EU AI Act for Dutch Website Owners

On 2 August 2026 the EU AI Act's transparency rules apply. If your Dutch website has a chatbot or you use AI to draft blog posts or generate marketing images, this article explains what changes and what does not. The short version: most Dutch SMB websites have almost nothing to do, and what they do have to do is narrow.

<figure className="my-8"> <svg role="img" aria-labelledby="art50-flow-nl-en-title" aria-describedby="art50-flow-nl-en-desc" viewBox="0 0 1200 800" xmlns="http://www.w3.org/2000/svg" style={{ maxWidth: '100%', height: 'auto' }}> <title id="art50-flow-nl-en-title">Decision flowchart for whether Article 50 of the AI Act creates obligations for a Dutch website.</title> <desc id="art50-flow-nl-en-desc">Top-down flowchart with four entry points for the four paragraphs of Article 50. Path one for chatbots routes to "no action needed" when a mainstream vendor handles disclosure. Path two for AI-written public-interest text routes to the editorial-review exemption when the operator reviews and approves the content. Path three for AI images of real people or events routes to a deepfake labelling requirement when the image would appear authentic. Path four for emotion-recognition or biometric-categorisation systems routes to a notification obligation. A summary box notes that most Dutch SMB sites reach no-new-obligation outcomes on all four paths.</desc> <rect x="0" y="0" width="1200" height="800" fill="#FFFFFF"/> <text x="600" y="35" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="20" fontWeight="600" fill="#1A1A1A">Does Article 50 apply to your Dutch website?</text> <rect x="40" y="80" width="260" height="65" rx="8" fill="#FFFFFF" stroke="#1A1A1A" strokeWidth="2"/> <text x="170" y="108" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="14" fontWeight="600" fill="#1A1A1A">1. Chatbot on site?</text> <text x="170" y="128" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(Art. 50(1))</text> <rect x="320" y="80" width="260" height="65" rx="8" fill="#FFFFFF" stroke="#1A1A1A" strokeWidth="2"/> <text x="450" y="108" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="14" fontWeight="600" fill="#1A1A1A">2. AI-written public-interest text?</text> <text x="450" y="128" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(Art. 50(4) text)</text> <rect x="600" y="80" width="260" height="65" rx="8" fill="#FFFFFF" stroke="#1A1A1A" strokeWidth="2"/> <text x="730" y="108" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="14" fontWeight="600" fill="#1A1A1A">3. AI image of real people/events?</text> <text x="730" y="128" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(Art. 50(4) deepfake)</text> <rect x="880" y="80" width="260" height="65" rx="8" fill="#FFFFFF" stroke="#1A1A1A" strokeWidth="2"/> <text x="1010" y="108" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="14" fontWeight="600" fill="#1A1A1A">4. Emotion / biometric system?</text> <text x="1010" y="128" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(Art. 50(3))</text> <path d="M 170 145 L 170 195" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="170,200 165,190 175,190" fill="#525252"/> <path d="M 450 145 L 450 195" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="450,200 445,190 455,190" fill="#525252"/> <path d="M 730 145 L 730 195" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="730,200 725,190 735,190" fill="#525252"/> <path d="M 1010 145 L 1010 195" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="1010,200 1005,190 1015,190" fill="#525252"/> <rect x="40" y="210" width="260" height="80" rx="8" fill="#FEF3C7" stroke="#D97706" strokeWidth="1.5"/> <text x="170" y="240" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#1A1A1A">Mainstream vendor</text> <text x="170" y="258" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#1A1A1A">handles disclosure?</text> <text x="170" y="278" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(check vendor docs)</text> <rect x="320" y="210" width="260" height="80" rx="8" fill="#FEF3C7" stroke="#D97706" strokeWidth="1.5"/> <text x="450" y="240" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#1A1A1A">You review and</text> <text x="450" y="258" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#1A1A1A">editorially approve?</text> <text x="450" y="278" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(editorial-review exemption)</text> <rect x="600" y="210" width="260" height="80" rx="8" fill="#FEF3C7" stroke="#D97706" strokeWidth="1.5"/> <text x="730" y="240" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#1A1A1A">Would it appear</text> <text x="730" y="258" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#1A1A1A">authentic to a viewer?</text> <text x="730" y="278" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">(Art. 3(60) test)</text> <rect x="880" y="210" width="260" height="80" rx="8" fill="#FEE2E2" stroke="#B91C1C" strokeWidth="1.5"/> <text x="1010" y="245" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="500" fill="#1A1A1A">Notification required</text> <text x="1010" y="265" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">to exposed individuals</text> <path d="M 170 290 L 170 340" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="170,345 165,335 175,335" fill="#525252"/> <path d="M 450 290 L 450 340" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="450,345 445,335 455,335" fill="#525252"/> <path d="M 730 290 L 730 340" stroke="#525252" strokeWidth="1.5" fill="none"/> <polygon points="730,345 725,335 735,335" fill="#525252"/> <rect x="40" y="355" width="260" height="75" rx="8" fill="#DCFCE7" stroke="#1B7D56" strokeWidth="1.5"/> <text x="170" y="385" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="600" fill="#145E40">No action needed</text> <text x="170" y="405" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#145E40">Provider handles Art. 50(1)</text> <rect x="320" y="355" width="260" height="75" rx="8" fill="#DCFCE7" stroke="#1B7D56" strokeWidth="1.5"/> <text x="450" y="385" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="600" fill="#145E40">Editorial-review</text> <text x="450" y="405" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="600" fill="#145E40">exemption applies</text> <rect x="600" y="355" width="260" height="75" rx="8" fill="#FEE2E2" stroke="#B91C1C" strokeWidth="1.5"/> <text x="730" y="385" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="600" fill="#B91C1C">Deepfake labelling</text> <text x="730" y="405" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="600" fill="#B91C1C">required from 2 Aug 2026</text> <rect x="100" y="490" width="1000" height="220" rx="12" fill="#F0FDF4" stroke="#1B7D56" strokeWidth="2"/> <text x="600" y="535" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="22" fontWeight="600" fill="#145E40">Most Dutch SMB sites reach green outcomes</text> <text x="600" y="568" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="14" fill="#1A1A1A">on all four entry points. The AI Act mostly regulates AI providers,</text> <text x="600" y="590" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="14" fill="#1A1A1A">not the Dutch businesses that use AI-built tools on their websites.</text> <text x="600" y="640" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="13" fontWeight="500" fill="#525252">If any path led to amber or red: it's narrower than the headlines suggest. Read on.</text> <text x="600" y="765" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">Source: Regulation (EU) 2024/1689, Articles 50, 3(60), 99. Applicable 2 August 2026.</text> </svg> <figcaption>Four entry points, four outcomes. Most paths lead to "no new obligation" for typical Dutch small business websites.</figcaption> </figure>

The honest answer up front

For most Dutch SMB websites the AI Act creates almost no new obligations. The heavy obligations under Article 50 fall on the AI providers (the vendors of ChatGPT, Claude, Midjourney, Cursor and the rest). The narrow obligations that fall on the website operator are about deepfakes and emotion-recognition systems that most Dutch SMBs do not use. This article shows when you do need to act and, more importantly, when you do not.

If you also want the broader picture of who pays when AI helps build your Dutch site, that is its own topic.

What Article 50 actually requires

Article 50 of Regulation (EU) 2024/1689 has four paragraphs, and each paragraph allocates the obligation to a different party. Reading them as one rule produces panic. Reading them in turn produces clarity.

Article 50(1): chatbots must disclose they are AI

Providers of AI systems that interact directly with natural persons must design those systems so users are informed they are dealing with an AI, unless that is obvious to a reasonably well-informed average consumer in context.

• Who is responsible: the AI provider, not the deploying business.
• What it means for a Dutch SMB: essentially nothing if you use a mainstream chatbot. The vendor builds the disclosure in. Your only check is to confirm the vendor's chatbot does in fact identify itself as AI when a visitor first interacts.
• Edge case: if you built or substantially modified the chatbot yourself, you become the provider for that specific chatbot and inherit the obligation.

Article 50(2): generative AI output must be machine-readable as artificial

Providers of generative AI systems must mark outputs as artificially generated in machine-readable ways (watermarks, metadata) that allow downstream detection.

• Who is responsible: the AI provider.
• What it means for a Dutch SMB: nothing direct. Watermarking is the AI vendor's problem. When you publish a ChatGPT-drafted post or a Midjourney image on your site, you are not expected to add cryptographic watermarks. The provider should have done so.
• One caveat: do not intentionally strip vendor watermarks. That reads as bad faith and is a separate Article 50(2) problem.

Article 50(3): emotion recognition and biometric categorisation

Deployers using emotion-recognition or biometric-categorisation systems must inform the natural persons exposed to those systems.

• Who is responsible: the deployer, which is you if you use such a system.
• What it means for a Dutch SMB: very little, because almost no SMB uses these. Emotion-recognition tools for HR analytics, retail sentiment cameras, attention-tracking on web pages are the realistic deployer cases. A typical Dutch bakery, restaurant or salon does not deploy any of them.
• GDPR overlay: when one of these systems processes biometric or special-category data, GDPR Article 9 applies on top, which is usually the binding obligation the AP enforces against in practice.

Article 50(4): deepfakes and AI-generated public-interest text

Deployers of AI systems that generate or manipulate "deepfake" content must disclose the artificial origin. A second paragraph extends this to AI-generated text published to inform the public on matters of public interest.

• Who is responsible: the deployer, which is you.
• What is a deepfake: Article 3(60) defines it as AI-generated or AI-manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic. The key words are "existing" and "falsely appear authentic." Generic AI marketing imagery without identifiable real people or real events is not a deepfake under that definition.
• What it means for a Dutch SMB: narrow scope. A Dutch real estate agent using AI to depict a real listing's interior in a way that could pass as photographic is in scope. A salon using AI to make abstract pattern graphics for an Instagram post is not.
• The editorial-review exemption: for AI-generated text under Article 50(4) second paragraph, the labelling obligation does not apply where "the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content." This is the single most important exemption for Dutch SMB blog content. If you review and sign off on AI-drafted posts as the editor, you are out of scope of Article 50(4) text labelling.

Three Dutch SMB scenarios

You added a chatbot to your dental practice website in Amsterdam. Article 50(1) lives with the chatbot vendor. As long as the chatbot identifies itself as an AI or that is obvious from context, you are compliant. Check the vendor's documentation once. You are done.

You use ChatGPT to draft blog posts for your Rotterdam consultancy, then you edit them before publishing. Article 50(4) text labelling does not apply. The editorial-review exemption attaches because you held editorial responsibility. The hand-edit can be light, but you do need to actually take editorial responsibility. A "reviewed by" byline or an internal record of the review is enough.

You're a Utrecht real estate agent generating staged photos of empty rooms with AI. Two paths. If the image plausibly depicts the real listing's actual room in a way a viewer would treat as authentic photography, it is a deepfake under Article 3(60) and needs the AI-generated label. If the image is a concept render of "this is roughly what the space could look like" with no claim to depict the actual room, it is outside Article 50(4). The conservative move is to label all virtually-staged images and lose nothing by doing so.

When this article does not apply to you

If your Dutch business uses AI for hiring decisions, credit scoring, insurance underwriting, biometric identification, education access decisions or anything law-enforcement-adjacent, you are in Annex III high-risk territory. Those obligations land 2 August 2027. They are different and heavier than Article 50, and the AP plus the RDI (Rijksinspectie Digitale Infrastructuur) will treat them under a separate enforcement regime. The realistic SMB falls outside this category. If you recognise yourself in it, talk to a specialist. This article is not for that case.

If your site is purely informational with no chatbot, no AI-generated images of real people or places and no AI-drafted text on matters of public interest, Article 50 essentially does not affect you. The GDPR fine ranges the AP applies, cookie law under the Telecommunicatiewet and the EAA all still apply on their own timelines, but those are existing obligations the AI Act does not change.

Enforcement: AP and RDI

<figure className="my-8"> <svg role="img" aria-labelledby="art99-tiers-nl-en-title" aria-describedby="art99-tiers-nl-en-desc" viewBox="0 0 900 480" xmlns="http://www.w3.org/2000/svg" style={{ maxWidth: '100%', height: 'auto' }}> <title id="art99-tiers-nl-en-title">Three tiers of AI Act fines under Article 99.</title> <desc id="art99-tiers-nl-en-desc">Three penalty tiers under Article 99 of the AI Act. Tier one for prohibited practices under Article 5 reaches up to 35 million euros or 7 percent of worldwide annual turnover. Tier two for most obligations including Article 50 reaches up to 15 million euros or 3 percent. Tier three for supplying incorrect information to authorities reaches up to 7.5 million euros or 1.5 percent. A footnote notes that Member States may apply lower fines to SMEs under Article 99(6) and that realistic Dutch SMB exposure is proportionate to turnover and actual harm.</desc> <rect x="0" y="0" width="900" height="480" fill="#FFFFFF"/> <text x="450" y="40" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="20" fontWeight="600" fill="#1A1A1A">AI Act fines under Article 99</text> <rect x="60" y="80" width="780" height="90" rx="10" fill="#FEE2E2" stroke="#B91C1C" strokeWidth="2"/> <text x="80" y="115" fontFamily="Instrument Serif, serif" fontSize="16" fontWeight="600" fill="#B91C1C">Tier 1: Prohibited practices (Art. 5)</text> <text x="80" y="138" fontFamily="DM Sans, sans-serif" fontSize="13" fill="#1A1A1A">Up to EUR 35 million or 7% of worldwide annual turnover (the higher).</text> <text x="80" y="158" fontFamily="DM Sans, sans-serif" fontSize="12" fill="#525252">Social scoring, manipulative AI, untargeted facial-image scraping.</text> <rect x="60" y="190" width="780" height="90" rx="10" fill="#FEF3C7" stroke="#D97706" strokeWidth="2"/> <text x="80" y="225" fontFamily="Instrument Serif, serif" fontSize="16" fontWeight="600" fill="#D97706">Tier 2: Most obligations including Article 50</text> <text x="80" y="248" fontFamily="DM Sans, sans-serif" fontSize="13" fill="#1A1A1A">Up to EUR 15 million or 3% of worldwide annual turnover (the higher).</text> <text x="80" y="268" fontFamily="DM Sans, sans-serif" fontSize="12" fill="#525252">Transparency failures, high-risk system breaches.</text> <rect x="60" y="300" width="780" height="90" rx="10" fill="#F5F5F5" stroke="#525252" strokeWidth="1.5"/> <text x="80" y="335" fontFamily="Instrument Serif, serif" fontSize="16" fontWeight="600" fill="#525252">Tier 3: Incorrect information to authorities</text> <text x="80" y="358" fontFamily="DM Sans, sans-serif" fontSize="13" fill="#1A1A1A">Up to EUR 7.5 million or 1.5% of worldwide annual turnover (the higher).</text> <text x="80" y="378" fontFamily="DM Sans, sans-serif" fontSize="12" fill="#525252">Misleading regulator responses.</text> <rect x="60" y="410" width="780" height="50" rx="6" fill="#F0FDF4" stroke="#1B7D56" strokeWidth="1"/> <text x="450" y="432" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="500" fill="#145E40">Article 99(6): Member States may apply lower fines to SMEs and start-ups.</text> <text x="450" y="448" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">Realistic Dutch SMB exposure is far below maxima and proportionate to turnover and harm.</text> </svg> <figcaption>The headline maxima under Article 99. For a Dutch small business, realistic exposure is proportionate to turnover and harm, not these numbers.</figcaption> </figure>

The Netherlands has designated the Autoriteit Persoonsgegevens as the national competent authority for AI Act enforcement, with the RDI (Rijksinspectie Digitale Infrastructuur, part of Agentschap Telecom) acting in market surveillance for AI systems placed on the market. Verify the live designation against the Commission's Article 70 register before relying on it, because the Dutch designation has gone through several iterations.

For a realistic Dutch SMB, an Article 50 enforcement action typically starts with a complaint about a specific issue, such as an unlabelled deepfake of a real person or an emotion-recognition CCTV system without notification, and lands on a warning or an order to comply before any fine. Article 99(6) tells Member States to consider lower fines for SMEs and start-ups, and the AP has built that into its published enforcement approach for other regulations like the GDPR. The €15M/3% maximum is the headline number, not what an Amsterdam dental practice would face for a missed deepfake label.

Effective dates: what applies when

<figure className="my-8"> <svg role="img" aria-labelledby="ai-act-timeline-nl-en-title" aria-describedby="ai-act-timeline-nl-en-desc" viewBox="0 0 1100 320" xmlns="http://www.w3.org/2000/svg" style={{ maxWidth: '100%', height: 'auto' }}> <title id="ai-act-timeline-nl-en-title">AI Act phased application timeline from August 2024 to August 2027.</title> <desc id="ai-act-timeline-nl-en-desc">Horizontal timeline with six milestones from August 2024 to August 2027. Entry into force on 1 August 2024. Prohibited practices applicable on 2 February 2025. General-purpose AI obligations and national-authority designations on 2 August 2025. Article 50 transparency obligations on 2 August 2026, highlighted as the most relevant milestone for Dutch website owners. A provisional Digital Omnibus transitional deadline of 2 December 2026. High-risk system obligations on 2 August 2027.</desc> <rect x="0" y="0" width="1100" height="320" fill="#FFFFFF"/> <text x="550" y="30" textAnchor="middle" fontFamily="Instrument Serif, serif" fontSize="18" fontWeight="600" fill="#1A1A1A">AI Act phased application (Article 113)</text> <line x1="80" y1="120" x2="1040" y2="120" stroke="#1A1A1A" strokeWidth="2"/> <circle cx="120" cy="120" r="6" fill="#525252"/> <text x="120" y="146" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fontWeight="500" fill="#525252">1 Aug 2024</text> <text x="120" y="162" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="10" fill="#525252">Entry into force</text> <circle cx="270" cy="120" r="6" fill="#D97706"/> <text x="270" y="146" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fontWeight="500" fill="#D97706">2 Feb 2025</text> <text x="270" y="162" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="10" fill="#D97706">Prohibited practices (Art. 5)</text> <circle cx="450" cy="120" r="6" fill="#D97706"/> <text x="450" y="146" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fontWeight="500" fill="#D97706">2 Aug 2025</text> <text x="450" y="162" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="10" fill="#D97706">GPAI obligations; Art. 70 designations</text> <circle cx="680" cy="120" r="10" fill="#1B7D56"/> <text x="680" y="146" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fontWeight="700" fill="#1B7D56">2 Aug 2026</text> <text x="680" y="162" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="10" fontWeight="600" fill="#1B7D56">Article 50 applies (your date)</text> <circle cx="810" cy="120" r="5" fill="#A3A3A3"/> <text x="810" y="146" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fontWeight="500" fill="#525252">2 Dec 2026</text> <text x="810" y="162" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="10" fill="#525252">Digital Omnibus transitional (if confirmed)</text> <circle cx="1000" cy="120" r="6" fill="#525252"/> <text x="1000" y="146" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fontWeight="500" fill="#525252">2 Aug 2027</text> <text x="1000" y="162" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="10" fill="#525252">High-risk system obligations</text> <text x="550" y="240" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fill="#525252">Article 113 sets the dates. The 2 December 2026 transitional period depends on</text> <text x="550" y="258" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="12" fill="#525252">the Digital Omnibus being adopted (7 May 2026 provisional agreement). Verify at publish.</text> <text x="550" y="295" textAnchor="middle" fontFamily="DM Sans, sans-serif" fontSize="11" fill="#525252">Source: Regulation (EU) 2024/1689, Article 113.</text> </svg> <figcaption>The dates Article 113 sets out. The 2 December 2026 transitional period for systems already on the market depends on the Digital Omnibus being adopted. Verify at publish.</figcaption> </figure>

What this does not change

The AI Act is additional to the existing rules. It does not replace anything. The GDPR still applies to any AI system processing personal data on your Dutch site, and the EDPB's December 2024 opinion on AI models is the authoritative guidance for that overlay. The Telecommunicatiewet (art. 11.7a) still governs cookie consent. The EAA still applies. If you want the broader GDPR and EAA liability picture for AI-built Dutch sites, that is the cluster's hub piece.

The AI Act adds narrow transparency obligations on a narrow set of AI uses. It does not transform what your Dutch site has to do across the board.

The Digital Omnibus and the moving timeline

On 7 May 2026 the Council and Parliament reached a provisional agreement on a Digital Omnibus on AI that, among other things, would grant providers of generative AI systems already on the EU market before 2 August 2026 a transitional period until 2 December 2026 to come into compliance with Article 50(2). The headline date of 2 August 2026 for Article 50 itself does not move. The transitional details for already-placed systems may shift, and the Product Liability Directive that applies a few months later on 9 December 2026 is its own related strand. <!-- TODO: replace with /nl/en/guides/product-liability-directive-2026 when cluster #5 publishes --> Verify the Digital Omnibus status at the time you act on this.

The Commission also published draft Guidelines on Article 50 on 8 May 2026, with consultation closing 3 June 2026. The Guidelines are the Commission's interpretive instrument and the most current authoritative source on what Article 50's four paragraphs actually require in practice. The voluntary Code of Practice on AI-Generated Content is the parallel industry-facing instrument, with a final version expected June 2026. Neither is binding law. Both are authoritative interpretation.

Five things to check on your Dutch site before 2 August 2026

1. Your chatbot, if any, discloses its AI nature on first interaction or in a way a reasonable visitor would clearly recognise. Confirm with the vendor.
2. Any image on your site depicting a real person, real place or real event in a way that could appear authentic is labelled as AI-generated.
3. Any AI-drafted blog post has clear human editorial review on file. A "reviewed by" byline or an internal record is enough.
4. Any emotion-recognition or biometric-categorisation system you deploy (sentiment-analysis cameras, in-store attention tracking, AI-powered HR shortlisting) discloses that fact to the people exposed.
5. No copyright or personality-rights issues in any AI-generated content on your site. The labelling question is separate from the licensing question, and both can apply to the same image.

Our free compliance scan checks GDPR, cookies, accessibility and image rights today. AI Act labelling checks are on the roadmap. The scan will not yet flag missing Article 50(1) chatbot disclosure, but it will tell you whether the rest of your Dutch site is on solid ground.

Common Questions

Do I have to label every AI-written blog post I publish on my Dutch site?

No. Article 50(4) has an editorial-review exemption. If you review and sign off on AI-drafted text as the editor, the labelling obligation does not apply. The AP and RDI are not coming for hand-edited blog posts.

Do I have to disclose that my chatbot is AI under Dutch law?

Article 50(1) puts that obligation on the AI provider, not on you as the deploying business. Mainstream chatbot vendors build the disclosure in. Your job is to confirm the vendor does so, not to add the disclosure yourself.

What counts as a deepfake under the AI Act?

Article 3(60) defines it as AI-generated or AI-manipulated image, audio or video that resembles existing persons, objects, places, entities or events and would falsely appear authentic. Generic AI marketing imagery without real people or real events is not a deepfake.

What can the AP or RDI fine me for an Article 50 violation?

Article 99 sets the maximum at EUR 15 million or 3% of worldwide annual turnover. The Netherlands has signalled it will apply Article 99(6) proportionately for SMEs. Realistic exposure for a Dutch SMB website is far below the maxima.

Does this apply if I sell to UK customers but my site is Dutch?

Yes. The AI Act binds you as the Dutch operator wherever your customers are. The reverse case (a UK operator selling to Dutch customers) brings the UK operator into AI Act scope for that activity under Article 2 extraterritorial reach.

Related reading

Cluster pieces that pair with this one:

• Who's liable when AI helps build your Dutch website. The hub piece on GDPR, EAA and cookie-law liability for AI-assisted Dutch sites.
• AI-generated images on your website and Article 50(4) deepfake labelling in practice. <!-- TODO: replace with /nl/en/guides/ai-generated-images-copyright when cluster #3 publishes -->
• Product Liability Directive 2024/2853, applicable 9 December 2026, four months after Article 50. <!-- TODO: replace with /nl/en/guides/product-liability-directive-2026 when cluster #5 publishes -->
• AI-generated code copyright. Distinct from Article 50 transparency. This one is about open-source licensing rather than disclosure. <!-- TODO: replace with /nl/en/guides/ai-generated-code-copyright when cluster #2 publishes -->
• GDPR fines in the Netherlands. The enforcement context the AI Act sits alongside.

This article is technical analysis, not legal advice. The author is not your lawyer and is not your registered controller. For a binding view, talk to one of those.