Fines and enforcement under the UAIV: the Dutch supervisory model.

The EU AI Act establishes rules for the development and use of AI systems across the European Union, but leaves enforcement and national supervision largely to individual member states. In the Netherlands, this is handled by the Uitvoeringswet AI-verordening (UAIV, the Dutch AI Act Implementation Act). On 20 April 2026, State Secretary Aerdts (Digital Economy and Sovereignty) opened the draft legislation for public consultation. The consultation ran until 1 June 2026 and outlines how the Dutch supervisory framework will be organised, which authorities will have jurisdiction, and what fines may be imposed.

What the UAIV regulates

The UAIV is the national statute that makes the AI Act enforceable in the Netherlands. Without it, supervisory authorities have no statutory powers to act. The Act designates which authorities serve as market surveillance authorities, grants them the powers required by the AI Act, governs how authorities collaborate and share information, and sets out the procedure for imposing fines. The UAIV is therefore not primarily a substantive tightening of the European rules, but their organisational and procedural translation into Dutch law.

A decentralised supervisory model

The Netherlands has not opted for a single central AI supervisory authority. The draft legislation distributes supervision across ten existing authorities, each responsible for their own domain. The underlying principle is that organisations should continue to deal with the regulators they already know. A financial institution using AI for credit scoring will engage with the Authority for the Financial Markets (AFM) or the Dutch Central Bank (DNB), not a new AI authority.

The Dutch Data Protection Authority (AP) and the State Inspectorate for Digital Infrastructure (RDI) play a coordinating role across the entire framework. They support other supervisory authorities, facilitate collaboration, and prevent fragmentation of oversight. The RDI is additionally designated as the Single Point of Contact (SPOC): the formal point of contact for citizens, businesses, and European institutions, and the representative of the Netherlands in European deliberations.

Distribution by domain

The ten designated market surveillance authorities each have their own sphere of competence:

• AP: supervision of prohibited AI practices, the majority of high-risk AI systems listed in Annex III of the AI Act (including biometrics, education, labour market, and democratic processes), and transparency obligations. Within the AP, AI market surveillance will be organised separately from its GDPR supervision tasks.
• RDI: coordinating supervisory authority and SPOC; also competent for AI in wireless devices (Radio Equipment Directive) and digital critical infrastructure, together with the Inspectorate for the Environment and Transport (ILT).
• AFM and DNB: fully competent for prohibited AI practices, high-risk AI systems, and transparency obligations within the financial sector.
• IGJ (Health and Youth Care Inspectorate): supervision of AI in medical devices and healthcare applications.
• Netherlands Labour Authority (NLA): supervision of AI in workplace contexts, such as CV screening and scheduling algorithms.
• NVWA: product safety for consumers, AI in food supply chains and consumer goods.
• Procurator General at the Supreme Court and President of the Administrative Jurisdiction Division of the Council of State: supervision of AI in the administration of justice, with safeguards for the independence of the judiciary.

Enforcement powers

The draft legislation grants supervisory authorities broad enforcement powers. They may conduct unannounced inspections, request documents, examine AI registers, and review technical documentation. A notable power is the ability to conduct investigations under a fictitious identity: regulators may approach AI systems as mystery shoppers to test how they function in practice. Upon finding an infringement, authorities may impose an order under penalty, apply administrative enforcement measures, and, for serious violations, issue administrative fines.

Fines: three tiers

The AI Act itself (Article 99) sets the maximum fine amounts. The UAIV regulates the national procedure for imposing them. There are three tiers:

• Up to €35 million or 7% of total worldwide annual turnover (whichever is higher): for use of prohibited AI systems such as social scoring, manipulation of vulnerable groups, or unauthorised real-time remote biometric identification.
• Up to €15 million or 3% of total worldwide annual turnover: for non-compliance with most other obligations, including requirements for high-risk AI systems and transparency obligations.
• Up to €7.5 million or 1% of total worldwide annual turnover: for supplying incorrect, incomplete, or misleading information to supervisory authorities or notified bodies.

Lower ceilings apply to small and medium-sized enterprises. When determining the level of a fine, supervisory authorities consider factors including the severity and duration of the infringement, the degree of intent or negligence, the scale of harm caused, and the prior conduct of the organisation.

Current status and next steps

The prohibited AI practices (Article 5 of the AI Act) have been in force since 2 February 2025. The AI literacy obligation under Article 4 has applied since the same date. For standalone high-risk AI systems listed in Annex III, the original compliance deadline of 2 August 2026 has been extended to 2 December 2027 following the political agreement on the AI Omnibus of 7 May 2026. For AI embedded in regulated products (Annex I), the deadline is 2 August 2028.

The UAIV itself has not yet entered into force. Following the public consultation (closed 1 June 2026), the bill will proceed to parliamentary scrutiny by both chambers. In the interim, the RDI and AP are operating under existing powers derived from the GDPR and the General Administrative Law Act.

"Because AI is applied in many sectors, the Cabinet proposes a supervisory structure in which multiple existing supervisory authorities collaborate." — Dutch Government, 20 April 2026

Implications for providers and deployers

Organisations deploying AI must establish which supervisory authority has jurisdiction over their area of application. A healthcare organisation looks to the IGJ, a bank to the AFM or DNB, and an employer using AI for workforce management to the Netherlands Labour Authority. For applications spanning multiple sectors, or where no sectoral authority exists, the AP is the primary point of contact.

Practical compliance steps include maintaining an AI register covering all systems in use, being able to demonstrate that staff meet the AI literacy obligation, and having technical documentation and risk assessments available for high-risk applications. Supervisory authorities have confirmed that enforcement may commence as soon as the relevant provisions take effect.