Dutch proposal for AI supervision: hybrid cooperation between market supervisory authorities

The European AI Act came into force on 2 August 2024. The Netherlands were somewhat behind schedule on one key point: the August 2025 deadline for appointing national supervisory authorities was not met. Only 20 April 2026, Minister for the Digital Economy and Sovereignty Aerdts submitted the proposal for a Dutch AI Implementation Act for public consultation.

Hybrid supervisory model 

The AI Act has direct effect in all Member States. Supervision is partly regulated at European level and (to a greater extent) at national level. At European level, the AI Office is responsible for the enforcement and implementation of the AI Act in the Member States. The AI Office has a special role: it specifically supervises so-called general-purpose AI models (GPAI models), such as large language models. The European administration is supported by three advisory bodies: the European Artificial Intelligence Board (comprising representatives from all EU Member States), the Scientific Panel (independent AI experts) and the Advisory Forum (a broad representation of commercial and non-commercial stakeholders). At national level, Member States work closely with the AI Office and the Commission, and each Member State must designate national competent authorities to act as market supervisors. In the Netherlands, it was still unclear who the national competent authorities would be.

The government has now opted for a hybrid supervisory model with ten market supervisory authorities. The reasoning is logical: supervisors oversee AI within the domain they are already familiar with, so that organisations deal with familiar faces as much as possible. For example, the Dutch Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB) will be responsible for AI at financial institutions, the Health and Youth Care Inspectorate (IGJ) will supervise AI in the healthcare sector, and inspectorates such as the NVWA and ILT will oversee product safety. The Procurator General at the Supreme Court and the Chair of the Administrative Jurisdiction Division of the Council of State are designated to oversee AI in the administration of justice.

For areas of supervision that do not fit well with the existing powers of other supervisory authorities, the Dutch Data Protection Authority (AP) will be given a central and comprehensive role. The AP will become the market supervisory authority for prohibited AI practices, for transparency obligations, and for a large proportion of high-risk applications, including AI used in recruitment and selection, education, lending and government decision-making. This represents a significant expansion of its remit, on top of its existing responsibilities as the supervisory authority for the GDPR and as the coordinating algorithm supervisory authority.

In addition to their own supervisory tasks, the AP and the Dutch Authority for Digital Infrastructure (RDI) will jointly assume a coordinating role within the entire supervisory system. This coordination encompasses not only coordination between the ten market supervisory authorities themselves, but also cooperation with sectoral supervisory authorities and with authorities overseeing compliance with fundamental rights. In addition, the AP and RDI are responsible for harmonising supervision. Finally, both organisations are jointly establishing a mandatory AI regulatory sandbox: a controlled environment within which companies and other organisations can develop and test their AI systems under the supervision of regulators, without immediately running the risk of enforcement action. This sandbox offers a valuable opportunity, particularly for innovative applications, to gain clarity at an early stage regarding the admissibility and compliance with the regulation. In addition, market surveillance authorities will gain a better understanding of innovative AI systems and the issues faced by AI providers. Market surveillance authorities will adopt an innovation-friendly and flexible approach within the sandbox, but there is no possibility of waiving rules. The idea is that the interpretation provided by market surveillance authorities should clarify the rules set out in the AI Act, making it easier for providers to comply with them.

At first glance, this structure appears clear, but at the same time much remains to be clarified. When an AI-system affects multiple domains, it is unclear who the primary supervisory authority is. The coordinating role of the AP and RDI therefore seems particularly important, but the practical implementation has yet to be proven. There is also the question of the AP's capacity: the AP has for years had to cope with limited resources in carrying out its GDPR tasks, and supervising the AI Act places a significant new burden on its remit.

What’s next?

The requirements for high-risk AI systems are expected to come into force on 2 December 2027. According to the AI Act, these requirements were due to come into force on 2 August 2026, but are likely to be postponed as a result of the "Digital Omnibus AI" adopted by the European Parliament on 26 March 2026.

In practical terms, these requirements mean that providers of high-risk AI systems must have a robust risk management system, technical documentation and event logging, and that the systems must meet requirements for transparency, accuracy and cybersecurity. Deployers (organisations that use high-risk AI developed by others) also have obligations, including carrying out a fundamental rights impact assessment (FRIA) prior to use.

Organisations would be well advised to identify which AI systems they use or develop, and determine whether these fall under the prohibitions, the high-risk category or the transparency requirements. Policies must be drawn up for high-risk AI systems. This includes drafting or updating technical documentation, establishing a risk management system, ensuring human oversight and carrying out the aforementioned fundamental rights impact assessment. Contractual agreements with suppliers of AI systems must also be reviewed: the regulation imposes certain obligations on providers, but deployers must be able to demonstrate that they are fulfilling their responsibilities. For financial institutions, the situation is particularly complex, as both the AFM or DNB and the AP may have jurisdiction over different aspects of the same AI application. And any company using generative AI or chatbots,  which is now virtually every organisation, will soon be subject to transparency obligations that can be enforced by the AP.