The AI Act is the European regulation governing the development and use of artificial intelligence. It adopts a risk-based approach. This ranges from prohibited applications to strict rules for high-risk AI and transparency requirements for AI-integrated systems.
Want to learn more about the AI Act and what it means for your organisation? Our cheat sheet gives you an overview of key rules, risks, and obligations. Download the factsheet and gain immediate insight into the impact of the AI Act.
Get the cheat sheetThe AI Act is the European Union's regulatory framework for AI systems. It governs the development, provision, and use of these systems. It paves the way for innovation while limiting risks to safety, fundamental rights, and transparency. The regulation focuses primarily on the reliability and safety of AI systems. When personal data is involved, the GDPR also applies. Organizations must therefore take both frameworks into account.
The AI Act has a very broad scope. This act applies to almost all organisations that develop, supply, or use AI. The following parties fall under the rules:
Providers of AI systems (developers, suppliers)
Distributors and importers
Users of AI systems (businesses, governments, institutions)
GPAI providers (providers of general-purpose AI models)
Organisations that integrate AI into products, such as medical devices, vehicles, or machinery
In addition, the AI Act impacts the entire supply chain. Organisations must demonstrate that suppliers are compliant.
The AI Act takes a risk-based approach. When the potential risk to individuals and society increases, the rules become stricter. Based on this approach, AI systems are classified into the following elements:
The AI Act and the GDPR apply alongside each other. The AI Act focuses on the safety and reliability of AI systems, while the GDPR regulates the processing of personal data.
When AI applications process personal data, organisations must often comply with both laws. In some situations, the GDPR may require a DPIA, while the AI Act may require a Fundamental Rights Impact Assessment (FRIA).
The AI Act distinguishes between different parties in the value chain of AI systems. Each role has its own responsibilities.
Provider
The party that develops the AI system or places it on the market under its own name.
Deployer
The organisation that actually uses the AI system within their processes.
Importers and distributors
Parties that bring AI systems onto the European market or distribute them.
Providers of high-risk AI must demonstrate that their system meets the legal requirements, for example through conformity assessments and documentation.
Each Member State will have at least one supervisory authority. In the Netherlands, the current market supervisory authorities and inspection services will oversee AI.
Supervisory authorities may:
Access all documentation, source code and model parameters.
Give binding instructions on how the AI should be used.
Stop AI systems that are too risky.
Issue fines.
Fines can amount to:
EUR 35 million or 7% of global annual turnover for companies, when using prohibited AI.
EUR 15 million or 3% of global annual turnover for companies, involving other violations.
EUR 7.5 million or 1.5% of global annual turnover for companies, in case of providing incorrect, incomplete, or misleading information to supervisory authorities.
Lower ceilings apply for SMEs and startups.
AI systems used in sectors such as education, recruitment, credit scoring or critical infrastructure are considered high-risk and are subject to extensive compliance requirements.
AI-generated content must be recognisable as synthetic. For deepfakes, this must be made explicitly visible.
Leave a message via the form. One of our legal advisors will contact you. We always begin with a free introductory meeting: by phone, at our office, or at your location.