Since April 20 we know who will supervise your AI in the Netherlands. And the first one you should call is probably a name you don't know.
An entrepreneur I know well wanted to find out last week which regulator oversees his AI. Not the Dutch Data Protection Authority, as everyone assumes, but an inspectorate none of us had ever heard of. I understood his confusion.
That is actually a meaningful detail. Since April 20, the proposal is on the table: ten regulators, each for their own sector.
TL;DR
- Ten regulators, two coordinators. On April 20, 2026, the Dutch government opened consultation on the draft AI Act Implementation Act: ten existing regulators each get their own sector, with the Dutch Data Protection Authority (AP) and the Radiocommunications Agency / Digital Infrastructure Inspectorate (RDI) acting as coordinators.
- The RDI is your first call, not the AP. If you don't fit neatly into one sector — the situation for most SMEs — the RDI is the Central Contact Point and the AP is the safety net for high-risk AI without a clear sector.
- Still a proposal, not a law. The consultation ran until June 1 and the bill still has to pass both chambers of parliament — the final division of tasks can still shift.
- The obligations already apply, regardless of the regulator. The regulation itself works directly: AI literacy has been mandatory since February 2025, and the bulk of the rules take effect on August 2, 2026.
- For most SMEs, it's narrow. Two things really matter: making your AI recognisable (transparency) and making your people AI-literate.
What landed on the table on April 20
For a long time, the biggest unknown about the EU AI Act wasn't what needed to happen, but who in the Netherlands would enforce it. That question has now been answered. On April 20, 2026, State Secretary Aerdts, responsible for the Digital Economy and Digital Sovereignty portfolio, sent the draft AI Act Implementation Act (Uitvoeringswet AI-verordening) out for public consultation. Anyone could respond until June 1, after which the bill moves to the House of Representatives and the Senate.
The government deliberately chose not to create one new AI super-regulator. Instead, ten existing regulators each get an additional task, within the domain they already know. The logic behind it is simple: as an entrepreneur, you'll mostly deal with an agency you're already familiar with, rather than a brand-new office you still have to learn to navigate.
Worth holding onto before you panic: this is a proposal, not a law. The final division can still change during parliamentary debate. But the direction is clear, and that is exactly why the old excuse of "nobody knew who was in charge" no longer holds up.
The map: ten regulators at a glance
Below are all ten, with the type of AI each one covers. Two of them, the AP and the RDI, also get a coordinating role on top of their own oversight: they safeguard cooperation and knowledge-sharing between the rest.
| Regulator | What the office covers (AI) |
|---|---|
| Dutch Data Protection Authority (AP) (opens in new window) | Prohibited AI (Art. 5), transparency such as recognisable chatbots and deepfakes (Art. 50), and a large share of the high-risk applications from Annex III (recruitment, education, benefits, law enforcement). Plus the safety net for anything without a clear sector. Coordinator. |
| Digital Infrastructure Inspectorate (RDI) (opens in new window) | Algorithms in telecom and digital infrastructure. Central Contact Point for all your questions. Coordinator. |
| Netherlands Authority for Consumers and Markets (ACM) (opens in new window) | Misleading algorithms and unfair recommendations aimed at consumers. |
| Netherlands Authority for the Financial Markets (AFM) (opens in new window) | AI in financial services, investment advice and asset management. |
| De Nederlandsche Bank (DNB) (opens in new window) | AI at financial institutions, from a prudential-supervision perspective. |
| Netherlands Food and Consumer Product Safety Authority (NVWA) (opens in new window) | AI in products that fall under product safety rules. |
| Netherlands Labour Authority (NLA) (opens in new window) | AI in work equipment and products covered by product safety rules. |
| Health and Youth Care Inspectorate (IGJ) (opens in new window) | AI in medical devices and healthcare. |
| Human Environment and Transport Inspectorate (ILT) (opens in new window) | AI in products and critical infrastructure already falling under ILT. |
| Attorney General at the Supreme Court (PGHR) (opens in new window) | High-risk AI in the judiciary. |
Take a moment to look at it. Most names on this list belong to sectors with heavy, sector-specific rules already: banks, hospitals, food safety, telecom, the judiciary. That's no coincidence. And it explains why the map probably plays out differently for you than you'd expect.
The office nobody knows
In almost every piece of coverage on this topic, attention goes to the Dutch Data Protection Authority. Understandable, since the AP has been the coordinating regulator for algorithms since 2023 and gets the largest share in the proposal: the prohibited AI practices, the transparency rules, and a large part of the high-risk applications.
But look at how the proposal is actually structured, and you see something else. The Digital Infrastructure Inspectorate, the RDI, becomes the Central Contact Point. That's the office where entrepreneurs, politicians and the public can bring their questions. If you're not sure which of the ten applies to you, the RDI is your first call. Not the AP.
And for anything that is high-risk but doesn't fit any clear sector, the AP steps in as the safety net. The honest answer to that entrepreneur's question — who oversees my AI — for an average SME is therefore: probably nobody with a dedicated sector, so the RDI as your contact point with the AP as the backstop. A name almost no entrepreneur knows, and an agency you probably associate mostly with privacy.
I find that telling. The system is built to be recognisable for those who already fall under a regulator, and leaves the entrepreneur who falls in between to search for themselves.
Follow me on LinkedIn
Why nine of the ten probably don't apply to you
Ten regulators sounds like ten times the hassle. For most entrepreneurs, it's really more of a map of sectors you're not in. If you run a marketing agency, a local service business or a webshop, the offices for financial institutions, medical devices, product safety and the judiciary simply don't apply to you.
That follows from how the regulation itself is designed. The rules are risk-based, meaning requirements get heavier as the risk of an AI system increases. The heaviest obligations fall on those who build or deploy high-risk AI, and most SMEs don't. They use ordinary tools, like ChatGPT for text or Copilot in Office. That makes the map considerably less scary than the headline suggests. Whether the regulation applies to your organisation at all is something I cover separately in my EU AI Act guide.
There is one line you do need to draw. If you deploy AI that genuinely decides about people, the picture changes. Think of a system that screens CVs in recruitment, assesses creditworthiness, or determines who gets access to a service. Then you're in the high-risk category, and that part of the AP's mandate does apply directly to you. That's the question to ask yourself: does my AI decide something about a person, or does it merely support my own work?
What actually matters: two things
For the average SME that uses AI but doesn't build it, it comes down to two obligations. No cathedral of compliance — just two things that genuinely apply.
Transparency. Make your AI recognisable. If a chatbot talks to your customers, say it's a bot. If you publish AI-generated images or text, it must be identifiable as such. This falls under Article 50 of the regulation and the AP enforces it. In practice, it's marketing-driven SMEs that trip up here most often, because AI content enters their workflow fastest and most unnoticed.
AI literacy. This obligation already applies, since February 2, 2025, and follows from Article 4. Your people need enough knowledge and understanding to use AI responsibly. I've worked out how to approach this concretely in AI Training Obligation 2026, and in October 2025 the AP translated it into a four-step plan in its guidance "Building further on AI literacy": identify, set goals, execute, and evaluate. I won't repeat all of that here, but the core message is that it's lighter than most entrepreneurs fear.
One thing that's often forgotten: document your approach. Keep a short record of which AI you use, who works with it, and what you do for literacy. Not for the paperwork, but because a lack of literacy can weigh against you if an incident is ever assessed. An internal document of a few pages is enough, as long as you keep it up to date.
If you are in the financial sector, it works a bit differently, since the AFM and DNB share supervision there. I wrote about that division earlier in AI Supervision for Insurers. For everyone else: don't build a heavy compliance track for an obligation that fits on a postcard.
"Not final yet" doesn't mean "you can wait"
Here's the trap. This is a proposal that was in consultation until June 1, and it still has to pass both chambers of parliament. Many entrepreneurs read "not yet final" as "I can still wait." That is exactly the wrong lesson.
The Dutch law only regulates who enforces the rules. The obligations themselves are in the European regulation, and that works directly, regardless of when the Dutch enforcement structure is finalised. The literacy obligation has applied since February 2025. The bulk of the regulation, including the high-risk requirements and the transparency rules, takes effect on August 2, 2026. High-risk AI embedded in regulated products follows on August 2, 2027. Brussels still has a Digital Omnibus in progress that could shift that timeline, so the exact dates aren't set in stone. But the fact that the enforcer hasn't been appointed yet never meant the rules didn't apply yet.
There's also a helping hand in this. From 2026, the AP and the RDI are setting up an AI sandbox, a testing environment where you can trial a risky application under the regulator's guidance before going live. And the direction of the consultation already tells you what to expect. The window to prepare is now.
So the question isn't whether oversight is coming. The question is whether you know your own office before that office knows you.
The entrepreneur who asked me last week who oversees his AI walked away with an answer he didn't expect: probably nobody with a clear sector, so the RDI as his first call and the AP as the backstop. He went quiet for a moment. Not because it was complicated, but because it had stayed foggy for so long and suddenly had a name. That's the real shift in this proposal. The office exists. Now it's your turn.
Sources
- The AP on the new division of tasks and the key role of the AP and RDI (opens in new window)
- The ten regulators listed by sector, Computable (opens in new window)
- Legal analysis of the bill, with the RDI as Central Contact Point, Declercq (opens in new window)
- The phasing and dates of the AI regulation, The Innovative Lawyer (opens in new window)
- The AP's October 2025 guidance on AI literacy, Nederland Digitaal (opens in new window)
