Guide to primary sources: where AI regulation actually lives
To follow AI regulation, reading three primary sources well beats thirty summaries. This guide organises the official repositories — European, Dutch and standardisation — and notes per source what to use it for and what to watch out for.
Much is written about AI regulation and little is cited. Summaries age quickly — especially now that application dates are shifting — and copy each other's inaccuracies. This guide organises the sources where the rules themselves live, in three layers.
Layer 1: the European texts and their interpreters
EUR-Lex is the only authentic repository of Union law. For the AI Act (2024/1689) and DORA (2022/2554): use the consolidated version once amendments have been incorporated, and always check Article 113 and the final provisions respectively for the application dates — the date of entry into force and the date an obligation becomes applicable differ systematically.
The AI Office of the European Commission publishes, via the digital strategy site, the documents that shape the regulation in practice: guidelines (among others on prohibited practices and the definition of an AI system), the questions-and-answers document on AI literacy, the code of practice for general-purpose models and implementing acts. To know how the Commission reads an open norm, look here.
The EDPB matters as soon as AI touches personal data — which is the case for virtually every application aimed at natural persons. Opinions on AI models and on the relationship between the GDPR and the AI Act appear here first.
Layer 2: the Dutch supervisors
The Autoriteit Persoonsgegevens coordinates Dutch algorithm and AI supervision and reports periodically on AI and algorithm risks. The RDI is the designated market surveillance authority for a large part of the regulation; the government took the step toward formal designation of the supervisors in April 2026, and the draft implementation act was open for consultation until 1 June 2026. For the financial sector, DNB and AFM remain the first point of contact, including where AI obligations arrive via DORA and financial services law.
With all four, mind the difference between guidance (interpretation, often ahead of formal competence) and formal decisions or directives.
Layer 3: standardisation
The harmonised standards that will provide a presumption of conformity with the AI Act are developed by CEN-CENELEC JTC 21. The standards themselves become usable only after publication of their references in the Official Journal, but the work programmes and draft standards give the best picture of what conformity assessment will concretely look like.
Working rules for using these sources
- Cite the consolidated EUR-Lex text, not a summary; name the article and paragraph.
- Distinguish three kinds of dates: entry into force, date of application and — since the Digital Omnibus agreement — politically agreed but not yet published amendments. Only what is in the Official Journal is law.
- Use trackers such as artificialintelligenceact.eu as an index to find the right primary source, never as the final source.
- Date every reference: this field changes by the quarter, and a source without a consultation date is worthless within six months.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  AI Act in the Official Journal; EUR-Lex also provides the consolidated version after later amendments.
- https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  Central Commission page on the AI Act: implementing acts, guidelines and the AI Office.
- https://www.edpb.europa.eu
  European Data Protection Board; opinions and guidelines at the intersection of AI and data protection.
- https://www.autoriteitpersoonsgegevens.nl
  Dutch Data Protection Authority, including coordination of algorithm and AI supervision in the Netherlands.
- https://www.rdi.nl
  Dutch Authority for Digital Infrastructure, designated market surveillance authority for a large part of the AI Act.
- https://www.dnb.nl
  De Nederlandsche Bank; supervision of DORA and of AI use in the financial sector.
- https://www.afm.nl
  Dutch Authority for the Financial Markets; conduct supervision, including AI applications aimed at consumers.
- https://www.cencenelec.eu
  CEN and CENELEC; the joint technical committee JTC 21 develops the harmonised standards under the AI Act.
- https://artificialintelligenceact.eu
  Unofficial but careful tracker by the Future of Life Institute; useful as an index, not an authentic source.
