Local AI for Law Firms: §43e BRAO, §203 StGB and the RAG Path

Timo Wevelsiep
#AI #LawFirm #DataProtection #RAG #Sovereignty

Editorial note: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, prices, versions, licensing terms, and external content may change. Please verify the information provided independently, particularly before making business-critical or security-related decisions. This article does not replace individual professional, legal, or tax advice.

AI in the firm without risking confidentiality? We build local, §203-compliant AI on your hardware - see AI for law firms and AI for confidentiality professionals, or book an initial consultation.

Summarising client emails, drafting briefs, researching precedent - AI can save a lot of time in a law firm. The problem is not the AI but where the data flows. Anyone entering client data into ChatGPT or Copilot transmits it to third-party servers. That can breach attorney confidentiality, with consequences under both criminal and professional law.

The good news: since the §203 reform of 2017 and with §43e BRAO there is a clear, legal path. It runs through a contractually bound service provider - and most cleanly through local AI that never leaves the firm. This article frames the current legal situation, shows the permitted operating models, and explains how we build a RAG pipeline on your case knowledge.

Attorney confidentiality is anchored in §43a (2) BRAO and criminally sanctioned via §203 StGB; §2 BORA specifies it further. The unauthorised disclosure of a client secret is a criminal offence - up to one year of imprisonment, and up to two years when acting for payment.

For the use of external IT, the attorney-specific norm §43e BRAO has applied since 2017. It explicitly permits engaging service providers, but ties this to clear conditions:

  • Careful selection and a duty to terminate (para. 2): the service provider must be selected carefully; in case of violations the cooperation must be ended without delay.
  • Contract in text form with mandatory content (para. 3): a confidentiality obligation with a warning about the criminal consequences, a restriction to the information required for the service (purpose limitation), and clear rules on whether and how subprocessors are involved - who must then also be bound in text form.
  • Foreign service providers (para. 4): a foreign provider may only be granted access if the confidentiality protection there is comparable to the domestic level.
  • Mandate-specific services (para. 5): here the client's consent is required.

The German Federal Bar's guidance on AI use (December 2024) made clear: an AI tool that stores or forwards client data for model improvement violates §43a (2) BRAO. Transmitting client data to public AI services is regularly not necessary, because the task can be solved differently - for example locally.

On top of this comes the EU AI Act: from 2 August 2026, transparency obligations for deployers of AI systems apply (Art. 50). Typical firm applications such as drafting briefs or research are generally not high-risk systems; governance structures should nevertheless be in place early (as of June 2026, European Commission). This article is general information and not legal advice.

Why cloud AI becomes a risk for law firms

Cloud AI is not banned per se under §43e BRAO - but with US providers it is hard to map cleanly in practice. Three points stand in the way:

  1. The subprocessor chain. An AI provider itself uses subprocessors (Azure, AWS, and others). Under §43e (3) all of them would have to be bound in text form. With a long, opaque chain this is not practically feasible.
  2. The CLOUD Act. US providers are subject to the US CLOUD Act, which enables access by US authorities. An EU region does not protect against this as long as a US parent company stands behind it - which calls into question §43e (4) (comparable confidentiality protection).
  3. Training on your data. Many consumer AI services process inputs further. That is exactly what the Federal Bar flagged as a breach of confidentiality.

The data processing agreement (DPA) does not solve this: it governs data protection under Art. 28 GDPR, not the criminally sanctioned confidentiality. The DPA and the §43e/§203 obligation are two separate layers - both must be satisfied.

With local AI on your hardware most of this chain disappears: the data does not leave the firm. Because we retain remote-maintenance and admin access, we remain a participating person - which is why we supply the §43e/§203 contract package for the build and maintenance phase.

Operating models for law-firm AI

Not every firm needs the same setup. We implement three models - with a clear link to our services:

  • On-premise appliance (AI Cube). A turnkey AI box in your firm. Open WebUI, Ollama/vLLM and local models are pre-installed; ideal for sole practitioners and small partnerships. The data stays in-house, optionally even air-gapped.
  • Dedicated GPU server or LLM hosting. For larger firms with more users and throughput. Operated on your own hardware or in a German data centre, with an OpenAI-compatible API for integration into your practice software.
  • Managed fallback. If you do not (yet) want to operate your own hardware, you can have AI run in our EU infrastructure. That is the second-best but practical option - with a short, controllable provider chain instead of a US hyperscaler.

In all models only open-source building blocks are used (no vendor lock-in), and the §43e/§203 contract package (confidentiality obligation with criminal-consequence warning plus DPA) is standard. More on the cross-industry framework under AI for confidentiality professionals.

The RAG pipeline: components step by step

The real value comes not from a bare language model but from Retrieval-Augmented Generation (RAG): the AI answers questions from your own documents instead of from generic training knowledge - with source references. This is how we build the pipeline (more under Custom RAG):

  1. Ingestion. Documents are read in from the source systems (PDF, Word, emails, scans with OCR) and normalised.
  2. Chunking. Content is split into meaningful sections - for legal texts oriented around sections, marginal numbers and outline levels, so context is preserved.
  3. Embeddings + vector database. Each section is translated into a vector and stored in a vector database (Qdrant). The access and client-separation metadata live here too.
  4. Retrieval and re-ranking. For a query, the most relevant sections are retrieved (semantic plus keyword) and sorted by re-ranking, so that the genuinely most relevant passages reach the context.
  5. Generation. A local model (Ollama or vLLM, e.g. Mistral) formulates the answer - based solely on the retrieved passages, with source references.
  6. Observability and quality. With Langfuse we measure quality, latency and cost and make answers traceable - important for audits and continuous improvement.

We run exactly this stack ourselves: our AI offer finder on wz-it.com is a production RAG system on Qdrant, LiteLLM/Mistral and Langfuse. So we do not build a demo RAG, but one we operate in real life.

Connecting multiple knowledge sources securely

A law-firm AI is only as good as the sources it can access. We connect multiple knowledge sources into the same RAG pipeline - with enforced access rights:

  • Case files and the DMS. Connection to your document management so the AI can research within the concrete case knowledge.
  • Brief and contract templates. Your own samples and text blocks as a basis for consistent drafts.
  • Internal knowledge base. Firm know-how, checklists and processes searchable from one place.
  • Case law and commentary literature. Where permitted by licence, external sources can be added.

The decisive factor is client separation: through access rights and payload filters in the vector database, every query only sees the sources it is allowed to see. This preserves confidentiality even within the firm - a requirement generic cloud tools do not meet.
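To make the pipeline steps above (section-aware chunking, embeddings with separation metadata, filtered retrieval and a source-referenced prompt) and the client-separation point concrete, here is an added, self-contained Python example. It is not WZ-IT's code and not Qdrant's API: an in-memory store stands in for the vector database and a bag-of-words vector stands in for a real embedding model so it runs offline, and the matter ids, client names and clauses are constructed samples. The security-relevant part is that the payload filter is derived from the user's entitlements and applied before ranking, so a chunk belonging to another client can never enter the candidate set.

```python
"""Minimal RAG index with section-aware chunking and enforced client separation.

Added illustration, not WZ-IT's own code: an in-memory store replaces Qdrant and
token counts replace a real embedding model so the example runs offline. The
matter identifiers and documents below are constructed samples.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# --- Chunking: split legal text at section markers (§) so each chunk keeps its
# heading and context instead of a fixed-size character window.
SECTION_START = re.compile(r"(?m)^(?=§)")


def chunk_by_section(text: str) -> list[tuple[str, str]]:
    """Return (section heading, chunk text) pairs, one per § block."""
    chunks = []
    for part in SECTION_START.split(text):
        part = part.strip()
        if part:
            heading = part.splitlines()[0].strip()
            chunks.append((heading, part))
    return chunks


# --- Embedding stand-in: token counts compared by cosine similarity. A real
# pipeline uses a local embedding model; the retrieval logic stays the same.
def embed(text: str) -> Counter:
    return Counter(re.findall(r"\w+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


@dataclass
class Point:
    text: str
    vector: Counter
    payload: dict  # separation metadata: matter_id, client, section


class VectorStore:
    """In-memory stand-in for the vector database (Qdrant in the article)."""

    def __init__(self) -> None:
        self.points: list[Point] = []

    def ingest(self, matter_id: str, client: str, text: str) -> None:
        for heading, chunk in chunk_by_section(text):
            payload = {"matter_id": matter_id, "client": client, "section": heading}
            self.points.append(Point(chunk, embed(chunk), payload))

    def search(self, query: str, allowed_matters: set[str], top_k: int = 3) -> list[dict]:
        """Ranked hits restricted to the caller's matters.

        The filter is a hard pre-filter on the payload, applied before any
        similarity ranking: a chunk from another client never enters the
        candidate set, however well it matches the query.
        """
        q = embed(query)
        candidates = [p for p in self.points if p.payload["matter_id"] in allowed_matters]
        ranked = sorted(candidates, key=lambda p: cosine(q, p.vector), reverse=True)
        return [{"score": round(cosine(q, p.vector), 3), "text": p.text, **p.payload}
                for p in ranked[:top_k]]


# --- Generation input: only the retrieved passages, each tagged with its source,
# so the local model's answer can cite where it came from.
def build_prompt(question: str, hits: list[dict]) -> str:
    context = "\n\n".join(f"[{h['matter_id']} / {h['section']}]\n{h['text']}" for h in hits)
    return ("Answer using only the passages below and cite the source tag in brackets.\n\n"
            f"{context}\n\nQuestion: {question}")


# Constructed sample matters (not real case data).
SAMPLE_MATTERS = [
    ("M-001", "Client A",
     "§ 1 Scope\nThis lease agreement covers the office premises at Example Street.\n"
     "§ 2 Rent\nThe monthly rent is due on the first working day."),
    ("M-002", "Client B",
     "§ 1 Parties\nEmployment contract between Client B and the employee.\n"
     "§ 2 Notice period\nThe notice period is three months to the end of a quarter."),
]


def build_demo_store() -> VectorStore:
    store = VectorStore()
    for matter_id, client, text in SAMPLE_MATTERS:
        store.ingest(matter_id, client, text)
    return store


# Entitlements come from the firm's identity/role system, never from the query text.
def retrieve_for_user(store: VectorStore, user_matters: set[str], question: str) -> list[dict]:
    return store.search(question, user_matters)


if __name__ == "__main__":
    store = build_demo_store()
    # A user assigned only to M-001 asks about a clause that exists only in M-002:
    # the M-002 chunk is filtered out before ranking and never reaches the prompt.
    hits = retrieve_for_user(store, {"M-001"}, "What is the notice period?")
    print(build_prompt("What is the notice period?", hits))
```

The point to carry over to a real deployment is the shape of `search`: the allowed-matter set is an argument supplied by the application from the authenticated user's role, and it is applied as a payload filter inside the store rather than by dropping hits afterwards. In Qdrant the same idea is expressed as a `must` filter on the payload field passed with the search request; the model prompt only ever sees what the filtered retrieval returned.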

How we work at WZ-IT

We deliver law-firm AI as a lifecycle, not as a device purchase:

  1. Advise and design. Workshop, sizing, data classification and the §43e/§203 contract framework - before any hardware arrives.
  2. Build and integrate. On-premise setup, RAG on your documents with access control, integration into your practice software, confidentiality obligation plus DPA.
  3. Operate and maintain (optional). Updates, monitoring, model upgrades and RAG curation as a contract - or you operate it fully yourself after handover and training.

The operational contract texts (confidentiality agreement with criminal-consequence warning) are drafted by a lawyer; this article does not replace case-specific legal advice.

Ready for AI that protects your clients? We build it locally, §43e/§203-compliant, and operate it on request. Book your initial consultation now.

Frequently Asked Questions

Answers to important questions about this topic

Yes. §43e BRAO explicitly permits engaging IT service providers if the provider is bound to confidentiality in text form and warned about the criminal consequences, is selected carefully, and only sees the data required for the task. Locally operated AI is the cleanest option because the data never leaves the firm.

No. The data processing agreement under Art. 28 GDPR only governs data protection. The attorney duty of confidentiality (§43a BRAO, criminally sanctioned via §203 StGB) and the requirements of §43e BRAO apply additionally and independently. Both layers must be satisfied.

Cloud AI is generally permissible under §43e BRAO. With US providers it gets difficult: §43e (4) requires confidentiality protection abroad comparable to Germany, and every subprocessor (Azure, AWS) would also need to be bound. The US CLOUD Act applies on top. On-premise avoids this chain entirely.

For services that directly relate to a specific mandate, §43e (5) BRAO requires the client's consent. With a local, firm-owned AI the circle of people involved is small and consent is cleanly documentable.

Retrieval-Augmented Generation combines a language model with a searchable knowledge base. Instead of writing freely, the AI draws answers from your own documents - with source references and access control. This reduces hallucinations and keeps case knowledge local.

Case files and the document management system, brief and contract templates, internal knowledge bases, and case law or commentary literature. Through access rights and client separation, every query only sees the sources it is allowed to see.

Typical applications such as drafting briefs or research are generally not high-risk systems. From 2 August 2026, however, transparency obligations for deployers apply, and governance structures should be in place. We set up operations so these requirements stay achievable.

Entry runs via the AI Cube at a fixed price; an integrated build with RAG and connection to your practice software is quoted per project. Recurring costs only arise with optional maintenance - no cloud subscription. The initial consultation is free.

Written by

Timo Wevelsiep

Co-Founder & CEO

Co-Founder of WZ-IT. Specialized in cloud infrastructure, open-source platforms and managed services for SMEs and enterprise clients worldwide.
