AI Legislation Netherlands & EU AI Act – Comprehensive Compliance Guide
The EU AI Act is the world's first binding AI law. This guide explains how Dutch organisations identify the four risk categories, which regulators are active, and the five steps required for compliance.
Gigabyte Consultancy
Overview and Purpose of the EU AI Regulation
The EU AI Regulation (Regulation (EU) 2024/1689) is the first comprehensive legislation covering artificial intelligence, aimed at making AI innovations safe and trustworthy. The law takes a risk-based approach: the greater the risk posed by an AI system to society, the stricter the requirements.
The Regulation entered into force on 1 August 2024 and applies in phases. Since 2 February 2025 the prohibited AI practices are banned and the AI-literacy duty of Article 4 applies. From 2 August 2025 the obligations for providers of general-purpose AI models apply. From 2 August 2026 most remaining provisions apply, including the full set of requirements for the stand-alone high-risk systems listed in Annex III. From 2 August 2027 the same applies to high-risk AI systems embedded in products that already fall under EU product-safety legislation (Annex I), such as machinery, medical devices and vehicles.
The Four Risk Categories
The AI Regulation classifies AI systems according to the risk they pose:
- Unacceptable risk (Prohibited): Practices that pose a clear threat to fundamental rights and safety. Examples include social scoring, manipulative or subliminal techniques that materially distort a person's behaviour, emotion recognition in the workplace and in education, and real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes (subject to narrow exceptions).
- High risk (Regulated): Systems with a significant impact on people's lives, used in biometrics, critical infrastructure, healthcare, education, HR, and law enforcement, among other areas. These must meet strict requirements before and after being placed on the market: a risk-management system, conformity assessment and CE marking, data governance and high-quality training data, technical documentation and automatic logging, human oversight (human-in-the-loop), and demonstrable accuracy, robustness and cybersecurity (Articles 9 to 15).
- Limited risk (Transparency obligation): Systems for which people must be told they are dealing with AI or with AI-generated content, such as chatbots, synthetic audio, image and video content including deepfakes (which must be labelled as such), and emotion recognition or biometric categorisation systems in the cases where these remain allowed (Article 50).
- Minimal or no risk (Freely permitted): The vast majority of AI applications, such as AI in video games and spam filters. No specific obligations under the AI Act, although voluntary codes of conduct are encouraged and other law, notably the GDPR, continues to apply.
Implementation in the Netherlands and Regulatory Cooperation
In the Netherlands, the Data Protection Authority (Autoriteit Persoonsgegevens / AP) and the Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur / RDI) work closely together. Existing market surveillance authorities oversee high-risk AI systems embedded in regulated products (Annex I), with technical support from the RDI. The AP and RDI jointly coordinate supervision of prohibited AI practices, the stand-alone high-risk systems of Annex III (for example in HR, education and biometrics), and the transparency obligations of Article 50 for chatbots and generative AI. Providers of general-purpose AI models, including large language models, are supervised at EU level by the European Commission's AI Office. Sector-specific regulators including the AFM (finance), NZa (healthcare), and ACM also play a role within their own domains.
The overlap with the GDPR remains significant: any AI application processing personal data also falls under the General Data Protection Regulation. Data minimisation, purpose limitation, and the legal basis for training models remain in force alongside AI Act requirements. The AI Regulation does not replace the GDPR — it complements it.
Article 4 of the AI Regulation introduces a mandatory AI literacy requirement: providers and deployers of AI systems must ensure that their staff, and anyone else operating or using AI systems on their behalf, have a sufficient level of AI literacy, taking into account their technical knowledge, experience and training and the context in which the systems are used. This is not a recommendation but a legal obligation, and it has applied since 2 February 2025.
Five-Step Compliance Roadmap for Organisations
Experts recommend that organisations work with a concrete, phased compliance plan:
- Step 1 – Inventory: Map out which AI tools and models your organisation already uses. Many companies discover more AI applications in use than expected — from SaaS chatbots to analytics software and recommendation systems.
- Step 2 – Risk analysis: Classify each system into one of the four risk categories. This quickly reveals whether you are using prohibited AI (which must stop) or whether additional requirements apply, such as documentation and CE marking for high-risk systems.
- Step 3 – Policy frameworks and contracts: Adapt internal IT and data policies for AI. Include model contract clauses that oblige providers to fulfil their AI Act obligations. Ensure ICT contracts contain liability and audit provisions for AI compliance.
- Step 4 – Implementation and training: Introduce technical controls (risk management systems, data quality, human oversight) and train staff in AI literacy at all levels.
- Step 5 – Documentation and monitoring: Record all steps in an AI register or compliance report. Update procedures after incidents and evaluate at least annually. Appoint a responsible person or team for AI compliance matters.
Checklists and Contract Clauses
ICT contracts will increasingly need specific AI clauses. The European Commission has published model contractual clauses for the procurement of AI systems (the MCC-AI), with variants for high-risk and non-high-risk systems, covering risk management, audit and reporting rights, transparency obligations, and human oversight. Also include termination and penalty provisions for cases where prohibited AI is nonetheless supplied, or where a system turns out to be high-risk without the provider having met its obligations. Note that the model clauses are not complete contracts: matters such as intellectual property, liability and GDPR obligations (including data processing agreements) must still be regulated separately.
For organisations, compliance is not merely a legal exercise. It requires coordination between IT, data privacy, and regulators. Practical resources for Dutch organisations include the government's AI Act guide (Rijksoverheid), the Ministry of Economic Affairs explanations for entrepreneurs, and practical guidance from the AP and RDI.
How Gigabyte Consultancy Can Help
Gigabyte Consultancy supports Dutch and European organisations at every step of AI Act compliance: from system inventories and risk classifications to setting up governance, human-in-the-loop mechanisms, audit trails, and AI literacy programmes for staff.
Whether you are an SME encountering AI regulation for the first time or an IT service provider guiding clients — we provide practical, implementation-focused support without unnecessary legal complexity. Get in touch for a no-obligation conversation.
Next step
Turn this idea into a practical AI plan for your organisation.
We can help you identify where AI agents, automation or Microsoft 365 can create measurable operational value.