AI Act 2026: what changes for Italian law firms and SMEs and how to prepare
Summary
In 2026, the European AI Act really enters the daily routine of Italian law firms and SMEs: many of the provisions of EU Regulation 2024/1689, effective from 2024, become fully operational, with concrete obligations and penalties for those who develop or use artificial intelligence systems. This article, designed by Lanpartners, explains in operational language what changes, what the impacts are on artificial intelligence in law firms, document management, ERP and IT services, and how to set up a sustainable compliance plan, valid for firms and businesses in any Italian city.
In summary, in this in-depth study you will find:
- A clear overview of the AI Act and the timetable leading up to 2026
- What “AI” means for law firms and SMEs, even when it is “hidden” in management, switchboards, and the cloud
- The specific impacts on law firms (lawyer software, lawyer console, document management, computer data security)
- The impacts for SMEs using ERP management, IT services, cloud switchboard, business intelligence and complex technology infrastructure
- Two separate operational plans: one for law firms, one for SMEs
- Lanpartners' role as a bridge between law, technology, and organization, and as a starting point for building a compliance and innovation strategy consistent with the AI Act, GDPR, and NIS2 regulations
In 2026 the European AI Act stops being just a “conference topic” and becomes an operational reality for law firms and SMEs throughout Italy: EU Regulation 2024/1689, which came into force in 2024, provides for a gradual implementation, with several obligations becoming fully applicable by 2026. For law firms, the AI Act means they need to measure themselves on two fronts: as users of AI tools (case law research, document management, internal automations, telematic civil process and telematic tax process integrated with AI) and as consultants supporting business clients in adapting to the new European framework and accompanying Italian law. For Italian SMEs, the regulation requires a shift from the often experimental use of chatbots, scoring and automations to a structured approach, with systems mapping, risk classification, updating of contracts and policies, and IT training of staff, also consistent with GDPR, the NIS2 standard and rules on digital security, data theft, and computer data security.
For Lanpartners (a firm working at the intersection of law, artificial intelligence, IT consulting, digital transformation, business and business IT services), the AI Act is an opportunity to bring order to the way law firms and SMEs choose, integrate and govern smart solutions: from law firm management to PEC storage, from cloud backup to disaster recovery and business continuity, through to business networking and computer network design. This guide is intended to offer an operational tool that is valid for all of Italy, with examples that can apply as much to a provincial firm as to a more ambitious entity operating in more complex contexts.
AI Act in brief: the framework that comes into effect in 2026
The AI Act is the first European regulation to horizontally regulate the development, marketing, and use of artificial intelligence systems in the EU, with an explicitly risk-based approach. The objective is twofold: on the one hand, to foster innovation and adoption of AI-based solutions; on the other hand, to ensure that these systems do not compromise security, fundamental rights, non-discrimination, and transparency towards citizens and users.
The regulation distinguishes between:
- Prohibited practices (e.g., generalized social scoring, some forms of real-time biometric recognition)
- High-risk AI systems, subject to very stringent requirements on data management, technical documentation, monitoring, and human supervision
- Limited-risk systems, where the emphasis is on transparency (e.g., chatbots and software assistants that must declare themselves as AI)
- Minimal-risk systems, for which there are no specific obligations but best practices are recommended
Having entered into force in 2024, the AI Act has a phased timetable: prohibitions and transparency requirements are triggered earlier, while more advanced provisions (especially for high-risk systems and the different operators: suppliers, distributors, users) become fully applicable by 2026, with a dedicated system of oversight and penalties.
What “AI” means for law firms and SMEs (even if they don't develop software)
The regulation affects not only those who develop AI models or platforms, but also those who integrate or use them in existing processes and services. This is the case for many Italian companies:
- Law and notary firms using law firm management systems, lawyer management, lawyer console, notary console, notary software, iManage and document management software with intelligent search functions, automatic classification, text suggestions
- SMEs that have introduced ERP management (SAP companies, SAP Business One, Microsoft ERP, Microsoft management software, management range, PLM software, PDM software), personnel management software, and time and attendance software with predictive or behavioral analysis modules
- Companies with a strong IT component using tools such as virtual desktops, virtual PCs, cloud for Mac, SharePoint, Power BI business intelligence, cloud PBX or 3CX PBX integrated with chatbots, digital concierge or intelligent call routing systems
Often the AI component is “embedded” in third-party solutions, so the first step is to realize it exists and understand what data it works with, what decisions it supports, and what impacts it may have on the rights and expectations of customers, employees, and suppliers. The AI Act calls for just that: mapping systems, classifying risk, ensuring transparency, human oversight, and consistency with GDPR, NIS2 regulations, and rules on enterprise cybersecurity, identity theft, and data theft.
AI Act and law firms: concrete impacts
Artificial intelligence law firm: tools and limitations
Artificial intelligence in law firms is no longer science fiction: many lawyer software packages already include advanced search modules, clause suggestions and contract analysis, linked to document management systems and often integrated with telematic civil process and telematic tax process. The AI Act does not prohibit the use of these tools, but it does require:
- Awareness of which functions are actually AI-based
- Risk assessment (e.g., can they affect customers' rights? Do they introduce risks of bias?)
- Guarantee of human supervision: the lawyer remains responsible and must be able to understand and, if necessary, deviate from the output of the AI
For Lanpartners, this means suggesting that firms have policies on the uses of artificial intelligence in the law firm: what can be done (research, drafting support), what cannot be done (automated decisions on the content of a case), how to document the review (annotations in lawyer's consoles, office management, law firm management).
Privacy, digital identity theft and computer data security
The AI Act complements the GDPR; it does not replace it. Firms and enterprises using cloud (counter cloud run BC, virtual PC, virtual desktop, cloud backup, VMware backup, Nakivo, system data center) must:
- Know where client data are hosted
- Understand whether these data can be used to train models (a critical issue for digital identity theft, identity theft and data theft)
- Integrate security controls (enterprise firewall, hardware or software firewall, email security, enterprise router, enterprise networking) into a design consistent with NIS2 and with “by design” and “by default” security logic
Incidents involving data also processed by AI (for example, a document management system experiencing a breach) can have aggravated consequences, with implications for civil liability, ethics and penalties. This is where collaboration between the law firm, IT team and IT service providers is crucial.
IT training and professional development
Article 4 of the AI Act imposes a digital AI literacy requirement on those who develop or use AI systems, including regulated professions. This complements mandatory continuing education for lawyers.
- Courses on the AI Act and accompanying Italian law
- Modules on bias, explainability, and the limits of generative AI
- Focus on cybersecurity360, NIS2, digital security, incident and data breach management
Lanpartners can structure IT and legal training paths specifically for law firms, with practical cases covering the use of personnel management software, document management, notary digital signatures, PEC storage, and the use of AI tools in daily practice.
AI Act and SMEs: mapping systems, risks and responsibilities
From ERP management to cloud switchboard: where AI lurks
Many Italian SMEs already use AI without calling it that:
- Recommendation engines in e-commerce, vertical integrations with CRM and ERP management systems
- Scoring modules for leads and customers linked to Power BI business intelligence or analytics informatics software
- Scheduling, predictive maintenance and PLM software systems integrated with forecasting algorithms
These functions are often “hidden” in contracts with software houses, IT companies and business IT service providers. The AI Act asks SMEs to survey these systems, to understand which ones use AI, with what data and for what purposes, and to rank them according to risk (high, limited, minimal).
NIS2, enterprise information security and business continuity
The NIS2 directive, with its Italian transposition, imposes enhanced security requirements on networks and information systems for many business categories. The use of AI fits into this context:
- A misconfigured AI system can open avenues to data theft
- Non-redundant infrastructure can make access to key functionality impossible if AI “stops”
- The combination of AI, cloud backup, system data center, PEC journaling and virtual desktop should be thought of from the perspective of disaster recovery and business continuity, not just efficiency
For many SMBs, especially those that rely on IT companies or other local partners for IT support and computer network design, the transition will be to build a minimum of governance: periodic vulnerability assessments and penetration tests, business continuity plans, policies on computer operating rentals, computer leasing, iPhone operating rentals, and enterprise device management.
How to prepare: operational plan for law firms
A concrete approach for a law firm can be broken down into five steps:
- Mapping the tools
List law firm management systems, such as attorney management, attorney console, and cloud solutions, and understand what AI functions they integrate.
- Assess risk and impacts
Determine whether the use of AI may directly affect customer rights (e.g., automated decisions, profiling), or whether it functions only as a support (research, suggestions), and define level of control and documentation accordingly.
- Update contracts and policies
Review engagement letters, terms and conditions, privacy policies, vendor agreements, including clauses on the use of AI, on the storage of PECs, on the DAT format, digital security, limitations of use, and responsibilities.
- Define internal rules on AI
Prepare a policy on what is allowed (e.g., AI for research and drafts) and what is not (the entry of sensitive data on unauthorized tools), indicating human review obligations and tracking audits in office management or attorney software.
- Education and culture
Plan periodic IT and legal training on AI Act, GDPR, NIS2, cybersecurity360, digital identity theft, with practical focus and typical firm use cases.
How to prepare: operational plan for SMEs
For Italian SMEs, an essential but effective plan can follow these steps.
- Survey systems and suppliers
Map ERP management systems (such as SAP Business One, Microsoft ERP), VOIP switchboards, and business intelligence tools.
- Classify by risk
Apply AI Act logic (high risk, limited risk, minimal risk) to the surveyed systems, starting with the most sensitive areas: HR, credit, vendor selection, automated assessments with significant impacts.
- Review contracts and governance
Update contracts with software houses, IT companies, and enterprise IT service providers to ensure transparency, audits, security, clear accountability for incidents, and consistency with AI Act, GDPR, and NIS2 regulations.
- Strengthening security, backup and continuity
Verify that AI use is embedded in an architecture that includes enterprise firewalls, appropriate enterprise routers, cloud backups, disaster recovery plans, and business continuity, particularly when AI affects core processes.
- IT training and digital literacy
Set up differentiated IT training paths for management and operational staff, in line with Art. 4 of the AI Act and Italian initiatives on digital literacy, digital security, data theft, and proper use of tools such as Microsoft 365 and SharePoint.
The role of Lanpartners: law, technology and infrastructure in the same strategy
Lanpartners positions itself at the intersection of legal, artificial intelligence, and IT consulting, offering services that include computer network design and IT solutions for businesses. Their main focus is on the application of AI in law firms, document management, enterprise IT security, and digital transformation.
This synergy allows us to view the AI Act not as a mere additional burden, but as a valuable opportunity. The goal is to realign nationwide contracts, technology infrastructure (such as enterprise networks and firewalls, system data centers), operational processes (including office management, document management software, and PLM software), and training in line with the new regulations.
In concrete terms, Lanpartners can:
- Help law firms build internal policies, update contracts with law firm management, attorney console, iManage, cloud, and security vendors, and define specific training paths on AI Act and law firm artificial intelligence
- Support SMEs in mapping and classifying AI systems, reviewing agreements with software houses and IT teams, integrating AI Act, GDPR, NIS2, and digital security and business continuity strategies
- Design IT training interventions that speak to both decision makers (business owners, top management) and those who use management, BI tools, cloud switchboard, virtual PCs, and IT services on a daily basis
How to get started, without getting overwhelmed
The first step is not to “redo everything,” but to understand where you are today: what AI systems you use (often integrated into ERP, CRM, document management tools or VOIP switchboards), what data they process, what decisions they support and how they are contractually regulated. From this snapshot, Lanpartners can help you build a gradual and realistic plan for adapting to the AI Act, holding together European obligations, Italian legislation, NIS2 and the specifics of your firm or SME, wherever it is located in the country.
If you are a law firm that wants to secure the use of artificial intelligence and, at the same time, offer your clients up-to-date advice on the AI Act, or an SME that already uses “smart” tools in its processes such as ERP management, a preliminary comparison can make the difference between chasing regulations and using them as leverage to improve procedures, contracts, and infrastructure. The AI Act 2026 should not just be an obligation to be subjected to: it can become the right time to align law, technology and business and build, with the help of Lanpartners, a solid foundation on which to grow the responsible use of artificial intelligence in the coming years. We invite you to contact us for any information.