Five Enforcement Tracks, One Liability: How UK Professional Services Must Adapt to EU AI Compliance in 2026

Compliance | 27 May 2026

The question is no longer whether AI regulation will affect your firm. It already has. For UK professional services — accountants, solicitors, HR consultancies, marketing agencies — the EU's rapidly maturing AI compliance framework is creating concrete operational and legal obligations that cannot be deferred until a more convenient moment. If your firm uses AI tools to serve clients, draft documents, assess candidates, or make pricing decisions, you are already operating inside this regulatory perimeter.

Here is what the landscape looks like now, and what your firm must do about it.

A Multi-Layered Regulatory Regime Is Taking Shape

The EU's approach to AI governance has moved well beyond the AI Act as a standalone instrument. European co-legislators are currently in trilogue negotiations over the Digital Omnibus on AI, with a final agreement targeted for May 2026. The package sets fixed compliance deadlines for high-risk AI systems — December 2027 and August 2028 — providing some relief from immediate administrative pressure whilst making the eventual obligations unavoidable.

At the same time, the revised Product Liability Directive (PLD), which Member States must transpose into national law by December 2026, formally classifies AI software as a product. This is not a technicality. It introduces a strict liability framework for defective AI systems and, critically, a "presumption of defectiveness" mechanism that significantly reduces the burden of proof for individuals claiming AI-induced harm. In plain terms: if your firm's AI tool produces an output that damages a client, the onus will increasingly fall on you to prove the system was not defective, rather than on the claimant to prove that it was.

Enforcement Has Evolved Into Five Parallel Tracks

Many firms still think about AI compliance primarily through the lens of GDPR and data protection. That framing is now dangerously incomplete. Enforcement has evolved into what practitioners are calling a "five-track" framework: the AI Act, GDPR, product liability, consumer protection, and professional conduct. Each track operates independently, and a single AI-related incident can trigger scrutiny across several of them simultaneously.

Consumer protection is emerging as a particularly active front. Italy's antitrust authority, the AGCM, has launched proceedings against DeepSeek and Mistral AI for failing to provide users with clear, immediate disclosure that their models may generate invented or misleading information — AI hallucinations. This is now being prosecuted as an unfair commercial practice. The precedent is plain: deploying a client-facing AI tool without adequate hallucination disclosures is not merely a reputational risk. It is an enforceable regulatory violation.

Meanwhile, in the courts, the CJEU's February 2025 ruling in Dun & Bradstreet has closed a loophole that many organisations were quietly relying upon. The court established that firms cannot use trade secrets as a blanket refusal to explain automated decision-making (ADM) processes to affected individuals. Where trade secrets are legitimately claimed, the underlying logic must still be disclosed to a competent court or supervisory authority. Opacity is no longer a defensible compliance strategy.

Courts Are Reassigning Liability to Supervising Professionals

Perhaps the most consequential development for professional services firms is a global judicial shift in where AI liability lands. Rulings in the UK, Singapore, and Argentina in 2026 have each reached the same conclusion: legal responsibility for AI-generated errors does not rest with the junior staff member who ran the query. It rests with the supervising professional who authorised the output.

This is not an abstraction. A solicitor who submits an AI-drafted document containing fabricated case citations, a financial adviser who relies on an AI-generated client assessment without verification, or an HR consultant who uses an automated shortlisting tool without documented review — each of these individuals is now personally exposed. The AI did not fail in isolation. The professional failed to verify.

The implication is structural. Firms must implement mandatory, documented human verification workflows before any AI output is used, submitted to a client, or acted upon internally. "We used AI to draft it" is not a defence. "Our senior adviser reviewed and signed off the verified output" is.

What Your Firm Must Do Now

The regulatory picture above translates into five practical obligations that professional services firms should be addressing immediately.

Implement documented verification workflows. Every AI output that informs a client-facing decision, document, or recommendation needs a documented human review step. The review must be recorded. Supervision without documentation provides no protection when liability is contested.

Disclose hallucination risk prominently. If your firm uses AI tools in any client-facing context — whether that is a chatbot, a document drafting tool, or a data analysis platform — you must include specific, clear disclosure that AI-generated content may be inaccurate. Burying this in a privacy policy will not satisfy consumer protection standards. The disclosure must be immediate and prominent.

Deploy privilege-safe internal environments. Uploading sensitive client information to public or open-source AI models creates serious confidentiality exposure. Firms must use internal, isolated AI environments where client data is not used to train external models and where audit trails link AI outputs to verified primary sources. This is not optional for firms handling legally privileged or commercially sensitive material.

Develop explainability protocols for automated decisions. If your firm uses ADM in any capacity — client credit assessments, candidate screening, pricing algorithms, risk scoring — you need a plain-language explanation of how those systems work, ready to provide to affected individuals. You also need a secure protocol for sharing proprietary logic with regulators or courts if your methodology is challenged. The Dun & Bradstreet ruling has made this a legal expectation, not merely good practice.

Document AI literacy training now. The AI Act's AI literacy obligations came into force in February 2025 and many firms have not yet acted. Regulators will look for evidence that staff across all levels understand the AI tools they are using, their limitations, and the firm's policies for their deployment. Training must be implemented, recorded, and auditable. Informal awareness is insufficient.

The Compliance Window Is Narrowing

The firms that will navigate this environment successfully are not those waiting for UK domestic legislation to mirror EU obligations. They are the ones recognising that EU enforcement reaches across borders when EU clients, EU data, or EU-derived tools are involved — and that professional indemnity cover, regulatory standing, and client trust are all at stake.

This is not a compliance exercise to delegate entirely to your IT team. It is a governance question that sits at board and partnership level.

Ops Intel works with UK professional services firms to implement practical, proportionate AI compliance frameworks — from verification workflow design and staff training programmes to explainability protocols and privilege-safe deployment assessments. If your firm is ready to get ahead of these obligations rather than respond to them after the fact, get in touch with our team for an initial compliance consultation.
