What do law firms and accountancies need to know about the EU AI Act and GDPR when using AI?
EU AI Act compliance for professional services is now an operational reality, not a future planning exercise. The EU Artificial Intelligence Act entered into force in August 2024, with obligations phasing in across 2025 and 2026. Simultaneously, the General Data Protection Regulation continues to govern how personal data is processed — including by AI systems. For Dutch law firms, accountancy practices, notaries, tax advisers, and other professional-services firms, these two regulatory frameworks interact in ways that demand careful, early attention.
Professional-services firms are not technology companies, but they are becoming increasingly reliant on AI tools for document review, contract analysis, legal research, client communication, compliance screening, financial modelling, and administrative automation. Each of those use cases carries its own risk profile under the EU AI Act and its own obligations under the GDPR. Getting the classification wrong — or assuming that an off-the-shelf AI tool purchased from a reputable vendor is automatically compliant — can expose the firm to regulatory risk, reputational harm, and potential liability to clients whose data was processed unlawfully.
This article provides a structured, practical overview of the key obligations. It is general information only and does not constitute legal advice. Law firms and accountancies should obtain specific legal advice from qualified counsel before making compliance decisions.
Crux Digits is a vendor-neutral AI consultancy based in Utrecht. We help Dutch law firms and accountancies adopt AI compliantly — conducting EU AI Act audits, designing GDPR-compliant AI architectures, and implementing systems that protect client confidentiality and professional privilege. Our starting point is always the firm's regulatory obligations, not a technology preference.
The EU AI Act in Brief: Why It Matters to Professional-Services Firms
The EU AI Act is a regulation — directly applicable in all EU member states, including the Netherlands — that imposes obligations on providers and deployers of AI systems. The distinction between provider and deployer matters for professional-services firms.
A provider is an entity that develops an AI system and places it on the market. A large language model vendor, a legal-tech company selling a contract review tool, or a firm that builds a bespoke AI system internally — all of these are providers in the Act's terminology.
A deployer is an entity that uses an AI system in the course of its professional activities. When a law firm subscribes to a contract review AI built by a legal-tech company, the law firm is the deployer. When an accountancy firm uses an AI assistant to prepare tax filings, the accountancy is the deployer. Deployers have their own obligations under the Act, distinct from — but complementary to — the obligations on providers.
The Act classifies AI systems into four risk tiers: unacceptable risk (prohibited), high risk (strictly regulated), limited risk (transparency obligations), and minimal risk (no specific obligations beyond the general framework). Understanding which tier applies to each AI tool used by the firm is the foundational compliance step.
The EU AI Act (Regulation 2024/1689) is publicly available in full. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidance on the intersection of AI and the GDPR that is directly relevant to professional-services firms operating in the Netherlands.
EU AI Act Risk Tiers: How They Apply to Professional-Services AI
The risk classification is the engine of the EU AI Act. Each tier carries a different compliance burden, and the classification depends on the purpose and context of deployment — not on the underlying technology alone. The same large language model can be a minimal-risk tool in one context and a high-risk system in another, depending on what it is used for and who makes decisions on the basis of its output.
Prohibited AI practices
Certain AI practices are outright prohibited under the Act from 2 February 2025. These include AI systems that use subliminal or manipulative techniques to distort behaviour, systems that exploit vulnerabilities of specific groups, biometric categorisation systems that infer sensitive characteristics from biometric data, and social scoring systems operated by public authorities. These categories are unlikely to be directly relevant to mainstream professional-services AI tools, but firms should confirm that any tool used for client screening, creditworthiness assessment, or behavioural profiling does not fall into a prohibited category.
High-risk AI systems
High-risk AI systems are listed in Annex III of the Act and in Annex I (AI embedded in certain regulated products). The high-risk categories most directly relevant to professional-services firms include:
- AI used in administration of justice and democratic processes. AI systems intended to assist judicial authorities in researching, interpreting, or applying the law to concrete facts are expressly listed as high-risk. A law firm that deploys an AI system to advise on the likely outcome of litigation, to draft pleadings that will be submitted to a court, or to interpret the application of statute to a client's facts is deploying a high-risk AI system if that system materially influences the legal conclusion reached.
- AI used in employment and workers management. AI tools used for recruitment, performance evaluation, or workforce management decisions within the firm itself may fall into the high-risk employment category.
- AI used for creditworthiness assessment and credit scoring. Accountancy and financial advisory firms using AI to assess client creditworthiness, produce credit opinions, or model credit risk are deploying high-risk systems under this category.
- AI used in essential private and public services. AI systems used to evaluate eligibility for services or to take decisions that significantly affect individuals' access to important services may be high-risk depending on the nature of those services.
High-risk AI systems attract the Act's most demanding obligations: conformity assessments, technical documentation, logging and monitoring requirements, human oversight obligations, accuracy and robustness standards, and — for deployers — fundamental rights impact assessments, staff training requirements, and an obligation to assign human oversight to a named responsible person within the organisation. Deployers of high-risk systems must also register those systems in the EU database where required.
Limited-risk AI systems
Limited-risk AI systems are primarily subject to transparency obligations. If a law firm uses an AI system to draft client-facing communications — letters, emails, reports — without the client knowing that AI was involved, the firm may be required to disclose that AI assistance was used, particularly where the output could be mistaken for human-generated content. AI chatbots used to interact with clients or prospective clients on the firm's website must be identified as AI systems. These transparency obligations are relatively straightforward to implement but require deliberate process design.
General-purpose AI models (GPAIs)
The Act also introduces obligations specifically for providers of general-purpose AI models — the large language models that underpin many commercial AI tools. Professional-services firms that use commercial AI tools built on GPAIs (such as tools built on top of large language model APIs) should understand that their vendor's obligations as a GPAI provider do not relieve the firm of its obligations as a deployer. Deployer obligations remain regardless of the vendor's compliance status.
GDPR Obligations When Using AI in Professional Services
The GDPR — the Algemene verordening gegevensbescherming (AVG) in the Netherlands — does not mention AI by name, but every AI system that processes personal data is subject to its full requirements. For professional-services firms, personal data is pervasive: client names, financial information, health data (in some legal and advisory contexts), employment records, tax information, correspondence, and the substance of legal matters all typically constitute personal data.
Establishing a lawful basis
Every processing activity — including AI-assisted processing — requires a lawful basis under Article 6 GDPR. For most professional-services AI use cases, the relevant bases are:
- Contract (Article 6(1)(b)). Processing necessary for the performance of a contract with the client, or to take steps at the client's request before entering a contract. Document analysis, matter management, and billing automation are typically covered here where the processing is directly necessary for the engagement.
- Legitimate interests (Article 6(1)(f)). The firm's legitimate interest in operational efficiency, quality control, or risk management, balanced against the rights and interests of the data subjects affected. Legitimate interests require a documented balancing test and cannot be relied upon where the interests or fundamental rights of the data subjects override the firm's interest.
- Legal obligation (Article 6(1)(c)). Processing required to comply with a legal obligation — relevant where AI tools are used for anti-money-laundering screening, KYC obligations, or mandatory reporting duties.
- Consent (Article 6(1)(a)). Explicit consent of the data subject. In professional-services contexts, consent is often problematic as a sole basis because of the power imbalance between the firm and clients or employees; it is also fragile (consent can be withdrawn). Consent alone is rarely the right basis for embedded AI processing.
Where special-category data is involved — health data, data revealing racial or ethnic origin, religious or philosophical beliefs, trade union membership, or data relating to criminal convictions — Article 9 applies and a specific exception must be identified in addition to the Article 6 basis.
Data Protection Impact Assessments
Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) before undertaking processing that is likely to result in a high risk to the rights and freedoms of natural persons. AI processing in professional-services contexts frequently meets the threshold for a DPIA. Indicators include: systematic and extensive evaluation of personal aspects (such as AI-driven client risk scoring); large-scale processing of sensitive data; and the use of innovative technologies where the nature of the processing makes it difficult for data subjects to know what is happening.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published a list of processing activities that always require a DPIA under Dutch law. Firms should check this list before deploying any new AI-assisted processing activity, regardless of whether the vendor has conducted its own DPIA. The firm's DPIA must assess the risks of the specific deployment in the firm's specific context — a vendor's generic DPIA does not substitute for this.
Processor relationships and contracts
When a law firm or accountancy uses a third-party AI tool — a cloud-based contract review platform, an AI legal research tool, a document summarisation service — the third-party provider typically processes personal data on behalf of the firm. This makes the provider a data processor under Article 28 GDPR, and the firm the controller. A compliant data-processing agreement (DPA) must be in place before any personal data is shared with the provider. The DPA must cover, at minimum, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Critically, the DPA must prohibit the processor from using the firm's data — including client matter data — for purposes beyond those specified, including model training. Not all commercial AI providers offer DPAs that meet GDPR standards as standard; firms must check and negotiate where necessary. This is a due diligence obligation that cannot be delegated to IT procurement alone. Crux Digits assesses vendors' GDPR data-processing arrangements for AI tools as part of our AI implementation engagements.
International data transfers
Many AI tools are provided by US-headquartered companies and process data on servers outside the EEA. International transfers of personal data to third countries are restricted under Chapter V GDPR and require an appropriate transfer mechanism: an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved mechanism. The EU-US Data Privacy Framework provides an adequacy basis for transfers to certified US organisations, but firms should verify that their AI vendor is certified under the Framework and should assess whether the specific processing is covered. Transfers to countries without an adequacy decision require SCCs and a Transfer Impact Assessment (TIA).
AI Confidentiality, Professional Privilege, and the Duty of Secrecy
For law firms and notaries, the duty of professional confidentiality — beroepsgeheim — is not merely a contractual obligation or a GDPR requirement. It is a fundamental principle of the legal profession, protected under Dutch law and enforced by the Dutch Bar Association (Nederlandse Orde van Advocaten). The duty extends to all information obtained in the course of representing a client and does not expire when the matter closes.
The confidentiality and professional-privilege question is therefore: when a law firm uses an AI tool that processes client matter data, does that processing breach the duty of confidentiality? The answer depends on how the tool is deployed.
If the AI tool sends client matter data to a third-party cloud service — even under a GDPR-compliant DPA — there is a real question about whether that transmission constitutes a disclosure of privileged information. The Dutch Bar Association's guidance on cloud services and confidentiality requires that lawyers exercise particular care when using cloud services that may involve data leaving the firm's own infrastructure. Firms should obtain legal advice on whether their specific AI deployment is compatible with their confidentiality duties, and should not assume that a GDPR-compliant DPA automatically satisfies the professional confidentiality obligation.
For accountancy firms and registered accountants under the Wet op het accountantsberoep, a similar professional duty of confidentiality applies. The professional rules require that accountants maintain the confidentiality of information obtained from clients, and any AI processing of that information must be assessed against those rules as well as the GDPR. Our LLM optimisation services include architectural design specifically aimed at keeping sensitive data within controlled environments that satisfy both GDPR and professional confidentiality requirements.
The practical implication is that professional-services firms considering AI tools should, as a first step, determine whether client matter data needs to leave the firm's controlled infrastructure at all. In many cases, it does not. On-premises or private-cloud deployment of AI models — or the use of AI APIs with appropriate contractual protections that prohibit data retention and training use — can enable the benefits of AI whilst keeping privileged information within the firm's control.
Practical Steps: A Compliance Checklist for Professional-Services Firms
- Inventory every AI tool currently used or under consideration across the firm — including tools embedded in existing software products (e-mail platforms, document management systems, practice management tools) that may have added AI features without a formal procurement decision.
- For each AI tool, determine the EU AI Act risk classification: does it fall into a prohibited category, a high-risk category under Annex III, the limited-risk transparency tier, or the minimal-risk tier? If classification is uncertain, seek legal advice before deployment or continuation of use.
- For high-risk AI systems: implement the deployer obligations — fundamental rights impact assessment, human oversight assignment, staff training, logging and monitoring, and registration where required. Do not rely solely on the vendor's conformity assessment documentation.
- For all AI tools processing personal data: confirm the lawful basis for each processing activity, check that a GDPR-compliant DPA is in place with every third-party provider, and conduct a DPIA where the processing meets the threshold.
- Assess whether any AI processing involves international data transfers and, if so, confirm that an appropriate transfer mechanism is in place and documented.
- Review each AI tool against the firm's professional confidentiality obligations — not only the GDPR — and obtain advice on whether the deployment architecture is compatible with both the beroepsgeheim and the AVG (GDPR) requirements.
- Implement AI governance documentation: a record of processing activities (Article 30 GDPR) that includes AI-assisted processing, DPIAs for high-risk processing, and an EU AI Act compliance log for high-risk systems.
- Establish an internal policy on AI use that covers: permitted and prohibited use cases, data minimisation requirements, human oversight obligations, and the firm's approach to transparency with clients about AI use.
- Train staff on the policy — particularly on the obligation not to input privileged or sensitive client data into AI tools that have not been approved through the firm's compliance process.
- Schedule periodic reviews of the AI tool inventory and compliance documentation, noting that the EU AI Act's provisions continue to phase in through 2026 and beyond, and that regulatory guidance from the Autoriteit Persoonsgegevens and the EU AI Office continues to develop.
High-Risk AI in Legal Practice: Document Review, Research Tools, and Advice-Assistance Systems
The most common AI use cases in law firms and professional-services firms cluster around document work: reviewing and summarising contracts, researching case law and statutory provisions, drafting correspondence and opinions, extracting key clauses from disclosure documents, and screening due diligence materials. Understanding where each of these sits in the EU AI Act framework requires attention to the purpose and consequence of the AI output.
An AI tool used purely to summarise a document for a lawyer who then applies independent legal judgement to the summary is different in regulatory character from an AI tool used to produce an opinion that is delivered directly to a client as legal advice. The former is closer to a research tool that assists the professional; the latter is a system whose output directly affects the client's legal position and potentially influences consequential decisions.
The EU AI Act's high-risk category for administration of justice covers AI systems intended to assist judicial authorities, but the broader principle — that AI systems whose outputs materially influence legal conclusions affecting individuals warrant higher scrutiny — is consistent with GDPR risk assessment methodology and with professional conduct obligations. Firms should apply this lens when assessing their own AI tools: is this system augmenting my professional judgement, or is it making a determination that I am then ratifying without independent analysis?
For GDPR-compliant AI tools in legal contexts, the key safeguard is human oversight: a qualified professional reviews the AI output, applies independent judgement, and takes responsibility for the conclusion. This is not merely a regulatory compliance mechanism — it is the foundation of the lawyer-client relationship and the source of the firm's professional value. AI that erodes genuine professional judgement is not a compliance problem alone; it is a professional risk.
Crux Digits builds AI systems for professional-services firms with human oversight designed in from the start — not bolted on as an afterthought. We also conduct EU AI Act audit consultancy engagements for firms that want an independent assessment of their existing AI tools' risk classification and compliance posture. See our data engineering capabilities and sector expertise for the financial and professional-services context in which we operate.
GDPR and AI in Accountancy: Tax, Audit, and Financial Advisory Contexts
Accountancy firms face a distinctive version of the AI compliance challenge in the Netherlands. Their work involves processing large volumes of personal financial data — tax returns, payroll records, financial statements, audit evidence, and client correspondence — much of which is sensitive and subject to both the GDPR and to sector-specific confidentiality rules under Dutch accountancy regulation.
AI tools are increasingly used in accountancy for anomaly detection in financial data, automated data extraction from documents and receipts, preliminary tax analysis, audit sampling and risk assessment, and client onboarding KYC screening. Each of these use cases requires its own GDPR analysis.
Anomaly detection and risk scoring applied to individual clients' financial data can fall within Article 22 GDPR (automated decision-making, including profiling) if the output is used to make an automated decision — or a decision with significant effect — about that individual. Firms must ensure that any such automated or semi-automated decision-making process has an appropriate legal basis, is disclosed to the data subject, and gives the data subject the right to obtain human review of the decision, to express their point of view, and to contest the decision.
For audit work, the processing of client personnel data — payroll records, expense claims, individual transaction data — requires careful scoping to ensure that personal data is processed only to the extent necessary for the audit purpose. AI tools used in audit should be configured to minimise personal data exposure: where aggregate financial analysis can be conducted without individual-level personal data, it should be. Where individual-level data is necessary, access controls, audit logging, and retention limits must be implemented.
Data governance is the foundation of GDPR-compliant AI for professional services. Crux Digits designs AI data governance frameworks for professional firms as part of our AI implementation service — ensuring that data flows are documented, access is controlled, retention is defined, and processing activities are legally grounded before any AI system goes live.
The EU AI Act Timeline: What Is In Force Now and What Is Coming
The EU AI Act entered into force on 1 August 2024. Key dates for professional-services firms to note include:
- 2 February 2025: Prohibited AI practices (Title II) became applicable. Firms should confirm no tools in use fall into these categories.
- 2 August 2025: Obligations relating to general-purpose AI models (Title VIII) and governance provisions (Title III, Chapter 4 and Chapter 5, and Title VII) became applicable.
- 2 August 2026: High-risk AI obligations (Annexes I and III) become fully applicable, including deployer obligations for firms using high-risk AI systems.
- 2 August 2027: Certain Annex I obligations relating to AI in regulated products apply from this date.
The phase-in timeline means that the window for firms to conduct their AI inventory, classify their tools, and implement necessary changes is not unlimited. High-risk AI deployer obligations — including fundamental rights impact assessments, human oversight protocols, and staff training — need to be in place by August 2026. Firms that begin this process in 2025 or early 2026 will have adequate time; firms that defer will face a compressed compliance sprint. These dates are based on the text of the regulation as published; firms should verify the current status of any implementing measures or transitional provisions with legal counsel, as regulatory guidance continues to evolve.
How Crux Digits Supports Professional-Services Firms on EU AI Act and GDPR Compliance
Crux Digits is a vendor-neutral AI consultancy. We do not have commercial relationships with AI vendors that create incentives to recommend particular tools. Our only interest is in helping our clients deploy AI in ways that are effective, compliant, and sustainable.
For law firms and accountancies navigating EU AI Act compliance for professional services, we offer structured support across three areas.
First, compliance assessment and AI audit. We conduct a structured review of the firm's existing and planned AI tools — mapping each tool to the EU AI Act risk classification, identifying GDPR obligations for each processing activity, and producing a prioritised action plan. This assessment gives the firm a clear picture of its current compliance posture and a practical roadmap to address gaps. We treat this as a legal and technical exercise, working alongside the firm's own legal and data protection advisers rather than substituting for them. For firms that need an independent perspective on tools they have already deployed, we also offer focused technical audits of specific AI systems.
Second, compliant AI implementation. Where the firm wants to implement AI tools — for document review, research assistance, compliance screening, data extraction, or administrative automation — we design and build the implementation with compliance embedded from the start. This includes architecture design that keeps privileged data within controlled environments, DPA review and negotiation support, DPIA scoping, data minimisation engineering, access control implementation, and audit logging. We bring together our AI implementation and LLM optimisation capabilities to build systems that are both technically capable and legally sound.
Third, ongoing governance and monitoring. AI compliance is not a one-time exercise. The regulatory landscape continues to evolve, AI tools are updated (sometimes in ways that change their risk profile), and the firm's own processing activities change. We help firms establish internal AI governance frameworks — policies, registers, review processes — that keep compliance current without creating unmanageable administrative overhead. Our data engineering work includes building the audit logging and monitoring infrastructure that EU AI Act high-risk obligations and GDPR accountability obligations both require.
If your firm is at the start of its AI compliance journey, the pricing page sets out how our engagements are structured, and the case studies give examples of AI systems we have built for professional-services clients. If you have a specific question or want to discuss your firm's situation directly, the best starting point is a conversation — get in touch and we will respond promptly.
Frequently Asked Questions
Is AI document review in a law firm classified as high risk under the EU AI Act?
The classification depends on the purpose and consequence of the AI output. An AI tool that summarises documents for a lawyer who then applies independent professional judgement is more likely to be limited-risk or minimal-risk than one whose output directly determines a legal conclusion affecting a client. However, AI systems intended to assist in researching, interpreting, or applying the law to concrete facts are listed in Annex III of the Act as high-risk when used by or on behalf of judicial authorities. Law firms should seek legal advice on the classification of their specific tools, particularly those used for litigation support, regulatory advice, or opinions delivered directly to clients. Crux Digits provides EU AI Act audit consultancy to help firms make this determination accurately.
Does the EU AI Act apply to law firms and accountancies as deployers of AI?
Yes. The EU AI Act imposes obligations on both providers (those who develop and place AI systems on the market) and deployers (those who use AI systems in professional activities). When a law firm or accountancy uses a third-party AI tool, the firm is the deployer and has its own obligations under the Act, independent of the vendor's compliance status. These deployer obligations include conducting fundamental rights impact assessments for high-risk systems, ensuring human oversight, training relevant staff, and maintaining logs of AI-assisted decisions. General information only — obtain specific legal advice for your firm's situation.
What GDPR obligations apply when a law firm uses an AI tool that processes client data?
Several obligations apply simultaneously. The firm must identify a lawful basis for the AI-assisted processing under Article 6 GDPR (and Article 9 for special-category data). A GDPR-compliant data-processing agreement must be in place with the AI vendor before any client data is shared. A Data Protection Impact Assessment is required where the processing is likely to result in high risk. International transfer mechanisms must be confirmed if data leaves the EEA. The record of processing activities under Article 30 must include the AI-assisted processing activity. And the processing must respect data minimisation, purpose limitation, and retention obligations. Crux Digits reviews these obligations as part of AI implementation engagements for professional-services firms. This is general information, not legal advice.
Can using an AI tool breach a law firm's duty of professional confidentiality even if GDPR is complied with?
Yes, potentially. The GDPR and professional confidentiality obligations are separate legal frameworks. A data-processing agreement that satisfies GDPR does not automatically satisfy the duty of professional secrecy (beroepsgeheim) under Dutch professional conduct rules. The Dutch Bar Association has published guidance requiring lawyers to exercise particular care when using cloud services that involve data leaving the firm's controlled infrastructure. Law firms should obtain specific advice from their professional body and from legal counsel on whether a proposed AI deployment is compatible with their confidentiality duties, independently of the GDPR analysis. This is general information only.
What is a fundamental rights impact assessment and when does a professional-services firm need one?
A fundamental rights impact assessment (FRIA) is a requirement under the EU AI Act for deployers of high-risk AI systems. It requires the deployer to assess the impact of the AI system on fundamental rights — including privacy, non-discrimination, access to justice, and other protected rights — before the system is put into use. The FRIA must also identify measures taken to mitigate identified risks. For professional-services firms, a FRIA is required if the AI tool is classified as high-risk under Annex III — for example, an AI system used to assist in legal analysis affecting individual clients, or an AI system used for credit or risk scoring. The FRIA obligation for deployers of Annex III systems applies from 2 August 2026. This is general information — consult legal counsel for your firm's specific obligations.
How can Crux Digits help our firm become EU AI Act and GDPR compliant when using AI?
Crux Digits provides vendor-neutral AI compliance support for Dutch law firms and accountancies across three areas: compliance assessment and AI audit (inventorying your AI tools, classifying their risk tier under the EU AI Act, and identifying GDPR obligations); compliant AI implementation (designing and building AI systems with legal safeguards built in — including data-processing agreements, DPIAs, data minimisation, access controls, and audit logging); and ongoing governance and monitoring (establishing internal AI governance frameworks, review processes, and the technical infrastructure required for EU AI Act and GDPR accountability). We work alongside your own legal and data protection advisers rather than replacing them. Get in touch via the contact page to discuss your firm's situation.