AI Act Enforcement Begins: What UK Professional Services Need to Know Now

Compliance 22 June 2026 6 min read

The EU AI Act is no longer a future concern. Enforcement has started, deadlines are moving, and regulators across Europe are demonstrating through significant GDPR fines that they are willing to act. For professional services businesses — whether you are an accountancy firm in London, a law practice in Dubai, an HR consultancy in Toronto, or a marketing agency in Singapore — if you use AI tools that touch EU data or EU clients, this framework has implications for how you operate today.

This briefing sets out what has changed, what is coming, and where your compliance gaps are most likely to sit.


The AI Act Is Now in Force — Here Is What Has Already Applied

The EU AI Act entered into force on 1 August 2024, making it the world's first comprehensive legal framework for artificial intelligence. It takes a risk-based approach, categorising AI systems across a spectrum from minimal risk through to high-risk and outright prohibited.

The phased enforcement schedule means obligations are not all landing at once, but the clock is running:

February 2025 brought the first hard obligations. Prohibitions on unacceptable-risk AI practices — including social scoring systems and real-time biometric identification in public spaces — became enforceable. Critically for professional services, AI literacy obligations also came into force at this point. Businesses are now expected to ensure their staff possess sufficient understanding of AI systems they use or deploy. This is not a soft expectation. Failure to meet AI literacy requirements sits within the second tier of fines.

August 2025 introduced governance rules for General-Purpose AI (GPAI) models — the large-scale foundation models that underpin tools like ChatGPT, Microsoft Copilot, and others that professional services firms routinely use. Providers of these models must now meet transparency and copyright-related requirements, and those with highly capable or widely used models must assess and mitigate systemic risks. The European Commission published supporting guidelines in July 2025. If your firm is integrating GPAI-powered tools into client-facing workflows, you need to understand how those providers are meeting these obligations and what that means for your own accountability.

August 2026 is the next major milestone. This is when comprehensive rules for high-risk AI systems take effect. These cover AI used in employment processes — including CV screening, performance monitoring, and workforce management tools — as well as systems used in education, critical infrastructure, and law enforcement. For HR consultancies and professional services businesses with significant workforce operations, this deadline demands attention now, not in twelve months.

Some high-risk AI systems embedded in regulated products have extended transition periods running to December 2027 and August 2028, but firms should not use those extended timelines as a reason to delay broader compliance planning.


The Fines Are Substantial and Tiered

The AI Act's penalty structure is deliberately significant. Breaches of the prohibited practices provisions carry fines of up to €35 million or 7% of worldwide annual turnover — whichever is higher. Violations concerning high-risk AI systems attract fines of up to €15 million or 3% of worldwide turnover. Other non-compliance matters, including the AI literacy failures mentioned above, carry fines of up to €7.5 million or 1% of worldwide turnover.

These are not token amounts. For a mid-sized professional services firm with global revenues, 3% of worldwide turnover is a material financial exposure.


GDPR Enforcement Confirms the Direction of Travel

Before the AI Act penalties become fully operational, GDPR enforcement is already providing a clear signal about regulatory intent. Cumulative GDPR fines reached approximately €5.88 billion by January 2025, with over €1.2 billion issued in 2024 and 2025 alone.

The AI-related cases are instructive. The Dutch DPA fined Clearview AI €30.5 million in September 2024 for scraping facial images without consent. LinkedIn received a €310 million fine from the Irish Data Protection Commission in October 2024 for misusing user data for behavioural analysis and targeted advertising. Italy's data protection authority fined OpenAI €15 million in November 2024 over ChatGPT's handling of personal data, including failures in transparency and age verification. Amazon was fined €32 million by the French CNIL for AI-powered employee monitoring.

The pattern is consistent: regulators are targeting the intersection of AI and personal data, with particular focus on consent, transparency, and lawful basis for processing. These are precisely the areas where professional services firms — which routinely process client personal data through AI-assisted tools — carry meaningful risk.


What This Means if You Are Outside the EU

The territorial reach of both the GDPR and the AI Act extends well beyond EU borders. If your firm processes personal data relating to EU individuals, or if you provide services to EU-based clients, you are within scope. This applies whether you are headquartered in the UK, the United States, Canada, the Gulf, or Asia-Pacific.

For UK firms specifically, the post-Brexit regulatory position means GDPR obligations persist through the UK GDPR, while the EU AI Act applies separately to any EU-facing activities. The UK government is developing its own AI regulatory approach, but it does not remove EU obligations from firms serving European clients.

The compliance burden falls on the businesses using AI tools, not only on the technology providers building them. If you are deploying an AI system in client work, in recruitment, in document review, or in marketing automation, ownership of that compliance decision sits with your firm.


The Immediate Priorities for Professional Services Firms

Given where enforcement currently stands, the most pressing actions are:

Conduct an AI inventory. Identify every AI tool in use across your business — including third-party platforms and embedded features within software you already use. Many firms underestimate how many AI-assisted processes they have already adopted.

Address AI literacy now. This obligation is already in force. Ensure your staff understand the AI systems they work with, including their limitations, risks, and the decisions they are informing. Document your training approach.

Assess your GPAI tool integrations. If you are using tools built on large language models, review the provider's compliance posture under the August 2025 GPAI rules and ensure your usage aligns with your own GDPR obligations.

Prepare for August 2026. If your firm uses AI in recruitment, employee management, or any process that could be classified as high-risk under the Act, begin your readiness assessment now. High-risk AI systems will require documented risk management, human oversight mechanisms, and ongoing monitoring.


How Ops Intel Can Help

The AI Act is complex, the timelines are live, and the penalties for non-compliance are serious. Ops Intel works with professional services businesses globally to navigate AI compliance obligations — from initial gap assessments and AI inventories through to policy development, staff training programmes, and ongoing monitoring frameworks.

If you are uncertain where your firm stands, or if you want to move from awareness to a structured compliance plan, contact Ops Intel today. We will help you understand your obligations clearly and act on them with confidence.
