Three Compliance Deadlines UK Professional Services Must Meet by 2028: AI Act, Product Liability, and GDPR Enforcement

Compliance | 18 May 2026

The regulatory ground beneath AI is shifting fast, and professional services firms — accountants, solicitors, HR consultancies, marketing agencies — are squarely in the path of it. Between now and 2028, three distinct but interconnected compliance frameworks will mature into enforceable obligations with real financial and reputational consequences. None of them can be addressed at the last minute.

This briefing sets out what is happening, when it applies, and what your firm needs to do about it.


Deadline One: EU AI Act GPAI Rules — August 2025

The EU AI Act's prohibitions on unacceptable-risk AI systems came into force in February 2025. The next significant milestone arrives on 2 August 2025, when the governance rules for General-Purpose AI (GPAI) models become applicable. These rules cover the large foundation models — GPT-4, Claude, Gemini and their successors — that underpin the AI tools your firm almost certainly already uses.

Even if your firm is based in the UK, this matters. If you are processing data relating to EU clients, marketing into EU markets, or using AI tools that themselves fall under GPAI governance, you are operating within the Act's reach. More practically, your AI vendors will be scrambling to demonstrate compliance, and you need to know whether the tools you rely on will still function as promised once those obligations apply.

The Digital Omnibus on AI, adopted by the European Parliament and Council in March 2026, has introduced some welcome breathing room on the high-risk side. Fixed compliance deadlines have now been established: 2 December 2027 for Annex III high-risk systems (which include HR tools, credit scoring, and recruitment automation), and 2 August 2028 for Annex I systems embedded in regulated products. The Omnibus also extends SME compliance reliefs to "small mid-caps," which will benefit a significant portion of the professional services market.

However, breathing room is not the same as no obligation. The Omnibus removes the corporate AI literacy mandate at EU level, deferring it to Member States — but the underlying expectation that firms understand and govern the AI they deploy has not gone away.

What to do now: Audit your third-party AI vendors ahead of the August 2025 GPAI deadline. Understand which systems you are using, what data they process, and whether they qualify as high-risk under Annex III. If you use AI for recruitment screening, client risk assessment, or automated billing, that work needs to start immediately.


Deadline Two: Revised Product Liability Directive — October 2026

The revised Product Liability Directive (PLD) takes effect in October 2026, and it represents a fundamental shift in how liability for AI failures is allocated. For the first time, AI software is explicitly classified as a "product." That means firms that deploy or substantially modify AI systems can face strict civil liability for damages caused by defective AI — including harms arising from post-deployment software updates.

Let that land: if you integrate a third-party AI tool into your client-facing workflows, and that tool subsequently introduces a defect through an update you did not control, you could be held liable for the resulting damage. The burden of proof is eased for claimants under the revised Directive, and the categories of recoverable loss are broad.

For professional services firms, the risk is concentrated in a few specific areas. Legal practices using AI for document review or contract analysis, HR consultancies using automated candidate screening, accountancy firms relying on AI-assisted audit tools — all of these represent scenarios where a defective output could cause measurable financial harm to a client.

What to do now: Review every AI vendor contract you hold. If those agreements do not contain robust indemnity clauses that clearly allocate liability for AI defects and update-related failures, renegotiate them before October 2026. Do not assume that standard SaaS terms are adequate — they almost certainly are not. Your firm also needs a clear internal record of where AI is embedded in client-facing processes, so that liability exposure can be mapped and managed.


Deadline Three: GDPR Enforcement and the Coming Transparency Reckoning — Ongoing

GDPR enforcement of AI data processing is not a future concern — it is happening now, and the jurisdictional picture is becoming clearer in ways that affect UK firms directly.

In early 2026, an Italian court annulled the €15 million fine issued to OpenAI by Italy's Garante, ruling that the Irish Data Protection Commission (DPC) holds lead supervisory authority under GDPR's one-stop-shop mechanism. The Irish DPC has since launched a formal inquiry into X (formerly Twitter) over the lawful basis for using EU users' public posts to train its Grok AI model. These cases are reshaping where enforcement lands — but they are not reducing its intensity.

Critically for UK firms, the UK Upper Tribunal has confirmed that UK GDPR applies globally to offshore monitoring companies such as Clearview AI. Extraterritorial reach is not a theoretical risk; it is settled law.

The more immediate concern for professional services is algorithmic transparency. A pending referral to the Court of Justice of the EU — Yettel Bulgaria (C-806/24) — asks whether consumers can demand access to "black box data, the source code and the algorithm" under Article 86 of the AI Act to verify automated invoicing decisions. If the Court rules in favour of disclosure, firms using automated systems for client billing, risk scoring, or recruitment will face real pressure to explain how those systems work.

What to do now: Do not wait for the CJEU to rule. If your firm uses automated decision-making in any client-facing context — billing, credit assessments, candidate screening — develop plain-language explanations of how those systems reach their conclusions. The explanation does not need to expose proprietary source code, but it does need to be meaningful. Alongside this, harmonise your GDPR Data Protection Impact Assessments (DPIAs) with the AI Act's Fundamental Rights Impact Assessments (FRIAs). Running these as separate exercises is inefficient and creates gaps. A unified governance framework reduces duplication and demonstrates regulatory maturity.


The Unifying Thread: Governance Cannot Be Bolted On

Across all three deadlines, the common failure mode is the same: firms treating AI compliance as a one-off project rather than an embedded governance function. With 89% of B2B buyers now using generative AI in some capacity, the software supply chain is a compliance risk in its own right. Every AI tool your firm uses is a potential vector for liability, data breach, or regulatory scrutiny.

The firms that will navigate 2025 to 2028 without incident are those building governance infrastructure now — vendor audits, contractual protections, impact assessments, and documented transparency frameworks — rather than reacting to enforcement actions after the fact.


Work With Ops Intel

Ops Intel helps UK professional services firms build practical, proportionate AI compliance programmes. We map your AI exposure, review vendor contracts, align your DPIAs and FRIAs, and help you develop the algorithmic transparency documentation your clients and regulators will increasingly expect.

If you are unsure where your firm stands against these deadlines, the right time to find out is now — not six months before they apply.

Contact Ops Intel to book a compliance readiness review.
