EU AI Act Compliance for North Holland SMEs: What Your AI Consultant Should Already Know


TL;DR: If your AI consultant cannot classify your use cases under EU AI Act risk tiers, walk away. Here is what a competent consultant should already know.

The EU AI Act entered its enforcement phase in January 2026. For North Holland SMEs deploying or planning to deploy AI, this is no longer a future concern. It is a current operating constraint with real obligations, real risk classifications, and real consequences for non-compliance.

Yet a pattern has emerged in the consulting market: AI consultants are selling strategy, implementation, and transformation services to Dutch SMEs without demonstrating basic competency in the regulatory framework those same SMEs are now subject to. If your AI consultant cannot classify your planned use cases under the Act's risk tiers in your first conversation, that is not a minor gap. It is a disqualifying one.

The EU AI Act is not optional context for AI consulting in the Netherlands. It is the regulatory floor. And the consultant's fluency with it is one of the clearest signals of whether they are equipped to advise your business.


What the EU AI Act Actually Requires from SMEs

The Act establishes a risk-based classification system for AI use cases. Not every application of AI carries the same obligations. Understanding where your planned use cases fall is the first step in compliance -- and the first thing a competent consultant should help you determine.

Unacceptable risk: Certain AI applications are prohibited outright. These include social scoring systems, real-time biometric identification in public spaces (with narrow exceptions), and manipulative AI designed to exploit vulnerable groups. Most SMEs will not encounter these, but a consultant should confirm that explicitly rather than assuming it.

High risk: This is where most compliance complexity lives for SMEs. AI used in employment decisions (screening, evaluation, promotion), creditworthiness assessments, access to essential services, and certain safety-critical applications falls under high-risk classification. High-risk systems require conformity assessments, risk management systems, human oversight provisions, data governance documentation, and transparency obligations.

Limited risk: AI systems that interact directly with people -- chatbots, content generators, emotion-detection systems -- have transparency obligations. Users must be informed they are interacting with AI.

Minimal risk: Most general-purpose AI tools, internal analytics, and non-customer-facing automations carry minimal additional obligations under the Act.

For a North Holland SME with 10 to 50 employees, the practical question is: which of our current or planned AI use cases fall into the high-risk or limited-risk categories, and what specific obligations follow from that classification?


What Your AI Consultant Should Demonstrate

If you are engaging an AI consultant in 2026 -- whether for strategy, readiness assessment, or implementation -- EU AI Act competency should be a baseline expectation. Here is what that looks like in practice.

Use-case classification ability. The consultant should be able to take your list of planned or active AI applications and classify each one under the Act's risk tiers within the first engagement. This is not a specialised legal exercise. It is a fundamental scoping requirement. If the consultant treats compliance as a separate workstream to be addressed later, they are structuring the engagement incorrectly.

Knowledge of Annex III categories. The high-risk classification is largely defined by Annex III of the Act, which lists specific application domains. A competent consultant should know these categories and be able to map your use cases against them without needing to research the regulation during your engagement.

GDPR intersection awareness. The EU AI Act does not replace GDPR. It layers additional obligations on top of existing data protection requirements. Your consultant should be able to explain how the two frameworks interact for your specific use cases -- particularly around automated decision-making, data subject rights, and the data governance requirements that high-risk AI systems must meet.

Documentation expectations. High-risk AI systems require technical documentation, conformity declarations, and ongoing monitoring records. A consultant advising on AI implementation should be able to outline what documentation your organisation will need to produce and maintain -- before you start building.

Proportionality for SMEs. The Act includes provisions acknowledging the compliance burden on small and medium enterprises. A good consultant will understand these provisions and advise you on how to meet obligations proportionately rather than over-engineering a compliance apparatus designed for a 500-person enterprise.


Red Flags: When the Consultant Is Not Current

Several patterns indicate an AI consultant is not adequately prepared to advise a Dutch SME in the current regulatory environment.

Compliance is positioned as a "Phase 2" topic. If the consultant's engagement model separates strategy from compliance -- do the fun AI work first, worry about regulation later -- that is a structural problem. Classification should happen at the start, because it affects which use cases are viable, how they need to be built, and what documentation overhead the organisation must absorb.

The consultant references the AI Act as "upcoming" legislation. The enforcement phase began in January 2026. General-purpose AI model obligations have been applicable since August 2025. A consultant describing the Act as future-tense is not tracking the regulatory timeline.

No mention of risk tiers in the proposal or scope of work. If the engagement proposal does not reference the Act's risk classification framework, the consultant either does not know it or does not consider it relevant. Both are disqualifying.

Generic compliance recommendations. Advice like "you should ensure AI ethics" or "implement responsible AI practices" without specific reference to the Act's requirements is not compliance guidance. It is filler.


Why This Matters More for SMEs Than Enterprises

Large enterprises typically have dedicated legal and compliance teams that can evaluate AI regulation independently of their technology consultants. North Holland SMEs with 10 to 50 employees almost never have that luxury. The AI consultant is often the only external expert advising on both the technology and the regulatory context.

That dual role makes competency in both domains non-negotiable. An SME that deploys a high-risk AI system without the required conformity assessment or documentation is not just underperforming operationally -- it is exposed to regulatory action. The Act includes provisions for fines of up to 35 million euros or 7% of global annual turnover for the most serious violations, with lower thresholds for other categories of non-compliance.

For a 30-person company in Haarlem or Zaandam, a compliance failure does not need to reach those upper thresholds to be damaging. The reputational and operational disruption of a regulatory inquiry alone can be significant.


A Practical Checklist for Evaluating Your Consultant

Before signing an AI consulting engagement, ask these questions. The answers will tell you whether the consultant is current with the regulatory environment your business operates in.

  1. Can you classify our planned AI use cases under the EU AI Act risk tiers? If the answer is anything other than "yes, here is how," reconsider the engagement.

  2. Which Annex III categories are relevant to our industry? The consultant should be able to answer this for your sector without needing to look it up.

  3. How do the Act's requirements interact with our existing GDPR obligations? This should produce a specific, practical answer -- not a generic reference to "data protection."

  4. What documentation will we need to produce for our high-risk use cases? The consultant should outline the documentation requirements at the scoping stage, not after implementation.

  5. What SME-specific provisions does the Act include, and how do they apply to us? A good consultant will use proportionality provisions to right-size compliance, not ignore them.

If the consultant cannot answer these questions confidently and specifically, they are not equipped to advise an SME in the Netherlands in 2026.


Compliance as a Competitive Advantage

For North Holland SMEs that get this right, EU AI Act compliance is not just a cost of doing business. It is a differentiator. In a market where 95% of Dutch companies have adopted some form of AI but only a fraction are creating real business value, the organisations that can demonstrate compliant, well-governed AI deployments have an advantage with customers, partners, and regulators.

The consultant who helps you get there should be part of that advantage -- not a liability that increases your exposure.

FAQ

What EU AI Act obligations apply to North Holland SMEs in 2026?

Obligations depend on how your AI use cases are classified under the Act's risk tiers. High-risk applications -- such as AI used in employment decisions, creditworthiness, or access to essential services -- require conformity assessments, risk management systems, human oversight, data governance documentation, and transparency measures. Limited-risk systems have transparency obligations. Minimal-risk applications carry few additional requirements.

How can I tell if my AI consultant understands the EU AI Act?

Ask them to classify your planned AI use cases under the Act's risk tiers during your first conversation. They should know the Annex III high-risk categories, understand how the Act interacts with GDPR, and be able to outline documentation requirements at the scoping stage. If compliance is positioned as a "Phase 2" topic or the Act is described as upcoming legislation, the consultant is not current.

Does the EU AI Act apply to small companies with fewer than 50 employees?

Yes. The Act applies based on how AI is used, not company size. However, the Act includes proportionality provisions for SMEs that allow compliance obligations to be met in a right-sized manner. A competent consultant will help you use these provisions rather than applying enterprise-scale compliance frameworks to a 20-person team.

What are the penalties for EU AI Act non-compliance?

The Act includes fines of up to 35 million euros or 7% of global annual turnover for the most serious violations, with lower thresholds for other categories. For SMEs, the practical risk is not just financial penalties but the operational and reputational disruption of a regulatory inquiry.

First AI Movers Radar

The real-time intelligence stream of First AI Movers. Dr. Hernani Costa curates breaking AI signals, rapid tool reviews, and strategic notes. For our deep-dive daily articles, visit firstaimovers.com.