in researching and interpreting facts and the law, as well as comparable uses in alternative dispute resolution. The nuance matters: the text targets decision-making bodies, not the lawyer as such.

A tool used by a firm to draft pleadings, summarise a file or search case law is not, by construction, a high-risk system. Conversely, a tool designed to assist a judge or an arbitrator to decide falls within the heavy regime: technical documentation, risk management, human oversight, robustness, cybersecurity. The AI Act does not turn a lawyer using AI into a high-risk operator, but it does require understanding the qualification of every deployed tool and training the teams.

Generative AI and transparency

Since August 2025, providers of general-purpose models (GPT-4, Claude, Mistral Large, Gemini, etc.) bear specific obligations: technical documentation, public summary of training data, respect for EU copyright. For a firm that does not train its own models, the direct impact is limited, but the indirect effect is major: contracts signed with a legal AI vendor must pass these requirements through.

Added to this are the transparency obligations of Article 50: informing the user of a chatbot, marking AI-generated content, labelling deepfakes. In practice, an email generated by AI on behalf of the firm does not have to be labelled to the recipient, because the lawyer endorses and assumes responsibility for it. By contrast, a public chatbot deployed on the firm's website must clearly indicate that it is not a human.

AI literacy, already in force

Since February 2025, Article 4 requires every AI deployer to ensure a sufficient level of literacy among the people who use these systems. For a firm, this means at minimum:

  • documented training of staff;
  • an internal policy on authorised tools and forbidden uses;
  • a traceable regular update;
  • awareness of the risks of hallucination, bias and data leakage.

Interaction with the GDPR and professional secrecy

The AI Act does not replace the GDPR, it adds to it, and professional secrecy imposes its own constraints. A tool that is AI Act-compliant but not GDPR-compliant remains unlawful, and vice versa. The two regimes are not triggered by the same criterion: the GDPR presupposes processing of personal data, the AI Act applies as soon as a system is placed on the market or used in the Union, regardless of where it is hosted. European hosting is an asset for the GDPR and professional secrecy, but it does not exempt anyone from AI Act obligations.

Penalties

The regime is deterrent: up to EUR 35M or 7% of worldwide turnover for prohibited uses, EUR 15M or 3% for breaches of the main obligations, EUR 7.5M or 1% for the supply of inaccurate information. For large companies, the higher amount applies; for SMEs and startups, the lower one applies, a nuance favourable to young vendors. In France, the CNIL is expected to become the reference authority, supported by the DGCCRF and several sectoral authorities.

Choosing a legal AI tool

Before the AI Act, the dominant criterion was the GDPR. Three questions are now added: what AI Act qualification does the provider claim, and is the documentation available? Which underlying GPAI models are used, and has their compliance been verified? How does the vendor support your AI literacy obligation?

KAIUS's position

KAIUS is designed and hosted in Europe, which primarily serves the GDPR and professional secrecy. With regard to the AI Act, the decisive asset is not hosting but positioning: KAIUS is an assistant for lawyers, not a judicial decision-support system. That is what keeps it outside the high-risk perimeter of Annex III, whose item on the administration of justice targets tools designed to assist a judicial authority. The GPAI models used are selected from providers whose obligations are publicly documented.

Each client firm receives, on request, an AI Act sheet summarising the qualification of the system, its scope of use, the underlying models and the training materials available to satisfy Article 4.

Ready to put it into practice?

Try KAIUS free for 14 days, no credit card.

Start my trial