Legal tech AI compliance under the EU AI Act

Legal tech AI compliance under the EU AI Act

AI tools are reshaping legal work across contract analysis, due diligence, legal research, document review, and court outcome prediction. But legal tech sits in a particularly sensitive zone under the EU AI Act. Systems that assist in the administration of justice are explicitly classified as high-risk, meaning the obligations that come with them are substantial for both vendors and law firms.

What the EU AI Act says about legal tech AI

Annex III of the EU AI Act lists the categories of AI systems that are automatically classified as high-risk. Item 8 covers AI used in the administration of justice and democratic processes. This includes AI systems intended to assist judicial authorities in researching and interpreting facts and the law, and in applying the law to a concrete set of facts.

Article 6 of the Act establishes that any AI system falling under Annex III is a high-risk AI system and must comply with the requirements set out in Chapter III, Section 2 of the regulation. This is not a grey area. Legal AI that supports decisions in legal proceedings, assists in legal research used as evidence or advice, or predicts court outcomes falls squarely within scope.

Beyond judicial settings, AI used by in-house legal teams at companies may also be in scope, particularly when used to advise on regulatory obligations, flag legal risk in contracts, or support compliance determinations that carry significant consequences for individuals or organisations.

Article 14 specifically addresses human oversight requirements for high-risk AI systems. The Act requires that high-risk AI systems be designed and developed in a way that allows natural persons to effectively oversee and, where necessary, override or disregard their outputs. This is not a box-ticking exercise. The human oversight requirement demands genuine capability, not just a nominal review step.

Who this applies to

The EU AI Act distinguishes between providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in a professional context).

Legal tech vendors acting as providers carry the heavier compliance burden. They must conduct conformity assessments, establish risk management systems, implement data governance measures, provide detailed technical documentation, maintain logs of system operation, and register their systems in the EU database for high-risk AI. They must also provide instructions for use that give deployers the information they need to operate the system safely.

Law firms and legal departments acting as deployers have their own distinct obligations. They must use the AI system in accordance with the provider's instructions, ensure relevant staff have adequate AI literacy, implement human oversight measures appropriate to the context, and monitor the system's operation for performance issues or unexpected outputs. Deployers cannot simply assume that vendor compliance covers their own obligations. The Act makes clear that deployers in regulated professional contexts carry real responsibility.

If a law firm customises a legal AI tool, integrates it with proprietary data, or significantly modifies its intended purpose, it may also take on provider obligations under the Act.

What compliance requires concretely

For legal tech providers, the core requirements include:

  • A risk management system maintained throughout the AI system's lifecycle, identifying and mitigating foreseeable risks to health, safety, and fundamental rights
  • Data governance controls ensuring training data is relevant, representative, and free from significant errors or bias that could affect legal outputs
  • Technical documentation sufficient to demonstrate compliance and support conformity assessment
  • Automatic logging of system operation, retained for at least six months after use
  • Transparent instructions for deployers covering intended purpose, performance limitations, and human oversight requirements
  • Registration in the EU AI Act database before placing the system on the market

For law firm and in-house legal deployers, practical steps include assigning named oversight responsibility for each AI tool in use, establishing review procedures that go beyond rubber-stamping AI outputs, documenting how AI-assisted work products are reviewed before being relied on, and conducting periodic assessments of whether the AI system is performing as expected in the firm's specific context.

Key deadlines

The EU AI Act has a staggered implementation timeline. Article 5 prohibitions on unacceptable risk AI have been in force since February 2 2025. Rules for General Purpose AI models, including significant fines (up to EUR 15 million or 3% of global turnover), took effect August 2 2026. Article 50 transparency obligations also applied from August 2 2026.

The most significant date for legal tech is December 2 2027, when the full requirements for Annex III high-risk AI systems become enforceable. This includes all the provider and deployer obligations described above. Two years sounds comfortable, but conformity assessments, technical documentation, and organisational change take longer than expected. Legal tech vendors selling into the EU market need to begin compliance work now to be ready.

What to do now

If you are a legal tech vendor, start by mapping every product against Annex III to determine which systems are high-risk. For those that are, initiate a gap assessment against the Chapter III, Section 2 requirements. Build the risk management and documentation infrastructure early, as retrofitting these processes is significantly harder than building them in from the start.

If you are a law firm or in-house legal team using AI tools, review every AI system in use and ask your vendors for their compliance roadmap. Do not assume that because a vendor is well-known, they have their EU AI Act obligations covered. Ask for documentation. Implement human oversight procedures for any legal AI output that informs advice, contracts, or regulatory submissions.

For both providers and deployers, the Article 14 human oversight requirement deserves particular attention. In legal contexts, where AI errors can have serious consequences for clients or counterparties, the Act's expectation of meaningful human control is not just a compliance checkbox. It reflects a genuine expectation that professionals remain responsible for the outputs they rely on.

Use the free ActComply risk screener to check your obligations under the EU AI Act: https://www.getactcomply.com/check. The screener identifies whether your AI systems are high-risk and outlines the specific obligations that apply to your role as provider or deployer.

Related reading: EU AI Act Annex III explained, EU AI Act guide for legal counsel, Article 14 human oversight requirements.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener