AI Video Analytics Under the EU AI Act: The Dutch Reading

The Autoriteit Persoonsgegevens (AP), the AI Act risk tiers, and the biometric carve-outs: why the Netherlands is the EU's strictest enforcer.

Dr. Raphael Nagel


May 30, 2025


The Netherlands is not a difficult jurisdiction for AI video analytics at industrial perimeters. It is the difficult jurisdiction. Every other European reading of the AI Act becomes easier once a system has been engineered to survive a Dutch deployment.

That sentence is not marketing. It is the operational conclusion drawn from how the Autoriteit Persoonsgegevens has positioned itself since 2023, from the way Dutch case law treats workplace and perimeter surveillance, and from the order in which Brussels has phased the AI Act into force. The Netherlands has chosen, deliberately and visibly, to read the Regulation at its strictest reasonable point. Site operators, security integrators, and manufacturers who build for that reading produce systems that travel. Those who build for Spain, Germany, or Italy first and then attempt to retrofit Dutch compliance produce systems that get switched off.

This article describes the Dutch reading in operational terms. It is written from the perspective of a manufacturer of AI-supported video analytics for construction, logistics, and industrial perimeters. It is addressed to the operators on the other side: the people who carry the deployment risk when an analytic model misclassifies a worker, when a biometric function triggers a regulator notification, when a retention setting collides with Article 5 of the GDPR. The Dutch position is not a paradox to be solved. It is a discipline to be absorbed.

Why the Netherlands sets the European ceiling

The Autoriteit Persoonsgegevens has, over the last three reporting cycles, established itself as the most assertive data protection authority in the EU on matters of algorithmic processing. The benchmark cases are documented and the fines have been substantial. Tax administration profiling, facial recognition trials in supermarkets, biometric attendance systems in logistics warehouses. In each instance the AP did not merely sanction. It published reasoning that other European authorities then cited. The pattern matters because it tells a manufacturer what the AP reads first when a new technology arrives at its desk.

The AP reads necessity before it reads consent. It reads proportionality before it reads legitimate interest. It reads the specific risk that the technology poses to the data subject before it reads the operational benefit to the controller. That order of reading is not unique to the Netherlands. It is what the European Data Protection Board has asked of every national authority. What is unique is that the AP applies the order with very little tolerance for the argument that a technology is useful, established, or industry standard. The AP does not consider those arguments sufficient. It considers them irrelevant to the question of whether the processing is lawful.

For AI video analytics this produces a clear consequence. A perimeter system that classifies persons, that distinguishes worker from intruder, that tracks movement across zones, will be evaluated by the AP under both the GDPR and the AI Act simultaneously. The two regimes overlap. They do not contradict each other but they do reinforce each other, and the Dutch reading treats the reinforcement as binding. A system that passes one but fails the other has failed. A system that passes both in a thin sense, with consent forms and signage, but cannot demonstrate necessity and proportionality at the level of system design, has also failed. The standard of demonstration is high. It is documentary, it is technical, and it presumes that the controller has tested alternatives before deploying the one in question.

This is the ceiling. It is not lower than the AI Act requires. It is the AI Act read without the discounts that other jurisdictions are still trying to negotiate.

The risk tiers as they actually apply

The AI Act sorts AI systems into four categories. Prohibited practices. High-risk systems. Limited-risk systems with transparency obligations. Minimal-risk systems. The categories are well known. What is less well understood at operator level is where a perimeter video analytic actually lands, and the answer depends on what the system does, not on what the vendor calls it.

A system that performs real-time remote biometric identification in publicly accessible spaces sits in the prohibited category, with the narrow law enforcement carve-outs that the final text preserved. A system that performs biometric categorisation based on sensitive attributes is also prohibited. Most industrial perimeter analytics do not do either of these things in their default configuration. They detect motion, classify object types, draw bounding boxes around persons or vehicles, and flag anomalies against a learned baseline. That places them, in the default configuration, outside the prohibited tier.

The question is what happens at the next step. If the system stores facial templates, even transiently, to support re-identification across cameras, it crosses into biometric processing under the GDPR and into a regulated zone under the AI Act. If the system is integrated with access control such that the analytic decision triggers a gate or a door, the integration may pull the analytic into the high-risk tier under Annex III, depending on the deployment context. If the system is used to evaluate the conduct of workers, it engages workplace surveillance law, which in the Netherlands is read through both the Works Council Act and the AP's own guidance on employee monitoring. Each of these crossings is a design decision. None of them is accidental. A manufacturer that ships a single configuration to every customer in the EU and lets the customer decide which features to enable has, in effect, transferred the classification risk to the operator. In the Netherlands that transfer does not absolve the manufacturer. The AP has been explicit that the provider obligations under the AI Act apply to whoever places the system on the market, regardless of what the deployer chooses to switch on.

The practical implication is that the design of the system, the way features are exposed, the defaults at first installation, and the documentation that accompanies the product all participate in the legal classification. A perimeter analytic that is shipped with biometric features disabled by default, that requires an explicit configuration step to enable them, and that logs the configuration change in a way that the deployer cannot retroactively alter, is a different legal object than the same software shipped with everything switched on.
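The "disabled by default, deliberately enabled, tamper-evidently logged" pattern described above, written out as an added Python example (not code from BOSWAU + KNAUER or from any product): the feature names, the authoriser and justification fields, and the hash-chained change log are constructed assumptions for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first log entry

# Shipped defaults (constructed for this example): non-biometric detection on,
# every biometric capability off, so the product starts outside the biometric tier.
DEFAULT_CONFIG = {
    "person_detection": True,
    "vehicle_detection": True,
    "zone_alerting": True,
    "facial_templates": False,     # stores templates for re-identification: biometric
    "cross_camera_reid": False,    # re-identification across cameras: biometric
    "emotion_recognition": False,  # prohibited in the workplace, never enableable here
}
BIOMETRIC_FEATURES = {"facial_templates", "cross_camera_reid"}
PROHIBITED_FEATURES = {"emotion_recognition"}


class ConfigError(Exception):
    pass


class PerimeterConfig:
    def __init__(self):
        self.settings = dict(DEFAULT_CONFIG)
        self.log = []  # append-only, hash-chained change log

    def _append(self, entry):
        # Each entry commits to the previous hash, so editing or deleting an
        # earlier entry breaks every hash after it and is caught by verify_log().
        entry = dict(entry, prev_hash=self.log[-1]["hash"] if self.log else GENESIS)
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.log.append(entry)
        return entry["hash"]

    def set_feature(self, name, enabled, authorised_by=None, justification=None):
        if name not in self.settings:
            raise KeyError(name)
        if name in PROHIBITED_FEATURES and enabled:
            raise ConfigError(f"{name} cannot be enabled in this deployment context")
        if name in BIOMETRIC_FEATURES and enabled and not (authorised_by and justification):
            # Entering biometric processing is a deliberate, attributable step.
            raise ConfigError(f"enabling {name} requires an authoriser and a justification")
        self.settings[name] = enabled
        return self._append({"feature": name, "enabled": enabled,
                             "authorised_by": authorised_by, "justification": justification})

    def verify_log(self):
        # True only if every entry is intact and the chain is unbroken.
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def risk_posture(self):
        # Which regulatory path the live configuration puts the system on.
        on = sorted(f for f in BIOMETRIC_FEATURES if self.settings[f])
        return "biometric: " + ", ".join(on) if on else "non-biometric"
```

In a real product the log would be written to storage the deployer cannot rewrite (a write-once store or a remote append-only service), which this in-memory list only stands in for.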

What biometric carve-outs actually cover

The biometric provisions of the AI Act have been described, in popular accounts, as a ban on facial recognition. They are not. They are a structured set of prohibitions and high-risk classifications with carve-outs that are narrower than the marketing material of any vendor suggests. The Dutch reading treats the carve-outs as exceptions to be justified, not as defaults to be invoked.

Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes is prohibited unless one of three narrow conditions applies and a judicial or independent administrative authorisation has been obtained. None of these conditions extends to private security at industrial perimeters. A logistics yard is not a publicly accessible space in the meaning of the Regulation, but the line between a logistics yard and the public road that borders it is not always clean, and a camera that points at the gate often captures the road. The AP has signalled, in its 2024 guidance, that it will read the spatial boundary strictly. A camera that incidentally records the public road is processing personal data of passers-by, and if that processing involves biometric features it engages the full apparatus of the GDPR plus the AI Act.

Biometric categorisation based on sensitive attributes, including race, political opinion, trade union membership, religion, and sexual orientation, is prohibited without qualification in the deployment contexts that matter for perimeter security. Emotion recognition in the workplace is prohibited with very limited exceptions for medical or safety reasons. These prohibitions are not subject to legitimate interest balancing. They are absolute within their scope, and the Dutch reading does not narrow the scope.

What remains permitted, and what most well-engineered perimeter analytics actually do, is non-biometric person detection. The system identifies that an object in the frame is a person. It does not identify which person. It does not store features that would allow identification across sessions. It assigns a transient track ID that is discarded when the person leaves the frame. This is a categorical processing operation, not a biometric one, and it sits outside the prohibited and high-risk tiers provided that the rest of the system is engineered consistently. The engineering consistency is what the AP will examine. A system that claims to perform only non-biometric detection but retains image data in a way that supports later identification has not actually stayed outside the biometric category. It has merely deferred the processing.

The high-risk path and what it costs

When a perimeter analytic does fall into the high-risk tier, whether because it is integrated with access control in a way that engages Annex III or because the deployer has enabled biometric features, the obligations under Articles 8 through 15 of the AI Act apply. These are not light obligations. They include a risk management system that runs across the lifecycle of the model, data governance covering training and validation sets, technical documentation that a market surveillance authority can read, record keeping that allows reconstruction of the system's behaviour, transparency to deployers, human oversight built into the system architecture, and a level of accuracy, robustness, and cybersecurity that has been tested and documented.

NIST CSF 2.0 and IEC 62443 are the operational frameworks that most credible manufacturers use to satisfy the cybersecurity element. NIST 800-53 provides the control catalogue. ISO 27001 covers the management system around the controls. None of these are required by name in the AI Act, but the AP and other competent authorities will look for evidence that the manufacturer has used a recognised framework. A perimeter system whose cybersecurity posture is documented only as a vendor's assertion will not pass scrutiny. A system whose posture is mapped to a published framework, with the gaps acknowledged and the compensating controls described, is in a different position.

The cost of operating a high-risk system over its lifetime is substantially higher than the cost of operating a system that has been engineered to remain outside the high-risk tier. This is the central commercial calculation. For most industrial perimeter applications, the operational benefit of biometric features is small compared to the compliance cost they trigger. A non-biometric detection system, well engineered, delivers most of the security value at a fraction of the regulatory overhead. The Dutch reading rewards this calculation. A manufacturer that defaults its systems to the non-biometric path, and that requires deliberate configuration to enter the high-risk path, has positioned its product for the Netherlands and, by extension, for every other EU jurisdiction. The book BOSWAU + KNAUER. From Building to Security Technology argues this point at length: the platform that survives is the one that treats compliance as a structural property of the architecture, not as a layer added at the customer site.

Enforcement and the operational reality

The AP is not the only authority involved. Market surveillance under the AI Act will be conducted by designated national bodies, and the coordination between the AP, the market surveillance authority, and the labour inspectorate is still being established. What is already clear is that the AP will lead on questions of personal data, that the market surveillance authority will lead on questions of conformity assessment and CE marking under the AI Act, and that the labour inspectorate will engage where workplace surveillance is involved. Operators face the possibility of parallel proceedings from three authorities, each examining a different facet of the same deployment.

The penalties are non-trivial. The AI Act provides for administrative fines of up to thirty-five million euro or seven percent of global annual turnover for prohibited practices, fifteen million or three percent for other violations, and seven and a half million or one and a half percent for incorrect information to authorities. The GDPR fines run in parallel. A deployment that violates both regimes is exposed to both fine ranges. The AP has not been shy about issuing GDPR fines in the upper bands when it concludes that the controller has ignored guidance. There is no reason to expect a different posture under the AI Act.

The enforcement posture matters operationally because it determines what a site operator must be able to demonstrate at short notice. The AP can request documentation, can require access to systems, can demand that a deployment be paused while it conducts an investigation. A site that cannot produce its data protection impact assessment, its records of processing, its conformity documentation, its human oversight protocols, and its incident logs within the timelines that the authority sets, has effectively confessed to the violation regardless of what the underlying processing actually does. Documentation is not paperwork. It is the only evidence that the system is operated as designed. CISA, in its parallel guidance for operational technology, makes the same point: in a regulated environment, what is not recorded did not happen, and what did happen but was not recorded cannot be defended.

What holds

The Netherlands has chosen to read the AI Act as it was written, without the discounts that vendors and trade associations have lobbied for in other capitals. This choice produces a clear engineering brief for manufacturers of perimeter video analytics. Default to non-biometric processing. Expose biometric features only through deliberate configuration that the deployer must authorise and log. Document the system against recognised frameworks. Build human oversight into the architecture rather than into the operations manual. Treat the AP's published reasoning as the European ceiling, not as a national peculiarity.

For operators, the Dutch reading is an opportunity rather than a constraint. A perimeter system that is compliant in the Netherlands is compliant everywhere in the EU. The reverse is not true, and the gap between the two positions is widening as the AI Act phases in. Site operators who are currently deploying analytics under the assumption that German or Spanish guidance represents the European norm should expect the norm to shift toward the Dutch reading over the next two reporting cycles.

A sixty-minute confidential conversation, the first of the three engagement paths described in BOSWAU + KNAUER, is the appropriate format to test whether a current deployment sits on the right side of that shift. For sites that already suspect the answer is no, a three to five day audit, conducted on the standards the AP would apply, produces the documentation that determines what comes next.

Frequently asked questions

How strict is the AP?

The Autoriteit Persoonsgegevens is the strictest data protection authority in the European Union on matters of algorithmic processing and video analytics. It applies necessity and proportionality tests before it considers consent or legitimate interest, it treats the AI Act and the GDPR as mutually reinforcing rather than as alternative routes, and it has issued fines in the upper administrative bands when controllers have ignored its published guidance. The practical effect is that any video analytic deployment in the Netherlands must be defensible at the level of system design, not only at the level of operational documentation.

What is high-risk AI?

Under the AI Act, high-risk AI systems are those listed in Annex III or integrated as safety components in regulated products. For perimeter video analytics, the high-risk path is typically entered when the system performs biometric identification or categorisation, when it is integrated with access control in safety-critical contexts, or when it is used to evaluate worker conduct. High-risk systems trigger obligations under Articles 8 through 15: risk management, data governance, technical documentation, record keeping, transparency, human oversight, accuracy and robustness, and cybersecurity. The compliance overhead is substantial and persists across the operational lifetime.

What is allowed at perimeters?

Non-biometric person and vehicle detection is generally permitted at industrial perimeters, provided that the processing is necessary and proportionate, that signage and information obligations are met, that retention periods are minimised, and that the system does not incidentally capture publicly accessible spaces in a way that engages further prohibitions. Object classification, motion analytics, zone-based alerting, and anomaly detection against learned baselines fall within this permitted range. Biometric identification, emotion recognition in workplace contexts, and categorisation based on sensitive attributes do not, and the Dutch reading does not narrow these prohibitions through interpretive carve-outs.

Who enforces?

Enforcement in the Netherlands is distributed across three authorities. The Autoriteit Persoonsgegevens leads on personal data and on the GDPR dimensions of any deployment. The designated market surveillance authority under the AI Act handles conformity assessment, CE marking, and the provider obligations of the Regulation. The Nederlandse Arbeidsinspectie engages where workplace surveillance is involved. The authorities coordinate but they do not consolidate proceedings, which means a single deployment can face parallel investigations under different regimes. Administrative fines under the AI Act reach thirty-five million euro or seven percent of global turnover for prohibited practices.


About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
