Legal industry news | February 2026

25 Feb, 2026

Anthropic announced a legal plugin

On 3 February, Anthropic announced specialized legal plugins for Claude Cowork, its agentic desktop application. The plugins automate contract review, NDA triage, compliance checklists, legal brief drafts, and templated responses — without requiring users to switch between tools.

Several major European data and information services companies saw falls ranging between 8 and 14 percent on the same day. Investors were not reacting to what the plugin does today. They were reacting to the direction of travel.

Claude Cowork is agentic — it plans and executes multi-step tasks on its own, rather than responding to individual prompts. Anthropic is clear that outputs must be reviewed by a licensed attorney before being relied upon. But that caveat already frames the core tension: if AI is doing the drafting and structuring, and a lawyer is reviewing and signing off, how does that change billing, liability, and professional responsibility? Industry analysts have started calling the downstream workload the "Verification Tax" — the time cost of checking and defending AI-generated work product before it can reach a client.

On 24 February, Anthropic announced enterprise agents integrating with Slack, DocuSign, LegalZoom, Figma, and Microsoft Office, extending its reach into the operational layer of most mid-size firms. The more immediate question for anyone running EU operations is not whether these tools are useful. It is whether a compliant data processing agreement is in place, where client data goes when an agent runs a workflow, and how professional liability standards apply when an autonomous system takes a consequential step without direct human approval.

Source

• Anthropic

Italy pulled DeepSeek from app stores. The lesson goes further than DeepSeek.

In January 2025, Italy's data protection authority sent DeepSeek a short list of standard GDPR questions: what personal data do you collect, from which sources, on what legal basis, and is any data stored outside the EU? DeepSeek's response was that it was not subject to EU regulation and therefore not required to answer. Italy's Garante called the response "totally insufficient" and removed the app from Italian stores within 24 hours, instructing Apple and Google to act.

DeepSeek's argument — that having no EU establishment means GDPR does not apply — is one that has been rejected consistently since 2018. GDPR Article 3(2) is direct: if you process personal data of people in the EU, the regulation applies regardless of where your company is based. Italy used the same emergency mechanism against ChatGPT in 2023; that situation was resolved within weeks. DeepSeek took a different approach.

Germany, Ireland, and France all opened parallel investigations in the aftermath. Regulators moved from question to removal in a single day, forming a new pattern off response. Any AI tool processing personal data that cannot clearly explain its data flows, legal basis, and storage location carries real compliance exposure. That risk sits with the deployer, not just the vendor.

Source

• Garante requests information from DeepSeek — press release

German firms have nine days left to register under NIS2

Germany's NIS2 (Network and Information Security) Implementation Act entered into force on 6 December 2025. Affected entities must register with the Federal Office for Information Security (BSI) by 6 March 2026 — nine days from today.

Roughly 30,000 companies and public institutions are in scope: energy, transport, finance, healthcare, cloud services, managed service providers, data centres, digital marketplaces, waste management, chemical and food industries, research organizations, and manufacturers of medical technology and electronics. The size thresholds are broader than many expect. An "important entity" is any organization with 50 or more employees and annual turnover or balance sheet above €10 million — and scope is assessed at group level, which can pull in subsidiaries that would not otherwise qualify independently.

Violations carry fines of at least €10 million or 2 percent of global annual turnover. Management is personally liable for implementing the required measures — not just the IT team. The registration process itself requires an ELSTER organization certificate, which can take several days to obtain, so firms with German operations or clients in affected sectors may want to start that process without delay.

The Netherlands has still not transposed NIS2 into national law, with implementation now expected in Q2 2026. That gap does not make the underlying obligations go away. The directive is clear enough in practice, and firms that build NIS2-ready incident response and reporting processes now will be in a much better position when Dutch legislation arrives.

Source

• NIS-2-Pflichten — Registration obligations
• Implementatie NIS2 en CER in Nederland vertraagd

Key events: March and beyond:

• British Legal Technology Forum — 10 March 2026, London. Europe's largest dedicated legal tech conference, with 90+ European suppliers and sessions on AI governance, data security, and workflow change. 
• Legal Geek Europe — 14 April 2026, Amsterdam. A compact, practical format with a genuinely EU-focused agenda. Speakers include senior figures from CMS Netherlands and Docplanner, among others.
• LAIR Conference (Law, AI and Regulation) — 11–12 June 2026, Erasmus University Rotterdam. An academic and practitioner forum specifically examining AI Act implementation, the Digital Omnibus, and fundamental rights in algorithmic decision-making. Worth following for anyone building internal AI policy or advising clients on compliance strategy.