TL;DR: As of mid-2026, the EU AI Act is no longer a future event — prohibitions and AI literacy duties have applied since February 2025, general-purpose AI model obligations since August 2025, and the next big wave, covering much of the high-risk regime, is scheduled from August 2026. For law firms the practical position is manageable: most legal AI use is not high-risk, but firms are deployers with real duties — an AI inventory, documented staff literacy, appropriate oversight, and vendor diligence. The bigger change is commercial: AI Act advisory has become a genuine practice area.
When the AI Act was adopted in 2024, most law firm commentary treated it as a client problem. Two years on, it is both a client problem and a firm problem: firms deploy AI systems themselves, the literacy duty covers their staff, and clients now expect their outside counsel to model the compliance they advise on. This update sets out what has actually applied by mid-2026, what remains ahead, and what a sensible firm does about each piece. For the article-by-article foundations, start with our EU AI Act explainer; this piece focuses on what changed and what to do.
The timeline so far: what applies as of mid-2026
The Act's obligations arrive in waves, and by July 2026 three have landed:
| Date | What began applying | Relevance to firms |
|---|---|---|
| August 2024 | Act entered into force | Clock started; no operative duties yet |
| February 2025 | Prohibited practices; AI literacy (Article 4) | Literacy duty covers firms deploying AI; banned practices rarely touch legal work |
| August 2025 | General-purpose AI model obligations; governance structures | Falls on model providers, not firms — but shapes vendor transparency you can demand |
| August 2026 | Most remaining provisions, including much of the high-risk regime | Matters for firms deploying anything that could be classified high-risk; some obligations extend into 2027 |
One caveat belongs in every firm's tracking file: through late 2025 and 2026 the European Commission explored simplification measures for parts of the digital rulebook, including elements of AI Act implementation. As of mid-2026 firms should treat the published timeline as the operative one while watching for final adjustments — a reminder that compliance programmes need an owner, not a one-off memo.
Are law firms in scope at all?
Yes — almost every firm using AI in EU-connected practice is a deployer: an organisation using an AI system under its authority in the course of professional activities. That is the lightest-touch operative role in the Act, but it is not zero. Deployers must use systems in accordance with provider instructions, ensure appropriate human oversight, and — since February 2025 — ensure a sufficient level of AI literacy among staff operating AI systems. Firms with EU offices, EU clients, or outputs used in the EU should assume the framework is relevant even where a specific matter sits elsewhere.
Provider vs deployer: why the label matters
The heavy obligations — conformity assessments, technical documentation, registration — fall on providers: those who develop and place AI systems on the market. A firm buying a legal AI platform is not a provider. The nuance arrives when a firm builds client-facing AI products or substantially modifies a system and brands it as its own: that can shift the firm toward provider territory. If your innovation team is shipping AI tools to clients, that classification question deserves real analysis, not a footnote.
The AI literacy duty nobody budgeted for
Article 4's literacy requirement has applied since February 2025 and is the piece most firms under-scoped. It requires deployers to ensure staff using AI systems have sufficient AI literacy — measured against their role and the systems they use. For a law firm that means practical training: what generative AI does and fails at, why outputs must be verified, what may and may not be uploaded, and how the firm's approved tools differ from consumer chatbots. Done properly, this doubles as the training bar guidance already expects — one curriculum satisfying both the regulator and the profession's competence duty. Our guide to AI governance for law firms includes a training outline that maps cleanly onto Article 4.
The high-risk question for legal AI
The Act's high-risk list includes AI in the administration of justice — systems intended to assist judicial authorities in researching, interpreting, and applying the law to concrete facts. Read carefully, that entry targets tools used by or for courts in adjudication, not the ordinary research, review, and drafting assistance lawyers use in private practice. As of mid-2026, the sensible working position is: standard legal AI platforms used by law firms are generally not high-risk, but classification follows intended use, so a firm should document a short classification note for each system it deploys — especially anything used in court-connected processes, employment decisions, or credit-adjacent work, where other Annex entries can bite.
How the AI Act interacts with the GDPR
The AI Act layers on top of data protection law; it does not replace it. In practice the two regimes ask complementary questions: the GDPR asks what personal data you process and on what basis; the AI Act asks what the system does and how it is overseen. For a firm deploying legal AI, the operational consequences converge on familiar controls — vendor terms that prohibit training on your data, defined retention, EU data-residency options where mandates require them, and access controls with audit trails. A tool that already satisfies a rigorous GDPR review is most of the way to deployer comfort under the AI Act. See GDPR for law firms for that half of the analysis.
The client-advisory opportunity
Every obligation above lands harder on clients than on firms — providers building AI products, enterprises deploying high-risk systems, boards needing governance frameworks. Firms that operationalised their own compliance first have found the credibility to advise on it: the inventory templates, classification memos, literacy curricula, and vendor-diligence checklists a firm builds internally become client deliverables with modest adaptation. As of mid-2026, AI Act advisory has moved from novelty to a steady workstream in technology, employment, product, and disputes practices alike.
A practical mid-2026 checklist for firms
- Inventory: list every AI system in use — including the unofficial ones lawyers adopted themselves. You cannot classify what you have not found.
- Classify: a short note per system on risk tier and role (deployer vs provider), reviewed when use changes.
- Train: document AI literacy training for everyone operating AI systems; refresh as tools change.
- Contract: vendor commitments on training, retention, residency, and transparency in writing.
- Oversee: human review of AI output as standing policy — verification before reliance, everywhere.
- Track: assign an owner to monitor implementing measures and any timeline adjustments through 2026-27.
How Judicio approaches EU AI Act readiness
Judicio is built to make the deployer's job straightforward. Outputs are designed for human oversight — every research answer, review finding, and extracted date is cited to its page and passage so a lawyer can verify before relying, as documented on our methodology page. Your documents and prompts are never used to train AI models, encryption and role-based access with a full audit trail are standard, and EU data residency is available on enterprise plans — with GDPR and UK GDPR listed alongside SOC 2 and ISO/IEC 27001 on our Trust Centre. For European practice specifically, Research connects directly to EUR-Lex and other European sources among its 33 dedicated databases (see our Europe jurisdiction page), and Translation handles the EU's multilingual reality across 100+ languages with layout preserved. Firms advising clients on the Act use the same workspace to run the research — try it with a 7-day free trial, 500 credits, no credit card.
This overview is general information as of mid-2026, not legal advice. The Act's implementing measures continue to evolve — verify the current state of the law before advising or relying on it.
