EU AI Act revisions expected next week: why your technology stack assessment matters more than ever
The European Commission is set to unveil significant amendments to the EU AI Act on November 19, 2025, as part of its Digital Omnibus package. While these changes aim to simplify compliance and address industry concerns, they underscore a critical reality for law firms: thorough technology stack assessments are no longer optional and they are essential for navigating regulatory uncertainty.
What is changing
In an interview at the Web Summit tech conference in Lisbon on November 11, EU Tech Commissioner Henna Virkkunen confirmed that the proposed amendments will focus on procedural and governance reforms rather than fundamental changes to the Act's objectives. Key proposals include:
- Grace periods for enforcement: Companies deploying high-risk AI systems may receive a one-year extension before fines take effect, potentially pushing full enforcement to August 2027. This reflects pressure from Germany and Denmark, which formally requested delays due to incomplete technical standards.
- Centralized oversight: The EU AI Office's mandate will expand beyond general-purpose AI models to oversee all AI systems based on GPAI and conduct conformity assessments for certain high-risk applications.
- Standards delays: Harmonized technical standards, which are critical for demonstrating compliance, are now expected only by December 2026, well past the original August 2025 target. As Virkkunen stated: "We don't have the technical standards yet, and they need to be ready one year before the next phase".
The Commission has emphasized it remains "very committed to the main principles" of the AI Act, but acknowledges the need to "create legal certainty for our industries" while standards are being finalized.
Why this matters for legal firms
The ongoing revisions highlight a fundamental challenge: compliance requirements are shifting, but obligations remain. For law firms using AI tools for document review, contract analysis, or legal research, this regulatory flux creates both risk and opportunity.
Legal AI is high-risk by definition: Under Annex III.8 of the AI Act, AI systems used for legal interpretation and case application are classified as high-risk, triggering strict documentation, human oversight, and conformity assessment requirements.
Vendor compliance gaps are widespread: Nearly 50 percent of German companies admit they are unprepared for the August 2025 GPAI rollout. Many legal tech vendors lack complete data processing agreements, conformity documentation, or EU-only data residency guarantees, gaps that place liability on the deploying law firm.
Multiple regulations intersect: The AI Act does not replace GDPR, it complements it. Law firms must ensure vendor agreements meet both Article 28 GDPR processor requirements and AI Act deployer obligations, including Fundamental Rights Impact Assessments (FRIA) for high-risk systems.
The case for proactive assessment
While regulatory timelines may shift, the underlying requirements will not disappear. Firms that conduct comprehensive technology stack assessments now position themselves to:
- Identify compliance gaps before enforcement: With standards delayed and grace periods uncertain, documenting your current vendor landscape, data flows, and AI usage provides a baseline for adapting to final requirements.
- Reduce vendor-related liability: A systematic review of vendor contracts, DPAs, and conformity documentation ensures you are not unknowingly deploying non-compliant AI systems. This is particularly critical for tools from non-EU providers.
- Demonstrate professional diligence: As clients become more sophisticated about AI regulation, firms that can articulate their compliance posture gain competitive advantage and client trust.
- Prepare for 2026 enforcement: Even with proposed delays, August 2026 remains the key deadline for high-risk AI systems. Firms starting assessments now have runway to remediate gaps systematically rather than scrambling under enforcement pressure.
Looking ahead
The proposed extensions and timeline adjustments may provide extra time to develop a deeper understanding of the risks your technology stack poses to your firm and your clients.