EU AI Act compliance for LegalTech SaaS founders
LegalTech occupies an unusual position in the EU AI Act. Tools used in the administration of justice or by law enforcement sit on Annex III as high-risk. Commercial LegalTech (contract review, document automation, e-discovery for private parties) is largely out of high-risk scope. But Article 50 transparency rules apply across the board, and AI-generated legal output has specific risks beyond the Act itself. The penalty ceiling for high-risk failures is €15M or 3% of global turnover. Most enterprise law firms now require an AI Act attestation before deploying any AI tool, regardless of high-risk classification.
Is your product high-risk under Annex III?
Annex III point 8 covers AI used in the administration of justice and democratic processes. The relevant use cases:
- AI assisting a judicial authority in researching and interpreting facts and the law (research tools used inside courts)
- AI assisting in alternative dispute resolution
- AI for influencing the outcome of elections or referenda
- AI used by law enforcement for assessing the reliability of evidence, profiling, predicting criminal behaviour, polygraph testing
Commercial contract review, e-discovery for private parties, deposition summarisation, contract automation, and standard legal research tools are NOT in Annex III. You are operating a non-high-risk AI system. Your main exposure is Article 50.
If your LegalTech is sold INTO courts, judiciary, ADR providers, or law enforcement, you ARE high-risk and Chapter III applies in full.
Article 50 transparency obligations
Article 50 transparency rules apply to all LegalTech:
Article 50(1): clients or counterparties interacting with your AI (chatbots, AI-drafted communications, AI legal triage) must be told they are interacting with AI.
Article 50(2): AI-generated legal text (contracts, memos, briefs, summaries) must be marked as AI-generated in a machine-readable way. This interacts with bar-association rules in several member states about competence in AI-generated work; check your jurisdiction.
Article 50(4): AI-generated synthetic voices in legal recordings or AI-modified video evidence must be disclosed as artificially generated.
Self-audit checklist before 2 August 2026
Seven checks before 2 August 2026:
- Identify your customers. Are any judicial authorities, ADR providers, or law enforcement agencies? If yes, high-risk applies.
- List every AI feature: contract review, e-discovery, document automation, legal research, drafting assistants, chatbot.
- For each feature, map to Article 50 sub-rules. Most LegalTech features will trigger 50(1) and 50(2).
- If high-risk: build the Article 43 conformity assessment file, document training data (particularly bias in legal text corpora), implement human oversight.
- If not high-risk: focus on Article 50 disclosures. Update product UI to surface AI-generated markers on every drafted output.
- Document training data provenance, particularly any legal text scraped from court archives or commercial legal publishers. Copyright exposure under Article 53 stacks here for fine-tuned models.
- Update terms of service and customer-facing documentation with Article 50 language. Note any bar-association reporting obligations in your jurisdiction.
Penalties and enforcement
Penalty ceilings: €15M or 3% of global turnover for high-risk failures or Article 50 failures, €7.5M or 1% for misinformation. Worked example: a LegalTech with €2M ARR and 20 staff sold to law firms (not courts) faces lower exposure since it is not high-risk; the practical max is €60,000 (3% of €2M) for an Article 50 failure under SME proportionality. The bigger cost is law-firm procurement: magic-circle and top-100 EU firms now require AI Act compliance attestation, and missing it blocks deployment.
Last updated: 2026-05-28