The EU AI Act classifies numerous AI systems in law firms and financial companies as high-risk. What does this mean for compliance, risk management, and transparency obligations? An overview of requirements and the timeline through August 2026.
Table of Contents
- Artificial Intelligence Under the Regulatory Spotlight
- The AI Act's Classification System
- Which AI Systems Are Classified as High-Risk?
- Credit Scoring and Insurance (Annex III No. 5b)
- Employment and Human Resources Management (Annex III No. 4)
- Access to Essential Public and Private Services (Annex III No. 5a)
- Law Enforcement and Administration of Justice (Annex III Nos. 6 and 8)
- Obligations for Providers and Deployers of High-Risk AI
- Risk Management (Art. 9)
- Transparency and Information (Art. 13, 50)
- Human Oversight (Art. 14)
- Data Quality (Art. 10)
- AI Literacy (Art. 4)
- BaFin as Supervisory Authority for the Financial Sector
- The German Implementation Act: KI-MIG
- Timeline: When Does It Get Serious?
- Penalties: What Are the Consequences of Non-Compliance?
- Practical Steps for Law Firms and Financial Companies
- Conclusion: Seeing Regulation as an Opportunity
Artificial Intelligence Under the Regulatory Spotlight
Artificial intelligence has long permeated the daily work of law firms and financial companies: contract review, creditworthiness analysis, automated legal research, risk assessments in the insurance industry. What many decision-makers underestimate, however, is the regulatory framework that the European Union has established with Regulation (EU) 2024/1689 – the so-called AI Act. This regulation entered into force on 1 August 2024 and takes full effect in stages through August 2026.
For law firms and financial service providers, one central question arises: Which of the AI systems they use fall into the high-risk category – and what obligations result from this classification? This article provides a practice-oriented overview.
The AI Act's Classification System
The AI Act pursues a risk-based approach. AI systems are classified into four risk levels:
- Unacceptable risk (Art. 5): Completely prohibited practices, such as social scoring or subliminal manipulation
- High risk (Art. 6 in conjunction with Annex III): Systems with significant potential to endanger fundamental rights, health, or safety
- Limited risk: Systems with transparency obligations (e.g., chatbots that must identify themselves as AI)
- Minimal risk: Freely usable systems without special requirements
For practice in law firms and financial companies, it is primarily the second category that is relevant: high-risk AI systems.
Which AI Systems Are Classified as High-Risk?
Annex III of the AI Regulation lists eight areas in which AI systems are classified as high-risk. The following categories are particularly relevant for the financial sector and legal advisory professions:
Credit Scoring and Insurance (Annex III No. 5b)
AI systems used for assessing the creditworthiness of natural persons or for risk assessment and pricing in life and health insurance are classified as high-risk. This affects banks, insurers, and FinTech companies equally.
Employment and Human Resources Management (Annex III No. 4)
AI-supported recruiting, automated performance evaluation, and algorithmic promotion decisions also fall into the high-risk category. This concerns every law firm and financial company that uses corresponding tools in human resources.
Access to Essential Public and Private Services (Annex III No. 5a)
This includes AI systems that decide on access to basic services – including certain financial services.
Law Enforcement and Administration of Justice (Annex III Nos. 6 and 8)
Particularly relevant for law firms: AI systems used in the administration of justice and democratic processes. When AI tools are used to support judicial decision-making or for legal research with a decision-support function, they may fall under the high-risk category.
Obligations for Providers and Deployers of High-Risk AI
The AI Regulation distinguishes between providers and deployers of AI systems. Law firms and financial companies are typically deployers – yet significant obligations apply to them as well:
Risk Management (Art. 9)
Deployers must establish a risk management system covering the entire lifecycle of the AI system. Risks must be identified, assessed, and mitigated through appropriate measures.
Transparency and Information (Art. 13, 50)
Individuals affected by high-risk AI decisions must be informed. For law firms, this means: if an AI system is used in client matters, clients must be notified. In the financial sector, this applies, for example, to automated credit decisions.
Human Oversight (Art. 14)
High-risk AI systems must be designed to ensure effective human oversight. Humans must be able to understand, review, and, if necessary, correct AI decisions. The German Federal Bar Association (Bundesrechtsanwaltskammer, BRAK) emphasised in its guide to AI use in law firms that the lawyer's own professional responsibility must not be undermined by AI use.
Data Quality (Art. 10)
Training, validation, and test data must meet certain quality requirements. In particular, biases must be identified and addressed – a point that is especially critical in creditworthiness assessments.
AI Literacy (Art. 4)
Since 2 February 2025, all providers and deployers of AI systems must ensure that their personnel have sufficient AI literacy. Haufe points out that this requires training concepts tailored to different target groups.
BaFin as Supervisory Authority for the Financial Sector
The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) published guidance in December 2025 on ICT risks in the use of AI. The guidance addresses the risks associated with using AI in regulated financial companies and clarifies the supervisory authority's expectations.
Key points of the BaFin guidance:
- Explainability: AI models must be as comprehensible as possible
- Bias control: Systematic distortions must be identified and addressed
- Governance: Clear responsibilities for AI use must be defined
- Outsourcing risks: When using external AI services, the usual supervisory requirements for outsourcing apply
BaFin will very likely serve as the market surveillance authority for high-risk AI systems in the financial sector.
The German Implementation Act: KI-MIG
Germany approved the draft of the AI Market Surveillance and Innovation Promotion Act (KI-MIG) on 11 February 2026. This law transposes the European AI Regulation's requirements into German law and establishes national supervisory structures. The Federal Network Agency (Bundesnetzagentur) is designated as the central coordination and competence centre.
Timeline: When Does It Get Serious?
Implementation of the AI Act occurs in stages:
| Date | Milestone |
|---|---|
| 1 August 2024 | Entry into force of the Regulation |
| 2 February 2025 | Prohibited AI practices (Art. 5) and AI literacy obligation (Art. 4) |
| 2 August 2025 | Obligations for general-purpose AI models (GPAI) |
| 2 February 2026 | EU Commission publishes guidelines on high-risk classification |
| 2 August 2026 | Full application of high-risk requirements (Annex III) |
This means: from August 2026, all companies that deploy or provide high-risk AI systems must meet the full compliance requirements. Preparation time is already running short.
Penalties: What Are the Consequences of Non-Compliance?
The AI Act provides for significant fines:
- Up to EUR 35 million or 7% of global annual turnover for prohibited AI practices
- Up to EUR 15 million or 3% of annual turnover for violations of high-risk obligations
- Up to EUR 7.5 million or 1% of annual turnover for providing incorrect information to authorities
For law firms and mid-sized financial service providers, these amounts can be existentially threatening.
Practical Steps for Law Firms and Financial Companies
Given the approaching deadline in August 2026, the following measures are recommended:
1. Conduct an inventory: Identify all AI systems in your organisation – from contract review software and chatbots to scoring models. Check against Art. 6 and Annex III whether these are classified as high-risk.
2. Build risk management: Establish a documented risk management system for all high-risk AI applications. This includes risk assessment, mitigation measures, and regular reviews.
3. Implement transparency processes: Ensure that affected individuals – clients, customers, employees – are informed about the use of AI.
4. Train AI literacy: Develop training concepts for all employees working with AI systems. This obligation has been in effect since February 2025.
5. Audit suppliers: If you use AI systems from third-party providers, ensure they meet AI Act requirements. Request appropriate conformity declarations and technical documentation.
6. Create governance structures: Designate those responsible for AI use in your organisation and establish clear processes for monitoring and documentation.
Conclusion: Seeing Regulation as an Opportunity
The EU AI Act presents law firms and financial companies with significant compliance challenges. But those who take regulation seriously early on can use it as a competitive advantage: clients and customers trust companies that can demonstrate responsible AI use. The structured examination of AI risks also strengthens internal governance and the quality of one's own services.
At compleneo, we support you in implementing the AI Regulation in your law firm or financial company – from inventory through risk assessment to implementing the required compliance structures. Get in touch with us.