Regulation (EU) 2024/1689, known as the AI Act, entered into force on August 1, 2024, and represents the world's first comprehensive regulatory framework for artificial intelligence. Built on a risk-based approach, it imposes differentiated obligations on providers, deployers, importers, and distributors, with sanctions reaching up to €35 million or 7% of global annual turnover. The provisional agreement on the Digital Omnibus, reached on May 7, 2026 and confirmed by the European Parliament on June 16, 2026, has revised certain key deadlines without altering the substantive architecture of the Regulation. This article provides a practical guide to the obligations, risks, and documentation requirements that law firms and their clients need to understand.
1. The Risk Framework: The Regulatory Pyramid
The AI Act classifies artificial intelligence systems into four risk tiers, each with a distinct legal regime. From the prohibited tier at the top to minimal risk at the base, the compliance burden decreases progressively while the range of affected organisations broadens.
2. The Application Timeline (Updated: Digital Omnibus 2026)
The AI Act does not apply all at once: its provisions enter into force in progressive waves, calibrated to the severity of risk. The Digital Omnibus — a provisional agreement reached on May 7, 2026 between the EU Council and the European Parliament, confirmed in plenary on June 16, 2026 — has postponed deadlines for high-risk systems without modifying the substantive content of the obligations.
Practical note for law firms: The Digital Omnibus deferral is not a regulatory amnesty. AI Literacy obligations (Art. 4), bans on prohibited practices (Art. 5), and transparency rules for chatbots and AI-generated content are already fully operative. The time gained should be invested in preparing the technical file — not in delay.
3. Obligations by Risk Category: Reference Table
The following table, compiled from the text of Regulation (EU) 2024/1689, summarises the main obligations by risk tier and by role (provider or deployer). It is a first-orientation operational tool and does not replace specialist legal advice.
| Tier | Use Case Examples | Key Obligations (Provider) | Obligations (Deployer) | Deadline |
|---|---|---|---|---|
| ⛔ Unacceptable | Social scoring, subliminal manipulation, real-time biometric ID in public spaces (with exceptions) | Absolute ban on placing the system on the market | Absolute ban on use | From 2.2.2025 |
| 🔴 High Risk | CV screening, credit scoring, critical infrastructure, student assessment, biometrics | Technical documentation (Art. 11), risk management (Art. 9), data governance (Art. 10), EU registration (Art. 49), CE marking, human oversight (Art. 14) | Compliant use per instructions, FRIA (Art. 27), operational monitoring, incident reporting | 2.12.2027 (Annex III) · 2.8.2028 (Annex I) |
| 🟡 Limited | Chatbots, virtual assistants, AI-generated content (text, images, video, audio) | Disclose AI interaction to users (Art. 50), watermarking of synthetic content by Dec 2026 | Disclosure to end users, labelling of deepfakes and AI-generated texts on matters of public interest | From 2.8.2026 · Watermarking: 2.12.2026 |
| 🟢 Minimal | Spam filters, AI video games, generic productivity tools, content recommendation engines | No specific obligations (voluntary codes of conduct, Art. 69) | AI Literacy mandatory for staff (Art. 4 — already in force) | AI Literacy: already in force |
| 🔵 GPAI | ChatGPT, Gemini, Claude, Copilot, Llama (general-purpose AI models) | Technical documentation, copyright transparency, training data summary, systemic risk assessment if FLOP ≥ 10²⁵ | Transparency obligations toward users (as deployer of the GPAI model) | From 2.8.2025 |
4. Technical Documentation: The Core of Compliance
Article 11 of the Regulation requires that technical documentation for a high-risk AI system be prepared before the system is placed on the market and kept continuously up to date. The minimum content is set out in Annex IV and covers elements that law firms and their clients must master in order to structure the compliance file correctly.
5. Providers and Deployers: Distinct Obligations, Shared Accountability
One of the most critical distinctions in the AI Act concerns the qualification of the obligated party. A law firm that integrates third-party AI tools into its workflows is, in almost all cases, a deployer — with its own autonomous set of obligations separate from those of the system manufacturer.
| Criterion | Provider (Manufacturer) | Deployer (User) |
|---|---|---|
| Definition | Develops and places the AI system on the market under its own name or brand | Uses the AI system under its own authority in a professional context |
| Documentation | Technical file (Annex IV), EU declaration of conformity, EU database registration | Usage logs, FRIA (if public authority or financial/insurance scoring), instructions for use |
| Risk of becoming a Provider | N/A | A deployer that affixes its own brand or substantially modifies the system becomes a Provider in all respects (Art. 25) |
| AI Literacy | Must ensure adequate training for staff interacting with AI (Art. 4) | Identical obligation (Art. 4) — already in force. Absence is treated as an aggravating factor |
| Human oversight | Must design the system to allow effective human oversight (Art. 14) | Must ensure that competent persons actually exercise oversight (Art. 26) |
6. The Sanctions Regime: A Three-Tier System
Article 99 of the Regulation structures sanctions into three graduated bands, proportionate to the severity of the infringement. For SMEs and start-ups, the proportionality principle applies: the sanction imposed is the lower of the absolute amounts and the turnover percentages.
| Band | Infringement | Maximum Sanction | Legal Reference |
|---|---|---|---|
| Band I — Maximum | Use of prohibited AI practices (social scoring, manipulation, unlawful biometric ID) | € 35,000,000 or 7% of global annual turnover | Art. 99 §3 · Art. 5 |
| Band II — High | Breach of high-risk system obligations (documentation, data governance, transparency), GPAI obligations | € 15,000,000 or 3% of global annual turnover | Art. 99 §4 |
| Band III — Base | Supplying false, incomplete, or misleading information to competent authorities or notified bodies | € 7,500,000 or 1% of global annual turnover | Art. 99 §5 |
7. Operational Checklist: What to Do Now
The deferral of high-risk system deadlines does not remove the need to begin the compliance journey immediately. The actions listed below are independent of the calendar and form the foundation of any AI governance strategy for a law firm or the clients it advises.
| # | Action | Urgency | Reference |
|---|---|---|---|
| 01 | AI Systems Inventory — Map all AI systems in use (proprietary or third-party) | IMMEDIATE | Art. 26 · Art. 49 |
| 02 | Risk Classification — Verify whether systems fall under Annex III or Annex I | IMMEDIATE | Art. 6 · Annex III |
| 03 | AI Literacy — Launch a documented training programme for all staff interacting with AI | ALREADY IN FORCE | Art. 4 |
| 04 | Prohibited Practices Check — Categorically exclude the use of systems classified as unacceptable risk | ALREADY IN FORCE | Art. 5 |
| 05 | Technical File — Begin preparing the file for high-risk systems now (do not wait until 2027) | BY END 2025 | Art. 11 · Annex IV |
| 06 | AI Content Watermarking — Ensure AI-generated content is identifiable by December 2026 | DEC 2026 | Art. 50 §2 |
| 07 | Internal AI Governance Policy — Adopt a company policy governing the use of AI tools | HIGH PRIORITY | Art. 26 · GDPR |
| 08 | GDPR Coordination — Verify synergies between AI Act obligations and GDPR (esp. Art. 10 and FRIA/DPIA) | HIGH PRIORITY | Art. 27 · GDPR |
8. Conclusions: Compliance as Competitive Advantage
The AI Act is not merely a set of bureaucratic constraints: it is the regulatory framework within which the competitiveness of law firms and businesses will be determined over the coming years. The Digital Omnibus has shifted certain deadlines, but it has not altered the direction of travel. Organisations that use this time to structure their AI governance — mapping systems in use, training staff, preparing the technical file and aligning obligations with the GDPR — will reach 2027 with a significant advantage over those who have treated the deferral as authorisation to delay.
For law firms, AI Act compliance is also a strategic positioning opportunity: clients seeking advice on AI governance look for counterparts who have already gained direct, practical experience in the field. Being compliant — and being able to demonstrate it — is the most compelling professional credential available.
Transparency notice: This article has been prepared on the basis of Regulation (EU) 2024/1689 (official EUR-Lex text), the provisional Digital Omnibus agreement of May 7, 2026 (confirmed by the European Parliament on June 16, 2026), and verified specialist legal sources. The information reflects the regulatory position as of July 2026. For specific compliance matters, specialist legal advice is essential.
