AI regulation goes into effect: work to do for developers and users

The AI Regulation is the world's first comprehensive law on artificial intelligence. The AI Regulation sets out the rules for the responsible development and use of AI by companies, governments and other organizations.

Inventory risks and take action

For developers and users of AI, it is important to quickly identify which AI systems they offer or use and in which risk group that they fall into: are they AI systems that will soon be prohibited, high-risk systems, or low-risk systems? After that, the highest priority is to take action:

1. Banned AI. Developers must take these systems off the market and organizations using them must stop doing so. The provisions on prohibited AI are already in effect as of February 2025. It is also likely that organizations using these systems are already violating laws, such as equal treatment, privacy, or labor laws. As of August 2025, organizations that develop or deploy prohibited AI must expect hefty fines, based on the AI regulation. The AP will continue to clarify which systems do and do not fall under the ban in the coming period.

2. high-risk AI. These systems must meet requirements for risk management, the quality of data used, technical documentation and record keeping, transparency and human oversight, among others. In addition, a seal of approval is mandatory for these systems. Users of AI systems can already inquire with the provider to what extent it is preparing to make the AI system compliant. For public authorities or those performing public tasks, additional requirements sometimes apply, such as performing a "fundamental rights impact assessment. If they fail to meet these requirements, developers may not offer these systems and organizations may not use them.

3. AI with limited risk. For systems intended to interact with individuals or generate content, such as deepfakes, are subject to transparency obligations. If these systems are offered or used, people must be informed about them. Developers must design their systems to do this, and organizations deploying the systems must actually inform people. Users of AI systems would do well to inquire with the provider about the status of these.

Bring AI knowledge up to date

As of February 2025, there is also a requirement that organizations deploying AI systems must have sufficient knowledge about AI. The level of knowledge per employee must match the context in which the AI systems are used and how the systems may affect (groups of) individuals.

For example, the AI knowledge requirement means that an HR employee must understand that an AI system can contain biases or ignore essential information, resulting in an applicant being unfairly nominated or not nominated. 

And a counter clerk at a municipality that uses AI systems to verify the identity of citizens must realize that these systems often do not work equally well for everyone. And that this person therefore absolutely cannot blindly follow the outcomes of these types of AI systems.  

In the coming period, the AP intends to consider with stakeholders ways to improve the level of AI knowledge among organizations.

Supervisors

There is also work to be done for the cabinet. For example, it must quickly become clear which regulators in the Netherlands will be responsible for what part of the supervision of the AI regulation, the Autoriteit Persoonsgegevens AP) and the Rijksinspectie Digitale Infrastructuur (RDI) wrote in June in an opinion.

Want to know more about the steps developers and users need to take to comply with the AI regulation? Read the roadmap. Learn more about current and future risks around AI and algorithms? Read the latest edition of the Report AI & Algorithm Risks Netherlands (RAN).

When does what take effect?