What is AI regulation in the Netherlands?
AI regulation: countries and regions
As of 6 June 2026, AI regulation in the Netherlands is mainly the EU AI Act, applied directly, plus existing Dutch and EU rules such as data protection, administrative and sector law, and Dutch public-sector governance tools. The Netherlands was still finalising its national enforcement setup through a draft implementing law. In practice, the Autoriteit Persoonsgegevens, sector regulators, the government Algorithm Register and the IAMA already shape how AI and algorithms are governed and scrutinised.
What this means
The Netherlands does not have a separate, self-contained national AI code that replaces EU law. The core binding rules come from the EU AI Act. Those rules already ban certain practices, require AI literacy, and impose duties on providers of general-purpose AI models. Most deployer, transparency and high-risk obligations arrive in later phases.
Dutch law still matters because someone has to supervise, investigate and enforce those duties nationally. As of 6 June 2026, the Dutch implementing law was still in draft form after public consultation. The proposed model uses existing regulators rather than one new AI agency, with a strong role for the Autoriteit Persoonsgegevens, or AP, and the Rijksinspectie Digitale Infrastructuur, or RDI.
The Dutch public sector also has its own accountability layer. Through the national Algorithm Register, the Algorithm Framework and the IAMA, Dutch authorities have built a transparency and rights-assessment practice that goes beyond the simple question of whether a tool falls into the EU AI Act's most tightly regulated category.
Why it matters
For organisations operating in the Netherlands, the practical question is not only whether they "use AI". It is which legal role they play, which Dutch authority they may face, what evidence they must keep, and whether their system touches people in a way that triggers transparency, human oversight or rights-assessment duties.
That matters most for public bodies, providers of public services and suppliers selling into government. In those settings, a system may need more than a vendor questionnaire. It may need internal AI literacy work, a data protection assessment, a fundamental rights impact assessment, a clear human review process, public disclosure through the Algorithm Register, and documentation that can withstand sector-specific supervision.
It also matters because the Dutch system is not built around one general AI regulator. A bank, a municipality, a medical device supplier and a ministry may all face different combinations of AP, AFM, DNB, RDI, IGJ, ILT or other authorities. Governance therefore has to be mapped to the real operating context, not to a generic "AI policy" file.
How it works
The EU AI Act is the main rulebook
The Netherlands mainly regulates AI through the directly applicable EU AI Act, not through a separate Dutch AI code. That means Dutch organisations already need to work to the Act's phased timetable. The ban on prohibited practices and the AI literacy duty apply from 2 February 2025. Rules on governance and general-purpose AI models apply from 2 August 2025. Most transparency duties and the main regime for Annex III high-risk systems apply from 2 August 2026, though this date may be deferred for some high-risk uses under the EU simplification (Digital Omnibus) package that was politically agreed in 2026 but not yet finalised in amending legislation. Annex I product safety systems follow from 2 August 2027. Older high-risk systems used by public authorities have a longer transition, but they still have to be brought into line by 2 August 2030.
Dutch implementation is about supervision, not rewriting the EU rules
As of 6 June 2026, the Dutch implementing law had been published for consultation and the consultation had closed on 1 June 2026. The draft does not create one new AI regulator. Instead it proposes a network of existing authorities. The AP and the RDI jointly coordinate the system, and the RDI acts as the central contact point. The AP is proposed as the main authority for prohibited AI, much of Annex III high-risk AI and a large part of the transparency regime. Other sectors stay with familiar regulators, such as AFM and DNB in finance, RDI and ILT in critical infrastructure, the established product regulators for Annex I products, and special arrangements for certain judicial uses.
The AP already has a live role
Even before the Dutch AI Act implementing law is final, the AP is not waiting on the sidelines. It already coordinates Dutch supervision of algorithms and AI that threaten public values and fundamental rights, and it remains the data protection supervisor wherever AI is used to process personal data. In practice, that means Dutch organisations have to think about GDPR duties, automated decision-making safeguards, transparency and human review at the same time as they prepare for AI Act compliance.
The Dutch public sector has built a wider transparency layer
The Netherlands has also built governance tools that are specifically about government use. The national Algorithm Register is a central portal where public bodies publish information about impactful algorithms. That includes, but is not limited to, AI systems that may be high-risk under the EU AI Act. So the Dutch register is a public-sector transparency instrument, not simply a copy of the EU database for high-risk AI. It is designed to help citizens, journalists and other authorities see what the state is using and why.
The legal status of that register is still not fully settled. Official government pages say that a mandatory transparency duty is intended. But a September 2025 parliamentary letter said that making the register legally mandatory was not yet opportune. The direction of travel is therefore clear, but the final binding form of the duty is still pending.
Impact assessments are where rights and governance meet
For many Dutch public-sector deployments, the key operational question is not only "is this AI?" but "what evidence do we need before first use?" Article 27 of the AI Act requires many public bodies, and private entities providing public services, to carry out a fundamental rights impact assessment before deploying an Annex III high-risk system. That assessment can complement a GDPR data protection impact assessment rather than duplicate it. In February 2026 the Dutch government updated the IAMA specifically to align it with Article 27, making it a practical bridge between an EU legal duty and Dutch public-sector practice.
This is also where transparency becomes tangible. Where Annex III high-risk systems help make, or help support, decisions about people, deployers must inform those people that such a system is being used. In the Dutch public sector, that duty sits alongside wider expectations of explainability, record keeping and public accountability.
Innovation support exists, but it is supervised
The draft Dutch law would set up one multi-sector AI regulatory sandbox operated jointly by the designated authorities. The point is to let potential providers test and refine innovative systems before market launch, with supervisory guidance inside the legal framework. It is not a free pass. Other law, including data protection law, still applies, and where personal data are involved the relevant data protection authority has to be part of the process. Testing in real-world conditions also comes with approval, safeguards, incident reporting and the possibility of suspension.
Enforcement will be practical and sector-specific
The proposed Dutch system gives the designated authorities standard market-surveillance tools, such as investigatory powers, corrective measures and administrative sanctions. For organisations, that means compliance will not be judged by one abstract checklist. It will be judged in context: financial AI in the financial sector, medical AI in medical supervision, critical infrastructure AI in infrastructure supervision, and public-sector administrative AI in the wider Dutch framework of rights protection, transparency and accountability.
Examples
A concrete Dutch public-sector example is the Central Agency for the Reception of Asylum Seekers' "Promising Link with GeoMatch". In the Algorithm Register it is described as an impactful algorithm used to advise which labour-market region gives a status holder the best chance of paid work. The entry records both a DPIA and an IAMA. It also says the employee reviews the advice, can depart from it, records the reason for doing so, and monitors the system monthly for quality and unintended effects such as discrimination. That is a good picture of what Dutch governance looks like when transparency, human review and rights checks are taken seriously.
A second workflow is the one many Dutch public bodies will face from 2 August 2026 onward for Annex III high-risk AI. If a municipality, ministry or public-service provider wants to deploy a high-risk system in a function covered by Article 27, it should complete a fundamental rights impact assessment before first deployment, align that work with any DPIA that already exists, and be ready to notify the relevant market-surveillance authority of the assessment result. In the Netherlands, that process is expected to sit within a sector-specific supervisory relationship, not a single generic AI office.
A third workflow is the proposed Dutch AI regulatory sandbox. A potential provider that is still developing an innovative AI system would be able to seek supervisory guidance before the system is placed on the market or put into use. The attraction is earlier legal and operational clarity. The constraint is that the sandbox remains supervised, personal-data rules still apply, and tests in real-world conditions may require formal approval, safeguards and incident reporting.
Common misunderstandings
Many people assume the Netherlands has its own standalone AI Act. It does not. The core binding regime is the EU AI Act, with Dutch law mainly filling in supervision, enforcement powers and public-sector governance.
It is easy to think the AP will supervise everything. It will not. The proposed Dutch model is multi-authority and sectoral, with different regulators for finance, critical infrastructure, products and certain judicial uses.
People often treat the Algorithm Register as if it were an approval mechanism. It is not. Publication improves transparency and accountability, but it does not prove that a system is lawful or well governed.
Another common mistake is to think only machine-learning systems matter. The Dutch public-sector transparency work is broader than that. The register also captures impactful algorithmic tools that may sit outside the AI Act's narrower legal definition or risk buckets.
Some organisations think they can wait for a final Dutch law before acting. That is risky. Parts of the EU AI Act already apply directly, and existing data protection, administrative and sector rules still apply now.
Risks and boundaries
AI regulation in the Netherlands is not only the AI Act. Existing law still matters, especially data protection law, administrative law, equality law, procurement rules and sector-specific supervision. An organisation can therefore be outside one AI Act duty and still face another legal problem.
The Dutch implementation picture is also still moving. As of 6 June 2026, the implementing law had been consulted on but not yet finalised. The broad structure is visible, but details can still change through the Dutch legislative process and later regulator practice.
The public-sector Algorithm Register also has a boundary. It is a transparency and accountability mechanism, not a full legal control system on its own. A register entry, an IAMA or a DPIA can be very important evidence, but none of them amounts to automatic legal approval.
There is also a timing boundary for legacy systems. Public-authority high-risk systems already on the market or in use before 2 August 2026 may have a longer path to full compliance, up to 2 August 2030. But that does not create a free travel period. Significant design changes can bring a system into the main compliance regime earlier, and other laws still apply in the meantime.
Finally, the legal position of the Algorithm Register itself remains somewhat unsettled. Official materials present eventual mandatory transparency as the policy direction. A later parliamentary letter said a binding legal duty for the register was not yet opportune. The safest view is that transparency pressure is real, but the final statutory architecture is not yet complete.
What to do next
Start with a role-and-system inventory. Identify where your organisation is a provider, a deployer, an importer, a distributor or a public body using an internal tool. Then classify each system against the EU AI Act's categories and the Dutch sector in which it will be supervised. If a system touches people in a rights-sensitive context, prepare the evidence pack now: intended purpose, data sources, human oversight design, incident process, transparency notices, AI literacy measures and any DPIA, FRIA or IAMA that may be needed. If you sell into Dutch government, assume buyers will increasingly ask not just whether your tool works, but whether it can be explained, reviewed and publicly described. And if you are in the public sector, treat the Algorithm Register and the Algorithm Framework as working governance tools now, even while the final legal duty continues to evolve.
FAQs
Is AI regulation in the Netherlands mainly national law or EU law?
Mainly EU law. The EU AI Act is the core binding regime. Dutch law mainly assigns supervisors, enforcement powers and practical governance mechanisms around that regime.
Is the EU AI Act already live in the Netherlands?
Yes. It is a directly applicable EU regulation. Different parts apply on different dates, so Dutch organisations are already inside the regime even though the Dutch enforcement architecture is still being finalised.
Has the Dutch implementation law finished?
No. As of 6 June 2026, the draft implementing law had gone through internet consultation, which ran from 20 April 2026 to 1 June 2026, but it was not yet final.
Who is likely to supervise AI in the Netherlands?
Under the proposed model, supervision is shared. The AP has the main horizontal role, but finance, critical infrastructure, products and some judicial uses sit with other authorities. The RDI is proposed as the central contact point.
Do public bodies in the Netherlands always need a fundamental rights impact assessment?
Not always. Article 27 targets many Annex III high-risk uses by public bodies and private public-service providers before first deployment. Other tools may still need different checks, such as a DPIA, procurement review or internal governance assessment.
Is the Dutch Algorithm Register the same thing as the EU AI Act database?
No. The Dutch Algorithm Register is a broader public-sector transparency mechanism. It is meant to explain impactful government algorithms, not only the systems that fall into the EU AI Act's high-risk documentation regime.
Does publishing in the Algorithm Register mean a system is compliant?
No. Publication helps transparency and accountability, but it does not replace conformity work, human oversight, data governance, security, impact assessment or sector-specific duties.
What if our public-sector high-risk system already existed before August 2026?
Legacy public-authority systems have a transition path, but they are not exempt forever. The AI Act expects the necessary steps to reach compliance by 2 August 2030, and substantial redesign can trigger earlier obligations.