Responsible AI Platform

AI Act supervision in the Netherlands: who enforces what and who can issue fines

ยทยท11 min read

Picture this: your organisation uses an AI system for customer acceptance and a letter arrives about compliance with the AI Act. Who signed it? The Dutch Data Protection Authority, a sectoral regulator you already know, or the European Commission in Brussels? For board members and compliance leads this is not an academic question. Knowing the supervisory landscape tells you whose expectations apply and where enforcement priorities will sit.

The direct answer: in the Netherlands, AI Act supervision is being organised around the Autoriteit Persoonsgegevens (AP, the Dutch Data Protection Authority) as the coordinating algorithm and AI regulator and the Rijksinspectie Digitale Infrastructuur (RDI, the Dutch Authority for Digital Infrastructure) for the technical side, while existing sectoral regulators such as the AFM, DNB, the Health and Youth Care Inspectorate and the Inspectorate of Education keep supervising AI within their own sectors. For providers of general-purpose AI models (GPAI), the regulator is not Dutch at all: the European Commission, through the AI Office, has exclusive supervision. The formal designation of the Dutch regulators runs through the Dutch AI Act implementation bill (Uitvoeringswet AI-verordening), which the government put out for consultation in April 2026. In short: the architecture is clear, but the legal basis for national fines was not yet finalised as of July 2026.

The supervisory landscape at a glance

For readers who want the map before the tour:

  • Autoriteit Persoonsgegevens (AP): coordinating algorithm and AI supervision, intended regulator for the prohibited practices and for domains without a clear sectoral regulator.
  • Rijksinspectie Digitale Infrastructuur (RDI): intended coordinator for the technical side, market surveillance for product-related AI and a central role towards conformity assessment bodies.
  • Sectoral regulators (AFM, DNB, health and education inspectorates, among others): AI supervision within their existing sectoral mandates.
  • European Commission / AI Office: exclusive supervision of GPAI model providers, with fining powers of up to 3 percent of worldwide annual turnover or 15 million euros.

Below I walk through each player, including what is already settled and what still has to happen.

The AP: coordinating algorithm regulator

The AP has been the Netherlands' coordinating algorithm regulator since January 2023. Within the AP, the Directorate for the Coordination of Algorithms (DCA) does this work: it maps algorithm risks in the Netherlands, periodically publishes the Dutch AI and Algorithm Risks Report, and aligns with other regulators. That coordinating role predates the AI Act becoming applicable and exists independently of any formal designation under the regulation.

Under the intended AI Act structure, the AP gains an enforcement role on top of this. The government wants to designate the AP as the regulator for the prohibited AI practices of Article 5, which have applied since 2 February 2025, and as the fallback regulator for areas of application where no clear sectoral regulator exists, with a dedicated AI officer within the AP. Think of AI in recruitment at organisations that do not fall under any sectoral regulator. The practical translation for boards: if your AI use touches personal data, profiling or decisions about people, the AP is likely to become your first point of contact. The AP can also already act today through the GDPR, with fines issued by the regulator, wherever AI systems process personal data unlawfully. That route is entirely separate from the AI Act and works right now.

The RDI: the technical pillar

The RDI is the second anchor. It has long carried out market surveillance of digital and radio equipment and knows the world of CE marking, technical standards and conformity assessment from the inside. That is exactly the world the AI Act activates: high-risk AI systems will have to pass conformity assessment, and each member state must designate and notify the bodies allowed to perform those assessments.

Under the intended structure, the RDI becomes the coordinator for the technical aspects of AI supervision and the central authority for notifying conformity assessment bodies. Together with the AP, the RDI also launched an AI regulatory sandbox in 2026, where organisations can test AI systems and receive guidance from the regulators. For providers of high-risk systems working towards 2 December 2027 (the postponed date for standalone Annex III high-risk systems), the RDI is the regulator to watch.

Sectoral regulators keep their own turf

The Netherlands has deliberately not created a brand-new AI regulator. The starting point is that AI supervision should follow existing sectoral supervision wherever possible. For practitioners that is good news: the regulator your sector already knows remains the face of enforcement.

Financial sector: AFM and DNB

For banks, insurers, pension providers and investment firms, the AFM and DNB remain the natural regulators, including for AI. They already scrutinise algorithms in credit acceptance, risk models and customer processes, and do so alongside existing frameworks such as DORA, which has applied to digital resilience since 17 January 2025. Creditworthiness assessment of natural persons and risk assessment for life and health insurance are, moreover, listed as high-risk use cases in Annex III of the AI Act.

Healthcare: the Health and Youth Care Inspectorate

The Inspectorate supervises medical devices under the MDR. AI that qualifies as a medical device, or as a safety component of one, and that requires notified body conformity assessment falls under the AI Act's Annex I regime, which will apply to those embedded systems from 2 August 2028. The Inspectorate is and remains the sectoral regulator there.

Education: the Inspectorate of Education

AI used for admission, assessment and monitoring of students appears in Annex III as high-risk. The Inspectorate of Education is the obvious regulator for educational institutions and keeps that role in the intended structure.

Brussels keeps GPAI to itself: the Commission and the AI Office

For one important category, supervision does not run through The Hague at all. Providers of general-purpose AI models, such as the large language models, fall under the exclusive supervision of the European Commission, exercised through the AI Office. Those obligations have applied since 2 August 2025; from 2 August 2026 the Commission can also actually impose fines on model providers, up to 3 percent of worldwide annual turnover or 15 million euros (Article 101). Models already on the market before 2 August 2025 benefit from a transition period until 2 August 2027.

For most Dutch organisations this is indirectly relevant: if you merely use or build on GPAI models, the AI Office will not knock on your door, but you do have a stake in your suppliers meeting their model obligations. Factor that into procurement and contracting.

The Dutch implementation bill: what is settled and what is not

The AI Act obliges member states to designate national competent authorities (Article 70) and to lay down penalty rules (Article 99). The Netherlands does this through the Uitvoeringswet AI-verordening. The government put the bill out for public consultation on 20 April 2026; it gives the AP and the RDI the coordinating roles described above and makes the AP, with a dedicated AI officer, the regulator for domains without a clear sectoral supervisor.

Be precise here, because this distinction determines who can send the letter:

  • Already settled: the European obligations themselves. Prohibited practices have applied since 2 February 2025, the AI literacy obligation of Article 4 likewise, GPAI obligations since 2 August 2025, and the transparency obligations of Article 50 take effect on 2 August 2026. The fining framework is also in the regulation itself: up to 35 million euros or 7 percent of worldwide annual turnover for prohibited practices, up to 15 million euros or 3 percent for most other obligations. And the AI Office can enforce against GPAI providers from 2 August 2026, entirely independent of Dutch legislation.
  • Still pending in the implementation bill: the formal designation of the Dutch regulators and their national fining powers. Until the bill is adopted, a Dutch regulator cannot yet impose a fine under the AI Act. That is a delay of the letter, not a waiver of the duty: the obligations apply regardless, and the AP can already act through the GDPR wherever personal data is at stake.

What this means for boards

So the question "who sends the letter" has a layered answer: your own sectoral regulator where one exists, otherwise the AP, the RDI where technical conformity is concerned, and the European Commission if you provide GPAI models yourself. The sensible sequence for now: first map your AI systems (see the guide on the AI inventory and register), determine each system's risk class with the AI Act Explorer, and organise your governance so you can tell every regulator the same story. The sharpest deadline is not the supervisory structure itself but Article 50: transparency obligations for chatbots and AI-generated content, among others, take effect on 2 August 2026. Organisations that want help translating this supervisory landscape into a concrete governance approach can turn to Embed AI.

Frequently asked questions about AI Act supervision in the Netherlands

Sources

EUR-Lex: Regulation (EU) 2024/1689 (AI Act) (accessed July 2026)
European Commission: AI Act Service Desk: application timeline (accessed July 2026)
Government of the Netherlands: Kabinet zet stap met toezicht op Europese AI-regels (accessed July 2026)
Autoriteit Persoonsgegevens: Toezicht op AI wordt concreet: sleutelrol voor de AP en de RDI (accessed July 2026)
Rijksinspectie Digitale Infrastructuur: Toezicht op AI: balans tussen veiligheid en innovatie (accessed July 2026)

โš–๏ธ Referenced Legislation