AI Governance

Putting AI to work, with confidence

You want to capture the value of AI and work in a demonstrably responsible way. The European AI Act provides the framework. We help you organise AI clearly, from inventory to training and from policy to continuous assurance. Realistic, pragmatic and tailored to your organisation.

What is AI governance?

AI governance is the set of agreements, processes and documentation through which your organisation uses AI responsibly and demonstrably. We help with inventory, risk classification, policy, AI literacy and — for high-risk systems — the conformity assessment the EU AI Act prescribes.

The AI Act: a European framework for trustworthy AI

The European AI Act has been in force since 1 August 2024 and is being introduced in phases. Its purpose: to ensure that people and organisations can rely on AI systems that are safe, transparent and operate under human oversight. For organisations that want to deploy AI, the framework above all brings clarity — which rules apply to which type of application, and how do you make that demonstrable?

The Act takes a risk-based approach. Most everyday AI applications, such as text assistants, recommendation systems and inventory tools, sit in the lightest category. Applications with a bigger impact, such as AI in recruitment or medical assessment, come with more extensive requirements. Two obligations apply to every organisation working with AI: maintain an AI register, and ensure demonstrable AI literacy among staff.

August 2026 is the milestone when the full framework for high-risk systems becomes enforceable. No reason for panic, but a good reason for structure. Those who calmly start now with inventory and guidelines have ample time to set up governance pragmatically — and along the way build trust with employees, clients and regulators.

  • Aug 2024: AI Act entered into force

  • Feb 2025: AI literacy applies to every organisation using AI

  • Aug 2026: Full framework for high-risk systems

  • 4 risk levels with a differentiated approach per AI type

Risk classes

Four risk levels — your obligations depend on the classification

The AI Act takes a risk-based approach. The higher the risk an AI system poses to people or society, the stricter the rules. Classification is the first step for every organisation: before you can design a compliance programme, you need to know which category your AI falls into.

Unacceptable risk

Prohibited

AI applications that pose a direct threat to fundamental rights have been fully banned since 2 February 2025. Think of systems that manipulate people via subliminal techniques, social credit systems, or real-time biometric identification in public spaces (with limited exceptions for counter-terrorism).

These applications are practically absent in regular business processes; supervision here is the strictest.

High risk

Strict requirements

The core of the AI Act. High-risk systems have significant consequences for health, safety or fundamental rights. Examples: AI for hiring, credit scoring, medical diagnostics, critical infrastructure, migration and law enforcement.

Requirements: risk management, data governance, technical documentation, conformity assessment, CE marking, EU database registration, human oversight and transparency.

Limited risk

Transparency

AI systems that interact with people (chatbots, deepfake generators, emotion recognition) must be transparent. Users have to know they're communicating with AI.

From August 2026 specific labelling obligations apply to AI-generated content.

Minimal risk

No additional requirements

The vast majority of AI applications — spam filters, recommendation systems, inventory tools — fall in this category. No mandatory requirements, but the AI Act encourages voluntary codes of conduct and AI literacy.

Note: the AI literacy obligation (Article 4) applies to every organisation using AI, regardless of risk level.

The six building blocks of AI governance

AI inventory & classification

Map every AI system your organisation uses or builds. Determine the risk class, purpose, supplier and processed data per system. Without this overview, compliance is impossible.

AI literacy

Article 4 obliges every organisation that uses AI to ensure adequate AI literacy among everyone involved. That covers internal staff, external consultants, and even clients who use AI on your platform.

Governance & accountability

Set up a clear governance structure: who is responsible for AI decisions? Who supervises? AI governance touches the board, HR, compliance, operations and legal.

Risk management & documentation

For high-risk systems: implement a risk management system with continuous monitoring. Draft technical documentation that proves the system meets the AI Act. Ensure data governance with demonstrably bias-free, representative datasets.

Conformity assessment

High-risk systems must go through a conformity assessment before going to market, either via internal control or via external assessment by a notified body. CE marking and registration in the EU database follow.

Continuous monitoring & adjustment

Compliance isn't a one-off project. After August 2026 organisations must continuously monitor regulatory updates, report incidents, and update compliance processes.

How we guide you towards AI governance

We build AI systems ourselves, so we understand both the technology and the organisational side. Our approach is paced, workable and adapts to your starting point.

  1. Inventory & risk scan

    1-2 weeks

    We map every AI system in your organisation: what you use, where it comes from, which data it processes, for which purpose. Each system is classified per the AI Act risk classes. Result: an AI register with risk classification per system.

  2. Gap analysis & roadmap

    2-3 weeks

    We test your current state against the AI Act and GDPR requirements. Where are you, where do you need to be, and what's the fastest route? We put together a concrete roadmap with priorities, ownership and timelines.

  3. Guidelines & governance

    2-4 weeks

    We develop practical AI guidelines that fit your organisation: not a generic policy document, but workable agreements on how staff use AI responsibly. Including governance structure, RACI matrix and escalation procedures.

  4. Training & literacy

    ongoing

    We train your staff in AI literacy: not only because it's required (Article 4), but because it works. Teams that understand AI use it more effectively and recognise risks faster. From board to shop floor, tailored to role and knowledge level.

  5. Conformity & documentation

    for high-risk

    For organisations with high-risk AI systems: we guide the conformity assessment, draft the technical documentation, and make sure you're ready for CE marking and registration. We support both internal and external assessment routes.

  6. Continuous monitoring & adjustment

    ongoing

    AI compliance has no end point. We help you set up continuous monitoring, track regulatory developments, and periodically review your AI register and policy. So you stay in control after August 2026.

Conformity assessment

What is a conformity assessment and when is it mandatory?

The conformity assessment is the proof that a high-risk AI system meets the AI Act requirements. It's mandatory before the system goes to the European market or is put into use. There are two routes.

Route 1, internal control (Annex VI)

The provider performs the assessment itself. This includes verifying the quality management system (Article 17) and reviewing the technical documentation. Suitable for most high-risk systems provided harmonised standards have been followed.

Route 2, external assessment (Annex VII)

A notified body assesses both the quality management system and the technical documentation. Mandatory for biometric identification systems and when harmonised standards have not, or only partly, been followed. On approval, an EU certificate for technical documentation follows.

After successful assessment the provider draws up an EU declaration of conformity and applies CE marking. The system is registered in the EU database for high-risk AI systems. Significant changes or a change of intended purpose require a new conformity assessment.

Timeline

AI Act timeline — what applies when?

  1. 1 August 2024

    AI Act entered into force

  2. 2 February 2025

    Ban on unacceptable AI + AI literacy obligation

  3. 2 August 2025

    Rules for general-purpose AI models (GPAI) + governance

  4. 2 August 2026

    Full rules for high-risk AI, transparency obligations, conformity assessments, CE marking, EU database registration

  5. 2 August 2027

    Rules for high-risk AI in regulated products (Annex I/II)

  6. 31 December 2030

    Deadline for large IT systems (border control, etc.)

Note: the Digital Omnibus proposal (November 2025) suggests shifting some deadlines. Until publication in the Official Journal, the original deadlines remain legally in force.

Supervision

Supervision in the Netherlands is clearly arranged

For organisations working with AI it helps that supervision in the Netherlands is clearly divided. One coordinating line, with sector-specific expertise where it adds value — that gives confidence for questions, notifications and the conversation with your regulator.

Coordinating regulators

The Data Protection Authority (AP) and the Dutch Authority for Digital Infrastructure (RDI) are designated as coordinating regulators. The AP already operates in this role via the Algorithm Coordination Directorate and focuses on the broader governance aspects of AI.

Sector-specific supervision

Where AI is deployed within specific sectors, existing regulators join in: the AFM and DNB for financial services, the IGJ for healthcare, and the ACM for market supervision. That builds on expertise that's already there.

2026 work agenda: where attention is going

The AP has named five priorities for 2026: system supervision, transparency and explainability, frameworks and standards, bias and fairness testing, and AI literacy. Those themes mirror what makes a sound governance programme. Putting attention on them now aligns you neatly with the supervisory perspective.

AI literacy

Investing in people who understand AI

Article 4 of the AI Act asks every organisation that uses or builds AI to ensure adequate AI literacy among everyone involved. An obligation, but above all an opportunity. Teams that understand AI deploy it more effectively, recognise risks faster and have better conversations about when AI helps and when it doesn't.

  • Staff working with AI understand how the systems function, what their limits are, and the trade-offs involved.

  • It covers internal staff, external consultants and clients using AI on your platform.

  • You can simply track who was trained when, so literacy grows demonstrably with the organisation.

AI Act & GDPR

Not double work — smart combination

Many AI Act obligations overlap with what you already do (or should do) under GDPR. You can extend your processing register with an AI column. The DPIA you run for high-risk personal data processing often also covers the risk analysis for AI. You can extend your privacy policy with an AI section.

But there are real differences. GDPR protects personal data; the AI Act regulates the AI system as a product. The AI Act requires conformity assessments and CE marking — GDPR doesn't. And for high-risk AI in public bodies the AI Act prescribes a Fundamental Rights Impact Assessment (FRIA), on top of the DPIA.

Gaide helps you set up AI Act compliance as an extension of your existing GDPR programme. No separate track, no duplicate documentation.

Audience

Who is this for?

Board & executives

AI governance is a board-level topic. Who is responsible if an AI decision goes wrong? The AI Act requires organisations to assign responsibilities explicitly. Directors need to understand AI to steer strategically and manage risk.

CISOs & compliance officers

The AI Act adds new compliance requirements that connect to existing frameworks (GDPR, NIS2). You need a grip on AI risks, reporting and demonstrable compliance. The August 2026 deadline calls for action now.

HR directors & CHROs

AI in recruitment, selection and assessment is high-risk under the AI Act. AI literacy is also an HR responsibility: you must be able to demonstrate that staff are trained. This is a strategic theme for L&D and employer branding.

IT & data teams

The technical documentation requirements of the AI Act are substantial. You must document design decisions, data lineage, bias tests and testing methodologies. Agile teams used to minimal documentation need to adjust their way of working.

Operations & process owners

Wherever AI is deployed in business processes — from customer service to logistics — human oversight must be ensured. The AI Act requires that users can interpret AI output and intervene where necessary.

Why Gaide

Why Gaide for AI governance?

We're an AI consultancy that builds and deploys AI systems ourselves. That means we approach governance not as a paper exercise, but as an integral, pragmatic part of how you deploy AI in practice — alongside legal and sector partners where that adds value.

Technical and organisational

We understand both the technical requirements (documentation, bias testing, monitoring) and the organisational side (governance, training, culture change).

Practical, not theoretical

Our guidelines are workable. Staff understand them, managers can enforce them, and regulators accept them.

From strategy to execution

We don't only write the policy — we help with implementation, training and continuous assurance.

SME to enterprise

Whether you're a scale-up with your first AI tool or an organisation with dozens of AI systems, we scale our approach with you.

Frequently asked questions

Does the AI Act already apply to my organisation?

Yes, partly. The ban on unacceptable AI practices and the AI literacy obligation have applied since 2 February 2025. The full rules for high-risk systems become enforceable on 2 August 2026.

We only use ChatGPT and Copilot — does the AI Act still apply?

Yes. The AI literacy obligation (Article 4) applies to every organisation using AI, regardless of complexity. In addition, specific applications — for example using ChatGPT for HR screening — can fall under higher risk classes.

What if we don't fully meet the AI Act?

The Act has a tiered sanctions framework, comparable to GDPR. For most organisations the day-to-day reality is broader: clients increasingly ask for demonstrable AI governance in tenders, and employees and customers value organisations that are transparent about how they use AI. Starting early gives you the calm and the time to set this up well.

How long does it take to become compliant?

It depends on your starting position and the number of high-risk systems. A baseline (AI register, policy, training) can be in place in 4-8 weeks. Full conformity for high-risk systems usually takes 3-6 months.

How does the AI Act relate to GDPR?

They complement each other. GDPR protects personal data; the AI Act regulates the AI system as a product. Many obligations overlap, so combining them smartly avoids duplicate work. Gaide helps you take an integrated approach.

Do we need an external party to do the conformity assessment?

Not always. Most high-risk systems can be assessed via internal control, provided harmonised standards have been followed. External assessment by a notified body is mandatory for biometric identification systems and in specific other cases.

Does the AI Act apply outside the EU?

Yes. The law is extraterritorial: it applies to any organisation that places AI systems on the EU market or deploys them, regardless of where the company is established.

Moving forward responsibly with AI, together

Whether you're just starting with AI governance or want to sharpen an existing programme, we'd be glad to think along. In a no-strings half-hour we'll talk through where your organisation stands and what a fitting trajectory could look like.