EU AI Act: What UK Law Firms with EU Clients Must Know

The EU AI Act is not UK law. But for a significant number of UK law firms, it applies anyway. Understanding which firms are in scope, which obligations apply to them, and how this interacts with the SRA and UK GDPR obligations that apply to every UK firm is now a matter of commercial and regulatory urgency.

Which UK Law Firms Are in Scope of the EU AI Act?

The EU AI Act applies on a market-based rather than location-based principle — similar to GDPR before it. A UK firm is in scope if it meets any of the following conditions:

• The firm places AI systems on the EU market — meaning it makes AI tools available to clients, staff, or third parties located in the EU
• The firm uses AI systems that produce outputs affecting individuals located in EU member states — including EU-based clients receiving AI-assisted legal advice
• The firm has offices, branches, or affiliated entities operating within EU member states
• The firm is a provider or deployer of AI systems used in connection with legal proceedings, enforcement, or the administration of justice affecting EU residents

In practice this means: any UK law firm with EU clients, EU offices, or EU-facing transactional, litigation, or advisory work should treat the EU AI Act as applicable to that portion of its business.

What the EU AI Act Requires — For Deployers

Law firms using AI tools in their practice are classified as deployers under the EU AI Act — not providers. Deployer obligations are less extensive than provider obligations but remain significant. For high-risk AI systems — which may include AI used in legal research, document analysis, or decision-support in legal proceedings — deployers must:

• Conduct a fundamental rights impact assessment before deploying high-risk AI systems — assessing the system's potential impact on individuals' rights
• Implement appropriate human oversight measures — ensuring qualified legal professionals review and take responsibility for AI-assisted outputs
• Ensure staff have adequate AI literacy — Article 4 requires deployers to ensure personnel using AI have sufficient knowledge of its capabilities, limitations, and risks
• Maintain logs of high-risk AI system use — where the system generates logs, these must be maintained for at least six months
• Report serious incidents to the relevant national authority — including malfunctions that cause or risk causing harm to EU residents
• Cooperate with market surveillance authorities on request

Is Legal AI High-Risk Under the EU AI Act?

This is the question every EU-facing UK law firm must answer. The EU AI Act Annex III lists categories of high-risk AI systems. Relevant to law firms:

• Administration of justice and democratic processes (Annex III, point 8): AI systems intended to assist judicial authorities in researching, interpreting, or applying the law — or in predicting legal outcomes — are explicitly classified as high-risk.
• Employment and workers management (Annex III, point 4): AI used in recruitment, performance assessment, or task allocation within the firm may also be in scope.

The August 2026 Deadline — What It Means

Full application of EU AI Act obligations for high-risk AI systems applies from August 2026. For EU-facing UK law firms this means the following must be in place before that date:

• AI system inventory covering all tools used in EU-facing work
• Risk classification of each system against EU AI Act Annex III categories
• Fundamental rights impact assessment for any systems classified as high-risk
• Human oversight protocols documented and implemented
• AI literacy training delivered to all staff using AI systems in EU-facing work
• Provider due diligence — confirming EU AI Act compliance documentation from each AI tool vendor
• Incident reporting pathway established

How This Interacts with SRA and UK GDPR

UK GDPR and SRA obligations apply to every UK law firm regardless of EU exposure. The EU AI Act does not replace these — it adds to them for in-scope firms. The practical implication is that EU-facing firms must satisfy three regulatory regimes simultaneously:

• SRA Code of Conduct — competence, confidentiality, supervision. Applies now. No deadline.
• UK GDPR / ICO — data protection in AI deployments. Applies now. Actively enforced.
• EU AI Act — AI system governance for EU-facing work. Full high-risk obligations from August 2026.

A well-structured AI governance programme addresses all three simultaneously. Firms that build governance frameworks solely around one regime — typically the EU AI Act because it has a visible deadline — while ignoring SRA and UK GDPR are solving the wrong problem first.

Five Actions for EU-Facing UK Law Firms — Now

• Map all AI tools currently in use across your EU-facing practice areas
• Commission a risk classification assessment against EU AI Act Annex III before the August deadline
• Engage your AI tool vendors to obtain EU AI Act compliance documentation — technical documentation (Article 11) and declarations of conformity (Article 47) where applicable
• Implement AI literacy training for all fee earners using AI in EU-facing work — Article 4 obligation
• Appoint an AI Governance Lead with responsibility for both EU AI Act and UK regulatory compliance