eu-ai-act · 1 June 2026 · DILAIG

Law Firms and the EU AI Act: Are You Ready for December 2027?

Law firms use AI every day — and many don't realise they have EU AI Act obligations. Whether you deploy third-party legal AI tools or advise clients on compliance, this guide explains exactly what applies to you, and how DILAIG can help.

Last updated: June 2026 · Reading time: 8 minutes


AI has moved into the legal profession faster than most firms anticipated. Research platforms, contract review tools, document drafters, and predictive analytics are now standard features of a competitive practice. Yet the EU AI Act — Regulation (EU) 2024/1689 — creates obligations that most law firm management teams have not yet mapped.

This is not about the AI Act as a subject of legal advice. It is about the AI Act as a compliance obligation that applies directly to law firms themselves, in their capacity as users — and in some cases developers — of AI systems. The two questions are distinct, and both matter.

This guide works through each dimension: which AI tools law firms are currently using, what the AI Act requires, where the specific risks lie, and how DILAIG helps — both for firms managing their own compliance and for those advising clients who are AI providers.


The AI Tools Already Embedded in Legal Practice

Before addressing obligations, it is worth being precise about what counts as AI in the legal sector. The relevant tools fall into four categories.

Legal research platforms — Harvey (built on GPT-4), Westlaw Edge with its AI-assisted research layer, and Lexis+ AI all use large language models to surface case law, identify relevant statutes, and draft research memoranda. These tools have moved from early adopter status to mainstream within major firms in under three years.

Contract review and due diligence tools — Kira Systems, Luminance, and Juro AI automate the extraction of key clauses, flag deviations from standard positions, and accelerate due diligence on large document sets. A tool that previously required a team of associates working overnight now completes the same task in hours.

Document drafting and generation — Multiple platforms assist in generating first drafts of standard agreements, court filings, and legal opinions. The output requires review, but the starting point is no longer a blank page.

Predictive analytics — A smaller but growing category includes tools that assess the probability of success in litigation, analyse judicial decision patterns, or score the risk profile of a legal position. These tools operate closest to the boundary of what the EU AI Act considers high-risk.

Many firms are deploying all four categories simultaneously, often without a central registry of the AI tools in use across practice groups and offices.


What the EU AI Act Actually Requires of Law Firms

The AI Act creates obligations based on role. A law firm can hold two distinct roles: deployer and provider. Each carries different obligations.

The Law Firm as Deployer

Most law firms are deployers: they purchase or license AI systems developed by third parties and use them in their professional activities. Under Article 3(4), a deployer is any natural or legal person that uses an AI system under its authority.

When a law firm deploys a high-risk AI system — as classified under Article 6 and Annex III of the AI Act — it faces mandatory obligations under Article 26. These include:

  • Implementing appropriate human oversight measures during use
  • Ensuring staff who operate the system have sufficient competence to do so
  • Monitoring the system for risks and reporting serious incidents to the provider and, where required, to national authorities
  • Conducting a Fundamental Rights Impact Assessment (FRIA) before deployment, if the firm qualifies as a public body or provides public interest services

The critical question for any law firm is therefore: does any tool currently in use qualify as a high-risk AI system under Annex III?

For most legal research and contract review tools, the answer is likely no — these systems assist lawyers but do not make or materially influence decisions about natural persons in the categories listed in Annex III. However, tools that produce assessments bearing on employment decisions, creditworthiness, or — most relevantly — the administration of justice fall under Annex III §8. This provision specifically covers AI systems intended to assist judicial authorities in researching and interpreting facts and the law, and applying the law to a specific set of facts.

A tool that produces legal risk scores, predicts litigation outcomes, or influences settlement strategy based on judicial pattern analysis sits within the scope of Annex III §8 analysis. Whether it crosses the high-risk threshold depends on its specific intended use and the degree to which its output materially influences legal decisions affecting individuals. This requires a proper classification exercise — not a presumption either way.

The Law Firm as Provider

Some firms have developed proprietary AI tools — internal research assistants, bespoke document automation systems, custom contract risk scoring engines. A firm that deploys an AI system it developed itself, or one that it commissioned a third party to develop to its specifications, may qualify as a provider under Article 3(3) of the AI Act.

Provider obligations are significantly more extensive than deployer obligations. They include completing an Annex IV technical documentation file, drafting an EU Declaration of Conformity, registering the system in the EU AI Act database, and — for high-risk systems — completing either a third-party conformity assessment or an internal conformity assessment with full audit trail documentation.

The FRIA, where applicable, must be completed before the system is put into service. The EU Declaration of Conformity must be updated whenever the system is materially modified.


The Specific Risks for Law Firms

The legal profession carries professional responsibility obligations that interact with AI Act compliance in ways that do not apply to most other sectors.

Professional liability exposure from AI errors. When a lawyer relies on AI-generated research or a predictive analytics output that turns out to be incorrect, and that error informs advice given to a client, the professional liability question does not disappear because the AI was involved. Bar associations in France, Germany, and the UK have issued guidance in 2025 making clear that AI-assisted advice remains fully subject to professional responsibility standards. A firm that cannot demonstrate appropriate oversight of its AI tools — including the oversight measures required by Article 26 — will face a harder argument in any negligence claim.

Client confidentiality and data sent to third-party LLMs. When a lawyer uploads client documents to a cloud-based AI drafting or research tool, those documents are typically processed on third-party infrastructure. If the AI provider is not contractually bound by adequate data processing terms — and if the model uses that data for training — the firm may have exposed client confidential information in breach of both professional conduct rules and GDPR obligations. The AI Act does not resolve this risk, but its transparency obligations (Article 13) require providers to disclose the conditions under which data is processed. Deployers — including law firms — must review this disclosure before deployment.

Professional secrecy and LLM data flows. In jurisdictions including France, professional secrecy (secret professionnel) is a public order obligation, not merely a contractual one. Sending client data to a US-headquartered AI provider that falls under US surveillance legislation creates a specific legal exposure that goes beyond standard GDPR transfer analysis. The combination of AI Act deployer obligations and professional secrecy requirements creates a double compliance constraint that many firms have not yet addressed formally.

Reputational pressure from clients auditing their advisers. Large corporate clients — particularly those who are themselves subject to the AI Act as providers — are beginning to include AI compliance clauses in their outside counsel engagement terms. A law firm advising a client on AI Act compliance while running undisclosed or non-compliant AI tools itself is exposed to a credibility problem that extends well beyond any regulatory sanction.


How DILAIG Helps Law Firms

DILAIG's platform addresses two distinct use cases for law firms.

For firms managing their own compliance as deployers or providers, DILAIG's 50-question audit covers the full scope of the AI Act classification exercise. It identifies which tools in a firm's stack meet the high-risk threshold, maps the applicable deployer or provider obligations article by article, and — where high-risk classification applies — generates the four mandatory documents required under the AI Act: the Technical Documentation (Annex IV), the EU Declaration of Conformity, the Fundamental Rights Impact Assessment, and the Transparency Notice. The process takes approximately 20 minutes per AI system assessed.

For a firm running five or six material AI tools across practice groups, this provides the compliance foundation in a fraction of the time and cost of a manual legal review.

For firms advising clients who are AI providers, DILAIG offers a concrete, structured tool to recommend as part of the compliance engagement. A client developing or placing a high-risk AI system on the EU market needs exactly the four documents DILAIG generates. Rather than billing hours to produce these documents from scratch, the advising firm can recommend DILAIG as the document generation layer — and focus its advisory work on the legal review and gap analysis where professional judgement is indispensable.

This "prescriber" positioning is already being used by AI-specialised practices in France and Germany: the law firm advises on strategy and legal exposure; DILAIG produces the compliance documents; the firm reviews and certifies them. The result is a faster, lower-cost compliance outcome for the client, and a higher-value engagement for the firm.

DILAIG generates the 4 mandatory EU AI Act documents — Technical Documentation (Annex IV), EU Declaration of Conformity, FRIA, and Transparency Notice — from a 50-question audit. Law firms use it to manage their own compliance and to recommend to clients who are AI providers.



FAQ: Law Firms and the EU AI Act

Does the EU AI Act apply to law firms?

Yes, in their capacity as deployers of AI systems. If a law firm uses a third-party AI tool that qualifies as high-risk under Annex III, the deployer obligations of Article 26 apply. If the firm developed or commissioned a proprietary AI tool, provider obligations may also apply.

Which legal AI tools might qualify as high-risk under Annex III?

Most legal research and contract review tools do not meet the high-risk threshold. However, tools that assist in judicial decision-making or that materially influence decisions about natural persons in areas covered by Annex III (administration of justice, employment, essential services) require a formal classification analysis. Predictive litigation tools warrant particular scrutiny under Annex III §8.

What is the deadline for compliance?

The main body of high-risk AI obligations — including Article 26 deployer obligations — applies from 2 August 2026. Under the AI Omnibus agreement reached in late 2025, this deadline has been extended to 2 December 2027 for most Annex III systems. Firms should treat 2027 as the hard compliance deadline while using 2026 to complete classification and documentation work.

Does the AI Act interact with GDPR for law firms?

Yes. The AI Act's data governance requirements (Article 10) and the GDPR's lawful basis and data minimisation requirements both apply to AI systems processing personal data. For law firms, this interaction is particularly acute around cloud-based AI tools that process client documents, given professional secrecy obligations layered on top.

Can a law firm recommend DILAIG to its AI provider clients?

Yes. DILAIG is designed for AI providers — companies placing high-risk AI systems on the EU market. Law firms advising such clients can recommend DILAIG as the structured document generation layer, allowing the legal team to focus on review, gap analysis, and strategic guidance rather than first-draft document production.


Key Takeaways

  • Law firms are deployers of AI systems and face Article 26 obligations when using high-risk AI tools
  • Firms that developed proprietary AI systems may also face provider obligations, including Annex IV technical documentation and an EU Declaration of Conformity
  • Predictive legal analytics tools may qualify as high-risk under Annex III §8 (administration of justice) — classification requires individual analysis
  • Professional liability, client confidentiality, and professional secrecy create compliance obligations that run alongside and compound AI Act requirements
  • The compliance deadline is 2 December 2027 under the AI Omnibus agreement; classification and documentation work should begin now
  • DILAIG helps law firms manage their own compliance and serves as a tool for practices advising AI provider clients

Sources

  • Regulation (EU) 2024/1689 — EU AI Act, Official Journal of the EU, 12 July 2024
  • Article 26: Obligations of deployers of high-risk AI systems
  • Article 27: Fundamental Rights Impact Assessment for deployers
  • Annex III §8: Administration of justice and democratic processes
  • Annex IV: Technical documentation requirements for high-risk AI systems
  • AI Omnibus agreement (Council and Parliament, late 2025) — extended deadlines for Annex III systems
  • Council of Bars and Law Societies of Europe (CCBE): Guidance on AI and professional responsibility (2025)