Compliance

    The EU AI Act Explained for Legal Teams

    JE
    Judicio Editorial TeamLegal Technology Experts
    Jun 9, 2026Updated Jun 24, 20269 min read
    A legal team mapping the EU AI Act risk tiers and compliance timeline for AI systems

    TL;DR: The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive AI law, and it sorts systems into four risk tiers: unacceptable practices are banned, high-risk systems face strict obligations, limited-risk systems owe transparency, and minimal-risk systems are largely untouched. General-purpose AI has its own rules, and the obligations phase in from 2025 to 2027. It affects lawyers both as advisers to clients and as users of AI tools.

    For years, AI governance in Europe was a patchwork of guidance and general data-protection law. The EU AI Act changes that with a single, risk-based regime that applies across sectors. For legal teams, it is doubly relevant: clients who build or deploy AI will need advice on where they fall, and firms themselves are buyers and users of AI tools subject to the Act's transparency and diligence expectations. This guide explains the structure - the risk tiers, the rules for general-purpose AI, the timeline, and the practical implications for both hats a lawyer wears. It is general information, not legal advice.

    What is the EU AI Act?

    The EU AI Act is Regulation (EU) 2024/1689, the European Union's horizontal law for artificial intelligence. It entered into force in August 2024 and applies in phases. Its core idea is proportionality: rather than regulating every AI system identically, it scales obligations to the risk a system poses to health, safety, and fundamental rights. The official text is on EUR-Lex, and the European Commission maintains explanatory material through its digital strategy pages. Like GDPR, it has extraterritorial reach, applying to providers and deployers whose systems are used in the EU regardless of where they are based.

    How does the risk-based approach work?

    The Act sorts AI into four tiers, and the obligations follow the tier. Crucially, the classification depends on how a system is used, not just what it is - the same underlying model can sit in different tiers depending on the application.

    TierTreatmentExamples
    UnacceptableProhibitedGovernment social scoring, certain manipulative or biometric practices
    High-riskStrict obligationsSystems used in employment, education, or the administration of justice
    LimitedTransparency dutiesChatbots and generative systems that must disclose AI use
    MinimalNo new obligationsSpam filters and most everyday software features

    Unacceptable-risk systems

    A small set of practices is banned outright as incompatible with EU values - for example, government social scoring, certain manipulative techniques that exploit vulnerabilities, and some uses of biometric categorisation and untargeted facial-image scraping. These prohibitions are the sharpest edge of the Act and were the first obligations to take effect. For most legal teams they are a compliance check to run on clients rather than a description of the tools the firm uses day to day.

    High-risk systems

    High-risk systems are permitted but heavily regulated. They include AI used in sensitive areas such as employment and worker management, education, essential services, certain biometric uses, and the administration of justice. Providers of high-risk systems must meet obligations around risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity, and deployers have their own duties. This is where most of the Act's substantive compliance burden sits.

    The obligations split between two actors. Providers - those who develop a high-risk system or place it on the market under their own name - carry the heaviest load, including conformity assessment before launch and ongoing post-market monitoring. Deployers - the organisations that put a high-risk system to use - have lighter but real duties: use the system in line with its instructions, ensure meaningful human oversight, monitor how it performs in their context, and keep the logs it generates. The distinction matters for advice, because many clients will be deployers of a third-party system rather than builders of their own, and their compliance task is correspondingly different. Identifying which role a client occupies for each system is usually the first analytical step.

    Limited and minimal risk

    Limited-risk systems carry transparency obligations: people should be told when they are interacting with an AI system, and certain AI-generated or manipulated content - such as deepfakes - must be labelled. Minimal-risk systems, which include most everyday software features like spam filters, face no new obligations under the Act. The majority of consumer and productivity AI sits in these two tiers.

    What are the obligations for general-purpose AI?

    General-purpose AI (GPAI) models - the large models that can be adapted to many tasks - have a dedicated set of rules. Providers of GPAI models must supply technical documentation and information to those who build on them, put in place a policy to respect EU copyright law, and publish a summary of the content used for training. Models deemed to present systemic risk face additional obligations, including model evaluation, risk mitigation, and incident reporting. For legal teams, the GPAI rules matter mainly when advising clients who develop or fine-tune such models, or who build products on top of them.

    When do the obligations take effect?

    The Act does not switch on all at once. The obligations phase in over several years, which gives organisations time to prepare but also creates a sequence of deadlines to track. The table sketches the headline dates; confirm the current position as you plan, since implementation detail continues to develop.

    DateWhat applies
    August 2024The Regulation enters into force
    February 2025Bans on unacceptable-risk practices take effect
    August 2025Obligations for general-purpose AI models begin
    August 2026Most high-risk and transparency obligations apply
    August 2027Remaining high-risk rules for regulated products apply

    A natural question for our field is whether legal AI tools are high-risk. The Act lists the administration of justice as a sensitive area, and it specifically flags AI intended to be used by a judicial authority - or on its behalf - to research and interpret facts and the law and to apply the law to a concrete set of facts. That framing centres on systems used in judicial decision-making, not on every tool a lawyer uses. A platform that helps a lawyer search authority, review documents, build a timeline, or draft is generally not high-risk on that basis alone. But classification turns on the specific use, so a firm deploying AI should assess its own context rather than assume, and providers should be transparent about how their systems are intended to be used. Outputs from any such tool are aids, not legal advice.

    What transparency duties apply?

    Even outside the high-risk tier, transparency is a recurring theme. Deployers should be able to tell people when they are dealing with an AI system, and providers of generative systems must enable the labelling of synthetic content. For a firm, the practical implications are modest but real: be honest with clients about where AI is used in your work, keep a human in the loop on anything that matters, and prefer tools that make their behaviour and sources transparent. Our guide to AI governance for law firms covers building these habits into a policy.

    How does the Act affect lawyers - as advisers and as users?

    The Act lands on lawyers in two distinct ways, and it helps to separate them.

    Advising clients

    Clients who develop, sell, or deploy AI need to know their tier and their obligations, and the timeline gives them deadlines to plan against. Lawyers will be asked to classify systems, review provider and deployer duties, draft and negotiate AI clauses, and align AI compliance with GDPR and sector rules. The Act is detailed and phased, so structured advice - what applies, when, and what to document - is valuable. For research into EU instruments, our note on AI legal research in the EU is a useful companion.

    A useful first deliverable for many clients is an inventory: a list of the AI systems they build or use, each mapped to a tier, a role of provider or deployer, and the obligations and deadlines that follow. That inventory becomes the backbone of a compliance programme and the document a regulator or counterparty is most likely to ask to see. It also surfaces where attention is genuinely needed - the handful of systems that may be high-risk - versus the majority that are limited or minimal risk and need little more than transparency. Pairing the inventory with the phased timeline turns a sprawling regulation into a manageable, dated work plan.

    Using AI tools in your own practice

    As users, firms should apply the same diligence they would advise a client to use: understand what a tool does, keep humans in the loop, be transparent with clients, and vet the vendor's data practices. None of this requires treating an ordinary research-and-drafting assistant as a high-risk system; it does mean choosing tools you can explain and stand behind.

    Where does Judicio fit?

    Judicio is a research, review, drafting, timeline, and translation workspace used by lawyers - the kind of professional tool that generally sits outside the high-risk tier, while still being built for transparency. Every finding, answer, and date is cited to the exact page and quoted passage, so a human can verify rather than trust; outputs are clearly not legal advice; and the platform does not train on your data, hosts on Google Cloud Platform, and provides role-based access with a full audit trail. Those properties - verifiability, human oversight, and disciplined data handling - are exactly what the Act's spirit rewards. As with any vendor, request the documentation you need to satisfy your own assessment.

    How do you get started?

    If you advise clients on AI, build a simple classification worksheet - tier, role (provider or deployer), applicable obligations, and deadline - and apply it matter by matter. If you are adopting AI internally, fold the Act's themes into your vendor checklist alongside GDPR: transparency, human oversight, and data governance.

    You can evaluate Judicio against those themes on your own work with a 7-day free trial - 500 credits, no credit card required. Professional access is $200 per month for 5,000 credits, and you can contact us for a walkthrough. For the data-protection backdrop the Act sits alongside, read GDPR for law firms and our overview of AI for regulatory compliance. This article is general information, not legal advice.

    Frequently Asked Questions

    It is Regulation (EU) 2024/1689, the European Union's horizontal law for artificial intelligence, which sorts AI systems into risk tiers and imposes obligations that scale with the risk - from outright bans on certain practices to transparency duties for everyday tools.

    Unacceptable-risk practices are prohibited; high-risk systems face strict obligations around data, documentation, oversight, and accuracy; limited-risk systems carry transparency duties such as disclosing that a user is interacting with AI; and minimal-risk systems face no new obligations. The tier depends on how a system is used, not just what it is.

    The Regulation entered into force in August 2024 and applies in phases. Bans on unacceptable-risk practices began in February 2025, general-purpose AI obligations from August 2025, and most high-risk and transparency obligations from August 2026, with some product-related high-risk rules from August 2027. Confirm the current dates as you plan.

    Not automatically. The Act flags AI used in the administration of justice as a sensitive area, particularly where used by a judicial authority to research or apply the law. Tools that help a lawyer research, review, or draft are generally not high-risk on that basis alone, but classification depends on the specific use, so assess your own deployment.

    Yes, in two ways. You may advise clients who develop or deploy AI and need to map their obligations, and you have transparency and diligence considerations when you use AI in your own practice. Knowing the tiers and timelines helps on both fronts. This overview is general information, not legal advice.

    TopicsComplianceEU AI ActAI RegulationLegal AIRisk Management

    Ready to Transform Your Legal Workflow?

    Try Judicio free for 7 days — no credit card required.

    Start Free Trial

    Related Articles

    Get started

    Bring cited AI to your practice

    Run your first review free in minutes — or book a demo and see Judicio on your own matters.

    Free trial · No credit card required