The Digital Omnibus and Executive Liability: What UK Professional Services Firms Must Do by December 2027

Compliance 25 May 2026 6 min read

The EU's regulatory framework for artificial intelligence is being rewritten at pace, and the changes carry direct consequences for UK professional services firms serving European clients, processing EU residents' data, or operating within the European market. Two developments demand immediate attention: the proposed Digital Omnibus on AI, which restructures and clarifies the EU AI Act's compliance timeline, and a pattern of enforcement action that is now placing personal liability squarely on the shoulders of senior executives.

This is not a theoretical exercise. The deadlines are fixed, the fines are substantial, and the courts are actively shaping what compliance must look like in practice.


What the Digital Omnibus Actually Changes

The Digital Omnibus is a legislative proposal designed to resolve one of the EU AI Act's most significant practical problems: uncertainty around when compliance obligations actually bite. The proposal establishes two hard deadlines that firms must now build into their governance planning.

2 December 2027 is the compliance date for Annex III high-risk AI systems. This category covers AI used in human resources, credit scoring, and similar applications that directly affect individuals' opportunities and rights. For accountancy firms using automated tools to assess creditworthiness, HR consultancies deploying AI-assisted recruitment or performance management platforms, and marketing agencies using behavioural profiling, this deadline is the operative one.

2 August 2028 applies to Annex I systems — AI embedded within regulated products such as medical devices or industrial machinery. This is less immediately relevant for most professional services businesses, but firms advising clients in those sectors need to understand the distinction.

Two further changes in the Omnibus are worth noting. First, the obligation to provide AI literacy training has been shifted from individual businesses to Member States, reducing one direct compliance burden. Second, the processing of sensitive personal data for algorithmic bias detection has been explicitly permitted. This matters practically: firms that want to audit their AI tools for discriminatory outputs no longer need to construct elaborate legal justifications to process the data required to do so.


The Product Liability Directive: Strict Liability from October 2026

Before either Omnibus deadline arrives, the revised Product Liability Directive (PLD) takes effect in October 2026. This introduces strict civil liability for damage caused by defective AI systems — meaning claimants will not need to prove negligence, only that the system was defective and caused harm.

For professional services firms, the critical point is this: if you deploy a third-party AI tool, substantially customise it, or integrate it into your service delivery, you may carry liability exposure for its failures. This shifts the due diligence calculus significantly. Vendor audits are no longer a best practice recommendation — they are a liability management necessity. Firms should be reviewing their AI supplier contracts now, securing appropriate indemnities and establishing clear contractual allocation of responsibility before the directive comes into force.


Executive Liability Is No Longer Abstract

Enforcement activity across the EU should concern senior leaders directly. The Dutch Data Protection Authority's €30.5 million fine against Clearview AI for unlawful biometric data scraping was notable not just for its scale, but because the authority simultaneously opened an investigation into the company's directors for personal liability. This is a significant shift in regulatory posture. DPAs are no longer content to fine the corporate entity; they are examining whether individual executives bear personal accountability for systemic failures in AI governance.

The LinkedIn penalty — €310 million from the Irish Data Protection Commission for hidden behavioural profiling conducted without valid consent — reinforces that AI-adjacent data practices are being scrutinised with the same rigour as the underlying AI systems themselves.

UK firms with European operations, or those processing EU residents' data under GDPR Article 3 extraterritorial provisions, operate within this enforcement environment. C-suite executives and board members should not assume that corporate structure provides insulation from personal exposure.


What the Courts Are Telling You About Explainability

The CJEU's February 2025 ruling in Dun & Bradstreet has direct operational implications for firms using automated decision-making. The court held that organisations cannot use the protection of trade secrets as a blanket refusal to provide individuals with meaningful explanations of how automated decisions affecting them were reached. The ruling cements a right to genuine, intelligible explanation — not a formulaic disclosure that tells an individual nothing useful.

For solicitors using AI-assisted risk assessments, accountancy firms using automated credit or compliance checks, and HR consultancies deploying algorithmic screening tools, this demands a concrete response. You need documented, plain-language explanations of how your automated decision-making tools work, prepared in advance and capable of being provided to individuals on request. These explanations must be substantive. They must acknowledge the relevant inputs and logic without necessarily surrendering the proprietary detail of the underlying model. Achieving that balance requires deliberate legal and technical work — it does not happen by default.


Governing Agentic AI and Autonomous Systems

Regulators are beginning to grapple seriously with agentic AI — systems capable of taking sequences of actions with limited human intervention. Guidance from Spain's data protection authority, the AEPD, makes clear that organisations deploying such systems remain fully accountable as data controllers, regardless of how autonomously the agent operates. The accountability does not transfer to the AI.

This has immediate relevance for any firm that has begun experimenting with AI agents for client research, document drafting, workflow automation, or internal operations. You must be able to demonstrate oversight of data flows, understand what the agent retains in memory, and ensure that its actions remain within defined and auditable parameters. Deploying an agent and assuming it will manage its own compliance is not a defensible position.


The Pseudonymisation Ruling: A Practical Opportunity

Not all of the recent developments create burdens. A September 2025 ECJ ruling established that pseudonymised data is not automatically personal data if the recipient cannot reasonably re-identify the individuals concerned. This gives firms greater flexibility to share and use de-identified data for AI analytics, model training, and internal research purposes — provided the pseudonymisation is technically robust and the re-identification risk is genuinely negligible for the recipient.

For accountancy practices and HR consultancies that hold large volumes of structured data, this creates a legitimate pathway to use that data for AI development and improvement without triggering GDPR obligations in every instance. Legal and technical teams should assess current data architectures in light of this ruling.


What Needs to Happen Before December 2027

The December 2027 deadline for Annex III systems is closer than it appears. Achieving compliance with the EU AI Act's high-risk provisions requires foundational governance work: risk classification of all AI tools in use, technical documentation, conformity assessments, human oversight procedures, and incident logging systems. None of this can be assembled in the final months before a deadline.

The firms that will meet this deadline without disruption to their operations are the ones that begin structuring their AI governance frameworks now — with clear ownership at executive level, documented accountability for each system in use, and a compliance programme that can be audited and evidenced.


How Ops Intel Can Help

Ops Intel works with UK professional services firms — accountants, solicitors, HR consultancies, and marketing agencies — to build AI governance frameworks that are practical, proportionate, and audit-ready.

Whether you need to classify your AI systems against the EU AI Act's risk tiers, prepare explainability documentation following Dun & Bradstreet, audit your vendor contracts ahead of the PLD, or brief your board on executive liability exposure, we provide structured, expert-led support without the consultancy overhead.

Contact Ops Intel today to arrange an initial compliance review and understand exactly where your firm stands before the deadlines arrive.
