TL;DR: The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive AI law, and it sorts systems into four risk tiers: unacceptable practices are banned, high-risk systems face strict obligations, limited-risk systems owe transparency, and minimal-risk systems are largely untouched. General-purpose AI has its own rules, and the obligations phase in from 2025 to 2027. It affects lawyers both as advisers to clients and as users of AI tools.
For years, AI governance in Europe was a patchwork of guidance and general data-protection law. The EU AI Act changes that with a single, risk-based regime that applies across sectors. For legal teams, it is doubly relevant: clients who build or deploy AI will need advice on where they fall, and firms themselves are buyers and users of AI tools subject to the Act's transparency and diligence expectations. This guide explains the structure - the risk tiers, the rules for general-purpose AI, the timeline, and the practical implications for both hats a lawyer wears. It is general information, not legal advice.
What is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689, the European Union's horizontal law for artificial intelligence. It entered into force in August 2024 and applies in phases. Its core idea is proportionality: rather than regulating every AI system identically, it scales obligations to the risk a system poses to health, safety, and fundamental rights. The official text is on EUR-Lex, and the European Commission maintains explanatory material through its digital strategy pages. Like GDPR, it has extraterritorial reach, applying to providers and deployers whose systems are used in the EU regardless of where they are based.
How does the risk-based approach work?
The Act sorts AI into four tiers, and the obligations follow the tier. Crucially, the classification depends on how a system is used, not just what it is - the same underlying model can sit in different tiers depending on the application.
| Tier | Treatment | Examples |
|---|---|---|
| Unacceptable | Prohibited | Government social scoring, certain manipulative or biometric practices |
| High-risk | Strict obligations | Systems used in employment, education, or the administration of justice |
| Limited | Transparency duties | Chatbots and generative systems that must disclose AI use |
| Minimal | No new obligations | Spam filters and most everyday software features |
Unacceptable-risk systems
A small set of practices is banned outright as incompatible with EU values - for example, government social scoring, certain manipulative techniques that exploit vulnerabilities, and some uses of biometric categorisation and untargeted facial-image scraping. These prohibitions are the sharpest edge of the Act and were the first obligations to take effect. For most legal teams they are a compliance check to run on clients rather than a description of the tools the firm uses day to day.
High-risk systems
High-risk systems are permitted but heavily regulated. They include AI used in sensitive areas such as employment and worker management, education, essential services, certain biometric uses, and the administration of justice. Providers of high-risk systems must meet obligations around risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity, and deployers have their own duties. This is where most of the Act's substantive compliance burden sits.
The obligations split between two actors. Providers - those who develop a high-risk system or place it on the market under their own name - carry the heaviest load, including conformity assessment before launch and ongoing post-market monitoring. Deployers - the organisations that put a high-risk system to use - have lighter but real duties: use the system in line with its instructions, ensure meaningful human oversight, monitor how it performs in their context, and keep the logs it generates. The distinction matters for advice, because many clients will be deployers of a third-party system rather than builders of their own, and their compliance task is correspondingly different. Identifying which role a client occupies for each system is usually the first analytical step.
Limited and minimal risk
Limited-risk systems carry transparency obligations: people should be told when they are interacting with an AI system, and certain AI-generated or manipulated content - such as deepfakes - must be labelled. Minimal-risk systems, which include most everyday software features like spam filters, face no new obligations under the Act. The majority of consumer and productivity AI sits in these two tiers.
What are the obligations for general-purpose AI?
General-purpose AI (GPAI) models - the large models that can be adapted to many tasks - have a dedicated set of rules. Providers of GPAI models must supply technical documentation and information to those who build on them, put in place a policy to respect EU copyright law, and publish a summary of the content used for training. Models deemed to present systemic risk face additional obligations, including model evaluation, risk mitigation, and incident reporting. For legal teams, the GPAI rules matter mainly when advising clients who develop or fine-tune such models, or who build products on top of them.
When do the obligations take effect?
The Act does not switch on all at once. The obligations phase in over several years, which gives organisations time to prepare but also creates a sequence of deadlines to track. The table sketches the headline dates; confirm the current position as you plan, since implementation detail continues to develop.
| Date | What applies |
|---|---|
| August 2024 | The Regulation enters into force |
| February 2025 | Bans on unacceptable-risk practices take effect |
| August 2025 | Obligations for general-purpose AI models begin |
| August 2026 | Most high-risk and transparency obligations apply |
| August 2027 | Remaining high-risk rules for regulated products apply |
Could legal AI tools be high-risk?
A natural question for our field is whether legal AI tools are high-risk. The Act lists the administration of justice as a sensitive area, and it specifically flags AI intended to be used by a judicial authority - or on its behalf - to research and interpret facts and the law and to apply the law to a concrete set of facts. That framing centres on systems used in judicial decision-making, not on every tool a lawyer uses. A platform that helps a lawyer search authority, review documents, build a timeline, or draft is generally not high-risk on that basis alone. But classification turns on the specific use, so a firm deploying AI should assess its own context rather than assume, and providers should be transparent about how their systems are intended to be used. Outputs from any such tool are aids, not legal advice.
What transparency duties apply?
Even outside the high-risk tier, transparency is a recurring theme. Deployers should be able to tell people when they are dealing with an AI system, and providers of generative systems must enable the labelling of synthetic content. For a firm, the practical implications are modest but real: be honest with clients about where AI is used in your work, keep a human in the loop on anything that matters, and prefer tools that make their behaviour and sources transparent. Our guide to AI governance for law firms covers building these habits into a policy.
How does the Act affect lawyers - as advisers and as users?
The Act lands on lawyers in two distinct ways, and it helps to separate them.
Advising clients
Clients who develop, sell, or deploy AI need to know their tier and their obligations, and the timeline gives them deadlines to plan against. Lawyers will be asked to classify systems, review provider and deployer duties, draft and negotiate AI clauses, and align AI compliance with GDPR and sector rules. The Act is detailed and phased, so structured advice - what applies, when, and what to document - is valuable. For research into EU instruments, our note on AI legal research in the EU is a useful companion.
A useful first deliverable for many clients is an inventory: a list of the AI systems they build or use, each mapped to a tier, a role of provider or deployer, and the obligations and deadlines that follow. That inventory becomes the backbone of a compliance programme and the document a regulator or counterparty is most likely to ask to see. It also surfaces where attention is genuinely needed - the handful of systems that may be high-risk - versus the majority that are limited or minimal risk and need little more than transparency. Pairing the inventory with the phased timeline turns a sprawling regulation into a manageable, dated work plan.
Using AI tools in your own practice
As users, firms should apply the same diligence they would advise a client to use: understand what a tool does, keep humans in the loop, be transparent with clients, and vet the vendor's data practices. None of this requires treating an ordinary research-and-drafting assistant as a high-risk system; it does mean choosing tools you can explain and stand behind.
Where does Judicio fit?
Judicio is a research, review, drafting, timeline, and translation workspace used by lawyers - the kind of professional tool that generally sits outside the high-risk tier, while still being built for transparency. Every finding, answer, and date is cited to the exact page and quoted passage, so a human can verify rather than trust; outputs are clearly not legal advice; and the platform does not train on your data, hosts on Google Cloud Platform, and provides role-based access with a full audit trail. Those properties - verifiability, human oversight, and disciplined data handling - are exactly what the Act's spirit rewards. As with any vendor, request the documentation you need to satisfy your own assessment.
How do you get started?
If you advise clients on AI, build a simple classification worksheet - tier, role (provider or deployer), applicable obligations, and deadline - and apply it matter by matter. If you are adopting AI internally, fold the Act's themes into your vendor checklist alongside GDPR: transparency, human oversight, and data governance.
You can evaluate Judicio against those themes on your own work with a 7-day free trial - 500 credits, no credit card required. Professional access is $200 per month for 5,000 credits, and you can contact us for a walkthrough. For the data-protection backdrop the Act sits alongside, read GDPR for law firms and our overview of AI for regulatory compliance. This article is general information, not legal advice.
