The AI Act is no longer a future problem
Brussels negotiated for years, in 2024 the EU AI Act was adopted as Regulation 2024/1689, and since 2 February 2025 the first obligations have been in force. For an SME in the Netherlands that means: from now on there are prohibitions, from now on mandatory AI literacy for your staff, and from 2026 to 2027 heavier requirements if you use or build high-risk AI. The law is no longer a 2027 agenda item. It's here, and your organisation will almost certainly have to deal with it.
This article explains it without legal jargon. For the full overview with tools and checklists see /ai-act. Want to know quickly where you stand? Take the self-scan at /ai-act-checker.
The law is no longer a 2027 agenda item. It's here, and your organisation will almost certainly have to deal with it.
The AI Act in a few sentences
The AI Act is the first broad AI legislation in the world. The approach is risk-based: not every application gets the same rules, the obligations depend on what the AI does and where it is used. The law applies to anyone offering AI on the EU market or using it in the EU. So also to American vendors selling here, and to a Dutch company that deploys external AI in its operations.
Two roles you need to keep straight. A provider is the party that makes the AI or puts it on the market. A deployer is the party that uses the AI inside its organisation. Most SMEs are deployers. Only organisations that themselves put AI models or AI systems on the market are providers.
The four risk categories
The law has four categories, rising in severity.
1. Unacceptable risk (prohibited, since 2 February 2025). Applications that violate fundamental rights. Examples: social scoring by governments, real-time biometric surveillance in public spaces without strict exceptions, manipulative AI aimed at vulnerable groups, emotion recognition in the workplace or in education (with exceptions for medical or safety purposes). SMEs rarely brush up against this, but it's important to know the ban so you know when to stay away.
2. High risk (obligations from August 2026). AI with direct consequences for people, their rights or safety. Examples: AI in recruitment and selection, AI in credit decisions, AI in educational assessment, AI in medical diagnostics, AI in critical infrastructure. This category comes with an extensive package: risk management, dataset quality control, technical documentation, transparency to users, human oversight, robustness, accuracy and cybersecurity. Using AI in your HR process or customer screening? Then this chapter matters most to you.
3. Limited risk (transparency obligations). AI that interacts with people (chatbots, voicebots) must make clear that it is AI. AI-generated content (deepfakes, manipulated text, images) must be recognisable as such. Do you run a chatbot, an AI voice reception, or publish AI content? Get that transparency in place now.
4. Minimal risk (no specific obligations). The vast majority of AI applications fall here: spam filters, AI in search engines, product recommendations, AI features in office software. No specific obligations under the AI Act, but the general duty (art. 4) of AI literacy for your people still applies.
The timeline: what is now and what is still coming?
| Date | What kicks in |
|---|---|
| 2 August 2024 | AI Act published in the EU Official Journal |
| 2 February 2025 | Prohibitions and AI literacy (art. 4) in force |
| 2 August 2025 | Rules for general-purpose AI (GPAI providers) |
| 2 August 2026 | Obligations for high-risk AI in force |
| 2 August 2027 | Remaining obligations (notably existing high-risk) in force |
For SMEs, August 2026 is the pivot date. From then on the heavy obligations for high-risk AI apply, and enforcement starts in phases.
Article 4: AI literacy is now mandatory
The most concrete thing that has applied to every business since February 2025: article 4 of the AI Act. Every organisation that deploys AI (provider or deployer) has to make sure its staff and involved external parties have "a sufficient level of AI literacy". There is no size threshold. A ten-person SME using ChatGPT falls under this duty just as much as a multinational running agent systems.
What does that mean in practice? Your staff need to know what AI is, how it works at a high level, what the risks are (hallucinations, bias, data leak risk) and how to use it responsibly. Higher-risk applications need deeper training, for office use a basic introduction is enough. Document what you do: training sessions, policy, prompts and guidelines. If a regulator ever comes knocking, you want to be able to show that you have it in order.
For the practical training side see /ai-training. Want to go deeper on article 4? Read AI Act art. 4 for SMEs.
What can you do now? (six steps for SMEs)
Step 1: Inventory where you use AI. Not only ChatGPT and Copilot, also AI features in tools you already had (Hubspot, Salesforce, Mailchimp, recruitment software, customer service tools). Make a list per department.
Step 2: Categorise per application. For each application: minimal, limited, high or unacceptable risk? In most cases you sit in minimal or limited. Check for high risk in HR (selection), credit assessments, educational evaluation, healthcare outcomes or customer scoring.
Step 3: Get transparency in place for limited risk. Chatbot? Make clear it's AI. Voicebot? Same. AI-generated marketing content at a scale where your audience needs to know? Label it.
Step 4: Train your staff. A basic AI literacy training for everyone who uses AI. Record attendance and content. Typically 90 minutes interactive, with sector examples, prompt basics, risks and internal policy.
Step 5: Write down your policy. A short internal AI policy document: which tools are allowed, which data is or isn't in scope, when to escalate to IT, what to do in an incident. Keep it concise (two or three pages) and keep it current.
Step 6: Plan for 2026. Are there high-risk applications in your stack? Start now on technical documentation, dataset controls and the governance structure you need to have in place by August 2026.
What the AI Act means per sector (in practice)
The law looks abstract, but in client conversations the same sector-specific questions keep coming back. Four common scenarios and what they mean concretely.
HR and recruitment. Are you using AI to screen CVs, score candidates or automatically pre-select? That's high-risk. From August 2026: document your dataset (which examples train the system, how you safeguard against unintended discrimination), ensure human oversight on every rejection, and inform candidates that AI is in the process. Many ATS vendors (Werken bij, Recruitee, Greenhouse) offer helper features here, but as the deployer you stay responsible.
Healthcare. AI in diagnostics, treatment advice or triage is high-risk. A GP practice using a chatbot to intake symptoms quickly falls into this category if the output feeds into decisions in the consulting room. Approach: technical documentation of the AI system, clinical validation, human oversight firmly embedded in the process, and transparency to the patient.
Legal and accountancy. AI that generates legal or tax advice falls under generative AI with transparency requirements, not automatically under high-risk. But professional accountability for the outcome stays with the adviser. Practical: always use AI output as a draft, run a professional check, and inform clients about AI use in your workflow. For accountants see also AI for accountants.
Education. AI for student assessment, exam grading or admission decisions is high-risk. For teaching support (a student chatbot, an AI tutor) you're in limited risk with transparency requirements. For a focused walkthrough per education step see AI in education.
How enforcement works in the Netherlands
In the Netherlands multiple regulators are involved. The Dutch Data Protection Authority (AP) is the coordinating market regulator, with sector-specific authorities alongside it: DNB for finance, IGJ for healthcare, the Inspectorate of Education for education, ACM for consumer affairs. The fines are steep: up to 35 million euro or 7% of worldwide turnover for prohibited AI practices, and lower but still significant up to 15 million or 3% of turnover for other breaches.
Practically this means for SMEs: enforcement really begins from 2026 on high-risk, and in 2025 regulators are communicating mostly through guidelines and outreach. But waiting until you get a letter is not a strategy, it's procrastination. The catch-up push public bodies will make is predictable. Whoever gets their documentation in order now will have peace of mind later.
How DataDream helps
DataDream supports Dutch SMEs on four concrete points.
1. Compliance scan. A structured inventory of your AI use and a per-application classification. Result: a risk overview and a priority list. Start with /ai-act-checker for a first self-scan.
2. AI literacy training. Live or online, 90 minutes or half a day, with sector examples from your world. Includes attendance list and certification for your records. See /ai-training.
3. AI policy and governance. A workable internal AI policy document, a role division (DPO, AI lead, decision-makers) and escalation paths. Fits your existing compliance work without stalling the process. See /ai-strategie.
4. Setting up control measures. For high-risk applications: technical documentation, monitoring, incident response and an audit trail. Bespoke per application.
Waiting until you get a letter is not a strategy, it's procrastination.
An honest summary
The AI Act is not a reason for SMEs to panic, but it is a reason to get the basics in order now. AI literacy is mandatory, transparency to chatbot users is mandatory, and if you deploy AI in HR or customer scoring you have until August 2026 to get the heavier obligations in place. Whoever has done nothing by 2026 risks fines (up to 35 million euro or 7% of worldwide turnover for the most serious breaches) and reputational damage.
Start small. A compliance scan, a training, a policy document. That's the minimum. For the wider context (which obligations, which deadlines, which sectors) see /ai-act. For a free self-scan see /ai-act-checker. Want help with the execution? Book a free call.
Curious what AI can do for your business?
Take the free AI Scan and find out in 1 minute.
Frequently asked questions
- What is the AI Act?
- The AI Act (Regulation 2024/1689) is the first broad AI law in the world. Its approach is risk-based: obligations scale with what the AI does and where it is used. The law applies to anyone offering AI on the EU market or using AI in the EU, so it also covers Dutch SMEs that deploy external AI.
- What do you need to do right now under the AI Act?
- From 2 February 2025 article 4 applies: AI literacy. Every organisation that deploys AI, including an SME with ten employees using ChatGPT, must make sure staff know what AI is, what the risks are and how to use it responsibly. Document your training and policy. Chatbots and AI-generated content must be recognisable as such.
- When do the heavy obligations kick in?
- 2 August 2026 is the pivot date: that is when the obligations for high-risk AI apply (such as AI in recruitment, credit provision, medical diagnostics or educational assessment). If you use AI in HR or customer scoring, you have until then to get risk management, documentation and human oversight in order.
- What are the fines under the AI Act?
- Up to 35 million euros or 7% of worldwide turnover for prohibited AI practices, and lower but still substantial (up to 15 million or 3% of turnover) for other violations. Enforcement on high-risk applications really starts from 2026; in 2025 regulators focus mostly on awareness and issuing guidelines.
