OrdoLux

15 Dec 2025 · Risk & Governance

The EU AI Act and UK Law Firms: A Practical 2025 Playbook

Photo: Risk & Governance and legal AI for UK solicitors – The EU AI Act and UK Law Firms: A Practical 2025 Playbook.

What the EU AI Act means in practice for UK law firms that use AI tools inside and outside the EU, and how to prepare sensible policies, inventories and contracts.

The EU AI Act is finally real legislation rather than a moving target. Many UK firms assume it is “someone else’s problem” – either because they are not based in the EU or because they think their vendors will take care of compliance.

In practice, the Act will touch a lot of the tools UK firms already use, particularly where:

  • clients or counterparties are in the EU;
  • staff use AI tools hosted in EU data centres; or
  • vendors market their products into the EU legal sector.

This article gives a practical 2025 playbook for UK firms. It is not a full commentary on the Act. Instead, it focuses on what a sensible firm can do over the next 6–18 months.

1. Understand the basic structure in plain English

The AI Act:

  • defines what counts as an “AI system”;
  • classifies use cases by risk (unacceptable, high, limited, minimal); and
  • imposes obligations on providers, importers, distributors and users (called “deployers”).

For most UK law firms, the key point is that you are normally a user / deployer, not a system provider. Your responsibilities are about how you choose and use tools, rather than building models from scratch.

In broad terms:

  • “High-risk” systems (such as those used in certain credit, employment or law-enforcement contexts) come with detailed requirements.
  • “Limited” and “minimal” risk systems need transparency and common-sense governance.

Many legal use cases – drafting, research, internal knowledge tools – are likely to sit in the limited or minimal categories, but each deployment still needs thought.

2. Map where EU AI Act exposure might arise

Start with a simple AI inventory, covering:

  • the tools your firm uses that incorporate AI (including features inside existing products);
  • what each tool is used for (research, drafting, document review, marketing, HR, etc.);
  • where the vendor and main data centres are located; and
  • whether the tool is used in relation to EU clients, matters or data subjects.

You can usually get the last two points from vendor documentation, DPAs and sales material.

Flag as higher priority:

  • anything used in HR or recruitment processes involving EU candidates;
  • tools that profile individuals or help make decisions about them; and
  • services clearly marketed as “high‑risk” under the Act.

3. Clarify roles with your vendors

The AI Act distinguishes between:

  • providers – those who develop and place AI systems on the market; and
  • deployers – those who use them in their own activities.

Most law firms will be deployers. In contractual terms, that means you should:

  • check whether your vendor claims compliance with the AI Act for relevant modules;
  • understand what information, logs or documentation they will make available; and
  • ensure your contracts do not leave you with impossible obligations (for example, promising controls that depend on vendor features that do not exist).

It is worth folding a short AI Act section into your vendor due diligence checklist alongside GDPR, security and uptime.

4. Update your internal governance

Even where the AI Act does not apply directly, it nudges firms towards better governance which is useful in any event.

A proportionate approach might involve:

  • a short AI use policy that references high‑level regulatory expectations (SRA, ICO and, where relevant, the EU AI Act);
  • an approval pathway for new AI tools, including privacy and security checks; and
  • an AI register recording key information:
    • what the tool does;
    • where data goes;
    • main risks; and
    • who owns it internally.

For higher‑risk use cases – for example, tools that help evaluate individuals – you may want to record a structured risk assessment that looks much like a DPIA, supplemented with AI‑specific questions.

5. Pay particular attention to transparency

One of the themes of the AI Act is that people should know when they are dealing with an AI system.

For UK firms this feeds into:

  • how you describe your use of AI in client care documentation;
  • how you explain AI‑assisted processes in privacy notices; and
  • when you tell individuals that profiling or automated assessment tools are in play.

Even where you are not legally required to make a specific disclosure, being transparent avoids uncomfortable conversations later.

6. Coordinate AI Act work with UK regulatory expectations

The EU AI Act does not replace:

  • UK GDPR
  • the SRA Principles and Codes
  • sectoral rules on financial crime, consumer protection or employment

Instead, it sits alongside them. When planning your response, it is useful to:

  • fold AI Act thinking into your existing data protection and risk frameworks;
  • check that your AI inventory aligns with your records of processing; and
  • ensure that your approach to ethics, supervision and duty to the court remains front and centre.

The safer route is to treat AI Act work as part of a broader AI governance programme, not an isolated compliance project.

7. A phased plan for the next 12–18 months

A realistic plan for a small or mid‑sized UK firm might look like:

  1. 3 months – complete an AI inventory; tidy up your internal AI policy; identify obviously higher‑risk tools.
  2. 6–9 months – refresh vendor due diligence questionnaires; update client‑facing documents; formalise an AI register.
  3. 12–18 months – perform deeper assessments on any tools that look close to high‑risk territory; document governance decisions and mitigations.

None of this requires a large project team, but it does require someone to own the work and report periodically to partners or the risk committee.

Where OrdoLux fits

OrdoLux is being developed on the assumption that firms will need:

  • a clear view of where AI is used inside case management;
  • sensible controls over which models and providers are available; and
  • an audit trail to demonstrate how AI was used on particular matters.

The goal is to make it easier for firms to show that their AI use is deliberate, documented and proportionate, whether the questions come from clients, regulators or internal stakeholders.

This article is general information for practitioners — not legal advice.

Looking for legal case management software?

OrdoLux is legal case management software for UK solicitors, designed to make matter management, documents, time recording and AI assistance feel like one joined‑up system. Learn more on the OrdoLux website.

Further reading

← Back to the blog

Explore related guides