AI on the board agenda: best practices

8 May 2026

Artificial intelligence is steadily climbing the board agenda. In 2025, the number of S&P 500 companies with an AI committee more than tripled. The European AI Regulation (better known as the “AI Act”) came into force on 1 August 2024 and is being phased in, with all obligations going live by 2027. Although the AI Omnibus legislation may result in the postponement or simplification of certain elements, it is wise to start preparing for the core obligations now.

The AI Act imposes obligations on providers, deployers, importers and distributors. What exactly your organisation needs to do depends on its role in the chain, and the risk classification of the relevant AI system or AI model. The higher the risk, the more onerous the obligations. These obligations directly affect the responsibilities of directors and supervisory board members, who must ensure that the organisation achieves timely compliance. The general counsel and corporate secretary have a key role to play in translating regulations into internal policies and governance structures. Set out below are best practices for responsible AI use.

Identify all AI applications and their risk levels

Compile an overview of all software and hardware with AI functionality that the organisation deploys or provides. Distinguish between AI systems and AI models in doing so. Put briefly: an AI model is a building block; an AI system is an applied product. The AI Act defines an AI system as a machine-based system that operates with varying levels of autonomy and that infers, from the input it receives, how to generate outputs such as predictions, content, recommendations or decisions. For a detailed explanation of the definition of AI systems, please see this news item. Under the AI Act, AI models fall into two categories: general-purpose AI (GPAI) models and GPAI models that pose a systemic risk. The latter are subject to additional obligations. In a previous news item, we discussed the classification of GPAI models and the obligations associated with them in more detail.

In your inventory, note the distinction between AI deployed as a standalone product (“stand-alone AI”) and AI embedded in other products or services (“embedded AI”). Despite being easily overlooked in practice, embedded AI falls within the scope of the AI Act all the same. Examples include AI functionalities incorporated into HR software, such as automatic CV screening.

Next, classify each AI system according to one of the four risk levels under the AI Act: unacceptable risk, high risk, limited risk or minimal risk. The risk level determines which obligations apply. Various additional requirements are imposed on high-risk AI systems in particular. Determine, too, whether your organisation is a provider or a deployer of the high-risk AI system, as the obligations for providers are more onerous. Bear in mind that your organisation may also be regarded as a provider if AI applications are used under its own name, or if a chatbot originally developed for customer enquiries is repurposed for HR use.

Ensure AI literacy through a suitable training programme

Organisations that develop or deploy AI have to ensure that their staff are sufficiently “AI-literate”. This obligation has applied since February 2025, making it one of the first concrete action points. AI literacy refers to the knowledge and skills that staff need in order to apply AI responsibly, tailored to their role, experience and the context in which the AI is used. What AI literacy entails for your organisation in practice therefore depends on the technical knowledge and experience of those involved and the context in which they work with AI. There is no one-size-fits-all approach. The same applies to directors and supervisory board members: in many cases, they need at least a basic understanding of AI to enable them to ask the right questions and exercise effective supervision in this area. The Dutch Data Protection Authority has provided guidance to steer development of a multi-annual action plan. It calls for an agenda, budget and responsibilities to be set at management level. A brief summary can be found in this news item, including practical examples from the EU AI Office.

Identify transparency obligations and standardise communication

The AI Act requires transparency in certain cases. Users need to know when they are interacting with an AI system (such as a chatbot); AI-generated content must be clearly identifiable as such (including deep fakes); and providers of high-risk systems must provide clear information about their systems’ operation and limitations. Determine whether these obligations apply to your organisation and ensure they are implemented consistently across the business.

Embed AI compliance within the broader digital compliance framework

AI legislation and regulation will continue to evolve, including, for example, through the current negotiations on the AI Omnibus legislation. Assign responsibility within your organisation to one or more individuals to monitor developments in AI legislation and regulations and to update policy accordingly. In addition, integrate AI compliance into your broader digital compliance framework and ensure that directors and supervisory board members receive regular updates on this topic.

If you have any questions about what the AI Regulation and the new AI Omnibus legislation mean for your organisation, please do not hesitate to contact Jurre Reus or Lucy de Graaf.
