AI Laws and Regulations in the Netherlands: GDPR, AI Act & Safety (2026)

Three laws you need to know

You want to use AI in your business. But what's actually allowed? Which rules apply? And what happens if you get it wrong? In this article, we explain the three most important laws that apply when you work with AI as a Dutch company: GDPR, the EU AI Act, and sector-specific safety regulations. No legal jargon — just clearly explained.

1. GDPR (General Data Protection Regulation)

GDPR has been in effect since 2018 and regulates everything around personal data. As soon as you use AI to process personal data — think of customer names, addresses, emails, social security numbers — GDPR applies. The core rules: you may only process data if you have a legal basis (such as consent or a contract), you must process as little data as possible (data minimization), and you must secure it.

What this means in practice: if you use an AI tool that analyzes customer data, you need to know where that data goes, who has access to it, and how long it's stored.

2. The EU AI Act

The EU AI Act is the world's first AI-specific law and came into effect on August 1, 2024. The law is being phased in. Here's the complete timeline:

• February 2, 2025 — Prohibited AI applications are no longer allowed. All employees using AI must be AI-literate.
• August 2, 2025 — Rules for providers of general purpose AI models (like ChatGPT, Claude, Gemini).
• August 2, 2026 — Full obligations for new high-risk AI systems. Transparency obligations for AI communicating with people.
• August 2, 2027 — All rules fully in effect, including AI in regulated products (medical devices, machinery, toys).
• August 2, 2030 — Existing high-risk AI systems at government organizations must comply by this date.

3. Sector-specific rules

In addition to GDPR and the AI Act, some sectors have additional rules. Healthcare has the WGBO, the financial sector has the Wft, and the legal sector has professional secrecy rules. If you deploy AI in these sectors, you must account for this additional legislation.

Risk classes of the AI Act — where does your application fall?

The AI Act works with four risk classes. The higher the risk, the stricter the rules.

• Unacceptable risk (prohibited) — AI systems that manipulate people, apply social scoring, or conduct untargeted biometric surveillance. Prohibited since February 2025.
• High risk — AI in critical applications like medical diagnostics, credit assessment, personnel selection and law enforcement. Strict requirements: risk analysis, human oversight, technical documentation.
• Limited risk (transparency obligations) — AI systems communicating with people, like chatbots. You must clearly indicate users are dealing with AI.
• Minimal risk — Most SME AI applications: spam filters, AI text generation, process automation. No specific AI Act requirements, but GDPR still applies for personal data.

What should you do as an SME right now?

Five concrete steps to ensure your AI use stays within the rules.

• 1. Map which AI you use — Create an overview of all AI tools your company uses. Per tool: what data goes in, where does it go, and who is the provider?
• 2. Determine the risk level — Use the AI Regulation Decision Aid from the Ministry of the Interior to determine the risk class per application.
• 3. Ensure AI literacy — Since February 2025, employees working with AI must have sufficient knowledge.
• 4. Check your processing agreements — If you use an AI tool that processes personal data, you need a processing agreement with the provider.
• 5. Document your choices — Record why you use which AI tool, what risks you've identified and what measures you've taken.

What are the fines?

The AI Act has fines up to 35 million euros or 7% of global annual turnover for the most serious violations. GDPR has fines up to 20 million euros or 4% of turnover. The Dutch Data Protection Authority is increasingly active in enforcement.

Useful sources and tools

Various official sources help you understand and apply the rules:

• Dutch Data Protection Authority — AI Regulation — Supervisor, risk classes, rules. autoriteitpersoonsgegevens.nl/themas/algoritmes-ai/ai-verordening
• Digital Government — AI Regulation — Government overview of the AI regulation. digitaleoverheid.nl/overzicht-van-alle-onderwerpen/artificiele-intelligentie-ai/ai-verordening
• Algorithm Framework MinBZK — Decision aid, timeline, requirements and tools. minbzk.github.io/Algoritmekader/ai-verordening
• Entrepreneurs Portal — AI Act — Rules per sector for entrepreneurs. ondernemersplein.overheid.nl/wetten-en-regels/ai-act
• AI Regulation Guide (PDF) — Comprehensive government guide. open.overheid.nl/documenten/8d7b5ccb-41fc-4d92-a4c2-a7fa81e66bfb/file

How AIFAIS handles this

At AIFAIS, we build AI solutions that are GDPR-proof by design. That means: data minimization, local processing where possible, processing agreements with all AI providers, and transparency to your customers about AI use.

An example: our case analysis tool for lawyers anonymizes all personal data locally in the browser, before the document goes to the AI. The AI never sees real names or addresses.

Want to use AI within the rules?

We're happy to help. In a process scan, we map which AI applications are suitable for your business — and how to do it within the regulations. Contact us at aifais.com/contact.