Does the EU AI Act apply to my firm if we only have US offices?

Yes, if your AI tools produce outputs used in the EU — meaning if you use AI on matters involving EU clients, EU citizens' rights, or EU-connected transactions. The Act's extraterritorial provisions follow the same logic as GDPR: it's about where the impact occurs, not where your offices are located.

Are Westlaw AI and Lexis+ AI compliant with the EU AI Act?

Both Thomson Reuters and LexisNexis are working toward compliance, but as of early 2026, neither has published comprehensive AI Act conformity documentation for their legal AI tools. The responsibility is split: the vendor (as provider) handles technical compliance, but your firm (as deployer) is responsible for human oversight, transparency, and risk management in how you use the tools. Demand compliance documentation from your vendors now.

What's the difference between a 'provider' and 'deployer' under the AI Act?

A provider develops or commissions an AI system and places it on the market (Thomson Reuters, LexisNexis). A deployer uses an AI system under their authority for professional purposes (your law firm). Both have compliance obligations, but they're different. Deployers are primarily responsible for human oversight, using the system according to instructions, monitoring operations, and maintaining usage logs.

Can we just stop using AI on EU-nexus matters to avoid compliance?

Technically yes, but practically that puts your firm at a competitive disadvantage. Your competitors who achieve compliance will use AI to work faster and more cost-effectively on international matters. The better approach is to implement compliance frameworks that allow continued AI use. Most of the requirements — human oversight, documentation, risk assessment — are practices firms should be doing regardless of regulatory obligation.

How does the EU AI Act interact with existing GDPR obligations?

They're complementary, not redundant. GDPR governs personal data processing — including data used in AI systems. The AI Act governs the AI systems themselves — their risk classification, oversight, and transparency. If your AI tool processes personal data of EU residents on a legal matter, both frameworks apply simultaneously. Firms that already have GDPR compliance infrastructure have a head start, but AI Act compliance requires additional measures beyond data protection.

EU AI Act Us Law Firms

The EU AI Act classifies legal AI systems as "high-risk," and US law firms with European clients face compliance obligations starting August 2, 2026. This isn't a European regulation you can ignore because your offices are in New York or Chicago. Like GDPR before it, the AI Act has extraterritorial reach — if your AI tools process matters involving EU citizens or EU-based entities, the Act applies to you.

The compliance deadline is real, the requirements are specific, and the penalties mirror GDPR: up to 35 million euros or 7% of global annual turnover, whichever is higher. Most US firms with international practices haven't started preparing. The ones that have are discovering that compliance requires changes to how they select, deploy, and monitor every AI tool that touches client work with an EU nexus.

Why Legal AI Is Classified as "High-Risk"

The EU AI Act creates a risk-based classification system. AI systems used in the administration of justice and democratic processes — which includes legal research, document analysis, and case outcome prediction — fall into the high-risk category. This isn't a gray area. Annex III of the Act explicitly lists AI systems used to "assist a judicial authority in researching and interpreting facts and the law and in applying the law to a concrete set of facts."

The classification triggers a comprehensive set of obligations that go far beyond what most US firms currently do with their AI tools. High-risk AI systems require documented risk assessments, human oversight mechanisms, transparency obligations, data governance practices, and ongoing monitoring. These aren't aspirational guidelines — they're legally binding requirements with enforcement mechanisms.

The August 2, 2026 Deadline: What's Required

The AI Act entered into force in August 2024, with a phased implementation schedule. The high-risk provisions — the ones that hit legal AI — become enforceable on August 2, 2026. Here's what compliance requires:

Risk management system. A documented, iterative process for identifying, analyzing, and mitigating risks associated with each AI tool. Not a one-time assessment — an ongoing system that's updated as tools and usage evolve.

Data governance. Training data and input data must meet quality criteria. For law firms, this means understanding what data your AI tools were trained on and ensuring that data you feed into AI tools meets specified standards.

Technical documentation. Detailed records of how each AI system works, its intended purpose, its limitations, and its performance metrics. Your vendor should provide most of this, but you're responsible for documenting how you deploy and use the system.

Human oversight. AI systems must be designed to allow effective human oversight. In practice, this means documented workflows showing that human lawyers review and approve AI outputs before they're used in client matters.

Transparency. Users (your attorneys) must be informed that they're interacting with an AI system, and the system must be sufficiently transparent for them to understand and properly use its outputs.

How Extraterritorial Reach Hits US Firms

The AI Act applies to providers and deployers of AI systems. US law firms are typically "deployers" — they don't build the AI tools, but they deploy them in their practice. The extraterritorial provisions state that the Act applies when "the output produced by the AI system is used in the Union."

This means if your firm uses AI tools to draft documents, conduct research, or analyze matters for clients in EU member states, the Act applies. If your AI-assisted legal analysis affects the rights of EU citizens, the Act applies. If your AI tools process data subject to EU jurisdiction, the Act applies.

The GDPR analogy is instructive. When GDPR took effect in 2018, many US firms initially assumed it didn't apply to them. They were wrong, and the firms that delayed compliance faced costly scrambles when enforcement began. The AI Act follows the same jurisdictional logic, and the penalties are even steeper.

The Compliance Checklist for US Firms

Step 1: Inventory your AI tools. List every AI system used in your firm — not just the obvious ones (Westlaw AI, Lexis+ AI) but also embedded AI features in document management, e-discovery platforms, and practice management software.

Step 2: Map EU-nexus matters. Identify which practice areas and client matters have EU connections — EU-based clients, matters affecting EU citizens' rights, cross-border transactions involving EU entities.

Step 3: Classify risk levels. Determine which AI tools are used on EU-nexus matters and therefore fall under the Act's high-risk requirements.

Step 4: Conduct vendor due diligence. Request AI Act compliance documentation from every vendor whose tools touch EU-nexus work. Major legal tech vendors are preparing compliance packages — demand them.

Step 5: Implement human oversight documentation. Create workflow records showing that AI outputs on EU-nexus matters receive human review before use. This is likely the easiest requirement to meet if you already have verification workflows.

Step 6: Build the risk management system. Document your risk identification, assessment, and mitigation process for each high-risk AI deployment. Update it as tools and usage evolve.

Step 7: Train your attorneys. Everyone working on EU-nexus matters needs to understand the transparency and oversight obligations. Document the training.

What Happens If You Don't Comply

The enforcement framework includes fines up to 35 million euros or 7% of global annual turnover for the most serious violations. National authorities in each EU member state will handle enforcement, which means the specifics will vary by jurisdiction.

But financial penalties aren't the only risk. EU-based clients are going to start asking about AI Act compliance the same way they started asking about GDPR compliance in 2018. For US firms competing for international work, compliance is becoming a business development issue — not just a regulatory one. Firms that can demonstrate AI Act compliance will have an advantage in winning and retaining EU-connected work.

There's also the professional liability angle. If a US firm's AI tool produces defective output on an EU-nexus matter, and the firm can't demonstrate compliance with applicable AI regulations, that non-compliance becomes evidence of negligence in any resulting malpractice claim.

The Bottom Line: The EU AI Act is doing for artificial intelligence what GDPR did for data privacy: creating a compliance framework with global reach that US firms can't ignore. The August 2, 2026 deadline for high-risk AI obligations — which explicitly includes legal AI systems — gives US firms with international practices roughly four months to prepare. The firms that treated GDPR as a European problem learned that lesson expensively. Don't repeat it with the AI Act.

AI-Assisted Research. This piece was researched and written with AI assistance, reviewed and edited by Manu Ayala. For deeper takes and the perspective behind the research, follow me on LinkedIn or email me directly.

Eu Ai Act Us Law Firms

Why Legal AI Is Classified as "High-Risk"

The August 2, 2026 Deadline: What's Required

How Extraterritorial Reach Hits US Firms

The Compliance Checklist for US Firms

What Happens If You Don't Comply

Frequently Asked Questions

Related Across AI Vortex

Need help with AI infrastructure?

Why Legal AI Is Classified as "High-Risk"

The August 2, 2026 Deadline: What's Required

How Extraterritorial Reach Hits US Firms

The Compliance Checklist for US Firms

What Happens If You Don't Comply

Frequently Asked Questions

More from Concepts

Related Across AI Vortex

Need help with AI infrastructure?