EU AI Act for SMEs in the Netherlands: A Plain Guide

The EU AI Act applies to most Dutch SMEs, but for the majority it is far less work than the headlines suggest. The Act regulates AI by risk, not by company size: a few uses are banned, a narrow set is high-risk, and most SME tools - chatbots, content generators, simple automations - fall into the limited-risk or minimal-risk tiers. For limited-risk AI your main duty is transparency: tell people when they are talking to or seeing output from an AI. The practical move is to inventory where you use AI, classify each use by risk, and add basic transparency - not to halt your AI plans.

What the EU AI Act actually is

The EU AI Act is the first broad European law that regulates artificial intelligence directly. It entered into force on 1 August 2024 and applies across all EU member states, including the Netherlands, so there is no separate Dutch version to wait for - the same rules apply to a one-person MKB shop in Nieuwegein as to a multinational in Amsterdam. What differs is not the law but how much of it touches you, and for most small and medium-sized businesses that turns out to be a thin slice.

The Act is built on a simple idea: regulate AI by how much risk a given use poses to people, not by how clever the technology is or how big the company deploying it is. The same model - say, a large language model behind a chatbot - can be barely regulated in one use and tightly regulated in another, depending on what it decides and who it affects. That is the single most useful thing to understand before you read another word about compliance.

One honest caveat up front: this is general information from an AI implementation team, not legal advice. Crux Digits builds and classifies AI systems; we are not a law firm, a Data Protection Officer, or a notified body. For a binding legal opinion on your specific situation, talk to a qualified lawyer. What we can do well is help you map where you stand and build systems that are compliant by design - which is usually where the real work is anyway.

The four risk tiers, in plain language

The Act sorts every AI use into one of four buckets. Knowing which bucket each of your tools sits in tells you almost everything about your obligations.

  • Unacceptable risk (banned). A short list of uses that are simply prohibited in the EU - things like social scoring of citizens, manipulative systems that exploit vulnerabilities, and most real-time biometric identification in public spaces. The vast majority of SMEs will never go near these.
  • High-risk. AI used in sensitive areas: recruitment and CV screening, credit scoring, access to essential services, safety components in products, and similar. These carry the heaviest obligations - risk management, data governance, human oversight, documentation, and conformity assessment. Some SMEs land here, most notably through HR and hiring tools.
  • Limited-risk. AI that interacts with people or generates content, where the main requirement is transparency. This is where most SME tools live: customer-facing chatbots, AI that drafts emails or marketing copy, and systems that generate or manipulate images, audio, or video.
  • Minimal risk. Everything else - spam filters, AI in your accounting software, recommendation features, inventory forecasting. The Act imposes essentially no specific obligations here. Most of the AI you already use without thinking about it sits in this tier.

The practical takeaway: the tier is decided by the *use*, not the *tool*. The same chatbot is limited-risk when it answers product questions and edges toward high-risk if you point it at screening job applicants. Classify each use separately.

What most Dutch SMEs actually have

If you run a typical MKB business - a consultancy, a webshop, a logistics operator, a clinic, a manufacturer - and you have adopted AI in the last two years, your portfolio almost certainly looks like this: a customer or website chatbot, a few generative-AI helpers for writing and images, and a handful of behind-the-scenes automations that classify, summarise, or forecast. In risk terms, that is mostly limited-risk and minimal-risk. The scary high-risk obligations apply to specific, named use cases, and you have to actively be doing one of them to be caught by them.

For limited-risk systems, the duty is transparency, and it is genuinely modest. If a person is interacting with an AI - a chatbot, a voicebot - they need to be told, unless it is obvious from the context. If you publish AI-generated or AI-edited images, audio, or video, that content generally needs to be marked as artificially generated. If you send AI-written communications that could be mistaken for a human, the same logic of honest disclosure applies. None of this requires a compliance department; it requires a clear label and a sentence or two of disclosure.

Minimal-risk systems carry no specific AI Act obligations at all. That said, 'no AI Act obligation' is not the same as 'no obligation.' If your AI processes personal data, the GDPR still applies in full - and for many SMEs the GDPR is the heavier, more immediate constraint. It is worth being clear-eyed that the AI Act sits on top of existing law, not instead of it. If you want a deeper, general walkthrough of compliance mechanics, our companion guide on EU AI Act compliance in the Netherlands covers the full picture beyond the SME-specific angle here.

The key dates: a phased rollout through 2027

The Act does not switch on all at once. It phases in over several years, which is good news - it gives you time to get organised rather than scramble.

  • 2 February 2025 - the bans on unacceptable-risk AI took effect, along with new obligations around AI literacy for staff who use AI systems at work.
  • 2 August 2025 - rules for general-purpose AI models (the large foundation models from providers like OpenAI, Google, and others) began to apply. For most SMEs this lands on your vendors, not on you directly.
  • 2 August 2026 - the transparency obligations under Article 50 apply. This is the date most relevant to the average SME: it is when the duty to disclose chatbots, AI interactions, and AI-generated content becomes enforceable.
  • 2 August 2027 - the bulk of the high-risk obligations, including those for AI embedded in regulated products, reach their full deadline.

If you take one date away, make it 2 August 2026. For the limited-risk transparency tier where most SMEs sit, that is your practical horizon. It is far enough away that there is no need to panic, and close enough that quietly sorting it out over the coming months is the sensible play.

Your practical first steps as an SME

You do not need a consultant to begin - you need an afternoon and a spreadsheet. Here is the sequence we walk SME clients through.

1. Inventory your AI uses. List every place AI touches your business: the obvious tools (chatbots, ChatGPT-style assistants, image generators) and the embedded ones (AI features inside your CRM, marketing platform, accounting suite, support desk). You cannot classify what you have not catalogued, and most teams are surprised by how long the list gets once they look properly.

2. Classify each use by risk. Go down the list and tag each one: minimal, limited, high, or banned. Be honest about the high-risk triggers - recruitment, credit, access to services, biometrics. For most SMEs the result is a long tail of minimal-risk, a short list of limited-risk, and zero or one high-risk items that deserve a closer look.

3. Add basic transparency where it is due. For your limited-risk items, implement the disclosures: a clear note that the chatbot is an AI, a label on AI-generated visuals, honest framing on AI-assisted communications. This is usually a few hours of copy and config work, not a project.

4. Do vendor due diligence. Most SMEs do not build their own AI - they buy it. So a large part of your compliance rides on your suppliers. Ask vendors how their tool is classified, whether they support the transparency and documentation you will need, and how they handle the general-purpose AI model rules. Keep the answers on file. If a vendor cannot answer, that itself is a useful signal.

Document the inventory and your classification decisions, even loosely. If a regulator or a customer ever asks, being able to say 'we looked at this, here is how we reasoned' is a far stronger position than a blank stare - and it costs you almost nothing to keep the record as you go.

How to not panic - and not ignore it either

There are two failure modes with the AI Act, and they pull in opposite directions. The first is panic: freezing AI projects, assuming you need a full compliance overhaul, or believing every tool is a high-risk liability. For the typical MKB business that is simply not where the law lands, and freezing your AI roadmap out of fear hands an advantage to competitors who took ten minutes to actually read the risk tiers.

The second failure mode is ignoring it: assuming that because you are small, the rules do not reach you. They do - the Act applies regardless of company size, and limited-risk transparency obligations are easy to overlook precisely because they are easy to meet. The cost of the disclosure is trivial; the cost of being the business that confidently passed off an AI bot as a human agent is reputational as much as legal.

The calm middle path is the right one. Treat the AI Act the way you treat any other compliance matter: do the inventory once, classify, add the handful of disclosures you owe, keep a light paper trail, and revisit it when you adopt something genuinely new - especially anything that touches hiring or other high-risk territory. That is a few hours of work spread over the coming year, not an existential threat. Build it into how you adopt AI rather than bolting it on after the fact, and it largely takes care of itself.

Where compliance and good engineering overlap

The reassuring part is that most of what the AI Act asks for is also just good practice. Knowing what your systems do, being honest with users, keeping a record of decisions, choosing vendors who can stand behind their tools - these are the habits of a well-run AI operation regardless of the law. Compliance and quality engineering point the same way far more often than they conflict.

That overlap is exactly where building things properly the first time pays off. When you design a generative AI feature or an automation with transparency and traceability in mind from the start, the compliance disclosure is a side effect of clean design rather than a retrofit. It is much cheaper to add a clear 'you are talking to an AI assistant' notice while you are building the chatbot than to patch it across a live system later, and the same is true of logging what a model decided and why.

This is also why a structured AI roadmap matters. If you are still mapping where AI fits in your business, an AI Audit and Strategy engagement is the natural place to fold risk classification into the planning - you decide what to build and you classify it in the same conversation, rather than treating compliance as a separate, later headache.

Where Crux Digits helps

Crux Digits is a boutique AI consultancy in Nieuwegein, in the province of Utrecht, working with SMEs across the Netherlands and Europe. We are implementers - we build AI systems and we classify them as part of building them. We are not a law firm or a notified body, so we will not hand you a legal opinion, but we will help you get the practical work right: inventory your AI uses, classify each by risk tier, design the transparency in from the start, and stand up systems that are compliant because they are well-built.

We work in fixed-scope projects with transparent pricing, so you know what you are committing to before you start. An AI Audit and Strategy engagement at a fixed EUR 2,500 is often the right entry point for an MKB business: it gives you the inventory, the risk classification, and a clear roadmap in one pass. From there, a Proof of Concept or a Production Launch can build the actual systems with compliance baked in rather than bolted on. You can see how the engagements are structured on our services page.

If you are weighing up where AI fits in your business and want the AI Act handled as part of the plan rather than as a separate worry, a free, no-pressure consultation is a sensible first step. Bring your list of AI tools - or your questions about building one - and we will help you see clearly where you stand. You can reach us through the contact page whenever you are ready.

Frequently asked questions

Does the EU AI Act apply to small businesses in the Netherlands?

Yes. The EU AI Act applies across the EU regardless of company size, so Dutch SMEs and the MKB are covered just like large firms. What changes with size is not whether the law applies but how much of it touches you - and for most small businesses the relevant obligations are the light-touch transparency rules of the limited-risk tier, not the heavy high-risk requirements.

What risk category does a customer chatbot fall into under the EU AI Act?

A typical customer-service or website chatbot is a limited-risk AI system. The main obligation is transparency: users must be told they are interacting with an AI rather than a human, unless that is already obvious from the context. The tier can change with the use, though - if you pointed the same bot at screening job applicants, that use could become high-risk.

When do the EU AI Act transparency rules start for SMEs?

The Article 50 transparency obligations apply from 2 August 2026. This is the most relevant date for the average SME, because it covers disclosing chatbots, AI interactions, and AI-generated content. Bans on prohibited AI took effect on 2 February 2025, and most high-risk obligations reach their full deadline on 2 August 2027.

What is the first step to prepare my SME for the EU AI Act?

Start with an inventory: list every place AI touches your business, including the AI features embedded in tools you already use. Then classify each use by risk tier - minimal, limited, high, or banned. You cannot decide what compliance you owe until you know what AI you are actually running, and most teams find the list is longer than they expected.

Do I need a lawyer to comply with the EU AI Act?

For most SMEs the practical work - inventory, risk classification, and basic transparency disclosures - does not require a lawyer and can be handled internally or with an AI implementation partner. A lawyer is worth involving for a binding legal opinion, for genuinely high-risk use cases such as hiring or credit decisions, or when you need certainty about a borderline classification. This article is general information, not legal advice.

How does the EU AI Act relate to the GDPR for Dutch SMEs?

The two sit on top of each other rather than replacing each other. The AI Act governs how AI systems are built and used by risk level, while the GDPR governs how you handle personal data. If your AI processes personal data - which is common - both apply, and for many SMEs the GDPR is actually the heavier day-to-day constraint of the two.
