EU AI Act for lawyers: what you need to know before 2 August 2026

Q: Is my law firm's AI use an 'AI system' under the AI Act?

As a user of an AI tool (e.g. a general-purpose chatbot or LexCodex) you are a 'deployer' under the regulation. The obligations rest primarily on the provider of the AI system. As a deployer you have Art. 26 obligations only if you use a high-risk system, which most legal AI tools are NOT.

Published 3 May 2026 · 8 min read · By GD · LexCodex

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 but applies in stages. For law firms and in-house teams, the biggest milestone is 2 August 2026, when transparency requirements and high-risk-system obligations begin to apply.

For lawyers, two practical questions follow:

Are the AI tools I use myself "AI systems" under the regulation, and do I as a user have any obligations to meet?
How do I classify my clients' AI systems when they ask?

This text answers both.

Timeline: what applies when?

Date	What starts to apply
1 Aug 2024	AI Act entered into force
2 Feb 2025	Prohibited AI practices (Art. 5)
2 Aug 2025	GPAI obligations (Art. 51-55)
2 Aug 2026	High-risk systems + transparency obligations (Art. 50)
2 Aug 2027	High-risk systems under Annex I products

For most lawyers, 2 August 2026 is the milestone that matters. That is when all limited-risk systems must meet the Art. 50 transparency requirements.

The risk classes in brief

The AI Act sorts AI systems into four risk classes:

Prohibited (Art. 5): Subliminal manipulation, social scoring by public authorities, real-time biometric identification in public spaces, emotion recognition in workplaces and schools, among others. Penalty: up to EUR 35 million or 7 percent of global turnover.
High-risk (Annex III): AI systems in recruitment, education, credit scoring, critical infrastructure, law enforcement, the judiciary (for courts) and border control. Requires extensive documentation, risk management, human oversight and registration in an EU database. Penalty: up to EUR 15 million or 3 percent of turnover.
Limited risk (Art. 50): AI systems that interact directly with natural persons or generate synthetic content. The requirements are to inform the user about AI interaction and label AI-generated content. No other mandatory requirements.
Minimal risk: Everything else. No AI Act-specific obligations, though GDPR and other legislation still apply.

Important nuance about Annex III point 8 (judiciary): The text covers "AI systems intended to be used by a judicial authority or on their behalf". That means courts and judicial authorities, not private law firms or in-house lawyers. An AI tool that helps you analyse contracts is not automatically high-risk just because the subject matter is legal.

Is your AI tool an AI system under the regulation?

Short answer: yes, but the provider carries the main responsibility.

When you as an attorney or in-house lawyer use an AI tool, you are a "deployer" under the regulation. The provider of that tool carries the heavier obligations around making the system available.

As a deployer:

For minimal- or limited-risk systems, you essentially have no AI Act-specific obligations. GDPR, confidentiality, professional ethics and other rules apply regardless.
For high-risk systems, if you use any, Art. 26 imposes requirements on monitoring, documentation, human oversight and incident reporting. Most legal AI tools are not high-risk.

In practice: if you use a legal AI tool to review contracts, draft NDAs or research case law, the classification is most likely limited risk. The provider's transparency information then needs to be in place. That is the provider's job, not yours.

How do you classify clients' AI systems?

Clients will ask about their own systems. A simple process:

Is it prohibited under Art. 5? If yes: stop the system.
Does it fall under Annex III points 1–8? Common relevant areas are HR and recruitment (point 4), credit scoring (point 5), and education (point 3).
Does it interact with humans or generate synthetic content? Then it is limited risk with Art. 50 requirements.
Otherwise it is minimal risk.

The most common pitfall is clients classifying their system as high-risk to be safe. It is expensive. High-risk means extensive documentation requirements, a risk management system, quality management, registration in an EU database and ongoing monitoring. Classify correctly, not conservatively.

Checklist before 2 August 2026

Inventory the AI tools used at the firm or in-house function. What is used for what?
Verify that the provider's transparency information is in place. Are you and your clients told that the result is AI-generated?
Review client agreements. Do clauses about AI use need to be added? Clients will start asking.
Set the routine for client information. Privileged documents should not pass through AI without ZDR and DPA.
Use a structured classification tool when clients ask about their own systems. Document the result.
Train colleagues. A short walkthrough goes a long way in building shared understanding.
Track the Commission's delegated acts. Specific technical requirements will be set out there during 2026 and 2027.

Summary

The AI Act is not the end of AI in legal practice. It is a framework for responsible use. For most firms and in-house teams using established tools, the picture is manageable:

The tool is most likely limited risk or minimal risk.
The provider carries the main responsibility for compliance.
As a deployer you have lighter obligations: inform clients, document use.
When clients ask about their own systems, use a structured classification method rather than guessing.

If you want to see how the classification looks for a specific system, the AI Act tool takes around 10 minutes to complete. The result is a formal report you can share with a client or use internally.

Frequently asked questions

When does the EU AI Act take effect?

The AI Act entered into force on 1 August 2024. Prohibited AI practices began applying on 2 February 2025. GPAI obligations apply from 2 August 2025. High-risk systems plus transparency obligations apply from 2 August 2026. High-risk systems under Annex I products apply from 2 August 2027.

Is my law firm's AI use an "AI system" under the AI Act?

As a user of an AI tool you are a "deployer" under the regulation. The obligations sit primarily with the provider. As a deployer you have Art. 26 obligations only if you use a high-risk system — which most legal AI tools are NOT.

How do I classify an AI system under the AI Act?

Four steps: (1) Is the system prohibited under Art. 5? (2) Does it fall under Annex III (high-risk)? (3) Does it fall under Art. 50 transparency requirements (limited risk)? (4) Otherwise it is minimal risk with no extra requirements. For lawyer-facing AI tools the most common outcome is limited risk.

What does "limited risk" mean under the AI Act?

Limited-risk systems have transparency requirements under Art. 50: users must be informed that they are interacting with AI, and AI-generated content must be labelled. No other mandatory requirements. For legal AI tools that produce analysis, limited risk is the most common outcome.

Classify an AI system with our tool

3-minute question flow, formal classification report on demand. Free during the Pro trial.

Open the AI Act tool → Back to blog