What is AI regulation in Belgium?
AI regulation: countries and regions
AI regulation in Belgium is mainly the EU AI Act, applied directly in Belgium, together with GDPR, product, consumer, employment and sector-specific rules. Belgium does not rely on one standalone national AI code for general use. Instead, the Federal Public Service Economy coordinates AI Act implementation, the Belgian Data Protection Authority remains central where personal data is involved, and Belgium's federal, regional and community structure means several public bodies can matter at once.
What this means
In practice, if you build, buy, deploy or sell AI in Belgium, the first question is usually not "what is the Belgian AI law?" but "which EU AI Act rules apply, and which Belgian authorities may become relevant?" That is because the AI Act is an EU regulation, not a directive, so it applies directly in Belgium without the usual transposition model.
Belgium is still distinctive. It has a federal constitutional structure, so powers relevant to AI, especially economy, employment, scientific research and some forms of public supervision, are spread across federal, regional and community levels. Belgium has already published its list of fundamental-rights authorities for certain high-risk AI uses, but its broader national AI Act governance set-up has been described by Belgian official sources as still being put in place.
Belgium also matters beyond its own market. Brussels is one of the official seats of the EU institutions, so Belgium is closely connected to the institutions that make, interpret and operationalise the EU AI rulebook.
Why it matters
This matters because organisations in Belgium cannot treat AI compliance as a narrow privacy issue or as a future-only problem. Some AI Act provisions already apply, and the rest arrive in phases. If your AI touches recruitment, education, credit, essential services, public administration, biometrics or law enforcement, the regulatory burden rises sharply.
It also matters because Belgium's institutional structure can make responsibility less obvious than in a more centralised state. A business may need to think about the EU AI Act, the Belgian Data Protection Authority, labour or economic inspection, regional or community bodies, and ordinary sector law at the same time. For buyers and governance leads, that means supplier diligence, role-mapping and internal accountability need to happen before deployment, not after a complaint or an audit.
How it works
The main rulebook is the EU AI Act
Belgium's core cross-sector AI rules come from Regulation (EU) 2024/1689, the EU AI Act. Because it is a regulation, it applies directly in Belgium. The Act uses a risk-based model and places different duties on providers, deployers, importers, distributors and authorised representatives. Belgian official guidance presents this as the main horizontal framework for AI, with GDPR and other existing laws continuing to apply alongside it where relevant.
The timing is phased. Under the original AI Act text, general provisions and the prohibited-practices rules started to apply in February 2025. Governance, sanctions and general-purpose AI model rules followed in August 2025. Most of the AI Act, including the main Annex III high-risk regime, applies from 2 August 2026, though this date may be deferred for some high-risk uses under the EU simplification (Digital Omnibus) package that was politically agreed in 2026 but not yet finalised in amending legislation. Product-linked high-risk AI under Annex I Section A follows later, and some legacy public and large-scale systems have longer deadlines.
Belgium is implementing the Act through institutions, not through one new stand-alone code
Belgian official materials say the Federal Public Service Economy, SMEs, Self-employed and Energy handles the general coordination of AI Act implementation in Belgium. That does not mean it is the only body that matters. The AI Act itself requires national competent authorities, including at least one notifying authority and at least one market-surveillance authority, and Belgian official guidance has stated that the broader national governance framework is still being set up.
This is important operationally. If you are trying to understand who supervises a particular AI use, the answer may depend on the role you play, the sector you are in, whether the system is high-risk, whether personal data is involved, and whether a sectoral authority already exists under other law.
Belgium's federal structure changes the implementation picture
Belgium is a federal state. The Regions have powers relating to the economy, employment, energy, transport, environment, foreign trade and scientific research in those fields. That matters for AI because many real deployments sit inside those policy areas. Even when the AI Act itself is EU law, the surrounding supervision, innovation policy, labour questions and administrative practice may be spread across levels of government.
So Belgium's AI regulation is not just a single federal story. It is an EU regulation operating inside a constitutionally shared Belgian governance model. For organisations, that means mapping not just legal duties, but also which Belgian public bodies may have a say.
The Belgian Data Protection Authority remains central where AI uses personal data
Where an AI system processes personal data, GDPR remains fully relevant in Belgium, and the Belgian Data Protection Authority remains a key institution. The Authority has published dedicated guidance on AI systems and the GDPR, explaining how familiar data-protection principles such as lawfulness, fairness, transparency, data minimisation, accuracy, security, accountability and data-subject rights apply in an AI context.
That is a major practical point. A system can be outside the strictest AI Act category and still trigger serious GDPR work. Conversely, an AI Act compliance exercise that ignores data protection will be incomplete if personal data is used for training, inferencing, monitoring, logging or user interaction.
Belgium has already published its Article 77 fundamental-rights authorities
One concrete implementation step is already visible. The AI Act requires Member States to identify the national public authorities or bodies that protect fundamental rights in relation to certain high-risk AI systems listed in Annex III. Belgium has published that list.
The list is revealing because it is multi-level. It includes federal bodies, Brussels-level bodies, Flemish bodies, French Community bodies, Walloon bodies and German-speaking Community bodies. It also expressly includes the Belgian Data Protection Authority. In other words, Belgium has already acknowledged that fundamental-rights supervision for high-risk AI will not sit neatly in a single office.
For organisations, that means a high-risk AI deployment in Belgium may create exposure not only to a market-surveillance question, but also to scrutiny from a rights-protection authority whose ordinary mandate already covers privacy, equality, labour, ombuds, media, social inspection, migration or related public-law concerns.
High-risk AI uses trigger the heaviest practical duties
Belgian official guidance explains that AI systems become high-risk in two main ways. One route is where AI is a safety component of a regulated product or is itself such a product. The other is where the intended purpose falls into one of the sensitive Annex III areas, such as biometrics, critical infrastructure, education, employment, access to essential private or public services, law enforcement, migration, or justice and democratic processes.
For providers, Belgium's official guidance highlights the usual core package: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity, quality management, conformity assessment, EU declaration of conformity, CE marking and registration in the EU database where required. Deployers also have duties. They must use the system in line with instructions, ensure competent human oversight, and in workplace settings inform workers' representatives and affected workers before high-risk AI is used.
Standards and conformity assessment matter in Belgium too
Belgian users sometimes assume the technical side of AI compliance is for Brussels or for large manufacturers only. That is not right. Even in Belgium, the operational path to compliance for high-risk systems will run through European harmonised standards, conformity assessment and documentation rules.
Belgian official guidance points to harmonised standards being prepared at EU level and explains why they matter. If a provider follows harmonised standards once they are recognised, that can support a presumption of conformity. If a third-party conformity assessment is required, notifying authorities and notified bodies become part of the picture. So even though the standards are European rather than specifically Belgian, they are part of what AI regulation in Belgium looks like in practice.
Brussels gives Belgium unusual significance in AI governance
Belgium matters in AI regulation not only because Belgian organisations must comply, but also because Brussels is a core EU law-making and governance centre. Brussels is one of the official seats of the EU institutions. The European Council and the Council of the European Union sit in Brussels, and the European Commission operates there as a main executive body of the Union.
That has at least two practical implications. First, Belgium is a natural venue for ongoing AI Act guidance, coordination and stakeholder engagement. Second, organisations working with EU institutions in Brussels should remember that EU institutions are not supervised in exactly the same way as ordinary Belgian bodies. Under the AI Act framework, EU institutions, bodies and agencies fall under the European Data Protection Supervisor for market-surveillance purposes, not under Belgian national enforcement simply because they are located in Brussels.
Examples
A Belgian HR services firm using an AI tool to analyse CVs is not just buying software. In Belgian official guidance, employment and workforce management sit inside the high-risk map. If the tool falls within the high-risk regime, the deployer must use it according to instructions, make sure human oversight is carried out by trained and authorised people, and inform workers' representatives and affected workers before workplace use.
A Belgian company can also be pulled into AI regulation even when it did not build the model. The Federal Public Service Economy's entrepreneur guide gives the example of a Belgian firm acting as an authorised representative, a formal point of contact that handles documentation and communication with competent authorities for a provider based in the United States. The same guide also gives the example of a Belgian importer placing a non-EU AI application on the Union market.
A Brussels-based body may not always be supervised by Belgian authorities merely because it is in Belgium. If the user is an EU institution, body or agency located in Brussels, the relevant AI Act market-surveillance role sits with the European Data Protection Supervisor. That is a useful reminder that Belgium's importance as the EU's institutional hub creates a different supervisory map for entities operating inside the EU institutional sphere.
Common misunderstandings
A common misunderstanding is that Belgium needs a classic national transposition law before the AI Act really matters. It does not. The AI Act is an EU regulation, so it applies directly.
Another is that Belgian AI regulation is basically just GDPR. GDPR is critical where personal data is involved, but it is not the whole picture. The AI Act, product law, consumer law, employment law and sector-specific rules can all matter as well.
Another mistake is to think only developers are regulated. The AI Act also gives duties to deployers, importers, distributors and authorised representatives, and Belgian official guidance is explicit about that.
Another is to assume that buying an AI tool off the shelf removes responsibility. It does not. Deployers still have usage, oversight and incident-related duties, especially for high-risk systems.
A final misunderstanding is that all Brussels-based AI users fall under Belgian national supervision. EU institutions in Brussels are a notable exception, because the European Data Protection Supervisor has a specific AI Act role for them.
Risks and boundaries
Belgian AI regulation is not a single-agency, single-statute field. It is a layered system combining directly applicable EU law, Belgian public authorities, and ordinary sector rules. That makes simple checklists risky when the deployment involves employment, public services, essential services, health, education, biometrics or large-scale data processing.
There is also a live institutional boundary to keep in mind. Belgium has already published its Article 77 fundamental-rights authorities, but Belgian official guidance has also said that the broader national AI Act governance framework is still being put in place. That means some parts of the enforcement map are clearer than others.
Another boundary is that the AI Act does not displace all older law. A compliant AI Act position will not remove duties under GDPR, anti-discrimination law, labour law, public-law obligations or product-safety law. Nor does a privacy impact exercise automatically answer AI Act questions about classification, conformity assessment, CE marking or registration.
Finally, this area is still developing through guidance, standards and institutional designation. The architecture is durable, but some operational details, especially around competent authorities, standards and supervision pathways, can still shift.
What to do next
Start by building a clear inventory of AI uses that touch Belgium, including tools bought from third parties. Record the intended purpose, the business owner, the data used, the users affected and whether the tool sits in employment, education, essential services, public administration or another sensitive area.
Then map your role. You may be a provider, deployer, importer, distributor or authorised representative, and the duties differ. Do not assume that being "just the customer" removes responsibility.
Where personal data is involved, treat the Belgian Data Protection Authority's guidance as part of the baseline. Review lawful basis, transparency, data minimisation, rights handling, logging, security and accountability alongside the AI Act.
For high-risk candidates, ask for the actual compliance record, not marketing claims. That means technical documentation, conformity-assessment pathway, CE marking position, registration status where applicable, human-oversight design, post-market monitoring plan and incident handling.
Finally, assign owners inside the business. In Belgium that usually means legal, privacy, procurement, information security, HR or sector teams working together, because the Belgian institutional map is shared and a narrow compliance owner will miss important duties.
FAQs
Does Belgium have its own general AI Act separate from the EU AI Act?
Not as the main cross-sector rulebook. Belgium's main general framework comes from the EU AI Act, which applies directly, plus Belgian and EU rules on privacy, products, employment, consumers and specific sectors.
Which Belgian authority coordinates AI Act implementation?
Belgian official sources say the Federal Public Service Economy, SMEs, Self-employed and Energy is responsible for the general coordination of AI Act implementation in Belgium.
Is the Belgian Data Protection Authority the only relevant AI regulator?
No. It is central where personal data is involved and it is one of Belgium's Article 77 fundamental-rights authorities, but AI regulation in Belgium can also involve other national, regional and community bodies.
Do Belgian Regions and Communities matter for AI regulation?
Yes. Belgium's constitutional structure matters because powers relevant to AI, including economy, employment and scientific research in those fields, are split across levels of government.
When do the main EU AI Act rules apply in Belgium?
The Act applies in phases. Some provisions already apply, including the prohibited-practices regime. Under the original timetable, most of the main regime applies from 2 August 2026 (a date that may shift for some high-risk uses under the pending EU Digital Omnibus simplification package), with some later deadlines for specific categories.
If I use an AI tool at work but did not build it, can I still have duties?
Yes. Belgian official guidance is clear that deployers have duties, especially for high-risk systems. These include proper use, human oversight, and in workplace cases advance information to workers' representatives and affected workers.
Why does Brussels make Belgium especially important in AI regulation?
Because Brussels is one of the official seats of the EU institutions and hosts core EU law-making and executive bodies. That gives Belgium an unusual practical position in the day-to-day development and coordination of EU AI governance.
Are EU institutions in Brussels supervised by Belgium under the AI Act?
Not in the ordinary national way. For AI Act market-surveillance purposes, EU institutions, bodies and agencies fall under the European Data Protection Supervisor.