NL·EU AI Act series·Netherlands implementation·Updated April 2026
The EU AI Act in the Netherlands: hybrid supervision, ten authorities deep.
The Dutch model is hybrid by design. Ten market-surveillance authorities share competences across sectors, with Autoriteit Persoonsgegevens (AP) leading on prohibited practices, transparency, and the bulk of high-risk applications. AP and the Rijksinspectie Digitale Infrastructuur (RDI) co-coordinate. The public consultation on the Dutch AI Implementation Act opened 20 April 2026 and runs to 1 June 2026.
The public consultation on the Dutch AI Implementation Act opened on 20 April 2026 and closes 1 June 2026 — the practical window for Dutch deployers, providers, and trade associations to influence how the ten-authority hybrid is operationalised. AP and RDI continue to co-coordinate the network in the meantime.
From 2 August 2026, public bodies in the Netherlands will be required to register high-risk AI systems in the EU database, irrespective of whether the Digital Omnibus on AI delays other high-risk obligations. The Omnibus, in trilogue since 23 March 2026, proposes 2 December 2027 (stand-alone) and 2 August 2028 (embedded) as new high-risk dates.
Who supervises what in the Netherlands
The Netherlands operates a hybrid supervisory model. AP holds horizontal competences over prohibited practices, transparency obligations and the largest share of high-risk applications. RDI handles infrastructure-adjacent supervision and co-coordinates the network. Eight further sectoral authorities hold market-surveillance roles within their domains. The table below reflects the working allocation as of April 2026; the Implementation Act consultation may refine boundaries.
| Authority | Full name / remit | EU AI Act role (April 2026) |
|---|---|---|
| AP | Autoriteit Persoonsgegevens (data protection authority) | Co-coordinator. Prohibited practices, transparency obligations, large share of high-risk applications, GDPR–AI Act overlap. Primary point of contact for cross-sector deployers. |
| RDI | Rijksinspectie Digitale Infrastructuur | Co-coordinator. Infrastructure, telecommunications, radio equipment; technical-conformance supervision in adjacent product law. |
| AFM, DNB | Financial-conduct and prudential supervisors | Sector-specific high-risk AI in financial services: credit scoring, insurance underwriting, anti-fraud, algorithmic trading. Market-conduct conformity overlap. |
| IGJ | Inspectie Gezondheidszorg en Jeugd (health and youth-care inspectorate) | Healthcare AI: clinical decision support, diagnostic AI, ambient documentation; MDR/IVDR overlap with the AI Act conformity route. |
| NLA | Nederlandse Arbeidsinspectie (labour inspectorate) | Workplace AI: emotion recognition prohibition, worker monitoring, automated employment decisions. |
| ACM | Autoriteit Consument en Markt (competition and consumer authority) | Consumer-facing AI, dark-pattern overlap with the Digital Services Act, recommender systems. |
| CvdM | Commissariaat voor de Media | Media, AI-generated content, transparency obligations under Article 50. |
| College voor de Rechten van de Mens | Netherlands Institute for Human Rights | Article 77 fundamental-rights body; non-discrimination supervision on AI-affected decisions. |
| Onderwijsinspectie | Inspectorate of Education | Education-sector AI; admissions and assessment systems, prohibited emotion-recognition use cases in classrooms. |
| ILT | Inspectie Leefomgeving en Transport | Transport, environment, critical infrastructure AI; Annex III overlap. |
Rijksoverheid opened public consultation on the Dutch AI Implementation Act (Uitvoeringswet AI-verordening) on 20 April 2026, closing 1 June 2026. The Act will codify authority designations, fine ceilings, sandbox arrangements, and procedural rules for cooperation between AP, RDI and the eight sectoral authorities. Until adoption, the network operates on a Memorandum of Cooperation rather than statute.
Dutch sector overlays
The substantive Articles 9–15 obligations apply EU-wide. What differs in the Netherlands is the supervisory stack on top. The most common combinations:
| Sector | Dutch regulators on top of the AI Act |
|---|---|
| Healthcare AI | IGJ for clinical AI inspections; CIBG for medical-device registry; AP on patient-data overlap; College ter Beoordeling van Geneesmiddelen on AI-aided drug decisions. MDR/IVDR conformity where the AI is a medical device. |
| Financial services | AFM on conduct (algorithmic trading, recommendation, treating customers fairly); DNB on prudential and AML; AP on customer-data lawful basis. |
| Public administration | From 2 August 2026, public bodies must register high-risk AI in the EU database. The Adviescollege ICT-toetsing reviews algorithmic-decision systems in central government. AP holds horizontal supervision. |
| Workplace AI | NLA on the prohibited-practice line (emotion recognition, biometric categorisation in workplaces). Works-council co-determination under the Wet op de ondernemingsraden often applies in parallel. |
| Logistics and ports | ILT and Havenbedrijven supervise transport-system AI. Critical infrastructure under Annex III(2) where safety components are involved. |
| Media and content | CvdM on Article 50 disclosure for media providers; ACM on platform-side recommender systems and dark patterns. |
Data-protection overlay: UAVG
Dutch AI deployments rarely sit on AI Act obligations alone. The UAVG (Uitvoeringswet Algemene verordening gegevensbescherming) and GDPR remain the operative data-protection regime, and AP supervises both. Common overlaps:
- AI Act Article 10 (data governance) and GDPR Articles 5–6. Lawful basis for training data, purpose limitation, accuracy.
- AI Act Article 13 (transparency) and GDPR Articles 13–14. Information to data subjects on automated decision-making.
- AI Act Article 14 (human oversight) and GDPR Article 22. Meaningful human review of consequential decisions.
- AI Act Article 26 (deployer obligations) and AP-required impact assessments. With care, a single artefact can often cover both.
The SyRI ruling (District Court of The Hague, 2020) and AP’s subsequent guidance on algorithmic governance remain the practical reference for high-risk public-sector deployments.
Regulatory sandbox
Article 57 sandbox provisions are addressed in the draft Dutch AI Implementation Act, with operational launch expected in step with adoption. AP and RDI are the indicated co-administrators. Healthcare deployers can also use IGJ pilot-monitoring arrangements and the CBG Innovative Medicines Office as parallel innovation routes during the interim.