Are you confident that your legal team is ready to navigate the complex demands of the EU AI Act? Since August 2024, this groundbreaking regulation has established clear rules for the use of artificial intelligence, striking a balance between innovation and the protection of fundamental rights and societal values. The law focuses not on the technology itself but on the level of risk involved: the higher the risk posed by an AI system, the stricter the legal obligations. For law firms and legal departments, accurately classifying AI systems into one of four risk categories is essential and serves as the crucial first step toward effective and compliant AI governance. Each category carries specific requirements that must be understood and implemented to stay ahead.
AI applications that seriously infringe on rights or have such manipulative effects are prohibited from the outset (Art. 5 EU AI Act).These include social scoring systems, real-time biometric surveillance in public spaces, and AI techniques that influence people without their knowledge. Any development or import of such systems is illegal because they violate fundamental rights. It is therefore important for law firms not only to avoid such AI applications themselves, but also to point out the risks in their client work in a timely manner.
AI systems whose malfunctions can have serious implications for important fundamental rights are only permitted if they comply with legal requirements (Articles 6 to 29 and Annex III). Examples of this can be found in human resources (applicant selection), education (exam assessments), healthcare (diagnostic software), finance (credit checks), and the justice system (risk analyses in the prison system). Extensive obligations apply with ongoing risk management and quality assurance systems (traceability, quality, and transparency of data sets). Human oversight, cybersecurity, and EU database registration are mandatory. This presents a dual challenge for legal departments and law firms, as they must both review their own use of AI tools and take responsibility as advisors to their clients.
This includes chatbots (advisory tools on websites) and deepfakes (synthetic voice generation). Transparency requirements apply to systems that interact with users or generate content without making binding decisions on their own (Art. 50 AI Act). Users must be informed that they are interacting with AI. For law firms that use such interactive systems, e.g., in client contact, this is an obligation to clearly label and explain them so that there is no confusion with human advice.
Applications that pose little risk, such as spam filters or simple spell checkers, may be used freely without registration or documentation. Law firms benefit by using low-risk automation to increase efficiency. Smaller law firms in particular, which cannot implement complex compliance processes, thus find pragmatic access to the technology.
Risk classification is the starting point for compliance. It determines whether an AI system may be used at all and which legal obligations apply. An unclear or missing classification can therefore have far-reaching consequences:
Particularly for legal departments, risk classification is indispensable: it forms the basis for integration into existing compliance programs, feeds directly into supplier and partner contracts, and is critical for internal risk reporting to management and supervisory boards. In addition, legal departments play a central role as a bridge between technology and regulation and bear responsibility for preventing liability and reputational risks. Those who underestimate classification risk fines, liability issues, reputational damage, and compliance gaps – for law firms, legal departments, and clients alike. Those who address it systematically now minimize risks and lay the foundation for responsible AI use. Don’t jeopardize legal certainty, the quality of your advisory services, and your market position.
Accurate classification is key to legal certainty when working with AI. Only by understanding the risks and categories of AI systems can you effectively minimize risks and ensure compliance. Legal departments and law firms that start familiarizing themselves with classification now and take proactive steps will not only secure compliance but also gain a competitive advantage in this fast-evolving field. Begin today by mapping your AI systems and using digital tools to stay organized. Turn AI compliance from a challenge into a strategic opportunity.
________________________________________________________________________________________________________________________________
More about the impact of the EU AI Act: Our blog series at a glance (coming soon):
Download our free checklist and check whether your systems meet the requirements.