If you have heard that "the EU AI Act deadline moved," that is true — but it is also the most dangerous half-fact in legal AI right now, because it is being used as a reason to do nothing. Here is what actually changed, what did not, and why the new timeline is an argument for starting now.
What actually changed
In November 2025 the European Commission tabled the Digital Omnibus on AI, a simplification package, and a political agreement was reached in May 2026. It moved several deadlines:
- High-risk (use-case) obligations under Annex III: postponed from 2 August 2026 to 2 December 2027.
- High-risk (product-embedded) obligations under Annex I: postponed to 2 August 2028.
- Transparency/"watermarking" for AI-generated content (Article 50): moved from 2 August 2026 to 2 December 2026.
So the big "August 2026" date that dominated last year's commentary is gone. If your firm's AI plan was built around it, the plan is out of date.
What did NOT change (this is the part firms miss)
- General-purpose AI (GPAI) obligations have been live since 2 August 2025. They were not delayed. The large models most firms actually use sit underneath these rules.
- The prohibited-practices ban and AI-literacy duties (from early 2025) remain in force.
- The penalty architecture is unchanged: up to €35 million or 7% of global turnover for prohibited practices (Art. 99(3)), and up to €15 million or 3% for high-risk non-compliance (Art. 99(4)).
The Act did not get weaker. Its hardest deadline got a longer runway, while the foundational obligations are already operating.
Are law firms actually "high-risk"? Be honest about this
A lot of legal-AI marketing implies every firm is swept into the high-risk regime. That is not accurate, and sophisticated buyers know it. Annex III, point 8 covers AI used in the "administration of justice" — by, or on behalf of, a judicial authority. That targets courts, not ordinary private-practice research or drafting tools.
Where a firm genuinely deploys a high-risk system, Article 26 deployer duties apply: human oversight by a competent person, keeping system logs for at least six months, transparency, and monitoring. And many firms will be caught indirectly — through GPAI transparency obligations, and through EU clients who must understand how their outside counsel use AI.
The honest framing is this: most firms are not in the high-risk category by default, but every firm using AI has live obligations today and a credibility expectation from clients and regulators that it can show how that AI is governed.
Why the runway is the reason to start now
A deadline that moves from 2026 to 2027 feels like permission to wait. It is the opposite, for three reasons.
First, governance is a build, not a purchase. A defensible audit trail, human-oversight records, citation verification, and an inventory of where AI runs in your firm cannot be assembled the week before an inspection. Firms that start in the calm build something real; firms that wait will scramble.
Second, your clients are not waiting. EU in-house teams are already asking outside counsel how they use AI and whether outputs are governed. That is a procurement question now, not a 2027 question. Firms that can answer it win the work.
Third, the UK overlap. UK firms with any EU client exposure face the Act's extraterritorial reach and their own SRA obligations simultaneously. Building one governance layer that satisfies both is far cheaper than retrofitting two.
What "ready" looks like
A firm that is genuinely prepared can show, for its AI use: an inventory of where AI is used and for what; records of human oversight on outputs that matter; verification that cited sources are real and current; data-handling that keeps client and personal data appropriately contained (including where it is hosted); and an audit trail it can produce on request. EU-based clients, in particular, will ask where the data sits — so an EU-hosting or self-hosted option is not a nice-to-have, it is the first question.
How LegalAI Space helps
LegalAI Space is built so governance is the product, not an add-on. Workflows run against an approved plan; citations are re-fetched and verified against source; every step is captured in a signed, tamper-evident audit record; and the platform is designed for EU-hosted and self-hosted/bring-your-own-key deployment so the data-sovereignty question has a clean answer. That gives a firm one governance layer that speaks to both the EU AI Act's live obligations and its SRA duties — built during the runway, not after the deadline.
FAQ
Has the EU AI Act been delayed? Partly. High-risk (Annex III) obligations moved to 2 December 2027 and content-watermarking to 2 December 2026 under the Digital Omnibus. GPAI obligations have been live since 2 August 2025 and were not delayed.
Are law firms classified as high-risk under the EU AI Act? Generally no. Annex III point 8 targets the administration of justice by judicial authorities, not ordinary private-practice tools. Firms deploying a high-risk system take on Article 26 deployer duties, and GPAI transparency duties apply broadly.
Do UK firms need to comply with the EU AI Act? If your AI's output is used in the EU, or you serve EU clients, the Act can reach you extraterritorially, alongside your SRA obligations. One governance layer can address both.
What are the penalties? Up to €35M or 7% of global turnover for prohibited practices; up to €15M or 3% for high-risk non-compliance (Article 99).
LegalAI Space is built for EU-hosted, audit-ready AI governance — for what's live today and the 2027 runway. Book a 30-minute pilot call with Daman.