EU AI ACT: Deadline: 2 August 2026
Why the EU AI Act forces every law firm to act
On 2 August 2026, the last major grace period of the EU Artificial Intelligence Act expires. What has so far been discussed in white papers and compliance workshops will become law – with fines of up to 15 million euros or three percent of global annual turnover. For law firms and tax advisory practices that deploy or plan to deploy AI agents, this marks a regulatory moment of truth for which the vast majority of the industry is still unprepared. A stocktake.
| 2. August 2026 | €15 million | 70 % |
| HIGH-RISK OBLIGATIONS DEADLINE Art. 113 AI Act | MAXIMUM FINE or 3% of annual turnover | OFFICE TASKS AUTOMATABLE WEF, cited by DStV |
What actually happens on 2 August 2026
The AI Act entered into force on 1 August 2024, but the European legislator built in a staggered transition period to give businesses time to adapt. In February 2025, the prohibited practices took effect first – such as social scoring or certain forms of emotion recognition in the workplace. In August 2025, the transparency obligations for general-purpose AI models like GPT, Claude or Gemini followed. 2 August 2026 is the next and by far the most consequential step: from that date, Articles 8 to 15 of the Regulation become fully enforceable. They govern risk management, technical documentation, logging and human oversight for so-called high-risk AI systems.
What many practitioners underestimate: the obligations are not directed solely at the manufacturers of the models but also at the organisations that deploy them. As soon as a law firm integrates an AI agent into its client processes, it becomes, from a regulatory perspective, the operator of an AI system – with all the associated documentation and oversight obligations.
Who is affected – and in which risk class
The Regulation classifies AI systems not by technology but by use case and impact. For law firms and tax advisory practices, this creates two distinct sets of obligations that are frequently confused. The specialist publisher Haufe clarifies: conventional office tools such as chatbots, generative text models or extraction software are generally classified as low-risk systems. From 2 August 2026, these are primarily subject to the transparency and labelling obligations under Article 50 of the Regulation – AI-generated text, images, audio and video content must be marked accordingly. An exemption applies where content has been editorially reviewed by a human before use; in that case, the labelling obligation does not apply.
The situation changes as soon as an AI system falls within one of the eight high-risk areas listed in Annex III. Particularly relevant for the advisory industry is point 8(a): it covers systems intended to “assist a judicial authority in researching and interpreting facts and the law and in applying the law to a concrete set of facts” or used comparably in alternative dispute resolution. Point 5(b) – creditworthiness assessment of natural persons – may also apply when an agent automatically evaluates the credit standing of clients or their business partners.
“Due to their highly autonomous, goal-driven nature, agentic AI systems inherently exhibit an elevated risk profile.”
— CMS Law, Analysis “Agentic AI, Risk and Compliance Under the EU AI Act”
The international law firm CMS explicitly warns in its analysis that the autonomy of agentic systems makes compliance with transparency and oversight obligations particularly challenging. As soon as an agent independently searches client files, calculates deadlines and prepares briefs, the assessment shifts rapidly – at the latest when it is also used in judicial or regulatory contexts. Many firms have crossed precisely this threshold in the past year without realising it.
The four pillars of compliance
Any organisation operating high-risk AI within the meaning of the Regulation must fulfil four specific obligations. They may appear technical at first glance – in practice, they reshape the architecture of every seriously deployed AI agent.
| Legal basis | Obligation | What matters |
| Article 9 | Continuous risk management | Ongoing, iterative process across the entire lifecycle, including reasonably foreseeable misuse. |
| Article 11 + Annex IV | Technical documentation | Complete file before deployment: description, training data, design decisions, validation, accuracy and robustness metrics. |
| Article 12 | Automatic logging | Audit-proof recording of events over the system’s lifetime – more than the standard debug logs of today’s frameworks. |
| Article 14 | Effective human oversight | Natural persons must understand the system, know its limitations and be able to stop it at any time – a tension inherent in high autonomy. |
The logging obligation under Article 12 is particularly demanding. Standard debug logs from today’s agent frameworks – such as LangChain, CrewAI or the Microsoft Agent Framework – were built for developers, not for regulators. What is required is an audit-proof, long-term audit trail that makes every decision of the agent traceable. Those who do not build this into the architecture from the start will end up building twice.
The Bundesnetzagentur, KI-MIG and the German approach
While Brussels sets the framework, Berlin defines the responsibilities. As early as July 2025, the Bundesnetzagentur opened its AI Service Desk – the central point of contact for companies seeking clarity on their obligations. Federal Digital Minister Karsten Wildberger presented the service at an AI conference in Frankfurt; at its core is the AI Compliance Compass, an interactive tool that allows users to determine in a few steps whether an existing system falls under the Regulation and which risk class it belongs to.
The decisive regulatory step was taken by the German Federal Government on 11 February 2026. On that day, the Federal Cabinet approved the AI Market Surveillance and Innovation Promotion Act, known as KI-MIG. It assigns the Bundesnetzagentur the role of central market surveillance authority for all AI systems not already subject to sector-specific supervision. For law firms, this means: they have a specific point of contact – and in a worst case, a specific auditor.
What the industry itself says
The professional associations of German tax advisory have not left the topic to IT consultants. The German Tax Advisors’ Association (DStV) published, together with digitalisation expert Ahmed Mowafek, the white paper “AI Agents – The Next Evolutionary Step in Law Firm Automation?”. The association draws a clear line between conventional, reactive AI assistants that respond to specific inputs, and a new generation of autonomous AI agents that independently plan tasks, use tools and make decisions within defined guardrails.
The tone is noteworthy: the most conservative profession in the country refers to AI agents as an “evolutionary step” – a term that, in the vocabulary of a professional association, comes close to a recommendation. The accompanying guide includes a self-assessment for orientation, a tool landscape with specific providers such as Dr. Mailo, Candis and Finmatics, as well as a 90-day pilot model. The DStV also references World Economic Forum forecasts according to which a significant share of typical office tasks could be taken over by capable AI by 2030 – an efficiency lever that no law firm should ignore.
What a specialised automation partner can deliver
The four compliance pillars cannot be fulfilled on the side in any law firm. They demand a combination of legal expertise, regulatory experience and the ability to build AI systems that are audit-proof from the architecture up. It is precisely at this intersection that the need arises for specialised automation partners – providers who have been automating high-risk processes in regulated industries for years, combining established platforms such as Microsoft and UiPath with independent compliance frameworks.
FOUR SERVICES THAT MAKE THE DIFFERENCE
Inventory and classify. Structured audit of all deployed AI tools – including shadow IT where employees copy client data into public models. Every system is checked against Annex III and Article 50 and assigned a risk class.
Build compliance by design. Audit trails, human-in-the-loop interfaces, escalation paths and logging are built as part of the architecture – not as a retrofit on top of frameworks designed for developers.
Select platforms carefully. Microsoft, UiPath and specialist providers differ significantly in their regulatory maturity. An experienced partner matches platform strengths to specific use cases – vendor-neutral rather than sales-driven.
Enable, don’t lock in. The result is a running system, trained staff, documented processes and a clear accountability plan. The firm can represent its operations to regulators – without permanent dependence on external consultants.
Over recent months and years, Lunatec has developed expertise specifically tailored to law firms and tax advisory practices. It combines the regulatory logic of the AI Act with the implementation practice of agentic systems – from initial assessment to ongoing audit trail. Those who cannot unite architecture, law and platform knowledge on their own gain a decisive advantage over firms that attempt to tackle 2 August 2026 with internal resources alone.
What needs to happen now
The four and a half months remaining until the deadline are sufficient – provided preparation begins without delay. Three steps have proven robust in practice.
THREE STEPS TO 2 AUGUST 2026
1. Inventory. Complete stocktake of all deployed AI applications – including shadow IT where employees copy client data into public models.
2. Classify. Check every system with the Bundesnetzagentur’s AI Compliance Compass and document the risk class.
3. Operationalise. For every high-risk system, plan out the four compliance pillars, appoint responsible persons and establish an audit-proof audit trail.
Those who begin this preparation in earnest over the coming weeks can treat 2 August 2026 for what it should be: a deadline, not a day of reckoning. Those who wait risk more than a fine. They risk the trust of their clients in the reliability of a profession that has traditionally stood for precisely that.
ABOUT LUNATEC
Lunatec, headquartered in Frankfurt am Main, supports law firms and tax advisory practices, among others, in the adoption of agentic automation. As a UiPath Diamond Partner and Microsoft Partner, we combine technical implementation with regulatory understanding – so that 2 August 2026 remains a deadline and does not become a day of reckoning.
lunatec.de · Frankfurt am Main · Shape the Automated World