EU AI Act in Belgium: Authorities, Obligations, and Federal Complexity

Belgium occupies a singular position in the EU AI Act story. It is home to the European Commission, the Council of the EU, and the EU AI Office itself — the body that supervises general-purpose AI model providers across all twenty-seven Member States. Yet Belgium is also a federal state with a layered constitutional architecture that distributes regulatory competence across federal and regional levels in ways that make designating a single national authority genuinely complicated. The EU AI Act — Regulation (EU) 2024/1689 — does not wait for that complexity to be resolved.

The Regulation is directly applicable under Article 288 TFEU. Belgium did not need to pass a transposing law. What Belgium did need to do by 2 August 2025 was designate its national competent authorities and notify the European Commission. It did not complete that designation by the deadline. The institutional picture is still being assembled — and Belgian companies subject to the Act need to understand what that means for their compliance obligations, and for how enforcement will eventually land.

---

A Regulation, Not a Directive: No Belgian Transposition Required

Under Article 288 TFEU, an EU Regulation binds all Member States directly and in its entirety the moment it enters into force. Regulation (EU) 2024/1689 entered into force on 1 August 2024. That date is not when Belgian companies first faced obligations — obligations have been rolling in since then on a staggered timeline — but it is when the legal basis was established. Belgian legislators were not required to, and could not, modify the substantive rules.

What is required of Belgium at the national level is the enforcement infrastructure: designated market surveillance authorities, a notifying authority, and a single point of contact for the EU AI Office. These are organisational obligations on the Belgian state, not substantive obligations on companies. Belgian companies have been bound by the Act's substantive rules since the application dates came into effect. The Article 5 prohibited practices have been enforceable since 2 February 2025. GPAI model obligations under Chapter V have applied since 2 August 2025. The prohibition on subliminal manipulation, real-time remote biometric identification in public spaces outside permitted law-enforcement exceptions, and biometric categorisation by sensitive characteristics — all of that is live and enforceable regardless of whether Belgium has a fully designated enforcement apparatus.

---

Belgium's Designation Is Still Being Assembled

Belgium missed the 2 August 2025 deadline for designating its national competent authorities under Article 70 of the Regulation. This is not unique among Member States — several did not complete their designation processes in time — but it is worth flagging clearly because it shapes the enforcement landscape.

The Federal Government Agreement for the 2025–2029 legislature identifies the BIPT/IBPT (Belgian Institute for Postal Services and Telecommunications / Belgisch Instituut voor Postdiensten en Telecommunicatie) as the proposed market surveillance authority for the EU AI Act. As of mid-2026, this designation is proposed and emerging, not finally notified to the Commission. Companies should watch for formal notification, which will confirm BIPT/IBPT's mandate, the scope of its powers, and the domestic legal basis on which it acts.

Belgium's federal structure adds a further layer. Regulatory competence in Belgium is divided not just across the federal level but across regional governments — Flanders, Wallonia, and the Brussels-Capital Region — with their own public administrations deploying AI in areas such as employment services, welfare benefits, and education. An AI system used by Wallonia's public employment service or by a Flemish educational institution may fall under a different authority's supervision than the same system deployed by a federal agency. Until the Belgian framework is formally settled, companies operating across sectors should map which level of government their counterpart is and consider which authority could plausibly supervise their deployment.

The Article 77 Fundamental-Rights Bodies

Under Article 77 of the Regulation, Member States must designate the national authorities responsible for protecting fundamental rights as the bodies empowered to supervise the deployment of high-risk AI systems where fundamental rights are at stake. Belgium has implemented this in detail: approximately 21 bodies have been designated at the federal and federated-entity level with Article 77 mandates. These include the Belgian Data Protection Authority (APD/GBA), equality bodies, ombudsmen, and sector-specific supervisory bodies covering areas from labour relations to children's rights.

This granular list reflects Belgium's approach: distributed oversight by existing institutions with domain expertise, rather than concentration in a single new regulator. It also means that a Belgian deployer of a high-risk AI system may face scrutiny from more than one Article 77 body simultaneously, depending on the rights at stake. A municipality deploying an AI tool for social-benefit eligibility decisions could find itself accountable to the APD/GBA on data-protection grounds, to a welfare-rights body on access-to-services grounds, and to a federal ombudsman on administrative-fairness grounds.

---

Who Will Enforce the EU AI Act in Belgium?

BIPT/IBPT: Proposed Market Surveillance Authority

The BIPT/IBPT is positioned as Belgium's primary market surveillance authority and single point of contact for the EU AI Office, under the terms of the 2025–2029 Federal Government Agreement. It is an existing federal regulator, already responsible for telecoms and postal services, with technical and regulatory capacity for complex product supervision.

When formally designated, BIPT/IBPT would hold the core enforcement powers: reviewing technical documentation, assessing conformity assessments, ordering corrective measures, requiring withdrawals from the market, and imposing administrative fines under Article 99. The formal designation has not yet been notified to the Commission as of mid-2026; the legislative and procedural steps to complete it are in progress.

BOSA and AI4Belgium: Federal Digital Coordination

The Federal Public Service Policy and Support (BOSA / FOD Beleid en Ondersteuning) leads federal digital transformation in Belgium. BOSA coordinates the AI4Belgium coalition — a cross-sector initiative bringing together government, research, and industry to develop Belgium's AI strategy and governance capacity. BOSA does not have enforcement powers under the Regulation but plays a coordination and capacity-building role: developing shared tools, guidance, and training programmes that support public and private bodies in preparing for their EU AI Act obligations.

For a company looking to understand the Belgian government's interpretation of the Regulation, BOSA and the AI4Belgium initiative are the primary points of contact for policy-level guidance while the enforcement machinery is being assembled.

Centre for Cybersecurity Belgium (CCB)

The Centre for Cybersecurity Belgium (CCB) is the national authority for cybersecurity and monitors security and robustness aspects of digital systems, including AI. Article 15 of the Regulation requires providers of high-risk AI systems to ensure accuracy, robustness, and cybersecurity throughout the system's lifecycle. The CCB's technical standards and guidance on secure-by-design principles — and Belgium's transposition of the NIS2 Directive — are relevant reference points for providers and deployers assessing compliance with Article 15. Where an AI system is also a critical infrastructure component, both CCB oversight and AI Act obligations will apply concurrently.

APD/GBA and the Article 77 Bodies

The Belgian Data Protection Authority (APD/GBA) is among the approximately 21 bodies designated under Article 77. It has jurisdiction wherever high-risk AI deployments involve significant risks to data-protection rights. The APD/GBA already enforces the GDPR with real investigative capacity and has published guidance on AI and data protection. Belgian companies should treat APD/GBA as an active supervisory presence for any high-risk AI system that processes personal data at scale — which, in practice, is most of them.

EU AI Office (Brussels): GPAI Supervision

The EU AI Office — physically located in Brussels — supervises general-purpose AI model providers directly under Chapter V. If your company develops a GPAI model and places it on the market, the EU AI Office, not BIPT/IBPT, is your primary regulator. The obligations under Articles 53 and 55 — technical documentation, downstream information, copyright policy, training-data summaries, model evaluation and risk mitigation for systemic-risk models — are enforced at the EU level. Belgium-based GPAI providers have the EU AI Office on their doorstep; that proximity does not reduce compliance obligations but does make engagement with the codes-of-practice process more accessible.

---

How Belgium's Framework Interacts with the GDPR

The GDPR and the EU AI Act run in parallel and do not displace each other. For Belgian companies, the practical interaction points are well-defined.

The most direct overlap concerns impact assessments. The GDPR requires a Data Protection Impact Assessment under GDPR Article 35 before any processing likely to produce high risks to natural persons — automated profiling, large-scale processing of sensitive data, systematic monitoring of public spaces all trigger it. The EU AI Act, under Article 27, requires certain deployers to complete a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into service. The FRIA applies to deployers who are public bodies or who deploy high-risk Annex III systems in the creditworthiness (Annex III 5(b)) or life and health insurance (Annex III 5(c)) categories. Article 27(4) explicitly allows the FRIA to build on an existing GDPR Article 35 DPIA — the two assessments share factual ground on data flows, risk factors, and the population of affected persons.

Logs are a second overlap point. Article 12 of the EU AI Act establishes record-keeping requirements for high-risk systems; GDPR Article 22 governs automated decision-making and requires meaningful information about the logic involved when decisions are made solely by automated means. A Belgian financial institution using an AI credit-scoring tool has documentation obligations under both instruments simultaneously. The compliance workload is real, but the documentation built under one framework serves the other — a DPIA under GDPR Article 35 and a FRIA under Article 27 can largely share their evidence base.

Belgian companies should label their references precisely: GDPR Article 35 (not AI Act Article 35), GDPR Article 22 (not AI Act Article 22). The two Regulations each have their own article numbering, and cross-wiring the citations is a material error in regulatory documentation.

---

The EU AI Act Timeline as It Applies in Belgium

The high-risk deadline is no longer August 2026. Under the Digital Omnibus — the Commission amendment package for which the European Parliament and Council reached political agreement on 7 May 2026, with formal adoption expected before 2 August 2026 — stand-alone high-risk Annex III systems now have until 2 December 2027, and high-risk AI embedded in Annex I products (medical devices, machinery, vehicles) until 2 August 2028. The original August 2026 date was deferred.

That deferral is not a licence to postpone. Building the Article 9 risk management system, Annex IV technical documentation, Article 14 human oversight controls, and an Article 27 FRIA, then passing a conformity assessment under Article 43, takes most organisations six to twelve months of serious work. For Belgian public bodies and regulated-sector companies, starting in late 2026 is already cutting it close.

---

Penalties: What Companies in Belgium Face

The penalty framework is Article 99 of Regulation (EU) 2024/1689. Three tiers, each applying the higher of a fixed sum or a percentage of total worldwide annual turnover:

• €35,000,000 or 7% — violation of the Article 5 prohibitions. This ceiling has applied since 2 August 2025 (when Article 99 penalties became live), covering prohibited practices that have themselves been enforceable since 2 February 2025.
• €15,000,000 or 3% — non-compliance with most other obligations: high-risk AI requirements (Articles 9–15), provider obligations (Article 16), deployer obligations (Article 26), and Article 50 limited-risk transparency duties.
• €7,500,000 or 1% — supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For SMEs and start-ups, Article 99(6) provides a proportionality protection: the fine is capped at the lower of the fixed amount or the applicable percentage. A Belgian company with €10 million in worldwide turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €10 million is €300,000, and that becomes the ceiling.

An example to make the tiers concrete: a mid-size Belgian HR software company that ships a recruitment screening tool (Annex III point 4(a)) without completing conformity assessment under Article 43, without generating Annex IV technical documentation, and without implementing Article 14 human oversight controls faces the middle tier: up to €15 million or 3% of global turnover. The BIPT/IBPT, when formally designated, will apply proportionality factors — duration, cooperativeness, prior record, severity — before arriving at a specific figure. But the ceiling is real, and the middle tier covers the bulk of high-risk AI compliance failures.

GPAI-specific fines are a separate mechanism: the Commission can impose up to €15 million or 3% of worldwide turnover on GPAI model providers under Article 101.

---

Belgium-Specific Compliance Considerations

Mapping Your Regulatory Counterpart

Belgium's federal complexity is not merely an administrative curiosity — it directly affects who supervises your AI deployment. A Flemish social enterprise deploying an AI tool for employment matching faces a different regulatory context than a federal public institution deploying the same tool for the Bundesagentur equivalent. Before your Article 27 FRIA or your Article 43 conformity assessment, identify which level of government your counterpart is, which Article 77 bodies have mandate over the rights at stake, and whether regional-level data protection guidance applies alongside federal rules.

The distributed Article 77 architecture means that, for a single deployment, multiple bodies may have standing to investigate. That is not a reason to slow down compliance work — it is a reason to make sure your documentation holds up to scrutiny from more than one angle.

Regulatory Sandboxes: Deadline 2 August 2026

Under Article 57(1), each Member State must establish at least one AI regulatory sandbox by 2 August 2026. Belgium is required to have its sandbox operational before that date. Sandboxes provide a supervised testing environment where companies — particularly smaller ones, who receive priority access under Article 58 — can develop and test AI systems under conditions that relax some compliance requirements while supervisory oversight is maintained. Belgium's federal complexity may result in federated or sector-specific sandbox structures. Watch for announcements from BOSA and from BIPT/IBPT as the deadline approaches; early access can be meaningful for companies developing novel AI deployments in regulated sectors.

Public-Sector Deployers and the Mandatory FRIA

Belgian public bodies — federal agencies, regional governments, municipalities — deploying high-risk AI systems in Annex III categories face a mandatory Article 27 FRIA before deployment. Given Belgium's use of AI in social services, benefit eligibility decisions, immigration processing, and public employment, this obligation has broad reach across the Belgian public sector. The FRIA must be completed before the system goes live, documented, made available for inspection by the supervisory authority, and updated whenever the deployment context changes materially.

Article 27(4) allows the FRIA to incorporate and build on an existing GDPR Article 35 DPIA — and for most Belgian public-body AI deployments, both assessments will be required. Coordinating them from the outset saves duplicated effort and produces a more coherent risk picture.

Article 25 and the Role-Shift Risk

Many Belgian companies — particularly in the technology, professional services, and public-sector-supply space — integrate third-party AI tools into their own products or services. The Article 25 rule is critical here: a deployer or distributor becomes a provider under Article 16 if it substantially modifies a high-risk AI system, places it on the market under its own name, or modifies its intended purpose. This is not a theoretical edge case. A Belgian IT integrator that takes a third-party AI recruitment tool, fine-tunes it on client data, and sells it to a public employment service as a branded product has likely crossed the Article 25 line — it must conduct its own conformity assessment, generate Annex IV documentation, and meet the full Article 16 provider obligations. The analysis is not optional.

---

How Confir Helps Companies in Belgium

Belgian compliance teams building their EU AI Act programmes face a documentation-intensive set of obligations: Article 9 risk management records, Annex IV technical documentation, Article 27 FRIAs, Article 43 conformity preparation, and an AI inventory to coordinate everything across a distributed multi-authority landscape.

Confir is an EU-hosted compliance tool built specifically for this work. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, so the same intake always produces the same finding with a human-readable explanation of which rule fired. No inference, no hallucination — a consistent output that holds up when a BIPT inspector or an APD/GBA investigator reviews your file.

Confir generates the full Annex IV technical documentation pack, the Article 47 / Annex V EU Declaration of Conformity, and the Article 27 FRIA for qualifying deployers. The compliance assessment spans four structured areas: risk classification and compliance (AIRC, covering Articles 5, 6, 43, 50), data and technical robustness (AITR, covering Articles 10, 11, 15), transparency and human oversight (AITO, covering Articles 13, 14, 27), and governance and post-market monitoring (AIGM, covering Articles 9, 72, 73). Self-serve from €600 per year, no consulting engagement required. Legal entity: Confir OÜ, Estonia. EU-hosted.

---

What Companies in Belgium Should Do Now

Immediately (Article 5 obligations already apply): Review any AI system that may involve biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation, exploitation of vulnerabilities, or real-time remote biometric identification in public spaces. If it fits an Article 5 category and no statutory exemption applies, the prohibition has been live since 2 February 2025 and the enforcement ceiling is €35 million or 7%.

Before 2 August 2026 (Article 50 limited-risk transparency): AI systems that interact with natural persons — chatbots, virtual assistants, synthetic-content generators — must comply with Article 50's disclosure requirements. Users must know they are interacting with AI, when content is AI-generated, and when emotion recognition is in use. This deadline was not deferred by the Digital Omnibus.

Now through 2027 (high-risk preparation, Annex III): Companies with stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use the current window to build the AI inventory, run the Article 6 classification analysis (applying the Article 6(3) filter carefully), assign provider and deployer roles, and begin Annex IV documentation. Public bodies should start FRIA processes now — they are mandatory before deployment and take longer than most teams expect.

Ongoing: Monitor the BIPT/IBPT designation process and the formal notification to the Commission. Track APD/GBA guidance on AI and data protection — it will be one of the more active Article 77 bodies. Watch for Belgium's regulatory sandbox announcement. If your company develops or integrates GPAI models, engage with the EU AI Office's codes-of-practice process; the Office is geographically accessible from any Belgian city.

---

Frequently Asked Questions

Which authority enforces the EU AI Act in Belgium?

Belgium's designation is still being finalised as of mid-2026. The BIPT/IBPT (Belgian Institute for Postal Services and Telecommunications) has emerged as the proposed market surveillance authority under the 2025–2029 Federal Government Agreement but has not yet been formally notified to the Commission. Alongside BIPT/IBPT, approximately 21 bodies have been designated under Article 77 to supervise AI deployments where fundamental rights are at stake, including the APD/GBA. The EU AI Office in Brussels supervises GPAI model providers directly.

Does Belgium need to pass a national AI Act law before the Regulation applies?

No. Regulation (EU) 2024/1689 applies directly in Belgium under Article 288 TFEU. Belgium does not need to pass a transposing statute for companies to be bound. The Article 5 prohibitions have applied since 2 February 2025; GPAI and penalty obligations since 2 August 2025. Belgium must designate its national competent authorities, but that is an obligation on the state, not a precondition for company compliance.

What is the high-risk AI compliance deadline for Belgian companies?

Under the Digital Omnibus — political agreement reached 7 May 2026 — stand-alone high-risk AI systems in the Annex III categories (recruitment, credit, biometrics, public services, law enforcement, migration, education, justice) have until 2 December 2027. High-risk AI embedded in Annex I regulated products (medical devices, machinery) has until 2 August 2028. The original August 2026 date was deferred.

What penalties apply under the EU AI Act in Belgium?

Article 99 sets three tiers: €35 million or 7% of worldwide turnover for Article 5 violations; €15 million or 3% for most other obligations including high-risk AI requirements and provider/deployer duties; and €7.5 million or 1% for supplying incorrect or misleading information to authorities. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the fixed amount or the percentage — a material protection for smaller companies.

Are Belgian public bodies required to complete a FRIA?

Yes. Article 27 requires public bodies — and deployers of high-risk AI in the creditworthiness (Annex III 5(b)) and life/health insurance (Annex III 5(c)) categories — to complete a Fundamental Rights Impact Assessment before putting a high-risk AI system into service. The FRIA must be documented and available to supervisors. Article 27(4) permits it to build on an existing GDPR Article 35 DPIA, which most Belgian public bodies will also be required to conduct.

How does Belgium's federal structure affect compliance?

It affects primarily which authority you face. Federal public bodies answer to BIPT/IBPT (once designated) and relevant Article 77 bodies at the federal level. Regional public administrations — Flemish, Walloon, Brussels-Capital — may fall under regional oversight structures within the distributed Article 77 framework. Companies supplying AI to Belgian public bodies should identify the level of government of their counterpart early, as it determines which bodies have supervisory standing over the deployment.

What is the BIPT/IBPT's role, and is it already active?

The BIPT/IBPT is Belgium's proposed market surveillance authority under the EU AI Act, identified in the 2025–2029 Federal Government Agreement. It is an existing regulator for telecoms and postal services with established technical regulatory capacity. Its formal designation under Article 70 — with notification to the Commission — was not complete by the 2 August 2025 deadline and is still in progress as of mid-2026. Companies should treat BIPT/IBPT as the authority they will eventually face for most high-risk AI market surveillance, while also tracking the parallel Article 77 bodies relevant to their specific deployments.

---

Related guides

• EU AI Act in Germany: Enforcement, Authorities & Obligations
• EU AI Act in the Netherlands: Authorities & Compliance
• EU AI Act in France: Enforcement, Authorities & Obligations
• What is the EU AI Act?
• EU AI Act Summary: Key Obligations Explained
• EU AI Act Penalties: Article 99 Fine Tiers
• EU AI Act Timeline and Deadlines
• AI Risk Classification Under the EU AI Act
• Annex III: High-Risk AI Use Cases
• Public Sector AI Compliance Under the EU AI Act
• Market Surveillance Authority: Role and Powers