EU AI Act Goes Live

Europe’s AI law is moving from paper to enforcement, with national regulators now building the machinery that will police it across the bloc. (europa.eu) The Artificial Intelligence Act entered into force on Aug. 1, 2024, but its rules apply in stages: bans on some uses and AI literacy duties started on Feb. 2, 2025; rules for general-purpose AI and national governance structures started on Aug. 2, 2025; most enforcement begins on Aug. 2, 2026. (europa.eu 1) (europa.eu 2) In the Netherlands, the government published a draft AI Regulation Implementation Act for consultation on April 20, 2026, and said oversight will be shared by sector regulators rather than handed to a single new watchdog. The consultation runs until June 1, 2026. (openrijk.nl) (pinsentmasons.com) Dutch officials said the Dutch Data Protection Authority, known as the AP, will act as the lead regulator for new areas, while the AP and the Dutch Digital Infrastructure Inspectorate, or RDI, will coordinate the wider system. A legal analysis of the draft said the model uses ten market surveillance authorities. (openrijk.nl) (lexology.com) That setup matters because the AI Act does not replace the General Data Protection Regulation. The International Association of Privacy Professionals said the AI Act works like a product-safety law, while the GDPR protects personal-data rights, so one AI system can trigger both regimes at once. (iapp.org) The overlap is most obvious in high-risk systems that use personal data. The IAPP said deployers may need both a fundamental rights impact assessment under Article 27 of the AI Act and a data protection impact assessment under Article 35 of the GDPR, because one does not replace the other. (iapp.org) High-risk AI under the law includes systems used in areas such as recruitment, law enforcement, and other uses that can affect safety or fundamental rights. The Dutch privacy regulator said deployers of those systems must log activity, manage data properly, and make sure human oversight is possible. (autoriteitpersoonsgegevens.nl) For providers, Article 9 requires a risk-management system that is established, documented, maintained, and updated through the system’s entire lifecycle. The European Commission’s AI Act Service Desk says that process must identify risks, test the system, and regularly review mitigation measures, including for vulnerable groups. (europa.eu) (eur-lex.europa.eu) The next hard date is Aug. 2, 2026, when Annex III high-risk systems, transparency rules in Article 50, and national and European enforcement structures are due to apply together. By Aug. 2, 2027, the rules for high-risk AI embedded in regulated products are scheduled to apply as well. (europa.eu) For companies selling or using AI in Europe, the shift is no longer about reading the law. It is now about which regulator calls, which assessment must be filed, and whether the records, testing, and controls are already in place before August. (openrijk.nl) (iapp.org)