EU AI Act for Dutch Website Owners

On 2 August 2026 the EU AI Act's transparency rules apply. If your Dutch website has a chatbot or you use AI to draft blog posts or generate marketing images, this article explains what changes and what does not. The short version: most Dutch SMB websites have almost nothing to do, and what they do have to do is narrow.

How the AI Act lands in Dutch law

Regulation (EU) 2024/1689 is the EU AI Act, in force across the Union from 1 August 2024 and applying in tranches up to 2 August 2027. As a regulation it has direct effect in the Netherlands without a national transposing act, but the Netherlands still has to designate competent authorities, build conformity-assessment infrastructure and pass an Uitvoeringswet AI to bring section-level fines and enforcement powers into Dutch administrative law. That implementing pipeline is run by the Ministerie van Economische Zaken en Klimaat under Minister Sophie Hermans, with input from the Ministerie van Justitie en Veiligheid and from the Ministerie van Binnenlandse Zaken on public-sector AI. As of May 2026 the implementing wetsvoorstel has been published in heads form and consulted via internetconsultatie.nl, and the final Uitvoeringswet AI is expected before the August 2026 transparency-tier deadline. The position should be re-checked on overheid.nl and the Tweede Kamer documents portal before relying on it.

Three Dutch authorities sit ahead of the rest as AI Act competent authorities, with the split now substantially settled in a 2024 letter from the Minister of Economic Affairs and Climate Policy to the Tweede Kamer. The Autoriteit Persoonsgegevens is the primary competent authority for personal-data and biometric AI components, and the AP has already published preparatory guidance on what controllers should be doing now to align with both GDPR and AI Act obligations. The Autoriteit Consument & Markt is the digital-services and consumer-facing competent authority, including for the transparency duties around AI-generated content under Article 50(4), and the ACM is already the Dutch digital services coordinator under the EU Digital Services Act. The Rijksinspectie Digitale Infrastructuur (RDI), formerly Agentschap Telecom, is the broader market-surveillance authority for the high-risk-systems tier under Annex III and Article 43.

Two further institutions sit underneath. The Stichting Koninklijk Nederlands Normalisatie-instituut (NEN), the Dutch national standards body, is the candidate for AI Act conformity-assessment standards work in cooperation with CEN-CENELEC at EU level. The Raad voor Accreditatie is the Dutch accreditation body that would accredit notified bodies for high-risk-systems conformity assessments. The Inspectie Gezondheidszorg en Jeugd (IGJ) handles medical-device AI as a continuation of its Medical Devices Regulation role. For a typical Dutch SMB website neither NEN nor IGJ is in scope, because high-risk-systems and medical-device AI are not the part of the Act that applies to an ordinary marketing site. The Article 50 transparency tier is the only AI Act surface that touches most Dutch small business websites.

Dutch enforcement priors matter as much as the regulator designation. The AP has built its reputation around structured supervision in identified focus sectors and large enforcement actions against systemic violations rather than headline fines for small operators. Chair Aleid Wolfsen has been explicit in public statements about proportionate enforcement for SMEs and about the AP's expectation that compliance investments be reasonable in light of the operator's size and processing volumes. That continuity is likely to carry into AI Act enforcement; the realistic exposure for a Dutch small business website that gets Article 50 labelling slightly wrong is a corrective notice, not a six-figure fine. The Article 99(6) proportionality rule for SMEs reinforces that posture. The ACM's emerging enforcement style under the DSA is similarly graduated, with engagement and statutory notices before financial penalties, and the Coordinated Plan on AI published by ACM in 2025 confirms a guidance-first approach for Dutch SMEs.

The Nationale AI Strategie, first published in 2019 and refreshed in 2024 by the Ministerie van Economische Zaken en Klimaat, frames the Dutch posture on AI regulation. It explicitly favours an innovation-friendly regulatory environment combined with strong fundamental-rights protections, channeled through the Nederlandse AI Coalitie public-private body. The AI Coalitie includes industry associations such as VNO-NCW and MKB-Nederland alongside universities and research institutes, and its working groups have produced sector-specific implementation guides for AI Act compliance ahead of the 2026 transparency-tier deadline. For a Dutch website owner the practical takeaway is that the regulator pipeline is being built with proportionality and SME-friendliness as explicit design principles, but proportionality does not mean exemption. The transparency duties under Article 50(1) for chatbots, Article 50(2) for AI-generated text in public-interest matters, Article 50(3) for emotion and biometric-categorisation systems, and Article 50(4) for deepfakes still apply on 2 August 2026 to any Dutch operator whose website hits the trigger.

Cross-border posture is simple for the Netherlands under the AI Act, because the regulation has extraterritorial reach under Article 2(1)(c) to operators outside the Union whose AI-system output is used in the Union. A Dutch operator selling into the UK still falls under the AI Act for its Dutch-Union activity. A UK operator selling into the Netherlands falls under the AI Act for that limited activity even though it is otherwise governed by UK law. The reverse is not true under the UK AI Regulation Bill framework, which is principles-based rather than rule-based as of May 2026, so the asymmetry favours Dutch operators in some practical respects.

The honest answer up front

For most Dutch SMB websites the AI Act creates almost no new obligations. The heavy obligations under Article 50 fall on the AI providers (the vendors of ChatGPT, Claude, Midjourney, Cursor and the rest). The narrow obligations that fall on the website operator are about deepfakes and emotion-recognition systems that most Dutch SMBs do not use. This article shows when you do need to act and, more importantly, when you do not.

If you also want the broader picture of who pays when AI helps build your Dutch site, that is its own topic.

What Article 50 actually requires

Article 50 of Regulation (EU) 2024/1689 has four paragraphs, and each paragraph allocates the obligation to a different party. Reading them as one rule produces panic. Reading them in turn produces clarity.

Article 50(1): chatbots must disclose they are AI

Providers of AI systems that interact directly with natural persons must design those systems so users are informed they are dealing with an AI, unless that is obvious to a reasonably well-informed average consumer in context.

• Who is responsible: the AI provider, not the deploying business.
• What it means for a Dutch SMB: essentially nothing if you use a mainstream chatbot. The vendor builds the disclosure in. Your only check is to confirm the vendor's chatbot does in fact identify itself as AI when a visitor first interacts.
• Edge case: if you built or substantially modified the chatbot yourself, you become the provider for that specific chatbot and inherit the obligation.

Article 50(2): generative AI output must be machine-readable as artificial

Providers of generative AI systems must mark outputs as artificially generated in machine-readable ways (watermarks, metadata) that allow downstream detection.

• Who is responsible: the AI provider.
• What it means for a Dutch SMB: nothing direct. Watermarking is the AI vendor's problem. When you publish a ChatGPT-drafted post or a Midjourney image on your site, you are not expected to add cryptographic watermarks. The provider should have done so.
• One caveat: do not intentionally strip vendor watermarks. That reads as bad faith and is a separate Article 50(2) problem.

Article 50(3): emotion recognition and biometric categorisation

Deployers using emotion-recognition or biometric-categorisation systems must inform the natural persons exposed to those systems.

• Who is responsible: the deployer, which is you if you use such a system.
• What it means for a Dutch SMB: very little, because almost no SMB uses these. Emotion-recognition tools for HR analytics, retail sentiment cameras, attention-tracking on web pages are the realistic deployer cases. A typical Dutch bakery, restaurant or salon does not deploy any of them.
• GDPR overlay: when one of these systems processes biometric or special-category data, GDPR Article 9 applies on top, which is usually the binding obligation the AP enforces against in practice.

Article 50(4): deepfakes and AI-generated public-interest text

Deployers of AI systems that generate or manipulate "deepfake" content must disclose the artificial origin. A second paragraph extends this to AI-generated text published to inform the public on matters of public interest.

• Who is responsible: the deployer, which is you.
• What is a deepfake: Article 3(60) defines it as AI-generated or AI-manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic. The key words are "existing" and "falsely appear authentic." Generic AI marketing imagery without identifiable real people or real events is not a deepfake under that definition.
• What it means for a Dutch SMB: narrow scope. A Dutch real estate agent using AI to depict a real listing's interior in a way that could pass as photographic is in scope. A salon using AI to make abstract pattern graphics for an Instagram post is not.
• The editorial-review exemption: for AI-generated text under Article 50(4) second paragraph, the labelling obligation does not apply where "the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content." This is the single most important exemption for Dutch SMB blog content. If you review and sign off on AI-drafted posts as the editor, you are out of scope of Article 50(4) text labelling.

Three Dutch SMB scenarios

You added a chatbot to your dental practice website in Amsterdam. Article 50(1) lives with the chatbot vendor. As long as the chatbot identifies itself as an AI or that is obvious from context, you are compliant. Check the vendor's documentation once. You are done.

You use ChatGPT to draft blog posts for your Rotterdam consultancy, then you edit them before publishing. Article 50(4) text labelling does not apply. The editorial-review exemption attaches because you held editorial responsibility. The hand-edit can be light, but you do need to actually take editorial responsibility. A "reviewed by" byline or an internal record of the review is enough.

You're a Utrecht real estate agent generating staged photos of empty rooms with AI. Two paths. If the image plausibly depicts the real listing's actual room in a way a viewer would treat as authentic photography, it is a deepfake under Article 3(60) and needs the AI-generated label. If the image is a concept render of "this is roughly what the space could look like" with no claim to depict the actual room, it is outside Article 50(4). The conservative move is to label all virtually-staged images and lose nothing by doing so.

When this article does not apply to you

If your Dutch business uses AI for hiring decisions, credit scoring, insurance underwriting, biometric identification, education access decisions or anything law-enforcement-adjacent, you are in Annex III high-risk territory. Those obligations land 2 August 2027. They are different and heavier than Article 50, and the AP plus the RDI (Rijksinspectie Digitale Infrastructuur) will treat them under a separate enforcement regime. The realistic SMB falls outside this category. If you recognise yourself in it, talk to a specialist. This article is not for that case.

If your site is purely informational with no chatbot, no AI-generated images of real people or places and no AI-drafted text on matters of public interest, Article 50 essentially does not affect you. The GDPR fine ranges the AP applies, cookie law under the Telecommunicatiewet and the EAA all still apply on their own timelines, but those are existing obligations the AI Act does not change.

Enforcement: AP and RDI

The Netherlands has designated the Autoriteit Persoonsgegevens as the national competent authority for AI Act enforcement, with the RDI (Rijksinspectie Digitale Infrastructuur, part of Agentschap Telecom) acting in market surveillance for AI systems placed on the market. Verify the live designation against the Commission's Article 70 register before relying on it, because the Dutch designation has gone through several iterations.

For a realistic Dutch SMB, an Article 50 enforcement action typically starts with a complaint about a specific issue, such as an unlabelled deepfake of a real person or an emotion-recognition CCTV system without notification, and lands on a warning or an order to comply before any fine. Article 99(6) tells Member States to consider lower fines for SMEs and start-ups, and the AP has built that into its published enforcement approach for other regulations like the GDPR. The €15M/3% maximum is the headline number, not what an Amsterdam dental practice would face for a missed deepfake label.

Effective dates: what applies when

What this does not change

The AI Act is additional to the existing rules. It does not replace anything. The GDPR still applies to any AI system processing personal data on your Dutch site, and the EDPB's December 2024 opinion on AI models is the authoritative guidance for that overlay. The Telecommunicatiewet (art. 11.7a) still governs cookie consent. The EAA still applies. If you want the broader GDPR and EAA liability picture for AI-built Dutch sites, that is the cluster's hub piece.

The AI Act adds narrow transparency obligations on a narrow set of AI uses. It does not transform what your Dutch site has to do across the board.

The Digital Omnibus and the moving timeline

On 7 May 2026 the Council and Parliament reached a provisional agreement on a Digital Omnibus on AI that, among other things, would grant providers of generative AI systems already on the EU market before 2 August 2026 a transitional period until 2 December 2026 to come into compliance with Article 50(2). The headline date of 2 August 2026 for Article 50 itself does not move. The transitional details for already-placed systems may shift, and the Product Liability Directive that applies a few months later on 9 December 2026 is its own related strand. <!-- TODO: replace with /nl/en/guides/product-liability-directive-2026 when cluster #5 publishes --> Verify the Digital Omnibus status at the time you act on this.

The Commission also published draft Guidelines on Article 50 on 8 May 2026, with consultation closing 3 June 2026. The Guidelines are the Commission's interpretive instrument and the most current authoritative source on what Article 50's four paragraphs actually require in practice. The voluntary Code of Practice on AI-Generated Content is the parallel industry-facing instrument, with a final version expected June 2026. Neither is binding law. Both are authoritative interpretation.

Five things to check on your Dutch site before 2 August 2026

1. Your chatbot, if any, discloses its AI nature on first interaction or in a way a reasonable visitor would clearly recognise. Confirm with the vendor.
2. Any image on your site depicting a real person, real place or real event in a way that could appear authentic is labelled as AI-generated.
3. Any AI-drafted blog post has clear human editorial review on file. A "reviewed by" byline or an internal record is enough.
4. Any emotion-recognition or biometric-categorisation system you deploy (sentiment-analysis cameras, in-store attention tracking, AI-powered HR shortlisting) discloses that fact to the people exposed.
5. No copyright or personality-rights issues in any AI-generated content on your site. The labelling question is separate from the licensing question, and both can apply to the same image.

Our free compliance scan checks GDPR, cookies, accessibility and image rights today. AI Act labelling checks are on the roadmap. The scan will not yet flag missing Article 50(1) chatbot disclosure, but it will tell you whether the rest of your Dutch site is on solid ground.

Common Questions

Do I have to label every AI-written blog post I publish on my Dutch site?

No. Article 50(4) has an editorial-review exemption. If you review and sign off on AI-drafted text as the editor, the labelling obligation does not apply. The AP and RDI are not coming for hand-edited blog posts.

Do I have to disclose that my chatbot is AI under Dutch law?

Article 50(1) puts that obligation on the AI provider, not on you as the deploying business. Mainstream chatbot vendors build the disclosure in. Your job is to confirm the vendor does so, not to add the disclosure yourself.

What counts as a deepfake under the AI Act?

Article 3(60) defines it as AI-generated or AI-manipulated image, audio or video that resembles existing persons, objects, places, entities or events and would falsely appear authentic. Generic AI marketing imagery without real people or real events is not a deepfake.

What can the AP or RDI fine me for an Article 50 violation?

Article 99 sets the maximum at EUR 15 million or 3% of worldwide annual turnover. The Netherlands has signalled it will apply Article 99(6) proportionately for SMEs. Realistic exposure for a Dutch SMB website is far below the maxima.

Does this apply if I sell to UK customers but my site is Dutch?

Yes. The AI Act binds you as the Dutch operator wherever your customers are. The reverse case (a UK operator selling to Dutch customers) brings the UK operator into AI Act scope for that activity under Article 2 extraterritorial reach.

Related reading

Cluster pieces that pair with this one:

• Who's liable when AI helps build your Dutch website. The hub piece on GDPR, EAA and cookie-law liability for AI-assisted Dutch sites.
• AI-generated images on your website and Article 50(4) deepfake labelling in practice. <!-- TODO: replace with /nl/en/guides/ai-generated-images-copyright when cluster #3 publishes -->
• Product Liability Directive 2024/2853, applicable 9 December 2026, four months after Article 50. <!-- TODO: replace with /nl/en/guides/product-liability-directive-2026 when cluster #5 publishes -->
• AI-generated code copyright. Distinct from Article 50 transparency. This one is about open-source licensing rather than disclosure. <!-- TODO: replace with /nl/en/guides/ai-generated-code-copyright when cluster #2 publishes -->
• GDPR fines in the Netherlands. The enforcement context the AI Act sits alongside.

This article is technical analysis, not legal advice. The author is not your lawyer and is not your registered controller. For a binding view, talk to one of those.