AI-Generated Images on Your Business Website (NL 2026)

You have been using DALL-E to make blog header images for a year. A new client asks whether you need a licence to publish them. The short answer for most ordinary marketing images is no. The four risk layers below explain when that answer changes and what the AI Act's Article 50(4) adds from 2 August 2026.

How Dutch law treats AI-generated images

Dutch copyright on still images sits under the Auteurswet 1912, with photographic works expressly enumerated as a category of work in Article 10(1)(9). The Information Society Directive 2001/29/EC and the DSM Directive (EU) 2019/790 are layered on top, the latter transposed via the Implementatiewet richtlijn auteursrecht in de digitale eengemaakte markt published in Stb. 2021, 313. The test for whether anything qualifies as a protected work runs through the Hoge Raad's Endstra-tapes judgment of 30 May 2008, which requires een eigen oorspronkelijk karakter en persoonlijk stempel van de maker, an own original character and the personal stamp of its maker. The CJEU has reinforced this in Infopaq International A/S v Danske Dagblades Forening (Case C-5/08) and applied it specifically to photographs in Painer v Standard Verlags GmbH (Case C-145/10), where the test is framed as the photographer's free and creative choices in setting, lighting and composition. A Dutch court asked whether a pure DALL-E or Midjourney prompt produces a protected work would walk that same path: there is no human author exercising free and creative choices over the specific arrangement of pixels, only a prompt that triggers a probabilistic generation. The output is typically unprotected by Dutch copyright, which means the operator who publishes it does not gain an exclusive right and a competitor can reuse it without infringing. That is a marketing consideration more than a legal exposure, but it is the correct starting point for Dutch law.

The Autoriteit Persoonsgegevens has been unusually active on the AI-image question. The AP's 2025 supervisory priorities document, the Toezichtsprioriteiten van de AP, flagged generative AI as a focus area, and the AP has published guidance on the lawfulness of AI training and AI-generated content involving personal data. The European Data Protection Board's Opinion 28/2024 on AI models, adopted on 17 December 2024, addresses the same questions at EU level and confirms that an AI image of an identifiable real person is personal data under Article 4(1) GDPR for the deployer, regardless of any conclusion the EDPB reached about the training-side analysis. For a Dutch operator that means the publication of an AI-generated portrait that depicts a real recognisable person triggers Article 6 lawfulness obligations and, if the person is identifiable from the image, Article 13 transparency duties when their data is being processed by the AI system in the operator's deployment.

Beyond copyright and data protection, two Dutch frameworks need separate consideration when an AI image touches a real person. The portretrecht, the right of portrait under Articles 19 through 21 of the Auteurswet, gives an identifiable person published in an image a separate cause of action against the publisher. Article 19 governs commissioned portraits, where publication without permission is generally not allowed. Article 21 governs non-commissioned portraits, the typical AI-image case, and permits publication only where the person depicted does not have a redelijk belang, a reasonable interest, in opposing it. Dutch courts read redelijk belang to include privacy, commercial exploitation of one's image, and risk of reputational harm. The remedy is an injunction and damages through the ordinary Rechtbank.

The Burgerlijk Wetboek route is the second framework. Article 6:162 BW supplies the unlawful-act claim for invasions of privacy and reputational harm, drawing on the Hoge Raad line that began with the Caroline van Hannover-style privacy claims and the constitutional anchor in Article 10 of the Grondwet. The Wetboek van Strafrecht supplies a criminal route in Articles 261 and 262 for smaad and smaadschrift (defamation, including by image), though prosecutions are rare and the civil route dominates. An AI-generated image that depicts a real Dutch individual engaging in conduct they did not engage in is a publication and is actionable through both 6:162 BW and portretrecht in the civil court, separately from any AP complaint.

Trade marks add a separate route. The Benelux-Verdrag inzake de Intellectuele Eigendom (BVIE) governs trademarks across the Benelux, administered by the Benelux-Bureau voor de Intellectuele Eigendom (BOIP) in The Hague. If the AI image reproduces a registered trade mark such as the Coca-Cola wordmark or the Apple logo in a way that suggests trade origin, the operator publishing it on a commercial Dutch website may be infringing Article 2.20 BVIE regardless of any copyright analysis. The Dutch remedy is an injunction at the Rechtbank Den Haag, the specialist IP court, and in practice a takedown letter that arrives long before any pleading.

The 2024 PLD framework adds nothing on the AI-image side directly, but Article 50 of the AI Act does. Regulation (EU) 2024/1689, the AI Act, applies its Article 50(4) labelling rule to deepfakes from 2 August 2026, and the Dutch competent authority that will enforce it has not been fully finalised as of May 2026. The Ministerie van Economische Zaken en Klimaat is running the designation pipeline. The likely candidates are the Autoriteit Persoonsgegevens for the components touching personal data, the Autoriteit Consument & Markt for the consumer-facing transparency tier, and the Rijksinspectie Digitale Infrastructuur (RDI) as the broader market-surveillance authority. For a Dutch small operator the practical implication is that the labelling duty crystallises in August 2026 regardless of which authority enforces it, and the deepfake definition in Article 3(60) of the AI Act is the operative test, not any Dutch-specific gloss.

The short answer

Generic AI marketing imagery is usually fine to publish in the Netherlands. The risk concentrates in four places: images that reproduce a specific existing work, images that carry a brand logo or stock-photo watermark, images that contain identifiable real people and images that look authentic enough to pass for real photography. If you have ever wondered whether the kind of Getty demand letter Dutch businesses receive for stock-photo issues could land for an AI image, it can. But only when the output reproduces a recognisable existing photograph or contains a Getty watermark. The rest of the time, the worst that happens is you find out you do not own the image you "made."

What the courts have actually decided

The most-cited ruling is Getty Images (US) Inc & Ors v Stability AI Ltd [2025] EWHC 2863 (Ch), a UK High Court judgment of 4 November 2025. You can read the full judgment on the Judiciary website. The popular headline was "Stability AI mostly wins." That is roughly true, but the holdings are narrower than the headline suggests. Dutch readers should treat it as UK-specific context rather than as a settled EU position.

Getty abandoned its primary copyright infringement claim mid-trial because it could not prove the relevant training activity took place in the UK. The court did not rule on whether training a diffusion model on copyrighted images is itself an infringement. The "the court said training is fine" reading of the judgment is wrong. The court did not reach the question.

The court did rule on secondary copyright infringement under sections 22, 23 and 27 of the UK's Copyright, Designs and Patents Act 1988. It held that Stable Diffusion model weights are not a "copy" of the training images. The model contains trained parameters, not stored reproductions. Trademark infringement under sections 10(1) and 10(2) of the Trade Marks Act 1994 partially succeeded on a narrow set of synthetic images that bore the Getty or iStock watermark. The section 10(3) claim and passing-off were rejected.

For the Netherlands the unsettled questions matter more than the UK holdings. The Auteurswet's "eigen oorspronkelijk karakter en persoonlijk stempel" test for copyrightable works applies the same Infopaq logic as elsewhere in the EU. Robert Kneschke v LAION in Germany produced a 2024 first-instance decision favourable to LAION on a TDM exception, with an appeal expected. Like Company v Google Ireland Limited (Case C-250/25) is a CJEU referral pending. The Autoriteit Persoonsgegevens flagged generative AI as a supervisory priority in 2025, focused on training data and personal data rather than commercial output use. Treat the EU position as open for now.

The four risk layers for your business

Layer 1. Does it reproduce a specific recognisable existing work?

Most AI outputs do not. Some do. Diffusion models occasionally produce near-copies of training images, and prompts that name a living artist, a recent film or a copyrighted character raise that risk substantially. A prompt for "a friendly dentist's office" is low-risk. A prompt asking for "in the style of [named living photographer]" is not. A reverse image search on hero images and paid-ad visuals will usually surface any close original within a minute.

Layer 2. Does it contain a trademark, logo or watermark?

This is the layer the Getty ruling actually touched. Stable Diffusion was generating images with the Getty and iStock watermarks visible, and the UK court found that this constituted trademark infringement on those specific outputs. The same logic applies under Dutch trademark law if your AI image contains a recognisable brand logo, a sports team crest, a film studio mascot or a stock-agency watermark fragment.

Watermarks are the easiest defect to catch. Zoom in to 200% on the corners of any hero image before publishing. If Copytrack or PicRights send a letter to a Dutch business, the response pattern is the same as for ordinary stock-photo claims.

Layer 3. Does it contain identifiable real people?

A photograph of an identifiable real person is personal data under Article 4(1) GDPR. An AI image that resembles an identifiable real person raises the same controller-level obligations under Article 5 and may engage special-category processing under Article 9 if the image conveys sensitive attributes. Dutch portretrecht under Article 21 of the Auteurswet adds a portrait-right protection: a person depicted in a portrait can object to its publication if they have a reasonable interest, and a paid commission gives stronger rights still.

The practical rule is the same as for ordinary photography. If you want to publish an image that resembles a specific real person, you need their consent. AI does not change the rule. If you have no consent, prompt explicitly for "a fictional person, not resembling any real individual" and check the output before publishing.

Layer 4. Do you "own" what you made?

Probably not, in any useful sense. The US Copyright Office stated in March 2023 that pure AI-generated output without sufficient human creative input is not eligible for copyright. The EU's Infopaq test (Case C-5/08) requires "the author's own intellectual creation," and the Auteurswet's parallel werkbegrip test requires creative human choices. Pure prompt-based output is unlikely to satisfy either.

That ownership gap matters less than people fear. Most SMBs use marketing images to communicate, not to license out. The practical implication is that any competitor can re-use the same image you generated. It is a marketing concern. The broader question of who pays when AI-related compliance goes wrong on a website is more layered, and the answer is rarely "the AI vendor."

Article 50 of the AI Act, applicable 2 August 2026

The EU AI Act applies from 2 August 2026 in relation to its Article 50 transparency obligations. Two paragraphs of Article 50 matter for images on a website.

Article 50(2) puts a marking obligation on the provider of a generative AI system. Midjourney, OpenAI, Stability and the rest must mark their outputs as artificially generated in a machine-readable way. This is not your obligation as the website operator.

Article 50(4) puts a labelling obligation on the deployer (you) when the AI-generated content is a deepfake under Article 3(60). The definition is narrow.

A real estate agent in Amsterdam generating "virtual staging" of an actual listing that could pass for a real photograph of that specific room sits in the red quadrant and needs an "AI-generated" label. A bakery using AI to depict a generic croissant on its menu does not. The maximum fine under Article 99 is the higher of EUR 15 million or 3% of worldwide annual turnover, but Article 99(6) tells Member States to apply lower fines to SMEs, and realistic Dutch enforcement against a small business will be far below the maxima. The full AI Act guide for website owners covers the other paragraphs of Article 50.

A 7 May 2026 provisional Digital Omnibus on AI may give providers of generative AI systems already on the market a transitional period until 2 December 2026 for Article 50(2) marking. The 2 August 2026 application of Article 50 itself does not move. Verify status before acting.

Practical rules for your business

A short checklist for any Dutch SMB using AI imagery on a website.

1. Do not prompt with "in the style of [named living artist]." It elevates copyright risk without much creative benefit.
2. Zoom in to 200% on every AI image before publishing and look for stray watermarks, brand logos and signature fragments in the corners.
3. If you need an image of a person, prompt for "a fictional person, not resembling any real individual." If you want a real person, get their written consent. Portretrecht under Article 21 Auteurswet does not disappear because AI made the image.
4. Keep prompt logs. A folder of "prompt + date + tool" records is cheap insurance if a question is ever raised.
5. If you publish an image that depicts a real-looking person, place or event, label it as AI-generated. A short caption is enough and keeps you safe under Article 50(4).
6. Do not claim copyright on AI-generated images in marketing contracts. You may not have any to assign.
7. For high-stakes images (campaign hero, packaging, legal documents), use a licensed library or a human illustrator. Our recommendations on free stock photo sources that are safe to use are a starting point. <!-- TODO: replace with /nl/en equivalent when published -->

If you want a check on the rest of the site at the same time, our free compliance scan covers GDPR, cookies, accessibility and image rights. It does not yet check AI-image legitimacy directly. AI-image checks are on the roadmap.

What this article does not tell you

It does not tell you whether the AI provider was entitled to use the training data. That question stays open in the EU and is contested in Germany, in California and at the CJEU. It does not tell you that an AI image is automatically safe. The four layers can each go wrong. And it does not tell you what happens if your AI provider is eventually found liable for its training. The cascade through their terms of service is untested.

The cluster pieces this article connects to cover the related strands. Who is liable when AI helps build a website in the Netherlands sits next to this one. The same agency-tool-operator chain applies whether the AI generated code or generated an image.

Common Questions

Can someone send me a Getty-style demand letter for an AI-generated image?

Possible, but only when the AI output reproduces a recognisable existing photograph or contains a Getty or iStock watermark. Getty v Stability AI confirmed that point in November 2025. For typical AI marketing imagery with no watermarks and no recognisable real subjects, the risk of a demand letter stays low.

Do I own the AI image I generated for my website?

Probably not. The EU's Infopaq test requires the author's own intellectual creation. Pure prompt-based output usually fails it under Dutch Auteurswet as well. A competitor can re-use the same image, which is a marketing concern more than a legal one.

Do I have to label AI-generated images on my website under the AI Act?

Only when the image is a deepfake under Article 3(60), meaning it resembles a real person, place or event and would appear authentic to a reasonable viewer. Article 50(4) labelling applies from 2 August 2026. Generic AI marketing imagery without identifiable real subjects falls outside.

What is the Autoriteit Persoonsgegevens' position on AI-generated images of real people?

The Dutch DPA's 2025 supervisory priorities flagged generative AI as an enforcement focus. AI images that depict identifiable real people are personal data under Article 4(1) GDPR. Publishing them on a website without consent triggers the same controller obligations as ordinary photography.

Is Midjourney safer than DALL-E or Stable Diffusion for business use?

No meaningful legal difference today. All three rely on similar training-data practices and their terms of service all push output risk back to the user. Pick on quality and licensing terms, not on a notional safety advantage.

Related reading

The image cluster on this site sits around four pieces:

• Received a Getty Images letter. The crisis guide for human-sourced image claims.
• Are Copytrack and PicRights demands legitimate. Companion crisis article for Dutch SMBs.
• Web designer copyright liability under Dutch law. When the issue was introduced by your agency.

The AI cluster pieces this article connects to:

• AI-built website liability under Dutch law. The hub article on GDPR, EAA and cookie liability when AI helped build the site.
• The EU AI Act for website owners. Article 50 in depth, including chatbot disclosure and the editorial-review exemption.

This article is technical analysis, not legal advice. The author is not your lawyer and is not your registered controller. For a binding view, talk to one of those.