AI vision systems for cargo recognition and surveillance: which rules?

Short answer: It depends on what the camera AI does. Recognising parcels, number plates or damage is usually allowed, provided you meet the baseline obligations. As soon as the system biometrically identifies people or infers emotions, you enter the prohibited or high-risk categories of the AI Act.

AI vision systems are widely used in transport and logistics: to scan load carriers, read number plates, detect damage or watch over yards and loading docks. Which rules apply depends on what the system actually does — not on what it is called. The AI Act (Regulation (EU) 2024/1689) is applied in phases between 2025 and 2027 and operates alongside the GDPR.

Cargo recognition: usually allowed

A camera that counts boxes, recognises pallets, reads number plates or detects damage to containers does not in principle process biometric data. Such uses generally fall outside the prohibited practices and the high-risk categories of Annex III. However, the AI literacy obligation (Article 4), in force since 2 February 2025, applies to everyone who deploys AI: the people working with the system must have sufficient knowledge to use it responsibly. If people are visible in the footage — for example drivers at a loading dock — the GDPR continues to apply in full to that camera surveillance, even where the AI component itself is low-risk.

When it becomes prohibited or high-risk

The tipping point is biometrics and surveillance of individuals. Real-time remote biometric identification in publicly accessible spaces is in principle prohibited; the AI Act allows only narrow, strictly framed exceptions for law enforcement. Untargeted scraping of facial images to build facial-recognition databases and emotion recognition in the workplace are also prohibited practices that have applied since 2 February 2025. Systems for biometric identification or categorisation of individuals that are not prohibited fall under high-risk (Annex III, point 1), with strict requirements on risk management, data quality, transparency and human oversight. A camera that primarily scans cargo but incidentally recognises or assesses staff can thus still fall within these regimes.

What to arrange in practice

First determine the function of the system: does it scan objects or identify people. Document that distinction, because it determines the applicable regime. For object recognition, arrange AI literacy and a GDPR legal basis for any people who are visible. For biometric or surveillance functions: the ban cannot be legitimised with consent or a business interest, and high-risk obligations formally apply from 2 August 2026 — via the proposed Digital Omnibus this shifts to 2 December 2027 (still under consideration). Transparency obligations (Article 50) take effect on 2 December 2026. On the privacy side, the Dutch Data Protection Authority is the supervisory authority in the Netherlands.

Read more: AI Act: timeline of obligations. Take the scan.