EU AI Act Enforcement Timeline 2026–2028: What Professional Services Businesses Must Do Now

The EU AI Act's enforcement timetable has shifted again. Following political agreement on 7 May 2026 and formal European Parliament approval on 16 June 2026, several key compliance deadlines have been pushed back as part of the broader "AI Omnibus" package. For professional services businesses — whether you are an accountancy firm in London, a law practice in Dubai, an HR consultancy in Toronto, or a marketing agency in Singapore — this is not a signal to slow down. It is a moment to get ahead.

Here is what has changed, what it means in practice, and where your compliance effort should be focused right now.

What the Revised Timeline Actually Says

The EU AI Act entered into force on 1 August 2024. Some provisions are already live. The prohibition on unacceptable-risk AI systems — including social scoring by public authorities and most real-time remote biometric identification in public spaces — applied from 2 February 2025. The mandatory AI literacy requirement for staff also came into force on that date. Rules governing general-purpose AI (GPAI) models applied from 2 August 2025.

The recent amendments adjust what comes next:

• 2 August 2026: Transparency obligations for limited-risk AI systems apply. If your business uses customer-facing chatbots or produces AI-generated content, you must ensure users are informed when they are interacting with an AI system, and that AI-generated material, including deepfakes, is clearly labelled.
• 2 December 2026: A new prohibition on "nudifier applications" — tools that generate non-consensual intimate imagery — comes into force.
• 2 December 2027: Full obligations for high-risk AI systems listed under Annex III apply. This category includes AI used in employment decisions, access to education, credit scoring, and law enforcement. The original deadline of 2 August 2026 has been deferred by sixteen months.
• 2 August 2028: High-risk AI embedded in regulated products, such as medical devices and machinery, benefits from the longest transition period.

The delays on high-risk systems are material. But the underlying obligations — technical documentation, conformity assessments, human oversight mechanisms, risk management systems — remain exactly as drafted. The Act has not become less demanding. Businesses simply have more time to meet the same bar.

Why the Delays Do Not Reduce Your Risk

The temptation to deprioritise AI compliance because deadlines have moved is understandable. It is also a mistake.

Producing the technical documentation required for a high-risk AI system is not a week's work. It requires a thorough audit of the AI tools in use, an assessment of the data those tools process, an analysis of where human oversight is applied, and a governance structure that can be evidenced to a regulator. Organisations that begin this process in late 2027 will not be ready by the deadline. Those that begin now will be.

Fines for non-compliance are not symbolic. The Act sets maximum penalties of €35 million or 7% of global annual turnover, whichever is higher. For a mid-sized professional services firm with international revenues, that exposure is significant.

GDPR Enforcement Is Already Happening

While the AI Act's high-risk obligations remain future-dated, GDPR enforcement targeting AI-driven data processing is active and intensifying. Cumulative GDPR fines exceeded €7.1 billion by early 2026, with approximately €1.2 billion issued in 2025 alone.

The cases that professional services businesses should study carefully include:

• Clearview AI, fined €30.5 million by the Dutch Data Protection Authority in September 2024 for building a biometric database from scraped facial images without consent.
• LinkedIn Ireland, fined €310 million in October 2024 by the Irish Data Protection Commission for misusing behavioural data for advertising purposes.
• Kaspr, fined €200,000 in December 2024 for scraping professional profiles without a valid legal basis — a sharp reminder that publicly available data is not free data.

The OpenAI case adds further nuance. The Italian Garante fined OpenAI €15 million in November 2024 over ChatGPT's handling of personal data. The Court of Rome annulled that decision on 18 March 2026. The outcome matters less than what the sequence demonstrates: the legal frameworks are still being tested, and the results are not predictable. Businesses relying on AI tools to process personal data cannot assume they are insulated from regulatory scrutiny simply because enforcement outcomes vary.

Data Protection Authorities across the EU are increasingly examining not just large technology companies, but professional services firms using AI in client-facing or HR contexts. If your firm uses AI for recruitment screening, client data analysis, or automated communications, your data processing activities are in scope.

What Professional Services Businesses Should Prioritise

Regardless of your jurisdiction, if you provide services to EU clients, process data of EU residents, or use AI tools developed or deployed in the EU, the AI Act and GDPR apply to your operations. The geographic reach of EU regulation is broad, and national regulators in the UK, US, Canada, and beyond are developing parallel frameworks that are closely aligned in spirit if not always in detail.

The practical steps to take now are these:

Conduct an AI inventory. Map every AI tool in use across your business — client-facing systems, internal platforms, third-party software with embedded AI. Understand what each tool does, what data it processes, and where it sits on the risk classification spectrum.

Assess your data foundations. For each AI application processing personal data, confirm that you have a valid legal basis, that your purpose is defined and documented, and that your data retention practices are defensible.

Implement AI literacy training. The staff AI literacy requirement has been in force since February 2025. If your workforce has not received structured training on AI risks, capabilities, and compliance obligations, that gap should be closed immediately.

Begin technical documentation for high-risk systems. If you use AI in employment decisions, performance assessment, or access to services, start building the conformity documentation now. Do not wait for the 2027 deadline to approach.

Review your chatbot and content disclosures. Transparency obligations for limited-risk systems apply from August 2026. Audit your client communications for AI-generated content and ensure disclosure practices are in place.

The Compliance Window Is Narrower Than It Looks

The revised AI Act timeline offers additional runway, but it does not remove urgency. GDPR enforcement is live. Transparency obligations arrive within months. And the foundations for high-risk AI compliance — governance structures, risk assessments, technical documentation — take time to build properly.

Professional services businesses that treat compliance as a one-off exercise will find themselves repeatedly unprepared. Those that build systematic AI governance into their operations will be better placed to serve clients, win regulated contracts, and demonstrate accountability to partners and regulators alike.

Ops Intel helps professional services businesses navigate AI compliance across the EU AI Act, GDPR, and emerging national frameworks. Whether you need an AI audit, a compliance roadmap, or support building technical documentation for high-risk systems, our team works with accountants, solicitors, HR consultancies, and agencies to make compliance practical and proportionate.

Get in touch with Ops Intel to discuss your AI compliance obligations.