← Insights / Compliance

AI Compliance for Professional Services: What the GEMA Ruling and EU AI Act Mean for Your Firm

If your firm uses AI tools for legal analysis, contract drafting, recruitment, or financial reporting, the European Union's evolving compliance landscape demands your attention — regardless of where you are headquartered. The EU is setting the pace for AI governance globally, and the consequences of

Compliance 19 July 2026 6 min read

AI Compliance for Professional Services: What the GEMA Ruling and EU AI Act Mean for Your Firm

If your firm uses AI tools for legal analysis, contract drafting, recruitment, or financial reporting, the European Union's evolving compliance landscape demands your attention — regardless of where you are headquartered. The EU is setting the pace for AI governance globally, and the consequences of inaction are escalating.

Two developments in particular define the current moment: a landmark copyright ruling from Munich that holds AI developers liable for training on protected works, and the progressive enforcement of the EU AI Act, which places direct obligations on businesses that deploy AI in high-stakes contexts. Together, they signal a new phase — one in which AI use in professional services carries genuine legal and financial exposure.

In November 2025, the District Court of Munich I ruled against OpenAI in a case brought by GEMA, the German music rights society. The court found that ChatGPT had infringed the copyrights of GEMA's members by using protected works to train its models and by generating AI-produced music without the required licences.

This is the first major European ruling to hold an AI developer liable for training on copyright-protected material without explicit authorisation. The court's reasoning is what makes it significant: it found that an AI model "memorising" lyrics constitutes reproduction, and the subsequent output of that content through a chatbot amounts to public communication. Both acts infringe copyright. OpenAI was ordered to cease the relevant activities, disclose the scope of use, and pay damages.

The immediate implications go well beyond the music industry. If the same logic is applied to legal texts, financial reports, proprietary methodologies, or client documents — all of which may have been used to train or fine-tune AI models — professional services firms face a new category of risk. Law firms using AI for legal research, accountancy practices deploying AI for document analysis, and HR consultancies using AI trained on employment case law should be asking a straightforward question: do we know what data trained the tools we rely on, and can we verify it was licensed appropriately?

This is not a hypothetical concern. It is a live and precedent-backed legal risk.

The EU AI Act: Where Your Obligations Stand Now

The EU AI Act is being implemented in stages, and several milestones have already passed. Since 2 February 2025, prohibitions on unacceptable AI practices have been in force, alongside AI literacy obligations — meaning organisations must already ensure that staff using AI tools have an appropriate level of understanding of how those systems work. Since 2 August 2025, governance rules and obligations for General-Purpose AI (GPAI) models have also applied.

The broader framework — covering the majority of the Act's provisions — becomes fully applicable and enforceable from 2 August 2026. That is not a distant deadline.

For professional services specifically, the classification of AI systems as "high-risk" is the central concern. Under Annex III of the Act, AI used in employment contexts — including employee selection, performance monitoring, and task allocation — is explicitly categorised as high-risk. AI systems used in access to essential private services, and those influencing the administration of justice or legal processes, also fall within this category. In practical terms, this captures a significant proportion of the AI tools currently in use across legal, accountancy, HR, and advisory functions.

Obligations for Annex III high-risk systems (use-based) have been deferred under the AI omnibus political agreement to 2 December 2027. For AI embedded into regulated products under Annex I, obligations apply from 2 August 2028. These extensions provide breathing room — but they do not eliminate the compliance work required. Firms that treat the deferral as an excuse to delay preparation will find themselves compressed against hard deadlines with insufficient time to build the documentation, governance structures, and monitoring protocols the Act demands.

The penalties are unambiguous. Violations of prohibited AI practices carry fines of up to €35 million or 7% of global annual turnover. Breaches relating to high-risk AI systems attract penalties of up to €15 million or 3% of global turnover. These figures exceed GDPR maximums, which itself should communicate the seriousness with which the EU is approaching AI enforcement.

GDPR Enforcement Is Not Standing Still

It would be a mistake to focus solely on the AI Act while assuming that GDPR enforcement has plateaued. The past 18 months have demonstrated otherwise.

In September 2024, the Dutch Data Protection Authority fined Clearview AI €30.5 million for unlawfully building a biometric database from scraped facial images. In October 2024, LinkedIn Ireland received a €310 million fine from the Irish Data Protection Commission for misusing user data in targeted advertising. The Irish DPC also took proactive action against X (formerly Twitter), leading the platform to suspend the use of EU users' public posts for training its Grok AI model.

These cases illustrate a consistent enforcement posture: regulators are scrutinising data collection practices, consent mechanisms, and the lawful basis for using personal data in AI development and deployment. For professional services firms handling client data — which is almost all of them — this is directly relevant.

It is worth noting that enforcement is not always final. An Italian court overturned a €15 million fine against OpenAI in March 2026, reversing a decision made by the Italian Garante in November 2024. This illustrates the legal complexity of applying established data protection frameworks to generative AI. However, the cost of defending regulatory decisions — in time, resources, and reputational exposure — should not be mistaken for a reason to avoid compliance.

What This Means for Firms Operating Internationally

Professional services businesses operating outside the EU should not assume these developments are irrelevant to them. The GEMA ruling creates copyright precedent that will inform litigation strategies in other jurisdictions. The EU AI Act applies to any firm that places AI systems on the EU market or whose AI outputs affect EU-based individuals — a threshold that captures many international practices serving EU clients.

In the UK, the post-Brexit regulatory path remains distinct, but UK firms with EU exposure face direct obligations under the AI Act. In the US, Canada, and the Asia-Pacific region, regulators are actively observing European enforcement and incorporating similar principles into emerging domestic frameworks. The direction of travel is consistent across jurisdictions: AI use in high-stakes professional contexts will be regulated, documented, and audited.

Firms that build compliant AI governance now are not only managing risk — they are establishing a competitive advantage in an environment where clients and regulators alike will increasingly demand evidence of responsible AI deployment.

Take the Next Step With Ops Intel

The compliance requirements outlined above are not theoretical. They require concrete action: mapping your AI systems, assessing risk classifications, reviewing training data provenance, establishing technical documentation, and embedding ongoing monitoring into your operations.

Ops Intel works with professional services businesses globally to navigate AI compliance obligations — from EU AI Act readiness and GPAI governance to GDPR alignment and copyright risk assessment. Whether you are at the start of your compliance journey or stress-testing an existing framework, we can help.

Contact Ops Intel today to speak with one of our AI compliance specialists and understand exactly where your firm stands.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit