It is Tuesday morning and the data protection officer finds a letter from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) in the inbox. The regulator is investigating the use of algorithms in application assessments and asks the organisation to provide, within four weeks, an overview of the AI systems in use, the risk assessments performed and the safeguards in place. Whoever has to start taking inventory at that point is already too late. Whoever has a file on the shelf answers the letter within a week.
The direct answer to the question of which documents you must be able to show: an up-to-date AI inventory, a documented AI Act risk classification per system with reasoning, the corresponding DPIAs (and, from December 2027, FRIAs where applicable), documentation of transparency measures under Article 50, evidence of AI literacy measures under Article 4, supplier files with contractual arrangements and conformity information, and the governance decisions showing who made which judgement and when. This is not a paperwork exercise: it is essentially the question list regulators use in practice.
Why regulators ask, and what is already happening
In the Netherlands, the AP acts as the coordinating supervisor for algorithms and AI and periodically publishes its report on AI and algorithm risks. It also conducts concrete investigations into algorithm use by public bodies and companies, from fraud detection to automated customer scoring. In April 2026 the Dutch government submitted the implementing bill for the AI Act, which assigns supervision to the AP and the Dutch Authority for Digital Infrastructure (RDI), among others. The formal designation runs through that bill, but in practice the AP is not waiting: information requests about algorithms already happen today, often based on the GDPR.
That last point matters for every DPO and compliance officer, in the Netherlands and elsewhere in the EU. An information request does not have to carry the label "AI Act inspection". A GDPR investigation into automated decision-making, a complaint from a data subject or a sector-wide inquiry can touch the same documents. The file you build for the AI Act is largely the same file you need under the GDPR. Build it once, properly.
The file in seven parts
1. The AI inventory
Everything starts with a complete and current overview of the AI systems and algorithms your organisation uses, including shadow usage such as personal ChatGPT accounts and AI features switched on inside existing software. Per system, record: purpose, user group, supplier, data flows, and whether the system influences decisions about people. Without an inventory, every other regulator question is unanswerable. How to set up and maintain that inventory is covered in our guide on the AI inventory and register.
2. Risk classification with reasoning
Each system in the inventory needs an AI Act classification: prohibited practice, high risk, transparency risk under Article 50, or minimal risk. The reasoning is what counts. "We concluded this is not high risk" convinces no regulator; a documented assessment against the Annex III categories with a date, an assessor and arguments does. Mind the current timeline: obligations for standalone high-risk systems under Annex III apply from 2 December 2027, and for AI embedded in regulated products under Annex I from 2 August 2028. The prohibited practices have been enforceable since 2 February 2025, with fines through the supervisory authority of up to 35 million euros or 7 percent of worldwide turnover. The full timeline and risk ladder are in our AI Act Explorer.
3. DPIAs and, later, FRIAs
If an AI system processes personal data with a likely high risk to individuals, a DPIA under Article 35 GDPR is already mandatory today. In practice this is the first document a regulator requests, and the most common gap. The fundamental rights impact assessment (FRIA) under Article 27 AI Act follows the high-risk timeline and becomes relevant from 2 December 2027 for public bodies and providers of essential services, among others. A smart move is to combine DPIA and FRIA elements in one assessment format now: the overlap is substantial and you avoid duplicate work.
4. Article 50: transparency measures, the sharpest deadline
Article 50 takes effect on 2 August 2026 and has not been postponed. From that date you must be able to demonstrate that users know they are interacting with AI (chatbots), that synthetic content is marked in a machine-readable way, and that deepfakes and AI-generated text on matters of public interest are visibly labelled. For systems already on the market before 2 August 2026, a transition period for the watermarking obligation runs until 2 December 2026. Document the measure taken per relevant system, with screenshots and configuration evidence. This is the part an information request in the autumn of 2026 will almost certainly ask about.
5. Article 4: evidence of AI literacy
Article 4 has applied since 2 February 2025 and requires that staff deploying AI have a sufficient level of AI literacy. Do not treat this as a sanction risk with its own fine, but as a building block of demonstrable human oversight (Article 14) and as concrete risk reduction: trained staff recognise flawed output and escalate in time. For the file this means: a training plan tailored to roles and systems, participation records and ideally assessment results. Platforms such as LearnWize are built for exactly this: training plus an evidence file in one.
6. Supplier files
Most organisations are deployers, not providers. Their file then revolves around what has been agreed and recorded with suppliers: contractual arrangements on intended use, instructions for use, data processing agreements, and (for future high-risk systems) the provider's conformity information. A regulator wants to see that you did not take the supplier's word for it but tested the claims. If you want to use certification as an evidence anchor, read how ISO 42001 and the AI Act relate in ISO 42001 versus the EU AI Act.
7. Governance decisions and the accountability trail
The closing piece is the decision trail: who owns AI governance, which policies were adopted and when, which systems were approved or rejected, and how incidents are reported and followed up. Minutes, decision logs and an adopted AI policy show that compliance is an ongoing process rather than a one-off action. This part often sets the tone of an investigation: an organisation that demonstrably steers its AI use is treated differently from one that improvises.
What if the file does not exist yet
Then start in the order the regulator itself uses: first the inventory, then the classification, then the assessments and measures per system. Expect a few weeks of lead time for a first workable version in a mid-sized organisation. Keep an eye on the Digital Omnibus: the political agreement of May 2026 was endorsed by the European Parliament but has not yet been published in the Official Journal, so treat the shifted dates as the working assumption and the obligations already in force (prohibited practices, Article 4, and from 2 August 2026 Article 50 and GPAI enforcement) as hard. Organisations that want to approach this in a structured way, from inventory to inspection-ready file, can turn to Embed AI for a guided approach with a fixed timeline.
The regulator's letter may never come. But the file you build for it is exactly the file that gives you internal grip on your AI landscape. That is the real return.