EU AI Act guide for in-house legal counsel
EU AI Act guide for in-house legal counsel
The EU AI Act creates a new layer of statutory obligations that in-house legal counsel must understand, interpret for their business, and translate into contracts, policies, and internal governance. The Act is directly applicable across all EU member states, meaning there is no national implementation delay of the kind that complicated early GDPR rollout. If your company places an AI system on the EU market or uses one in an EU context, the Act applies now, with the most demanding obligations phased in by 2027.
What the EU AI Act requires
The Act distinguishes between providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in a professional context). This distinction is central to legal analysis. Under Article 25, deployers take on additional provider-like obligations in certain circumstances: when they substantially modify a high-risk AI system, place it under their own name, or use a general purpose AI model to build a high-risk system. For high-risk AI systems under Annex III, the conformity obligations in Articles 9 to 17 include risk management, data governance, technical documentation, transparency, and human oversight. Providers must complete a conformity assessment before placing the system on the market (Article 43) and register the system in the EU database (Article 49). For GPAI models, Article 53 obligations apply from August 2, 2026, including technical documentation, training data summaries, and cooperation with downstream deployers. Fines for GPAI violations reach EUR 15 million or 3% of global annual revenue. The Annex III compliance deadline for high-risk AI systems is December 2, 2027. Article 50, governing AI-generated content labelling and disclosure, applies from August 2, 2026.
What this means for your business
For in-house counsel, the Act creates work in four areas. First, contract review: any agreement covering AI system procurement, integration, or use needs to be assessed against the Act. Article 25 obligations mean that deployer contracts must now allocate responsibility for conformity documentation, technical files, and post-market monitoring. Many existing SaaS agreements will not address these requirements. Second, liability analysis: the Act's fine structure (up to EUR 30 million or 6% of global annual revenue for high-risk violations under Article 99) requires an assessment of exposure and appropriate insurance or indemnification terms in supplier agreements. Third, governance documentation: the quality management system required under Article 17 is a legal instrument as much as an operational one. Counsel should be involved in its design and review to ensure it provides adequate legal protection. Fourth, regulatory engagement: national market surveillance authorities will enforce the Act, and in-house counsel will be the primary contact for regulatory inquiries. Establishing a compliance file before any investigation begins is a fundamental risk mitigation step.
Steps to get compliant
1. Conduct a provider versus deployer analysis for every AI system your company develops or uses. This determines which obligations apply to your organisation and where Article 25 creates additional exposure.
2. Review and update AI-related vendor contracts to include representations on conformity, technical documentation, and cooperation obligations under Article 25. Prioritise contracts covering high-risk AI systems and GPAI model access.
3. Advise on and document the Article 43 conformity assessment process for any high-risk AI systems your organisation places on the market before the December 2, 2027 deadline.
4. Build an internal legal opinion file covering your organisation's AI system classifications, the rationale for each classification, and the compliance steps taken. This file is your primary defence in any regulatory inquiry.
Free EU AI Act risk assessment
Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.