EU AI Act for Dutch SMEs: what to do, and when?

The AI Act, formally Regulation (EU) 2024/1689, is the world's first horizontal AI law. It was adopted on 13 June 2024, published in the Official Journal of the EU on 12 July 2024, and entered into force on 1 August 2024. From that date several obligations phase in, with full application on 2 August 2026. The law applies directly in all EU member states, including the Netherlands, without national transposition.

Four key dates. 2 February 2025: prohibited AI practices (article 5) apply, and the AI literacy duty (article 4) applies to every organisation that uses AI. 2 August 2025: obligations for providers of general-purpose AI models (GPAI), such as OpenAI, Anthropic, Google and Mistral, together with governance provisions and most penalties. 2 August 2026: the bulk of the law, including rules for high-risk systems (Annex III) and transparency duties for limited-risk systems. 2 August 2027: rules for high-risk AI embedded in products covered by existing EU product legislation (Annex I, think medical devices, machinery, toys).

The AI Act is risk-based. Unacceptable risk (prohibited): government social scoring, manipulative AI that harms vulnerable groups, biometric categorisation by sensitive characteristics, real-time biometric identification in public spaces (with narrow law-enforcement exceptions), emotion recognition in workplaces and education. Banned from 2 February 2025. High risk: systems listed in Annex III (recruitment, lending, critical infrastructure, education, biometrics not under the ban, law enforcement, migration, justice) and AI in products under Annex I. Heavy obligations: risk management, data governance, technical documentation, logging, human oversight, robustness, cybersecurity. Limited risk: chatbots, deepfakes, AI-generated content. Required: tell users they are dealing with AI, label AI-generated content. Minimal risk: spam filters, AI in video games, inventory optimisation. No specific AI Act obligations, but GDPR and ordinary law still apply.

Four roles. Providers: those who develop or commission an AI system to place on the market under their own name. The heaviest role. Deployers: organisations that use an AI system in a professional context. Where most Dutch SMEs sit. Importers: businesses that bring an AI system from a third country to the EU market. Distributors: businesses in the supply chain that make AI systems available without making or importing them. Important: even as a deployer you have obligations, especially for high-risk systems (article 26): you must arrange human oversight, keep logs, report incidents, and ensure your staff are AI literate (article 4).

Article 4 requires providers and deployers to take measures to ensure, to their best extent, that their staff and other persons using AI systems on their behalf have a sufficient level of AI literacy. It must take account of technical knowledge, experience, training, the context of AI use, and the persons affected. In practice: training at role level, not one general course for everyone. A marketing employee using ChatGPT for copy needs a different curriculum from an HR manager running a recruitment screener. Regulators, in the Netherlands the Dutch Data Protection Authority (AP) and the RDI, have signalled they will enforce on demonstrability: documentation, participants, learning objectives, evaluation. We deliver this as a package via /ai-training.

Fines are tiered. Up to 35 million euros or 7% of global annual turnover (whichever is higher) for prohibited AI practices (article 5). Up to 15 million euros or 3% for breach of most other duties, including high-risk system rules, transparency, and GPAI provider duties. Up to 7.5 million euros or 1% for supplying incorrect or misleading information to regulators. SMEs and startups get specific treatment: member states may apply lower caps for smaller undertakings, and proportionality must be considered. In the Netherlands the Dutch DPA (AP) is the lead regulator, alongside sector regulators such as the RDI, AFM, and NZa.

They stack, they do not replace each other. GDPR remains fully in force for anything touching personal data. An AI system that processes personal data must comply with GDPR (legal basis, purpose limitation, data minimisation, data subject rights) and the AI Act (risk classification, documentation, human oversight). NIS2, the cybersecurity directive for essential and important entities, touches AI on technical security and incident reporting. In practice you run integrated risk assessments: a DPIA for GDPR, a fundamental rights impact assessment (FRIA) for high-risk public-sector deployers, and a NIS2 risk analysis, all from the same input. For the NIS2 side we partner with nis2-compliant.com.

The Autoriteit Persoonsgegevens (AP) is the lead Dutch market surveillance authority for the AI Act, alongside its existing role as GDPR regulator. The AP runs a dedicated algorithms and AI page with guidelines, FAQ, and sector reports. Key positions: AI literacy is not a formality but a serious obligation, deepfakes without clear labelling are problematic under both GDPR and the AI Act, and automated decision-making with legal effects falls under both article 22 GDPR and article 26 of the AI Act. The AP publishes a quarterly report on algorithmic risks in the Netherlands.

Three tracks, in this order. Track 1, fast picture: AI quickscan of half a day to a day, all AI systems mapped, risk classification, top 3 actions on one page. See also the free AI scanner on /ai-scan for a first impression. Track 2, groundwork: build an AI register, roll out AI literacy training via /ai-training, write the AI policy and internal procedures, integrate with existing GDPR work. Track 3, high risk or large scale: for organisations with real high-risk systems or GPAI builders we propose an implementation track with risk management, technical documentation, human oversight, and post-market monitoring. We work with lawyers via /ai-juridisch and, for finance and admin overlap, with accountants via /ai-accountants.

Waiting is an expensive strategy. Three reasons. One: article 4 (AI literacy) and article 5 (prohibited practices) have been in force since 2 February 2025. If you use AI today without any training or any check on prohibited use, you are already in breach. Two: high-risk implementation realistically takes six to twelve months for risk management, documentation, data quality, and audits. To be compliant on 2 August 2026, you start in early 2026, not in July. Three: customers and suppliers are already asking for evidence. A large buyer procuring an AI component wants documentation, even before full enforcement. Starting costs less than rushing. A one-day quickscan gives you immediate visibility and a prioritised list.