EU AI Act & AI Strategy for Manufacturers: What Dutch Factories Need to Know

EU AI Act compliance manufacturing has moved from legal abstraction to operational reality. Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act — entered into force in August 2024, and its obligations are now on a clear timetable for manufacturers across the Netherlands and the wider EU. Whether your factory runs predictive maintenance algorithms, computer vision quality inspection, production scheduling optimisation, or AI-assisted worker-monitoring systems, there is a question you need to answer: what risk category does each of those systems fall into, and what does that mean for how you deploy and govern them?

The answer is more nuanced than the headlines suggest. The vast majority of AI applications currently running in Dutch manufacturing facilities are not high-risk under the EU AI Act. Predictive maintenance models, demand-forecasting engines, and optical defect-detection systems deployed as standalone quality tools sit in the limited-risk or minimal-risk categories. But a subset of factory AI — particularly AI that forms part of the safety function of a machine, AI used to monitor workers in ways that affect their working conditions, or AI integrated into autonomous machinery — can qualify as high-risk and trigger a substantial set of compliance obligations.

This guide is written for operations directors, plant managers, CTO offices, and the owners of Dutch manufacturing businesses who are trying to work out what the EU AI Act means for them in practice. It explains how the Act applies to manufacturing AI, how it interacts with the EU Machinery Regulation, and what a practical, phased AI strategy looks like for a factory that wants to be both competitive and compliant. It is general information, not legal advice — for advice specific to your organisation and systems, engage a qualified legal professional.

Does the EU AI Act apply to AI systems used in manufacturing?

Yes — but the way it applies depends almost entirely on what the AI system is doing and where its outputs go. The EU AI Act takes a risk-based approach, placing every AI system into one of four categories: unacceptable risk (prohibited outright), high-risk, limited-risk, or minimal-risk. For manufacturers, the critical question is whether any of your AI systems fall into the high-risk category, because that is where the substantive compliance obligations live.

High-risk AI systems are defined in Regulation (EU) 2024/1689 by reference to two lists. The first is a list of sectors in Annex I where AI systems used as safety components are automatically high-risk — this list is tied to existing EU product safety legislation, and it includes machinery. The second is Annex III, which enumerates specific high-risk use cases across domains including employment, law enforcement, and critical infrastructure. For manufacturing specifically, the most relevant high-risk categories are:

• AI used as a safety component of a product covered by EU harmonisation legislation listed in Annex I — this is the manufacturing-specific high-risk trigger, and it captures AI embedded in machinery where the AI itself performs a safety function.
• AI systems used for worker monitoring and evaluation — Annex III explicitly lists AI used for monitoring the performance and behaviour of employees in the context of employment, including in manufacturing environments.
• AI used in critical infrastructure — if your manufacturing facility is part of critical infrastructure (energy production, water, certain supply chains), additional considerations may apply.

Crucially, AI used for operational efficiency without a safety function — predictive maintenance that flags a potential bearing failure to a human technician, a demand-forecasting model that feeds into a planner's spreadsheet, a quality-inspection camera that flags suspect parts for human review — is typically not high-risk under the Act. These systems sit in the limited-risk or minimal-risk categories. Limited-risk systems (including AI that interacts directly with people) carry transparency obligations but nothing approaching the full high-risk compliance regime.

This distinction matters enormously for how you prioritise your AI compliance programme. Spending as much effort on your scheduling algorithm as on an AI system embedded in a safety-critical press or robot is a misallocation of resources. The first step of any responsible AI manufacturing strategy is an honest risk classification of every AI system in your estate.

The Machinery Regulation: the other piece of the compliance puzzle

For manufacturers, the EU AI Act does not sit in isolation. It interacts closely with the new EU Machinery Regulation (Regulation (EU) 2023/1230), which replaces the Machinery Directive and applies to machinery placed on the EU market from 20 January 2027. The Machinery Regulation introduces updated safety requirements for machinery that incorporate evolving AI or machine learning capabilities — a direct response to the reality that modern industrial machines increasingly run adaptive algorithms rather than fixed control logic.

The interaction between the two regulations works as follows. If a machine incorporates an AI system, and that AI system performs a safety function for that machine, then the AI system is high-risk under the EU AI Act (because machinery is listed in Annex I). The manufacturer of the machine — as the provider of the AI system in this context — carries provider-level obligations under the AI Act: technical documentation, conformity assessment, registration in the EU database of high-risk AI systems, a declaration of conformity, and CE marking where applicable. The Machinery Regulation then layers on its own requirements for safety, transparency, and risk assessment for the machine as a whole.

If you are a manufacturer who buys machines with embedded AI, rather than building them, you are primarily a deployer under the AI Act rather than a provider. Your obligations as a deployer are still meaningful — you must use the system according to the provider's instructions for use, ensure human oversight, monitor operation, report serious incidents, and maintain logs — but the heaviest documentation burden falls on the machine builder. Understanding whether your supplier has discharged their provider obligations is itself a due-diligence step: if they have not, you carry the residual risk.

The authoritative guidance on how the EU AI Act and the Machinery Regulation interact is available from the European Commission AI regulatory framework pages, which are updated as implementing acts and official guidance are published. We recommend bookmarking these rather than relying on secondary summaries — the detail matters.

What are the high-risk obligations that apply to manufacturing AI?

If you have identified a manufacturing AI system that is high-risk — typically because it is embedded in a safety-critical machine, because it monitors workers in ways that affect their conditions, or because it performs autonomous decision-making in a regulated context — you face a specific and demanding set of obligations. These differ depending on whether you are the provider (you built or placed the system on the market) or the deployer (you are using a system someone else built). Most manufacturers are deployers for AI embedded in machines they purchase, and providers for AI systems they develop internally or commission from software vendors for their own use.

Risk management system

High-risk AI systems must operate within a documented risk management system that runs throughout the system's lifecycle — not a one-time assessment but a continuous process of identifying, analysing, evaluating and mitigating risks. For a factory deployer, this means maintaining records of how the AI system is configured, what operational envelope it is designed for, and how risks are monitored and mitigated in your specific factory context. An AI implementation audit is typically the right starting point — a structured review of what each system is doing, what data it processes, and where the gaps are in your oversight framework.

Data governance and quality

High-risk AI systems must be developed and used with appropriate data governance. For manufacturers using or building AI on internal operational data — sensor readings, machine logs, production records, quality inspection images — this means ensuring the data is accurate, representative of your operational conditions, and appropriately managed throughout its lifecycle. Poor data governance is not just a compliance risk; it is the most common reason AI systems underperform in factory settings. Robust data engineering — clean pipelines, documented data lineage, version-controlled datasets — is the foundation of both compliance and performance.

Technical documentation

Providers of high-risk AI systems must produce technical documentation before placing the system on the market or putting it into service. This documentation must describe the system's purpose, the data it uses, how it was trained, its performance characteristics, its limitations, and the risk management measures applied. For internally developed AI systems — such as a proprietary predictive maintenance model built on your own historian data — you are the provider, and you need to produce this documentation even if the system never leaves your factory. This is often a gap for manufacturers who have built AI capabilities organically over time without formalising the documentation.

Transparency and instructions for use

High-risk AI systems must come with instructions for use that enable deployers to understand the system's purpose, capabilities, and limitations, and to operate it in compliance with the Act. Providers must make these available. As a deployer, you must follow them — and you must be able to demonstrate that you have done so. If you are buying an AI-enabled machine or software system and the supplier cannot provide adequate instructions for use, that is a contractual and compliance gap that needs to be addressed before deployment.

Human oversight

Human oversight is the requirement that tends to generate the most questions in manufacturing contexts, because so much of the value of factory AI comes from its ability to operate at speeds and scales that exceed human attention. The EU AI Act does not prohibit autonomous operation — but it does require that for high-risk AI systems, the humans responsible for the system can effectively monitor its operation, understand what it is doing and why, intervene when necessary, and override outputs when appropriate. In practice, this means designing systems with meaningful oversight interfaces, training the operators who use them, and ensuring that the organisational structure supports genuine human accountability rather than nominal sign-off on automated decisions. Our work on machine learning systems always includes explainability and oversight design as core components, not afterthoughts.

Logging and record-keeping

High-risk AI systems must automatically log events during their operation, to the extent technically possible. For manufacturing, this typically means ensuring that AI system outputs — particularly decisions or recommendations with safety or quality implications — are logged with sufficient detail to allow retrospective audit. How long logs must be retained depends on the system type and the applicable sectoral legislation, but the principle is that competent authorities must be able to review system behaviour after an incident. If you are deploying a third-party AI system, reviewing the vendor's logging capabilities and making logging requirements explicit in your contract is a specific action item.

Conformity assessment and CE marking

Providers of high-risk AI systems in the Annex I categories — which includes safety-component AI in machinery — must undergo a conformity assessment before the system is placed on the market. For many machinery AI systems, this will be a self-assessment against harmonised standards, combined with the existing Machinery Regulation conformity assessment. For systems requiring third-party involvement (particularly in higher-risk applications), a notified body may need to be involved. The conformity assessment feeds into a declaration of conformity and, where applicable, CE marking on the product. This is primarily a concern for machine builders selling into the EU market — but if you are buying machines, checking that your supplier has completed a valid conformity assessment is a due-diligence obligation.

Which manufacturing AI use cases are typically not high-risk?

It is as important to know what is out of scope as what is in scope. The following manufacturing AI applications typically fall into the limited-risk or minimal-risk categories under the EU AI Act, and do not trigger the full high-risk compliance regime:

• Predictive maintenance models that generate alerts or recommendations for human review — provided the AI output feeds a human decision rather than directly triggering machine shutdown or safety-critical action without human intervention.
• AI-powered quality inspection cameras that flag suspect components for human review — provided the AI is not autonomously accepting or rejecting products with no human in the loop and no traceability to a human decision.
• Production scheduling and OEE optimisation algorithms that recommend schedules for human approval — because scheduling is not a safety function and does not fall under Annex III.

• Demand forecasting and supply chain optimisation models used to support procurement and logistics planning.
• Energy consumption optimisation systems operating within normal operational parameters and not connected to safety-critical control functions.
• RAG-based knowledge assistants helping maintenance technicians retrieve documentation or troubleshooting guidance.

For these systems, the EU AI Act obligations are minimal or limited to transparency requirements (for example, disclosing when a system is AI-generated if it interacts with people). That does not mean governance is irrelevant — good AI governance is good engineering practice regardless of regulatory category — but it does mean you can prioritise accordingly.

AI strategy manufacturing Netherlands: building a compliant and competitive AI programme

Regulatory compliance is a necessary condition for AI deployment in EU manufacturing, but it should not be the ceiling of ambition. Dutch manufacturers that approach EU AI Act compliance as a one-time tick-box exercise will find themselves revisiting it repeatedly as the regulatory landscape evolves and as they add new AI capabilities. A more durable approach is to build an AI strategy that embeds governance from the outset — so that compliance is a byproduct of good practice rather than a retrofit.

What does that look like in practice for a Dutch manufacturing company? Crux Digits works with industrial clients across the Netherlands to build exactly this kind of integrated AI strategy, from initial readiness assessment through to live deployment and ongoing governance. The typical journey has four stages.

Stage 1: AI readiness assessment and risk classification

Before you can build a strategy, you need an honest picture of where you are. An AI readiness assessment for a factory covers three dimensions: the AI systems you already have (including any AI capabilities embedded in machines you have purchased, ERP systems, and SCADA platforms), your data infrastructure (quality, accessibility, governance), and your organisational readiness (skills, oversight processes, decision-making structures). Alongside this, every AI system in scope is classified against the EU AI Act risk framework — high-risk, limited-risk, or minimal-risk — so that compliance effort is directed where it is needed.

This assessment often surfaces surprises. Manufacturers frequently discover that systems they thought of as simple rule-based automation actually contain ML components that warrant classification. Equally, systems that seemed potentially high-risk often turn out to be clearly limited-risk once the use case is properly characterised. Getting the classification right is the foundation of everything that follows.

Stage 2: governance framework and policy

An AI governance framework for a manufacturing company does not need to be a lengthy document — it needs to be a practical, usable structure that tells people how decisions about AI are made, who is accountable for what, and how risks are identified, escalated and managed. For manufacturers with high-risk AI systems, the governance framework must include the risk management system required by the Act. For all manufacturers, it should include data governance policies, an AI procurement checklist (for vetting AI-enabled equipment from suppliers), and an incident and near-miss reporting process.

Governance frameworks also need to address the human oversight question in operational terms: who on the shop floor is responsible for monitoring AI system outputs, with what training, with what authority to intervene, and how interventions are recorded. This is the gap between a compliant governance document and a genuinely governed AI programme — the latter requires organisational change, not just documentation.

Stage 3: technical implementation with compliance built in

When new AI systems are deployed — whether built in-house, commissioned from a software partner, or embedded in new machinery — compliance requirements should be addressed in the design, not bolted on afterwards. For internally developed AI systems (a predictive maintenance model, a computer vision inspection system, a scheduling optimiser), this means building in logging, explainability, documentation, and data governance from the project start. Our AI implementation methodology includes compliance checkpoints at each project stage: architecture review, data pipeline design, model development, testing, and deployment. We also build the data engineering foundations that make AI systems reliable and auditable — because an AI system is only as trustworthy as the data pipeline feeding it.

Stage 4: ongoing monitoring, audit and adaptation

The EU AI Act is not a one-time compliance event — it is a continuing obligation. AI systems drift over time as production conditions change, as new products are introduced, and as the underlying ML models encounter data distributions they were not trained on. A governance programme for manufacturing AI needs to include regular performance reviews, periodic bias and drift assessments, and a mechanism for updating or retraining models when performance degrades. It also needs to track regulatory developments: implementing acts, harmonised standards, and official guidance are still being published, and the compliance requirements for specific use cases will become clearer over time.

For manufacturers without a large in-house AI team, this ongoing governance work can be structured as a light-touch retainer rather than a full-time function. The goal is to have a clear owner, a regular review cadence, and a documented audit trail — not to create bureaucracy for its own sake.

AI governance industrial company: a practical compliance checklist

• Inventory all AI systems in your factory estate — including AI embedded in machines, ERP and MES systems, SCADA platforms, and any software tools with AI scoring or recommendation features.
• Classify each system against the EU AI Act risk framework (Annex I and Annex III) to determine whether it is high-risk, limited-risk, or minimal-risk.
• For high-risk systems, identify whether you are the provider or the deployer — the obligations differ substantially, and knowing which role you play is the starting point for compliance planning.
• If you are a deployer of purchased high-risk AI systems, request EU AI Act conformity documentation, instructions for use, and logging specifications from your suppliers before deploying.
• If you are a provider of internally developed AI systems, begin producing the technical documentation required by the Act — system purpose, training data, performance characteristics, risk management measures.
• Establish a risk management system for each high-risk AI system — a documented, continuously maintained process for identifying, evaluating and mitigating risks throughout the system's operational life.
• Design and document your human oversight process — who monitors AI outputs, with what training, with what authority to intervene, and how interventions are recorded.
• Review your data governance — data quality, lineage, retention, access controls, and the accuracy and representativeness of training data for any AI systems you develop.
• Check your Machinery Regulation obligations if you build or import machines with embedded AI safety functions — conformity assessment, technical documentation, CE marking.
• Update supplier contracts for AI-enabled machinery and software to include EU AI Act conformity requirements, logging specifications, and incident notification obligations.
• Train operational staff who interact with high-risk AI systems on the system's purpose, limitations, and how to exercise meaningful oversight.
• Establish a regular review cadence — at minimum annual, and triggered by significant changes to the system, its data inputs, or the operational environment.

Responsible AI manufacturing EU: why compliance is also a competitive advantage

The EU AI Act is sometimes framed as a burden on innovation, particularly for smaller manufacturers without large compliance functions. There is a real cost to compliance — documentation takes time, governance structures require investment, and human oversight needs to be genuinely meaningful rather than nominal. But the manufacturers that will struggle most are those that treat compliance as an external imposition rather than an opportunity to build internal capability.

Dutch manufacturers that invest in AI governance now are building something of lasting value: a clear picture of their AI assets, a structured process for evaluating new AI investments, a data infrastructure that supports both current and future AI use cases, and a demonstrable commitment to responsible AI that is increasingly valuable to enterprise customers, particularly those in regulated industries or with their own supply-chain due-diligence obligations. The EU AI Act will eventually require many of these things from all manufacturers — getting there first is an advantage, not a concession.

There is also a direct operational benefit. Manufacturers that have done the work of classifying their AI systems, documenting their performance, and building oversight processes into their operations are better positioned to catch system failures, identify model drift, and maintain the performance levels that justify their AI investment. Governance is not opposed to performance — at industrial scale, it is the foundation of it.

Crux Digits works with Dutch manufacturers to build AI strategies that are both ambitious and grounded — technically rigorous, commercially realistic, and EU AI Act-ready from the start. We are a vendor-neutral consultancy: we do not have commercial relationships with AI platform vendors, and our recommendations are based solely on what is right for your factory, your data, and your compliance context. You can read more about our approach to manufacturing AI on our manufacturing industry page, or explore specific services including AI implementation, data engineering, machine learning, and transparent pricing. Our case studies show how this translates into practice. When you are ready to talk, reach out for a free initial conversation — we will give you an honest picture of where you stand and what the practical next steps are.

Frequently asked questions