
Which Dutch Authority Regulates Your AI Tool? The New AI Act Supervision Explained


You hear someone say the AI Act is coming and you need to "sort something out." But who do you actually contact if there is a problem? Who will check whether you are following the rules? The answer is less straightforward than you might hope: in the Netherlands, ten supervisory authorities have jurisdiction under the AI Act, each with their own domain.

That sounds complicated, but it becomes manageable once you know which box your organisation fits into. Most businesses will only need to deal with one or two authorities. For most SMBs, that means a sectoral authority they already know, plus the Dutch Data Protection Authority.

This article gives you a decision tree to identify which authority applies to you, along with three concrete steps to take before August 2026.

Why Ten Authorities?

The EU deliberately chose not to create a new central AI agency. Instead, existing sectoral supervisors were expanded with AI powers. The reasoning: an authority that already knows the financial sector understands the risks of credit-scoring algorithms better than a generic AI body ever could.

The Netherlands applied this approach and designated ten authorities. The Rijksinspectie Digitale Infrastructuur (RDI) acts as the central contact point for the AI Act and coordinates national enforcement. But the RDI will not itself fine companies for AI in healthcare or financial services. That is the job of the sectoral authorities that have been active in those domains for years.

The system is manageable once you have identified your sector. That is the key.

The AP: Prohibited AI and High-Risk Systems

The Dutch Data Protection Authority (AP) has two distinct roles under the AI Act, and it is important to keep them separate.

The first role is enforcing the prohibited AI practices under Article 5 of the AI Act. These are the applications that are simply not permitted: biometric categorisation based on sensitive characteristics, social scoring by governments and businesses, manipulative AI that targets people through their vulnerabilities, and real-time facial recognition in public spaces. These prohibitions have been in force since 2 February 2025 and the AP has enforcement powers regardless of sector.

The second role concerns high-risk AI systems that process personal data. Where an AI system makes or proposes decisions about individuals based on personal data, the AP always has concurrent jurisdiction alongside the sectoral authority. A recruitment tool that analyses personal profiles therefore falls under both the NLA and the AP.

In practice, this dual oversight means the AP is relevant for almost every organisation. Most AI applications in a business context process personal data about employees or customers.

Sectoral Authorities by Industry

The AFM and DNB have jurisdiction over the financial sector. That includes credit scoring models, algorithmic trading strategies, and fraud detection systems at banks, insurers, and other financial institutions. If your organisation already falls under AFM or DNB supervision, those authorities also apply to your AI applications.

The Healthcare and Youth Inspectorate (IGJ) covers medical AI. This includes diagnostic tools, AI-assisted treatment recommendations, and systems that determine which care a patient receives. This is a domain where the consequences of wrong decisions can be directly life-threatening, and the rules reflect that.

The Netherlands Labour Authority (NLA) supervises AI in the labour market. This is the domain most SMBs underestimate. A recruitment platform that ranks CVs, an HR tool that analyses performance reviews, a scheduling application that evaluates employees: all of these fall under the NLA. If your business uses AI in hiring, evaluating, or dismissing staff, the NLA is your primary authority in that area. Many organisations assume that using a vendor's SaaS tool absolves them of responsibility, but the AI Act places obligations on the user as well as the developer.

The Authority for Consumers and Markets (ACM) covers AI in the consumer domain. That includes recommendation algorithms that steer consumer behaviour, AI in pricing systems, and automated decisions that affect consumer rights.

The Netherlands Food and Consumer Product Safety Authority (NVWA) is responsible for AI in the food chain and production processes. The Human Environment and Transport Inspectorate (ILT) supervises AI in transport, logistics, and infrastructure.

Which Authority Applies to Me? (Decision Tree)

You can determine your situation by answering four questions in sequence.

Question 1: Does it involve a prohibited AI practice? Think about social scoring, real-time biometric identification in public spaces, or AI that manipulates vulnerable groups. If the answer is yes, the AP has jurisdiction. Stop here.

Question 2: In which sector does the AI application operate? Use the sector mapping above to identify the relevant sectoral authority. Financial services point to AFM/DNB, healthcare to IGJ, HR and the labour market to NLA, the consumer market to ACM, food to NVWA, transport to ILT.

Question 3: Does the system also process personal data? If yes, the AP has concurrent jurisdiction alongside the sectoral authority. In most real-world situations, this is the case.

Question 4: Does your application fit none of the above categories? Then the RDI is the designated contact point.

For most SMBs, this decision tree leads to a combination of the NLA or ACM (for HR or consumer-facing AI) plus the AP (because personal data is almost always involved). That combination is manageable. You are dealing with two authorities rather than ten.

What to Arrange Before August 2026

Full enforcement of the obligations for high-risk AI systems begins on 2 August 2026. That is the hard deadline. The prohibited practices are already enforced, but for high-risk applications, August is the turning point.

Start by mapping all your AI tools. That sounds simple, but many organisations underestimate how much AI is already active in their systems. AI features are sometimes built into standard software: your CRM, your HR platform, your accounting software. Go through all your software tools and ask each vendor whether there is AI functionality inside. For a structured approach to this process, see our AI Act compliance software for SMBs.

Then determine the risk classification for each system using the AI Act criteria. High-risk systems require documentation, human oversight, and in some cases registration in the EU database. Limited-risk systems require transparency toward users. Minimal-risk systems only need to appear in your inventory.

Finally, identify which supervisory authority has jurisdiction over each application, using the decision tree in this article. That determines exactly which requirements you need to meet and who to contact with questions. For organisations that also process personal data, linking your AI Act compliance to your GDPR documentation makes sense. ComplianceHive keeps both in the same place, including GDPR compliance features alongside AI Act tracking.

Want to document your AI tools systematically? In ComplianceHive you maintain your AI system register in one central place, with automatic risk classification and vendor details attached. That way you know, for every application, which supervisory authority has jurisdiction and what still needs to be arranged before August 2026.

