Four Regulatory Shifts That Change AI Compliance for UK Professional Services in 2026-2028
The EU AI compliance landscape is being redrawn at pace, and UK professional services firms cannot afford to treat it as someone else's problem. If you serve EU clients, process EU residents' data, or deploy AI tools built on EU-regulated infrastructure, these changes apply to you. Here are the four shifts that matter most — and what they demand in practice.
1. Fixed Deadlines Replace Vague Timelines Under the Digital Omnibus
The proposed Digital Omnibus on AI, adopted by the European Parliament in March 2026, does something regulators rarely do: it trades conditional application dates for hard deadlines. High-risk AI systems covered under Annex III — which includes HR tools, recruitment software, and credit scoring systems — must be fully compliant by 2 December 2027. Systems embedded in regulated products under Annex I face a deadline of 2 August 2028.
For UK accountancy firms using automated credit risk tools, HR consultancies deploying AI-assisted screening platforms, or marketing agencies running algorithmic audience profiling, these are not abstract EU concerns. If your tool processes data relating to EU individuals and falls within scope, the clock is running.
The Omnibus also removes the corporate AI literacy mandate, reducing one layer of administrative obligation. However, it shortens the compliance grace period for watermarking AI-generated content to 2 November 2026 — a deadline arriving far sooner than many firms have planned for. If your agency or consultancy produces client-facing content using generative AI, visible disclosure mechanisms need to be in place before the end of next year.
The practical takeaway: map your AI tools against Annex I and Annex III categories now. Waiting until 2027 to begin that exercise is not a strategy.
2. Executives Face Personal Liability — Not Just Fines for the Business
The Dutch Data Protection Authority's decision to pursue Clearview AI with a €30.5 million fine was notable enough. What followed was more significant still: the Dutch DPA initiated an investigation into whether the company's directors could be held personally liable for the compliance failures that enabled illegal biometric data scraping.
This is a meaningful escalation. For years, GDPR enforcement has targeted organisations. The emerging position is that systemic, wilful, or negligent AI compliance failures can expose the individuals at the top of those organisations to direct legal risk. That changes the calculus for any partner, managing director, or chief executive who has been content to treat AI governance as an IT or legal team issue.
Separately, the Spanish data protection authority has issued guidance confirming that organisations deploying agentic AI — systems capable of autonomous, multi-step decision-making — remain fully accountable as data controllers. The autonomy of the tool does not dilute the accountability of the firm operating it. If you are using AI agents to handle client onboarding, document review, or communications, you are responsible for every data flow those agents touch, including what they store in memory between sessions.
The message for UK professional services leadership is direct: AI governance is a board-level responsibility, and the regulatory environment is beginning to enforce that position.
3. Automated Decisions Require Plain-Language Explanations — Trade Secrets Are Not a Shield
In February 2025, the Court of Justice of the EU delivered its ruling in Dun & Bradstreet, and it has direct implications for any firm using algorithmic tools to make or inform decisions about individuals. The CJEU held that organisations cannot use trade secret protections as a blanket justification for refusing to explain automated decision-making to data subjects.
The right to a meaningful explanation exists. The existence of proprietary methodology does not extinguish it. Firms must find ways to balance legitimate IP protection with genuine transparency — which in practice means developing concise, plain-language summaries of how automated systems reach their outputs.
This is immediately relevant to accountancy firms using AI-driven credit assessments, solicitors using algorithmic risk scoring tools, and HR consultancies whose platforms produce automated candidate rankings. If a client or candidate asks how an automated decision was reached, "our algorithm is proprietary" is no longer a sufficient answer under EU law. You need an explanation that a non-specialist can understand, prepared in advance, and ready to be delivered on request.
Audit your ADM tools now. Identify which decisions they inform or produce. Draft the explanations. Do not wait for a subject access request or a regulatory inquiry to discover you have nothing coherent to say.
4. The Revised Product Liability Directive Puts AI Supply Chain Risk on Your Balance Sheet
Effective October 2026, the revised Product Liability Directive formally classifies AI software as a "product" under EU law. This introduces strict civil liability — meaning liability without the need to prove negligence — for damages caused by defective AI systems.
The implication that catches many firms off guard is this: if you deploy a third-party AI tool and make substantial modifications to it — through fine-tuning, custom configuration, or integration into your own workflows — you may inadvertently assume manufacturer-level liability for that system's outputs. You are no longer simply a user. You may have become, in legal terms, the producer.
For a marketing agency that has customised a large language model to generate client copy, or an HR consultancy that has configured an AI screening tool with proprietary criteria, this is not a theoretical risk. It is a supply chain and contractual risk that needs to be addressed before October 2026.
Practically, this means three things. First, audit the AI tools you use and document the extent to which you have modified them. Second, review your supplier contracts: does your vendor accept liability for defects in their base system, and does your agreement clearly delineate where their responsibility ends and yours begins? Third, consider whether your professional indemnity insurance covers AI-related civil liability claims — many policies written before 2024 do not.
An Ancillary Note on Data and the GDPR
One clarification worth noting: a September 2025 ECJ ruling confirmed that pseudonymised data does not automatically constitute personal data under the GDPR where the recipient has no reasonable means of re-identifying individuals. This provides measured flexibility for data sharing and AI model training, though it is not a broad exemption. The key test remains whether re-identification is reasonably possible in context.
What This Means for Your Firm
Taken together, these four shifts represent a structural change in how AI risk is allocated — across time, across organisational hierarchies, and across supply chains. The firms that will manage this well are those that treat compliance as an operational function rather than a periodic audit exercise.
That means maintaining a live AI tool register, establishing clear ownership of ADM explanations, reviewing supplier contracts in light of the revised PLD, and ensuring your senior leadership understands the personal exposure that now accompanies systemic failures.
Ops Intel works with UK professional services firms — accountants, solicitors, HR consultancies, and marketing agencies — to build practical, proportionate AI compliance programmes. If you are unsure where your current exposure sits, or need structured support ahead of the 2026 and 2027 deadlines, contact us to arrange a compliance review. There is enough time to act well — but not to delay.