EU AI Act in the Netherlands: Enforcement, Authorities, and Business Obligations
AP and RDI proposed as Dutch AI Act supervisors via draft Implementation Act (Apr 2026). Covers authority roles, GDPR overlap, and Dec 2027 deadline.
The Netherlands is one of Europe's most digitally advanced economies, home to a dense cluster of technology companies, financial institutions, and public-sector bodies that have made AI integration a policy priority for years. The EU AI Act — Regulation (EU) 2024/1689 — applies here directly, without waiting for a Dutch law to say so. What the Netherlands is still finalising is how it will enforce that Regulation: which authorities carry which mandate, and what procedural powers underpin them. That process is well advanced but not yet complete.
This article sets out the proposed Dutch supervisory architecture, the status of the draft Implementation Act, the interaction with the GDPR and the Dutch data protection framework, the corrected timeline following the Digital Omnibus, and what companies operating in the Netherlands should be doing now.
A Regulation, Not a Directive: No Dutch Transposition Required
The EU AI Act is a Regulation under Article 288 TFEU. It entered into force on 1 August 2024 and applies directly in every Member State — the Netherlands included — without any domestic transposition step. Dutch companies do not wait for parliament to act before obligations bite. Article 5's prohibited practices have applied since 2 February 2025. GPAI obligations under Chapter V have applied since 2 August 2025.
What the Netherlands must provide is the national enforcement infrastructure: designated competent authorities, domestic legal powers for those authorities to investigate and sanction, and national implementing choices in the areas where the Regulation leaves Member State discretion — such as the structure of AI regulatory sandboxes and the coordination arrangements between sectoral supervisors.
That infrastructure is provided by the draft Implementation Act (Uitvoeringswet AI-verordening). Published for public consultation on 20 April 2026, it proposes the authority designations and the domestic procedural rules. It has not yet been enacted. The current plan is to lay the Bill before the House of Representatives (Tweede Kamer) in Q4 2026. Until the Implementation Act passes, the authority designations described below remain proposed, not formally settled — though the underlying Regulation's obligations are live regardless.
The Netherlands' Decentralised Supervisory Model
The Dutch draft Implementation Act proposes a decentralised model: two coordinating authorities at the top, with approximately eight sectoral market surveillance authorities (MSAs) beneath them, each responsible for their own domain. The Netherlands has long favoured sector-specific supervision — the same structure it uses for financial services, healthcare, and data protection. Applying that principle to the EU AI Act means the authority with existing domain expertise in a given sector handles AI Act enforcement there, with two central bodies providing coordination across the whole.
Until the Tweede Kamer enacts the Implementation Act, the designations described below are what the government has proposed and published for consultation — not yet settled law.
Who Will Enforce the EU AI Act in the Netherlands?
AP — Autoriteit Persoonsgegevens
The AP (Autoriteit Persoonsgegevens — the Dutch Data Protection Authority) is proposed as the market surveillance authority for the Article 5 prohibited AI practices, for the majority of Annex III high-risk systems, and for the Article 50 limited-risk transparency obligations. It is the broadest-mandate authority in the proposed structure.
Within the AP, a dedicated DCA (Directie Coördinatie Algoritmes — Department for the Coordination of Algorithmic Oversight) coordinates AI and algorithmic supervision. The DCA is not new: the AP has been building its algorithmic oversight capacity for several years, publishing guidance on automated decision-making and profiling under the GDPR. The EU AI Act gives that existing capability a statutory enforcement mandate for the first time.
Housing the primary AI Act MSA inside the data protection authority matters in practice. Most Annex III high-risk AI systems process personal data. One authority will supervise both frameworks — coordinated inspections and shared documentation requests are likely. That is also a concentration of regulatory attention companies should factor into their risk planning.
RDI — Rijksinspectie Digitale Infrastructuur
The RDI (Rijksinspectie Digitale Infrastructuur — the Netherlands' Inspectorate for Digital Infrastructure) is proposed as the market surveillance authority for high-risk AI in critical infrastructure and digital infrastructure, and as the central coordination point for the entire Dutch AI Act supervisory framework. It is also the likely single point of contact (SPoC) for the EU AI Office in Brussels.
The RDI already oversees the radio spectrum, electronic communications, and the Digital Services Act. Giving it the coordinating and SPoC role for the EU AI Act makes administrative sense: it is the natural counterpart to the EU AI Office and the body through which GPAI-related communications will flow for Dutch-connected companies.
Sectoral Market Surveillance Authorities
Beneath the AP and RDI, approximately eight sectoral authorities are proposed as MSAs for their respective domains. These would include supervisors in financial services, healthcare, labour, and other sectors with established Annex III exposure. The Implementation Act will specify which authority covers which Annex III category in each sector. Until then, the precise allocation is still being finalised.
AI Office (Brussels): GPAI Oversight
Dutch companies that develop and place general-purpose AI models on the market — GPAI model providers — are supervised not by the AP or RDI but directly by the EU AI Office in Brussels. The AI Office has competence over all GPAI provider obligations under Articles 53 and 55. The RDI acts as the Dutch SPoC for coordination purposes, but GPAI compliance for Dutch foundation-model companies is primarily an EU-level matter.
How the Dutch Framework Interacts with the GDPR
The AP already enforces the GDPR in the Netherlands through the UAVG (Uitvoeringswet Algemene Verordening Gegevensbescherming). When the Implementation Act passes, the same authority will enforce both. That overlap matters for how Dutch companies structure their compliance work.
The most direct interaction is between GDPR Article 35 (the Data Protection Impact Assessment, or DPIA) and Article 27 of the EU AI Act (the Fundamental Rights Impact Assessment, or FRIA). Both are pre-deployment assessments requiring analysis of risks to fundamental rights. For a Dutch municipality deploying an AI system to assess benefit eligibility, both are mandatory before go-live — and Article 27(4) explicitly permits the FRIA to build on an existing DPIA. Running them in sequence, DPIA first, is the most efficient approach.
GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects — affected persons must be able to obtain human intervention and contest the outcome. Article 14 of the EU AI Act independently requires human oversight mechanisms for high-risk AI systems. For a Dutch insurer using AI to set life or health insurance premiums, both apply: Article 22 GDPR governs the individual decision; Article 14 governs the system's design. Neither substitutes for the other.
Article 12 of the EU AI Act requires logging for high-risk AI systems, running alongside GDPR Article 30 records of processing and Article 5(2) accountability requirements. Treat the AI Act technical file and the GDPR documentation as a single integrated record set — the AP will audit both.
The EU AI Act Timeline as It Applies in the Netherlands
| Date | What applies |
|---|---|
| 2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — in force, enforceable now |
| 2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, AI Office, Article 99 penalties |
| 2 August 2026 | General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking) |
| 2 December 2027 | Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus |
| 2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus |
Two points deserve emphasis.
Article 5 is already live and has been since February 2025. Any Dutch company or public body whose AI systems involve biometric categorisation by sensitive characteristics (outside permitted exceptions), social scoring, manipulation exploiting personal vulnerabilities, or real-time remote biometric identification in public spaces should have completed its prohibited-practice review well before now. The AP can act on those violations today.
The high-risk deadline is no longer August 2026. Under the Digital Omnibus — the Commission amendment package for which the European Parliament and Council reached political agreement on 7 May 2026, with formal adoption expected before 2 August 2026 — stand-alone Annex III systems now face a deadline of 2 December 2027, and high-risk AI embedded in Annex I regulated products has until 2 August 2028. The original date was deferred, not cancelled. Assembling a full Article 9 risk management system, Annex IV technical documentation, Article 14 human oversight controls, and completing conformity assessment under Article 43 is at minimum six to twelve months of focused work. Companies that start in early 2027 will not finish in time.
On the sandbox: Member States are required to have an operational AI regulatory sandbox in place by 2 August 2026. The Netherlands is preparing one. For Dutch companies that want to test innovative AI systems in a supervised environment before full compliance is required, tracking the sandbox launch and eligibility criteria is worthwhile.
Penalties: What Companies in the Netherlands Face
The penalty framework is Article 99 of the Regulation. The Implementation Act will set the domestic procedural rules for how the AP and other Dutch authorities apply those fines. The substantive tiers are fixed in the Regulation:
- €35,000,000 or 7% of total worldwide annual turnover (whichever is higher) — for violations of the Article 5 prohibitions. The penalty provisions generally have applied since 2 August 2025 (the Article 5 prohibitions themselves have been enforceable since 2 February 2025).
- €15,000,000 or 3% — for non-compliance with most other obligations: high-risk AI requirements (Articles 9–15), provider obligations (Article 16), deployer obligations (Article 26), and Article 50 transparency duties.
- €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.
For SMEs and start-ups, Article 99(6) provides a proportionality protection: the fine is capped at the lower of the fixed amount or the percentage of turnover. A Dutch company with €5 million annual turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €5 million is €150,000, and that is the applicable ceiling. This protection is worth understanding; it does not reduce the compliance obligation, but it makes the downside financially predictable for smaller companies.
The procedural steps — how the AP issues an investigation decision, how companies respond, how fines are calculated and appealed — will be set by the Implementation Act. Until it passes, the underlying Regulation's penalty regime applies, but the domestic procedural path for Dutch enforcement is not yet fully defined.
As a concrete example: a Dutch HR-tech company of 60 employees deploying an AI recruitment screening tool for a client — without completing the required Annex IV technical documentation or Article 27 FRIA — faces the €15M/3% tier as a provider under Article 16, capped at 3% of its turnover under Article 99(6).
Netherlands-Specific Compliance Considerations
The Dutch Algorithm Register and Transparency Culture
The Netherlands has run a public-sector algorithm register since 2022. Central government bodies are expected to list the algorithms they use in decision-making processes affecting citizens. This register is not mandated by the EU AI Act — it is a domestic transparency initiative — but it signals the regulatory culture Dutch companies and public bodies operate in. The AP's DCA draws on this existing practice. Public bodies deploying Annex III AI systems should treat the EU AI Act registration requirement under Article 49 (into the EU database under Article 71) as layering on top of existing domestic transparency expectations, not replacing them.
The AP's Existing Algorithmic-Oversight Work
The AP has published guidelines on automated decision-making, profiling, and algorithmic transparency under GDPR. That body of guidance is directly relevant to EU AI Act compliance — the analytical frameworks the AP applies in GDPR algorithmic reviews are a reasonable proxy for how it will approach EU AI Act market surveillance. Companies already familiar with AP algorithmic guidance are better positioned than those encountering this authority for the first time.
Public-Sector FRIA
Dutch public bodies — municipalities, central government departments, the Belastingdienst, the IND — deploy AI across Annex III categories with high societal stakes: benefit eligibility, immigration processing, law enforcement risk assessment. Article 27 requires public-body deployers to complete a FRIA before deployment. The FRIA must be documented, registered in the EU database under Article 49, and available for AP inspection. The existing algorithm register means public-sector AI is already visible; an AP team that cross-references it with EU database registrations will find gaps quickly.
Deployer vs. Provider: The Article 25 Line
Most Dutch companies that use third-party AI tools operate as deployers under Article 26. But Dutch technology companies — particularly those in Amsterdam and Eindhoven that build on foundation models — need to examine the Article 25 role-shift carefully. A company that substantially modifies a high-risk AI system, fine-tunes a model on proprietary data and ships the result, or places a third-party system on the market under its own name becomes a provider under Article 16. That brings the full obligation stack: Article 9 risk management, Annex IV documentation, Article 43 conformity assessment, Article 49 registration. The analysis should happen before product decisions are finalised.
The Regulatory Sandbox
The Netherlands is preparing its AI regulatory sandbox ahead of the 2 August 2026 deadline under Article 57. Companies developing novel AI applications in healthcare, mobility, or public services should track the launch. Priority access for SMEs and start-ups is guaranteed under Article 58.
How Confir Helps Companies in the Netherlands
The Dutch compliance workload for companies with Annex III systems is documentation-intensive: Article 9 risk management records, Annex IV technical documentation, Article 27 FRIA for public-body deployers, Article 43 conformity preparation, Article 47 Declaration of Conformity, Article 72 post-market monitoring logs, and an AI register to anchor all of it.
Confir handles that documentation work through a rule-based, deterministic classification and assessment engine — not AI. The same intake always produces the same output; every finding traces to the explicit rule that generated it, which is what an audit-defensible compliance record requires. It generates the Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA — the three documents Dutch authorities will ask for first. EU-hosted, self-serve, from €600 per year.
What Companies in the Netherlands Should Do Now
Immediately — Article 5 review: The prohibited-practice obligations under Article 5 have applied since 2 February 2025. If any AI system used or deployed by your organisation involves biometric categorisation by sensitive characteristics, social scoring, manipulation of persons exploiting vulnerabilities, or real-time remote biometric identification in public spaces, that review should already be complete. If it is not, it is overdue.
Before 2 August 2026 — Article 50 transparency: Any AI system that interacts with natural persons — chatbots, voice interfaces, AI-generated content tools, emotion-recognition applications — must comply with Article 50's disclosure requirements by 2 August 2026. Users must know when they are interacting with an AI and when content is synthetically generated. This is not the high-risk deadline; it is a separate and firm obligation.
2026–2027 — High-risk preparation for Annex III systems: Stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use 2026 to build the AI inventory and classification. Apply the Article 6(3) filter rigorously — many systems that touch Annex III areas do not ultimately land in the high-risk tier. Identify which systems do, assign provider and deployer roles, and begin documentation. If your organisation is a public body, the Article 27 FRIA should be initiated in parallel with technical documentation.
Track the Implementation Act and AP/RDI guidance: Monitor the Uitvoeringswet AI-verordening as it moves through the Tweede Kamer in Q4 2026. The AP and RDI are likely to publish supervisory guidance before formal enactment — watching for those signals will tell you where enforcement attention will land first.
Frequently Asked Questions
Who enforces the EU AI Act in the Netherlands?
The draft Implementation Act proposes two coordinating authorities: the AP (Autoriteit Persoonsgegevens) as primary market surveillance authority for Article 5 prohibited practices, most Annex III high-risk systems, and Article 50 transparency; and the RDI (Rijksinspectie Digitale Infrastructuur) as central coordination point and proposed single point of contact for the EU AI Office, with market surveillance authority for critical and digital infrastructure AI. Around eight sectoral authorities sit beneath them. These designations are proposed — not enacted as of June 2026. The EU AI Office in Brussels supervises GPAI providers directly.
What is the role of the Autoriteit Persoonsgegevens in AI Act enforcement?
The AP is proposed as the Netherlands' broadest-mandate AI Act supervisor: primary MSA for Article 5 prohibited practices, the majority of Annex III high-risk systems, and Article 50 transparency obligations. Its dedicated DCA (Directie Coördinatie Algoritmes) coordinates algorithmic and AI oversight. The AP already enforces GDPR, so its AI Act role builds directly on existing supervisory relationships with Dutch organisations.
Has the Netherlands passed its AI Act implementation law?
No — not as of June 2026. The draft Uitvoeringswet AI-verordening was published for consultation on 20 April 2026; the government intends to lay it before the Tweede Kamer in Q4 2026. Until enacted, authority designations are proposed, not settled. The EU AI Act's obligations apply regardless — the Regulation is directly applicable under Article 288 TFEU.
What are the AI Act fines in the Netherlands?
Article 99 sets three tiers, each the higher of a fixed amount or a percentage of total worldwide annual turnover. Article 5 prohibited practices: €35 million or 7%. Most other obligations including high-risk requirements, provider and deployer duties, and Article 50 transparency: €15 million or 3%. Supplying incorrect information to authorities: €7.5 million or 1%. For SMEs and start-ups, Article 99(6) caps fines at the lower of the fixed amount or the percentage.
What does the RDI do under the EU AI Act?
The RDI is proposed as the central coordinating authority for AI Act supervision and the single point of contact for the EU AI Office. It is also proposed as market surveillance authority for high-risk AI in critical and digital infrastructure. For Dutch GPAI model providers, the RDI is the domestic coordination point — but primary GPAI supervision under Articles 53 and 55 sits with the EU AI Office directly.
When do high-risk AI rules apply in the Netherlands?
Under the Digital Omnibus (political agreement 7 May 2026), stand-alone Annex III high-risk systems — recruitment, creditworthiness, biometrics — have until 2 December 2027. High-risk AI in Annex I regulated products has until 2 August 2028. Article 5 prohibitions applied from 2 February 2025. Article 50 limited-risk transparency applies from 2 August 2026.
Does the Dutch algorithm register satisfy EU AI Act registration requirements?
No. The Dutch public-sector algorithm register is a domestic transparency initiative, not an EU AI Act requirement. EU AI Act registration is governed by Article 49 — providers of high-risk systems must register in the EU-wide database under Article 71 before market placement. Public bodies in the Netherlands must comply with both: the national register and the EU database registration.