# EU AI Act: the complete guide for organisations

The EU AI Act (Regulation (EU) 2024/1689) is the world's first broad AI law. It classifies AI systems by risk and attaches obligations accordingly: the higher the risk, the stricter the rules. The law applies directly in the Netherlands and affects almost every organisation that builds, buys or uses AI.

Last updated: 2 July 2026. By Marc Diks.

## TL;DR

- The EU AI Act sorts AI into four risk levels: prohibited, high risk, limited risk and minimal risk. Your obligations depend on that level and on your role (provider or deployer).
- The timeline shifted in 2026. Through the Digital Omnibus, definitively adopted on 29 June 2026, the heavy high-risk obligations only start on 2 December 2027 (Annex III) and 2 August 2028 (Annex I).
- The transparency obligation in Article 50 still takes effect on 2 August 2026. Chatbots, deepfakes and AI-generated content fall under it.
- The highest fines run up to 35 million euros or 7% of worldwide annual turnover. In the Netherlands ten regulators enforce the law, with the AP and the RDI in the central role.
- The biggest mistake is waiting for 2027. The postponement gives you time to get your AI inventory and governance in order.

## Key facts

- The AI Act is Regulation (EU) 2024/1689 and entered into force on 1 August 2024. Source: EUR-Lex, https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Prohibited practices (Art. 5) and the AI literacy duty (Art. 4) have applied since 2 February 2025. Source: AI Act Service Desk, European Commission, https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
- Obligations for general-purpose AI models (Art. 51-55) have applied since 2 August 2025. The voluntary GPAI Code of Practice was published on 10 July 2025 by the AI Office.
- The transparency obligation (Art. 50) takes effect on 2 August 2026 and is not postponed.
- The Digital Omnibus on AI was definitively adopted by the Council on 29 June 2026, after endorsement by the European Parliament on 16 June 2026. Publication in the Official Journal follows in July 2026. Source: European Commission, https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
- Via the Omnibus, high-risk Annex III shifts to 2 December 2027 and Annex I to 2 August 2028. Source: Gibson Dunn, https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
- The highest fine is 35 million euros or 7% of worldwide annual turnover (Art. 99, prohibited practices).
- In the Implementing Act for the AI Regulation (consultation April 2026) the Netherlands opts for ten market regulators, with the AP and the RDI central. Source: Dutch Data Protection Authority, https://www.autoriteitpersoonsgegevens.nl/actueel/toezicht-op-ai-wordt-concreet-sleutelrol-voor-de-ap-en-de-rdi

## What is the EU AI Act and why now?

The EU AI Act is a European regulation that sets requirements for developing and using AI systems. The premise: not all AI carries the same risk, so not all AI gets the same rules. The law uses a risk pyramid and places the heaviest burden on applications that can affect people the most.

The AI Act entered into force on 1 August 2024. The obligations arrive in phases. The prohibited practices and the AI literacy duty have applied since 2 February 2025, and the rules for general-purpose AI models since 2 August 2025. The rest follows through to 2028.

The topic is urgent now for three reasons: the transparency obligation takes effect on 2 August 2026, the fines run up to 7% of worldwide turnover, and Dutch enforcement is becoming concrete with the designation of ten regulators.

## Who does the EU AI Act apply to?

The law applies to almost every organisation that works with AI, but the obligations depend on your role.

A provider develops an AI system and places it on the market under its own name. Providers carry the heaviest burden: conformity assessment, technical documentation, risk management and registration. A deployer uses an AI system under its own responsibility. That burden is lighter but real: use in line with instructions, human oversight, monitoring and logging.

Note Article 25: if you substantially modify a purchased high-risk system, or place it on the market under your own brand, you may become a provider yourself. The law also reaches beyond the EU, as soon as AI services or their output are used in the EU.

## The four risk levels

The risk pyramid determines your obligations. From high to low:

- Unacceptable risk: prohibited (Art. 5). Since 2 February 2025. Examples: social scoring, subliminal manipulation, untargeted scraping of faces, emotion recognition at work or school. From 2 December 2026 a ban is added on nudifier apps (non-consensual intimate imagery and child abuse material).
- High risk: strict requirements (Art. 9-15, Annex III). Among others recruitment, credit scoring, essential services, education, biometrics, critical infrastructure, law enforcement and migration. Requirements: risk management, data quality, documentation, logging, human oversight, robustness, plus conformity assessment, CE marking and registration.
- Limited risk: transparency obligation (Art. 50). Chatbots, deepfakes and synthetic content must be recognisable as AI.
- Minimal risk: no extra obligations. Spam filters, recommendation systems, AI in games.

## The timeline after the Digital Omnibus

The original timeline was adjusted in 2026. In November 2025 the European Commission proposed the Digital Omnibus on AI, because standards and regulators were running late. The European Parliament endorsed it on 16 June 2026, and the Council gave definitive approval on 29 June 2026. The new dates become fully binding upon publication in the Official Journal in July 2026; the amendment enters into force three days after publication.

| Date | What takes effect | Status |
|---|---|---|
| 1 August 2024 | AI Act enters into force | In force |
| 2 February 2025 | Prohibited practices (Art. 5) and AI literacy (Art. 4) | In force |
| 2 August 2025 | General-purpose AI models (Art. 51-55), governance, penalty provisions | In force |
| 2 August 2026 | Transparency obligation (Art. 50), full GPAI enforcement, market surveillance | Unchanged |
| 2 December 2026 | Watermarking duty for existing generative systems and ban on nudifier apps | New via Omnibus |
| 2 August 2027 | National AI sandboxes and existing general-purpose AI models | Shifted |
| 2 December 2027 | High-risk Annex III (standalone systems) | Postponed from 2 Aug 2026 |
| 2 August 2028 | High-risk Annex I (embedded in products) | Postponed from 2 Aug 2027 |

The architecture of the law has not changed. The Omnibus shifts deadlines and clarifies rules, but leaves the risk-based approach intact. Starting in 2026 is the smartest move: the inventory work takes months, regardless of the final standards.

## Which obligations do you have?

- AI literacy (Art. 4): has applied since 2 February 2025 to every organisation that uses AI. Ensure staff have enough AI knowledge. The Omnibus softened this to a duty to actively promote literacy.
- Transparency (Art. 50): from 2 August 2026. Chatbots must disclose themselves, and AI content must be recognisable and marked in a machine-readable way. For existing systems, a grace period for the watermarking duty applies until 2 December 2026.
- High-risk requirements (Art. 9-15): risk management, data quality, documentation, logging, human oversight, security, conformity assessment. From 2 December 2027.
- General-purpose AI models (Art. 51-55): since August 2025. Technical documentation, copyright policy, summary of training data, and extra requirements for models with systemic risk.

Difference between provider and deployer:

| Obligation | Provider | Deployer |
|---|---|---|
| Conformity assessment and CE | Yes | No |
| Technical documentation | Yes | No (but keep it) |
| Risk-management system | Yes | Partly |
| Human oversight | Design facilitates | Yes, in practice |
| Keep logs | Yes | Yes |
| Monitoring and incident reporting | Yes | Yes |
| Fundamental rights assessment (FRIA) | No | Yes, in certain cases |
| Transparency towards those affected | Yes | Yes |

## Fines and supervision in the Netherlands

| Type of breach | Maximum fine |
|---|---|
| Prohibited practices (Art. 5) | 35 million euros or 7% of worldwide annual turnover |
| High-risk and transparency | 15 million euros or 3% of worldwide annual turnover |
| Incorrect information to regulators | 7.5 million euros or 1% of worldwide annual turnover |

In each case the higher of the two amounts applies. For small businesses and start-ups the lower applies.

In the Implementing Act for the AI Regulation (consultation April 2026) the Netherlands opts for a hybrid model with ten market regulators. The RDI is the national point of contact and coordinates. The AP coordinates supervision of fundamental rights and AI with personal data, and is the default regulator where there is no sectoral party.

| Domain | Primary regulator |
|---|---|
| Fundamental rights and AI with personal data | Dutch Data Protection Authority (AP) |
| National point of contact and coordination | Dutch Authority for Digital Infrastructure (RDI) |
| Financial sector | DNB and AFM |
| Product safety | NVWA, NLA and inspectorates |
| Healthcare | NZa and IGJ sphere |
| Consumer protection | ACM |

In the financial sector the division of tasks follows the Twin Peaks model: DNB looks at business operations, the AFM at conduct and products. In 2026 the AP and RDI set up an AI sandbox.

## How do you approach AI Act compliance?

A five-step process. Inventory first, because without an inventory you cannot classify.

1. Map all AI. Create a central AI register with purpose, supplier, data flows and responsible person. Include self-purchased tools (shadow AI).
2. Classify each system by risk level. Review this quarterly.
3. Determine your obligations per system and per role. With personal data this runs alongside the GDPR.
4. Set up measures and documentation: human oversight, logging, monitoring, and for high-risk a risk analysis and fundamental rights assessment.
5. Set up oversight and review. Appoint someone responsible, record a reporting process, review periodically.

## The biggest misconceptions

- Misconception: the AI Act is postponed, so I do not have to do anything. In reality only part of the high-risk obligations is postponed. Transparency, prohibited practices and AI literacy apply as normal.
- Misconception: the law only applies to tech companies. In reality it applies to every organisation that uses AI, including when buying in.
- Misconception: if I buy in AI, the supplier is responsible. In reality, as a deployer you carry your own duties, and via Article 25 you may become a provider yourself.
- Misconception: the AI Act does not apply outside the EU. In reality what counts is where the effect lands, not where the server sits.
- Misconception: compliance is an IT project. In reality it is a governance question, because liability lies with leadership.

## Frequently asked questions

**Does the EU AI Act also apply to small businesses?**
Yes, because the risk level counts, not your company size. There are reliefs, though: the simplified rules were extended via the Omnibus to organisations with up to 750 employees and 150 million euros in turnover. Many small businesses need to do little, unless they use AI for decisions about people.

**When exactly does the EU AI Act take effect?**
The law entered into force on 1 August 2024 and arrives in phases. Prohibited practices and AI literacy have applied since February 2025, and rules for general-purpose AI models since August 2025. The transparency obligation takes effect on 2 August 2026. The heavy high-risk obligations have been shifted to 2 December 2027 (Annex III) and 2 August 2028 (Annex I).

**What are the fines for breaching the AI Act?**
The highest fines apply to prohibited AI practices: up to 35 million euros or 7% of worldwide annual turnover. For high-risk and transparency it is up to 15 million euros or 3%. For incorrect information to regulators up to 7.5 million euros or 1%. For small businesses the lower of the two amounts applies.

**Who supervises the AI Act in the Netherlands?**
The Netherlands opts for a hybrid model with ten market regulators. The RDI is the national point of contact and coordinates; the AP coordinates supervision of fundamental rights and AI with personal data. DNB and the AFM supervise the financial sector, and the NZa supervises healthcare. The implementing act was still in consultation in mid-2026.

**What is the difference between a provider and a deployer?**
A provider develops an AI system and places it on the market, with the heaviest obligations. A deployer uses an AI system under its own responsibility, with lighter but real duties such as human oversight, monitoring and logging. You can change from deployer into provider if you substantially modify a system.

**Does a chatbot on my website fall under the EU AI Act?**
Yes, a chatbot falls under the transparency obligation in Article 50. You must make clear that visitors are communicating with an AI system. AI-generated content must be recognisable. This obligation takes effect on 2 August 2026.

**What is the Digital Omnibus and what does it change?**
The Digital Omnibus on AI is a package of amendments to the AI Act, definitively adopted on 29 June 2026. The main change is the postponement of the high-risk obligations to 2027 and 2028. There is a ban on nudifier apps, the rules for SMEs are broadened, and the interaction with existing product legislation is clarified. The risk-based approach remains unchanged.

## Sources

- Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Timeline for implementation of the EU AI Act, AI Act Service Desk (European Commission): https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
- Digital Omnibus on AI (European Commission): https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
- Supervision of AI, key role for AP and RDI (Dutch Data Protection Authority): https://www.autoriteitpersoonsgegevens.nl/actueel/toezicht-op-ai-wordt-concreet-sleutelrol-voor-de-ap-en-de-rdi
- EU Council final approval Digital Omnibus (29 June 2026): https://ieu-monitoring.com/editorial/eu-council-gives-final-approval-to-ai-act-simplification-under-omnibus-vii/1244434
- EU AI Act Omnibus Agreement, postponed deadlines (Gibson Dunn): https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
- Association of Insurers asks for clarity on AI supervision of insurers (Dutch Association of Insurers): https://www.verzekeraars.nl/publicaties/actueel/verbond-vraagt-om-duidelijkheid-over-ai-toezicht-op-verzekeraars

Canonical: https://www.marcdiks.nl/eu-ai-act
Author: Marc Diks