OrdoLux

· Risk & Governance

The EU AI Act and UK Law Firms: A Practical 2025 Playbook

UK law firm reviewing EU AI Act compliance requirements

The EU AI Act affects UK firms using AI tools with European clients or systems. Here's what you actually need to do — policies, supplier checks and risk inventories explained.

The EU AI Act is finally real legislation rather than a moving target. Many UK firms assume it is “someone else’s problem” – either because they are not based in the EU or because they think their vendors will take care of compliance.

In practice, the Act will touch a lot of the tools UK firms already use, particularly where:

  • clients or counterparties are in the EU;
  • staff use AI tools hosted in EU data centres; or
  • vendors market their products into the EU legal sector.

This article gives a practical 2025 playbook for UK firms. It is not a full commentary on the Act. Instead, it focuses on what a sensible firm can do over the next 6–18 months.

1. Understand the basic structure in plain English

The AI Act:

  • defines what counts as an “AI system”;
  • classifies use cases by risk (unacceptable, high, limited, minimal); and
  • imposes obligations on providers, importers, distributors and users (called “deployers”).

For most UK law firms, the key point is that you are normally a user / deployer, not a system provider. Your responsibilities are about how you choose and use tools, rather than building models from scratch.

In broad terms:

  • “High-risk” systems (such as those used in certain credit, employment or law-enforcement contexts) come with detailed requirements.
  • “Limited” and “minimal” risk systems need transparency and common-sense governance.

Many legal use cases – drafting, research, internal knowledge tools – are likely to sit in the limited or minimal categories, but each deployment still needs thought.

2. Map where EU AI Act exposure might arise

Start with a simple AI inventory, covering:

  • the tools your firm uses that incorporate AI (including features inside existing products);
  • what each tool is used for (research, drafting, document review, marketing, HR, etc.);
  • where the vendor and main data centres are located; and
  • whether the tool is used in relation to EU clients, matters or data subjects.

You can usually get the last two points from vendor documentation, DPAs and sales material.

Flag as higher priority:

  • anything used in HR or recruitment processes involving EU candidates;
  • tools that profile individuals or help make decisions about them; and
  • services clearly marketed as “high‑risk” under the Act.

3. Clarify roles with your vendors

The AI Act distinguishes between:

  • providers – those who develop and place AI systems on the market; and
  • deployers – those who use them in their own activities.

Most law firms will be deployers. In contractual terms, that means you should:

  • check whether your vendor claims compliance with the AI Act for relevant modules;
  • understand what information, logs or documentation they will make available; and
  • ensure your contracts do not leave you with impossible obligations (for example, promising controls that depend on vendor features that do not exist).

It is worth folding a short AI Act section into your vendor due diligence checklist alongside GDPR, security and uptime.

4. Update your internal governance

Even where the AI Act does not apply directly, it nudges firms towards better governance which is useful in any event.

A proportionate approach might involve:

  • a short AI use policy that references high‑level regulatory expectations (SRA, ICO and, where relevant, the EU AI Act);
  • an approval pathway for new AI tools, including privacy and security checks; and
  • an AI register recording key information:
    • what the tool does;
    • where data goes;
    • main risks; and
    • who owns it internally.

For higher‑risk use cases – for example, tools that help evaluate individuals – you may want to record a structured risk assessment that looks much like a DPIA, supplemented with AI‑specific questions.

5. Pay particular attention to transparency

One of the themes of the AI Act is that people should know when they are dealing with an AI system.

For UK firms this feeds into:

  • how you describe your use of AI in client care documentation;
  • how you explain AI‑assisted processes in privacy notices; and
  • when you tell individuals that profiling or automated assessment tools are in play.

Even where you are not legally required to make a specific disclosure, being transparent avoids uncomfortable conversations later.

6. Coordinate AI Act work with UK regulatory expectations

The EU AI Act does not replace:

  • UK GDPR
  • the SRA Principles and Codes
  • sectoral rules on financial crime, consumer protection or employment

Instead, it sits alongside them. When planning your response, it is useful to:

  • fold AI Act thinking into your existing data protection and risk frameworks;
  • check that your AI inventory aligns with your records of processing; and
  • ensure that your approach to ethics, supervision and duty to the court remains front and centre.

The safer route is to treat AI Act work as part of a broader AI governance programme, not an isolated compliance project.

7. A phased plan for the next 12–18 months

A realistic plan for a small or mid‑sized UK firm might look like:

  1. 3 months – complete an AI inventory; tidy up your internal AI policy; identify obviously higher‑risk tools.
  2. 6–9 months – refresh vendor due diligence questionnaires; update client‑facing documents; formalise an AI register.
  3. 12–18 months – perform deeper assessments on any tools that look close to high‑risk territory; document governance decisions and mitigations.

None of this requires a large project team, but it does require someone to own the work and report periodically to partners or the risk committee.

OrdoLux is legal case management software built for UK solicitors, with AI tools integrated directly into the matter workspace.

Where OrdoLux fits

OrdoLux is a legal case management platform for UK solicitors. It includes a built-in AI legal research tool for case law and legislation research, with citations for human verification.

The platform handles matter management, time recording (via keyboard, automatic Outlook email capture, and WhatsApp), document storage with SharePoint, billing, KYC via Checkboard, Stripe payments, and electronic signatures — all in one place.

See all features or book a demo.

Limited offer

6 months free — founding firm access

We're inviting a small number of UK law firms to join OrdoLux as founding customers. Full platform access, completely free for 6 months. No credit card. No catch. When we have enough firms on board, this offer closes.

Apply for founding access →

Try OrdoLux — legal case management software built for UK solicitors

Matter management, time capture, billing and AI tools in one platform. Rolling monthly, no lock-in, £50 + VAT per fee earner.

Book a free demo Learn more

← Back to the blog

Explore related guides