← Insights / Compliance

EU AI Act 2026–2028 Timeline: What UK Professional Services Need to Do Now

The EU AI Act is no longer a distant regulatory horizon. It is here, it is moving fast, and for professional services businesses — whether you are an accountancy firm in London, a law practice in Dubai, an HR consultancy in Toronto, or a marketing agency in Singapore — the question is no longer *whe

Compliance 12 July 2026 6 min read

EU AI Act 2026–2028 Timeline: What Professional Services Firms Need to Do Now

The EU AI Act is no longer a distant regulatory horizon. It is here, it is moving fast, and for professional services businesses — whether you are an accountancy firm in London, a law practice in Dubai, an HR consultancy in Toronto, or a marketing agency in Singapore — the question is no longer whether this regulation applies to you, but how and when.

This briefing cuts through the complexity of the EU AI Act's phased implementation schedule, recent enforcement action under GDPR, and the emerging body of AI case law that is beginning to reshape accountability for anyone deploying AI tools in their operations or on behalf of clients.

What Has Already Come Into Force

The EU AI Act entered into force on 1 August 2024. Since then, two significant milestones have already passed.

From 2 February 2025, the Act's prohibited AI practices became enforceable. These include AI systems used for social scoring, real-time biometric identification in public spaces, and emotion recognition in workplace or educational settings. Alongside the prohibitions, general AI literacy obligations also became applicable — meaning organisations deploying AI must ensure relevant staff have a working understanding of how their AI tools function and what risks they carry.

From 2 August 2025, rules governing General-Purpose AI (GPAI) models came into effect. If your firm uses foundation models or tools built on them — which, at this point, covers the vast majority of AI-powered software — you are already operating within scope of these obligations.

If your business has not yet conducted an AI inventory or reviewed its AI tool usage against these provisions, it is behind where it needs to be.

The 2026 Deadlines You Cannot Afford to Miss

The next major cluster of obligations arrives in 2026, and professional services firms should treat these dates as hard planning milestones, not future problems.

From 2 August 2026, transparency obligations apply broadly. AI systems that interact with individuals — chatbots, virtual assistants, automated client-facing communications — will be required to disclose their AI nature to the people they engage with. Systems that generate synthetic content, including AI-written text, images, or audio, must clearly mark outputs as AI-generated. A short grace period runs until 2 December 2026 for existing systems to implement machine-readable marking of AI-generated content, but this is not a licence to delay planning.

Also by 2 August 2026, most of the AI Act's core rules — including those for high-risk AI systems listed under Annex III — are scheduled to apply. Annex III covers AI used in employment and recruitment, education and vocational training, critical infrastructure, and law enforcement, among others. For professional services firms using AI in CV screening, performance assessment, client risk profiling, or document review, these provisions carry direct relevance.

Additionally, new prohibitions on AI systems capable of generating non-consensual sexually explicit material or child sexual abuse material take effect, with providers required to implement technical safeguards by 2 December 2026.

The Extended Timelines: Do Not Confuse Delay With Exemption

The "Digital Omnibus on AI," provisionally agreed in May 2026 and adopted in November 2025, introduced targeted delays for certain high-risk AI obligations. Specifically:

  • Obligations for Annex III high-risk AI systems are now postponed until 2 December 2027
  • Obligations for high-risk AI systems embedded in regulated products (Annex I) are deferred to 2 August 2028

These extensions are worth understanding precisely, but they must not be mistaken for a general reprieve. The prohibitions, literacy requirements, transparency rules, and GPAI governance provisions are not delayed. The extensions apply to specific categories of high-risk system deployment. Firms that assume the Digital Omnibus means they can pause all AI Act preparation will find themselves exposed.

GDPR Enforcement Is Already Filling the Gap

While the AI Act's high-risk provisions phase in, regulators are not waiting. GDPR enforcement continues to be the primary tool for policing AI-related data protection failures, and the pace of action is accelerating.

In September 2024, the Dutch Data Protection Authority fined Clearview AI €30.5 million for scraping facial images from the internet without lawful basis. In December 2025, the Italian Garante fined Luka — the company behind the Replika chatbot — €5 million for collecting personal data without proper consent and failing to implement adequate age verification. A €15 million fine against OpenAI for ChatGPT-related GDPR violations, while subsequently overturned on appeal in March 2026, nonetheless signals the intensity of regulatory scrutiny on generative AI tools.

These are not abstract cases. They illustrate the regulatory expectations around consent, transparency, and data minimisation that apply when any business uses AI systems processing personal data — including client data, employee records, or marketing profiles.

Courts Are Starting to Define Accountability

Beyond regulatory fines, the courts are beginning to create binding precedent that will affect how AI developers and deployers are held liable.

In June 2026, a German court found Google liable for inaccurate information produced by its AI Overviews search feature, treating AI-generated summaries as the company's own editorial content. In November 2025, the Munich Regional Court found OpenAI liable in a case brought by GEMA for using copyrighted German song lyrics in ChatGPT's training data and outputs, significantly narrowing the interpretation of text and data mining exceptions.

For professional services firms, these rulings carry a practical warning: deploying AI tools in client-facing work does not insulate you from liability for the outputs those tools produce. If an AI-generated document contains inaccurate information, or if the model underlying your tool was trained on data it had no right to use, accountability questions can reach the firm deploying the tool, not only the firm that built it.

What This Means If You Are Outside the EU

The territorial reach of the EU AI Act follows a similar logic to GDPR. If your firm offers services to clients within the EU, processes data about EU individuals, or deploys AI systems that interact with EU-based users, these obligations are likely to apply to you regardless of where your business is headquartered.

For firms in the UK, US, Canada, the Middle East, and Asia-Pacific, this means the EU AI Act is not a European problem to monitor from a distance. It is a compliance obligation that requires active management now.

What You Should Be Doing Today

Firms that act now will be significantly better positioned than those waiting for further regulatory clarity. Practically, that means:

  • Conducting a structured audit of every AI tool in use across your business
  • Identifying which tools interact with clients, process personal data, or contribute to decisions affecting individuals
  • Assessing your role under the AI Act — developer, deployer, importer, or distributor — since obligations differ
  • Implementing AI literacy programmes for relevant staff
  • Reviewing client contracts for AI-related liability, disclosure, and data processing obligations

The regulatory window to prepare is narrowing. The firms that treat 2026 as the starting line, rather than the deadline, are the ones that will face enforcement unprepared.


Ops Intel helps professional services businesses understand and manage their AI compliance obligations across the EU AI Act, GDPR, and emerging frameworks globally. Whether you need a gap analysis, a full compliance programme, or guidance on a specific regulatory question, our team is ready to work with you.

Get in touch with Ops Intel to start your AI compliance review today.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit