What is the EU AI Act and why now?
The EU AI Act is a European regulation that sets requirements for developing and using AI systems. The premise is simple: not all AI carries the same risk, so not all AI gets the same rules. A spam filter and an AI that screens job applicants do not fall into the same category. The law uses a risk pyramid and places the heaviest burden on the applications that can affect people the most.
The AI Act entered into force on 1 August 2024. The obligations arrive in phases, spread across several years. The prohibited practices and the duty to make your staff AI-literate have applied since 2 February 2025. The rules for general-purpose AI models (think of the large language models behind ChatGPT) have applied since 2 August 2025. The rest follows through to 2028.
Why is this urgent now, despite a partial postponement? For three concrete reasons. The transparency obligation still takes effect on 2 August 2026, so if you run a chatbot or AI content on your site, you will deal with it this year. The fines are steep: up to 7% of your worldwide turnover for the most serious breaches. And enforcement in the Netherlands is becoming concrete: the implementing act designates ten regulators that will be able to impose fines.
What I see here at the boardroom table: most boards underestimate this not because the rules are unclear, but because AI does not behave like one contained project. AI is spread across your whole organisation: in customer service, in HR, in fraud detection, in the tool an employee installed themselves yesterday. The compliance question is therefore first an inventory question. You can only classify what you have mapped. That is the work you need to start on now, not in 2027.
Who does the EU AI Act apply to?
The AI Act applies to almost every organisation that works with AI, but not every organisation has the same obligations. That depends on your role. The law distinguishes two main roles, and the difference determines how heavy your burden is.
A provider develops an AI system, or has it developed, and places it on the market under its own name. Providers carry the heaviest burden: conformity assessment, technical documentation, a risk-management system and registration. A deployer uses an AI system under its own responsibility, for example by using a purchased tool for CV screening. That burden is lighter, but not zero: use in line with the instructions, human oversight, monitoring and keeping logs.
Watch out for a pitfall in the role split. If you substantially modify a purchased high-risk system, or put it on the market under your own brand, you may become a provider yourself under Article 25, with all the obligations that entails. "We only buy it in" is therefore not always a valid reassurance.
The law also reaches beyond the EU. If you supply AI services from another country to users in the EU, or if the output of your system is used in the EU, you fall under the rules. That makes the AI Act, like the GDPR, a law with a long arm.
Whether the law applies to your specific organisation, and at which risk level, deserves its own answer. Work through the four concrete criteria in the separate guide, does the AI Act apply to my organisation?, which also includes a self-check per situation.
The four risk levels, from prohibited to minimal
The heart of the AI Act is the risk pyramid. Every AI system falls into one of four levels, and that level determines your obligations. The higher up the pyramid, the stricter the rules and the smaller the group of systems that fall under it.
- Unacceptable risk, prohibited (Art. 5): e.g. social scoring, subliminal manipulation, nudifier apps
- High risk, strict requirements (Art. 9-15, Annex III): e.g. recruitment, credit scoring, biometrics, education
- Limited risk, transparency obligation (Art. 50): e.g. chatbots, deepfakes, AI-generated content
- Minimal risk, no extra obligations: e.g. spam filters, recommendation systems, AI in games
Unacceptable risk: prohibited. These applications are not allowed in the EU, as of 2 February 2025. Think of social scoring by governments, subliminal manipulation, the untargeted scraping of faces from the internet for recognition databases, and emotion recognition in the workplace or in education. With the Digital Omnibus, a ban was added on AI that creates non-consensual intimate imagery or child abuse material, the so-called nudifier apps. That ban takes effect on 2 December 2026.
High risk: strict requirements. This is the category with the most obligations, and it is broader than many people think. Annex III lists, among others, AI for recruitment and selection, credit scoring, access to essential services, education and examination, biometrics, critical infrastructure, law enforcement and migration. For these systems the requirements from Articles 9 to 15 apply: risk management, data quality, technical documentation, logging, human oversight, robustness and cybersecurity. On top of that come a conformity assessment, CE marking and registration in an EU database.
Limited risk: transparency obligation. Systems that communicate with people or generate content fall under Article 50. The core: you must make clear that someone is dealing with AI. A chatbot must disclose that it is a chatbot, and AI-generated or manipulated content (deepfakes, synthetic images, audio and video) must be recognisable as such. For most organisations this is the category that will bite first.
Minimal risk: no extra rules. The vast majority of AI applications fall here: spam filters, recommendation systems, AI in games. Here the law imposes no extra obligations. Voluntary codes of conduct are encouraged, but not mandatory.
The timeline after the Digital Omnibus: which deadline applies now?
This is the part where the most outdated information circulates, so pay close attention here. The original timeline was adjusted in 2026. In November 2025 the European Commission proposed the Digital Omnibus on AI, because the harmonised standards and the designation of regulators were running late. After a failed negotiation round at the end of April, the institutions reached an agreement in early May 2026. The European Parliament endorsed it on 16 June 2026, and the Council gave definitive approval on 29 June 2026.
An important nuance: the new dates only become fully binding once the Omnibus appears in the Official Journal of the EU. That happens in July 2026, after which it enters into force three days later. The definitive adoption has taken place, so this is the timeline you plan on now. The table below is the current state of play.
| Date | What takes effect | Status |
|---|---|---|
| 1 August 2024 | AI Act enters into force | In force |
| 2 February 2025 | Prohibited practices (Art. 5) and AI literacy (Art. 4) | In force |
| 2 August 2025 | Obligations for general-purpose AI models (Art. 51-55), governance and penalty provisions | In force |
| 2 August 2026 | Transparency obligation (Art. 50), full enforcement over general-purpose AI models, market surveillance | Unchanged, going ahead |
| 2 December 2026 | Watermarking duty for existing generative systems and the new ban on nudifier apps | New via Omnibus |
| 2 August 2027 | Deadline for national AI sandboxes; existing general-purpose AI models must comply | Shifted |
| 2 December 2027 | High-risk obligations for standalone systems (Annex III) | Postponed from 2 Aug 2026 |
| 2 August 2028 | High-risk obligations for AI embedded in regulated products (Annex I) | Postponed from 2 Aug 2027 |
The architecture of the law has not changed. The Omnibus shifts deadlines and clarifies rules, but leaves the risk-based approach intact. What does happen: more time for the heaviest high-risk requirements, while the transparency obligation stays on its original date. That distinction is the core of your planning.
Why starting now is still the smartest move, despite the postponement: the work itself does not get easier with time. The hard part of AI Act compliance is not filling in a documentation template. The hard part is finding every AI system in your organisation, deciding which category it falls into, and keeping that current as new systems appear. That work does not depend on the final standards. I developed this reasoning further in why you should start on the AI Act now.
Which obligations do you have exactly?
Your obligations depend on three things: the risk level of your system, your role, and whether you work with general-purpose AI models. Below are the four obligations that apply to most organisations this year or next.
AI literacy (Article 4). This is the most underrated obligation, because it has applied since 2 February 2025 and touches every organisation that uses AI. You must ensure that the people who work with AI have enough knowledge to do so responsibly. The Omnibus softened the wording to a duty to actively promote AI literacy with appropriate measures. The enforcement powers for this apply from August 2026. What this means in concrete terms for your organisation is set out in the AI training obligation of 2026.
Transparency (Article 50). From 2 August 2026 you must make clear when people are dealing with AI. Chatbots must disclose themselves. AI-generated content must be recognisable, and generative systems must mark their output in a machine-readable way, for example with a watermark. For systems that were already on the market before August 2026, a grace period until 2 December 2026 applies for that watermarking duty. I worked out the technical side of this, with standards like C2PA and SynthID, in how to fight insurance fraud with watermarks. For voice and chatbots the disclosure obligation is extra relevant, as in voice AI in customer service.
High-risk requirements (Articles 9-15). If you fall into the high-risk category, the heavy burden arrives: a risk-management system, high data quality, technical documentation, logging, human oversight and strong security. Providers also carry out a conformity assessment and register the system. These requirements only take effect on 2 December 2027, but the preparation takes months.
General-purpose AI models (Articles 51-55). Providers of general-purpose AI models have had obligations since August 2025 around technical documentation, a copyright policy and a summary of the training data. For the heaviest models there are extra requirements around systemic risk. The voluntary Code of Practice, published by the AI Office on 10 July 2025, gives providers a practical path to compliance.
The difference between provider and deployer determines how many of these obligations rest on you. The table makes that concrete.
| Obligation | Provider | Deployer |
|---|---|---|
| Conformity assessment and CE marking | Yes | No |
| Draw up technical documentation | Yes | No (but keep it) |
| Risk-management system | Yes | Partly, within own use |
| Set up human oversight | Design facilitates it | Yes, in practice |
| Keep logs | Yes | Yes |
| Monitoring and incident reporting | Yes | Yes, towards provider and regulator |
| Fundamental rights assessment (FRIA) | No | Yes, in certain cases |
| Transparency towards those affected | Yes | Yes |
Fines and supervision: who enforces in the Netherlands?
The fines under the AI Act are high enough to keep a board awake. They are tiered: the most serious category of breaches gets the highest maximum fine. The percentages below are of worldwide annual turnover, and each time the higher of the two amounts applies. For small businesses and start-ups the lower of the two applies instead, so the fine stays proportionate.
| Type of breach | Maximum fine |
|---|---|
| Prohibited practices (Art. 5) | 35 million euros or 7% of worldwide annual turnover |
| High-risk and transparency obligations | 15 million euros or 3% of worldwide annual turnover |
| Incorrect or misleading information to regulators | 7.5 million euros or 1% of worldwide annual turnover |
Enforcement is arranged at the European level but organised nationally. In the Implementing Act for the AI Regulation, which went into consultation in April 2026, the Netherlands opts for a hybrid model with ten market regulators. Each regulator supervises within its own domain, so that as much as possible you deal with a party you already know.
Two regulators get the central role. The RDI (Dutch Authority for Digital Infrastructure) is the national point of contact and coordinates. The Dutch Data Protection Authority (AP) coordinates supervision of fundamental rights and of AI that processes personal data, and becomes the default regulator where there is no clear sectoral party. The AP thereby becomes almost a horizontal linchpin in AI supervision, without formally being the AI authority.
| Domain | Primary regulator |
|---|---|
| Fundamental rights and AI with personal data | Dutch Data Protection Authority (AP) |
| National point of contact and coordination | Dutch Authority for Digital Infrastructure (RDI) |
| Financial sector (banks, insurers) | DNB and AFM |
| Product safety | NVWA, NLA and other inspectorates |
| Healthcare | Dutch Healthcare Authority (NZa) and the IGJ sphere |
| Consumer protection | Authority for Consumers and Markets (ACM) |
What I see from insurance: in the financial sector the division of tasks is drawn along the existing Twin Peaks model. DNB looks at business operations, the AFM at conduct and products. The Dutch Association of Insurers asked for clarity about that division. Rightly so, but in my experience the division of tasks is not the real brake on AI at insurers. That is a knowledge problem, not a supervision problem. I worked that out in AI supervision at insurers. In 2026 the AP and RDI are also setting up an AI sandbox, where you can test your systems and get guidance.
How do you approach AI Act compliance?
Compliance is not a one-off project you tick off, but a process you set up. The order below works in practice, and the first step is by far the most important: without an inventory you cannot classify anything.
The five steps, in order: map all AI, classify per system, determine obligations, measures and documentation, oversight and review.
Step 1: map all AI. Create a central AI register. Note per system the purpose, the supplier or model, the data flows and the person responsible. Include the tools employees have purchased themselves, because that shadow AI also falls under the law. The inventory is the real work. Everything else builds on it. Why blocking shadow AI does not work is set out in blocking shadow AI does not work, and which users you encounter in your organisation in the four AI users in your organisation.
Step 2: classify each system. Determine the risk level per system: prohibited, high, limited or minimal. Be honest here, because the high-risk category is broader than it looks at first glance. Do not do this once. Review it every quarter, because your AI use changes continuously.
Step 3: determine your obligations. Link the corresponding duties to each classified system, and mind your role. Are you a provider or a deployer? If you process personal data, this runs directly alongside your GDPR obligations. How AI and customer data come together is set out in uploading customer data to AI.
Step 4: set up measures and documentation. Arrange human oversight, logging, monitoring and the required documentation. For high-risk systems that includes a risk analysis, and where it touches fundamental rights a fundamental rights assessment. Do this in phases, with the first deadlines as your guide.
Step 5: set up oversight and review. Appoint someone responsible, record a reporting process and review the whole periodically. Governance is not a document but a routine. Why this is a board task and not an IT task is set out in the blind spot in the boardroom.
Compliance checklist
- Central AI register set up, including self-purchased tools?
- Each system classified by risk level?
- Your role determined per system (provider or deployer)?
- AI literacy of staff arranged (Art. 4)?
- Transparency set up for chatbots and AI content (Art. 50)?
- Person responsible appointed and reporting process recorded?
The biggest misconceptions about the EU AI Act
Misconception: the AI Act is postponed, so I do not have to do anything yet. In reality only part of the high-risk obligations is postponed. The transparency obligation, the prohibited practices and the AI literacy duty apply as normal, partly since 2025. And the inventory work takes months, regardless of the deadline.
Misconception: the law only applies to tech companies. In reality the law applies to every organisation that uses AI, even if you only buy in tools. If you use AI for decisions about people, such as recruitment or credit scoring, you quickly end up in the high-risk category.
Misconception: if I buy in AI, the supplier is responsible. In reality, as a deployer you carry your own obligations: human oversight, monitoring and logging. And if you substantially modify a purchased high-risk system, you may become a provider yourself under Article 25.
Misconception: the AI Act does not apply outside the EU. In reality the law also reaches parties outside the EU, as soon as their AI services or the output thereof are used in the EU. As with the GDPR, what counts is where the effect lands, not where the server sits.
Misconception: compliance is an IT project. In reality it is a governance question. Liability lies with leadership, and the choices about which AI you deploy and accept belong at the boardroom table, not only with the tech department.
Frequently asked questions
Does the EU AI Act also apply to small businesses?
Yes, the law also applies to SMEs, because the risk level of your AI use counts, not your company size. There are reliefs, though: the simplified rules for small businesses were extended via the Omnibus to organisations with up to 750 employees and 150 million euros in turnover. In practice many small businesses need to do little, unless they use AI for decisions about people.
When exactly does the EU AI Act take effect?
The law entered into force on 1 August 2024 and arrives in phases. Prohibited practices and AI literacy have applied since February 2025, rules for general-purpose AI models since August 2025. The transparency obligation takes effect on 2 August 2026. The heavy high-risk obligations have been shifted via the Digital Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I).
What are the fines for breaching the AI Act?
The highest fines apply to prohibited AI practices: up to 35 million euros or 7% of worldwide annual turnover, whichever is higher. For breaches of high-risk and transparency obligations it is up to 15 million euros or 3%. For providing incorrect information to regulators it is up to 7.5 million euros or 1%. For small businesses the lower of the two amounts applies.
Who supervises the AI Act in the Netherlands?
The Netherlands opts for a hybrid model with ten market regulators. The RDI is the national point of contact and coordinates, the AP coordinates supervision of fundamental rights and AI with personal data. In the financial sector DNB and the AFM supervise, in healthcare the NZa, and there are sectoral inspectorates for product safety. The implementing act that arranges this was still in consultation in mid-2026.
What is the difference between a provider and a deployer?
A provider develops an AI system and places it on the market, and carries the heaviest obligations such as conformity assessment and documentation. A deployer uses an AI system under its own responsibility, and has lighter but real duties such as human oversight, monitoring and logging. You can change from deployer into provider if you substantially modify a system.
Does a chatbot on my website fall under the EU AI Act?
Yes, a chatbot falls under the transparency obligation in Article 50. You must make clear that visitors are communicating with an AI system and not a human. If you publish AI-generated content, it must be recognisable. This obligation takes effect on 2 August 2026 and is the first concrete AI Act deadline for many organisations.
What is the Digital Omnibus and what does it change?
The Digital Omnibus on AI is a package of amendments to the AI Act, definitively adopted on 29 June 2026. The main change is the postponement of the high-risk obligations to 2027 and 2028. There is also a ban on nudifier apps, the rules for SMEs are broadened, and the interaction with existing product legislation is clarified. The law's risk-based approach remains unchanged.
Go deeper
This guide is the hub. I develop the topics below in more depth in separate articles.
Around the law itself: does the AI Act apply to my organisation? answers the scope question with four criteria. The AI training obligation of 2026 is about the AI literacy duty from Article 4. Why you should start now explains why the postponement is no reason to wait.
Around governance and the board: the blind spot in the boardroom on why AI is a board task, open source AI as a governance necessity on supplier choices, and AI due diligence in acquisitions on AI risk in transactions.
Around AI use in your organisation: blocking shadow AI does not work and the four AI users in your organisation on inventory, and uploading customer data to AI on the overlap with the GDPR.
Around transparency and insurance: AI supervision at insurers on the role of DNB and AFM, watermarks against insurance fraud on C2PA and SynthID, and voice AI in customer service on the disclosure obligation for voice bots.
Want to quickly find out whether your AI use falls under the law and what you need to arrange? Use the AI Act Impact Scanner.
About Marc Diks
I have worked in insurance for more than 25 years and sit at the boardroom table on AI strategy. I look at AI through the lens of risk, governance and customer trust, and I build AI applications in production myself. That combination means I do not see AI regulation as an abstraction, but as something you have to embed in your processes. More about my background is on the about page.
Want my view on AI and governance in your inbox every week? Subscribe to the newsletter. Want to spar about AI Act compliance in your organisation? Get in touch.
Sources
- Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex: eur-lex.europa.eu
- Timeline for implementation of the EU AI Act, AI Act Service Desk (European Commission): ai-act-service-desk.ec.europa.eu
- Digital Omnibus on AI, proposal and explanation (European Commission): digital-strategy.ec.europa.eu
- Supervision of AI becomes concrete, key role for AP and RDI (Dutch Data Protection Authority): autoriteitpersoonsgegevens.nl
- EU Council final approval of the Digital Omnibus (29 June 2026), overview: ieu-monitoring.com
- EU AI Act Omnibus Agreement, analysis of postponed deadlines (Gibson Dunn): gibsondunn.com
- Association of Insurers asks for clarity on AI supervision of insurers (Dutch Association of Insurers): verzekeraars.nl