EU AI Act and AI Legislation guide

Comprehensive Guide for EU AI Act & AI Legislation in the Netherlands

The European AI Regulation (EU AI Act) is the first comprehensive legal framework worldwide to regulate the use of artificial intelligence. This guide explains the risk categories, Dutch context, and a practical compliance roadmap for your organisation.
Gigabyte Consultancy


Introduction: What is the EU AI Act?

The EU AI Act aims to strike a balance between stimulating innovation and protecting fundamental rights, safety, and ethics. The legislation adopts a risk-based approach: the greater the risk posed by the AI system, the stricter the rules that apply. As the first binding AI law globally, it sets a precedent for how democracies regulate emerging technology.

The Four Risk Categories

  • Unacceptable risk (Prohibited systems): Systems that pose a clear threat to the safety and rights of people. Examples include social scoring by governments, subliminal influence techniques, and real-time biometric identification in public spaces (with narrow exceptions for law enforcement).

  • High risk (Regulated): Systems with a significant impact on people's lives — in HR and recruitment, critical infrastructure, education, healthcare, and the justice system. These must undergo a Conformity Assessment (CE marking), use high-quality datasets to prevent discrimination, maintain detailed documentation and logging, implement human supervision (human-in-the-loop), and guarantee robustness, cybersecurity, and accuracy.

  • Limited risk (Transparency obligation): AI systems where users must know they are interacting with AI. Examples include chatbots, deepfake generators, and emotion recognition systems. The primary obligation is transparency.

  • Minimal / No risk (Freely permitted): The vast majority of AI applications — AI-driven games, spam filters, recommendation engines. No specific legal obligations under the AI Act, although voluntary codes of conduct are encouraged.

AI Legislation in the Dutch Context

  • Regulators: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP) is a central player given the overlap between AI and personal data. The National Inspectorate for Digital Infrastructure (RDI) and sector-specific regulators — such as the AFM for financial services — also play a crucial role in national AI supervision.

  • Overlap with the GDPR / AVG: Any AI application that processes personal data falls directly under the General Data Protection Regulation. Data minimisation, purpose limitation, and legal basis for training models remain in full effect. The AI Act does not replace the GDPR — it complements it.

  • AI Literacy (Article 4): A fundamental part of the law requires that providers and users of AI ensure their staff maintain sufficient AI literacy. This is not optional — it is a legal obligation that affects training, procurement, and operations.

Step-by-step Compliance Roadmap

  • 1. Inventory: Map all AI systems in the organisation. Identify which are developed internally (as 'provider') and which are purchased from third parties (as 'user' or 'deployer').

  • 2. Risk Classification: Determine for each system which of the four risk categories it falls into. Document the reasoning, especially for systems near the high-risk threshold.

  • 3. Gap Analysis & Governance: Assess whether current IT processes, contracts (SLAs, Data Processing Agreements), and internal policies already comply with the AI Act requirements. Update them where they fall short.

  • 4. Training & AI Literacy: Invest in AI literacy programmes for employees at all levels — from board members setting strategy to operational staff using AI tools daily.

  • 5. Ongoing monitoring: AI Act compliance is not a one-off project. Establish monitoring processes to track regulatory updates, new guidance from the AP and RDI, and changes in how your AI systems are used.

Key Dates and Timeline

The EU AI Act entered into force on 1 August 2024. Prohibited systems must comply by February 2025. Obligations for high-risk systems in Annex I apply from August 2026, and broader high-risk system obligations from August 2027. The Dutch government is actively preparing national enforcement infrastructure to support these deadlines.

How Gigabyte Consultancy Can Help

Gigabyte Consultancy supports organisations in the Netherlands and across the EU in navigating AI Act compliance. From AI system inventories and risk classifications to governance frameworks, human-in-the-loop implementation, audit trail setup, and staff AI literacy programmes — we provide practical, implementation-focused support grounded in real IT delivery experience.

Ready to align your AI systems with EU legislation?

We help organisations assess their AI risk exposure, implement governance controls, and build AI literacy — practically and without unnecessary complexity.