EU AI Act Enforcement

The European Union’s AI Act has moved from a law on paper to an enforcement deadline calendar, with national regulators now deciding who polices what before August 2026. (commission.europa.eu) The act entered into force on August 1, 2024, and its main compliance dates arrive in phases: banned AI practices and AI literacy rules from February 2, 2025; general-purpose AI model rules from August 2, 2025; and most high-risk AI system obligations from August 2, 2026. (europarl.europa.eu) In the Netherlands, the government opened a consultation this week on draft legislation that would spread AI Act oversight across 10 regulators, using a sector-by-sector model instead of a single AI watchdog. The consultation closes on June 1, 2026. (pinsentmasons.com) The Dutch draft gives coordinating roles to the Dutch Data Protection Authority and the State Inspectorate of Digital Infrastructure, while sector regulators would supervise AI inside their own domains, including health, consumer products and labor. (pinsentmasons.com) That structure follows Dutch recommendations published in November 2024, which said existing market surveillance authorities should handle many Annex I high-risk systems, while the data protection authority and digital infrastructure regulator should cover Annex III high-risk systems and prohibited AI uses. (data-en-maatschappij.ai) For companies, the hardest part is not naming the regulator. It is building the controls the AI Act demands for high-risk systems before they go on the market: risk management, data governance, technical documentation, logging, human oversight, accuracy testing and conformity assessment. (europarl.europa.eu) Those AI Act duties increasingly sit on top of the General Data Protection Regulation, not instead of it. The International Association of Privacy Professionals said this week that the AI Act is a product-safety law, while the General Data Protection Regulation is a fundamental-rights law for personal data, and companies may need both a fundamental rights impact assessment and a data protection impact assessment. (iapp.org) The overlap gets concrete in sensitive-data cases. The AI Act allows processing special-category personal data when it is strictly necessary to monitor, detect and correct bias in high-risk systems, but the General Data Protection Regulation still requires a valid legal basis or exception for that processing. (iapp.org) Dutch regulators are also preparing a regulatory sandbox, a supervised testing space for AI developers, with a target launch by August 2026. A March 2025 proposal said 25 organizations had already raised 40 questions in a pilot run. (autoriteitpersoonsgegevens.nl) The next year now looks less like a debate over whether Europe will regulate AI and more like an implementation race over documentation, testing and enforcement lines that companies can no longer treat as theoretical. (commission.europa.eu)