AIAdopt
HomeInsightsThe EU AI Act for local authorities: what must you already have in place?
articleMay 2026· 6 min reading time

The EU AI Act for local authorities: what must you already have in place?

What the EU AI Act means for local authorities: which tools are high-risk, citizens' rights under Article 86, the deadlines and the four roles that need training.

The EU AI Act for local authorities: what must you already have in place?
Updated 1 July 2026. The Digital Omnibus on AI has been adopted by the European Parliament (16 June 2026) and the Council (29 June 2026) and is still awaiting publication in the Official Journal of the EU, expected in July 2026. Until that publication, the original text of the AI Act formally remains the legal baseline. Through the Omnibus, the application dates for high-risk AI move to 2 December 2027 (stand-alone Annex III systems) and 2 August 2028 (AI in regulated products). The AI literacy obligation of Article 4 continues to apply, as it has since 2 February 2025; the Omnibus does reword that obligation slightly (see below).

Why local authorities are different from other organisations

For most organisations, the EU AI Act mainly revolves around Article 4, the obligation around AI literacy of staff; what Article 4 of the EU AI Act requires is something we set out elsewhere.

For local authorities it is different. Local governments take decisions about citizens, about benefits, permits, social services, enforcement. As soon as AI is introduced into these decision-making processes, each application must be evaluated against Annex III of the regulation. For public assistance, essential services, law enforcement and migration or asylum procedures, the chance of a high-risk AI classification is considerable.

That is not a matter of interpretation. Annex III lists the high-risk AI applications explicitly, and among them are: AI for access to essential public services, AI for assessing or granting public assistance, AI for law enforcement, AI for migration and asylum procedures. Local authorities touch all these areas in their daily practice.

What local governments often do not realise

In conversations with municipal secretaries and IT coordinators, the same pattern keeps coming up: people know that the EU AI Act exists, but underestimate the sheer breadth of the term "AI system". The law applies not only to spectacular applications such as facial recognition or predictive policing. It also applies to everyday tools, with very different risk levels:

An informational chatbot on the municipal website about waste collection or opening hours: usually limited risk with a transparency obligation under Article 50, not high-risk.
A decision-support system for permit applications: possibly high-risk AI, depending on how heavily the AI output feeds into the decision.
An algorithm that prioritises benefit files by risk indicators: a candidate for high-risk AI, because it touches essential public assistance.
A tool that automatically categorises public-space reports: usually minimal or limited risk, unless linked to enforcement decisions or decisions that significantly affect citizens.
Microsoft 365 Copilot in the hands of an official who uses it to write policy documents: usually not high-risk, but very much in scope of Article 4.

Where these tools qualify as AI systems and are used by or on behalf of the local authority, the authority will generally be the deployer. The Article 4 obligation applies to all cases. For the applications that turn out to fall under Annex III, the specific high-risk AI obligations come on top.

What is already mandatory now, what is still to come

Already in force. Article 4 on AI literacy has applied since 2 February 2025. Providers and deployers of AI systems must take measures that support the AI literacy of their staff and of those who work with AI on their behalf, tailored to role, experience and context of use. The Omnibus is intended to clarify that this is an obligation of means: you do not have to guarantee a specific level per person, but you do have to take demonstrable measures. For local authorities, this is the most concrete obligation at this moment.

On 2 December 2026. The Digital Omnibus adds a new obligation: a ban on AI systems for non-consensual intimate-content generation, often referred to as "nudification", and on AI that can generate child sexual abuse material. Relevant for IT procurement policy and for what ends up in the municipal AI tool inventory.

On 2 December 2027. The high-risk AI obligations for stand-alone systems under Annex III become enforceable on this date. Originally, 2 August 2026 was set in Regulation 2024/1689; that date remains formally valid until the Digital Omnibus is published in the Official Journal of the EU, expected in July 2026.

On 2 August 2028. On that date, the high-risk AI obligations become applicable for AI systems embedded in regulated products.

The extra time is not a free pass. For systems that will later be classified as high-risk AI, the provider obligation to carry out a conformity assessment lies primarily with the supplier. For local authorities as deployer, something else applies: using the system in line with the instructions, arranging human oversight with people trained for it, keeping input data under control, monitoring use, reporting serious incidents, keeping logs, checking that required EU database registration has been completed before use, informing affected persons where the law requires it, and cooperating with supervisory authorities.

Who supervises, which rights do citizens get

In Belgium and the Netherlands, supervision is being organised through national and sectoral authorities. For local governments, privacy supervision, sectoral supervision and market surveillance will overlap in practice. In Belgium, the list of fundamental rights authorities under Article 77 has now been published, and it concerns several designated bodies. FPS Economy acts as the official publication and coordination point, not as the sole regulator. The broader supervisory structure (market surveillance, national competent authorities) is being further filled in. In the Netherlands, the supervisory structure is still being finalised through national implementation legislation.

For citizens, Article 86 can create a right to a clear and meaningful explanation where a decision is taken on the basis of output from an Annex III high-risk AI system, and that decision has legal or similarly significant adverse effects. This does not apply to every AI-supported administrative step. In addition, for high-risk AI, local authorities must arrange human oversight and keep their existing objection and appeal procedures in order. Complaints are inevitable.

The four roles that must be trained differently in every local authority

One generic training for all officials is not enough for Article 4, and certainly not for local authorities that are going to work with high-risk AI. The law requires the level of training to fit the role. In practical terms, there are four groups that each need their own approach:

General staff (front-desk staff, administration, communication): basic knowledge of responsible AI use, what they may and may not enter into an AI tool, how to recognise warning signs.
Policy officers and permit officers: deeper knowledge of high-risk AI in public services, recognising bias in decision support, arranging human oversight.
Management and executive committee: governance, risk assessment at municipal level, the division of roles between provider and deployer, the duty to account to the municipal council.
IT and information security officers: technical knowledge of logging, monitoring, the detection of shadow AI (unapproved AI use in the organisation), managing supplier contracts that contain AI components.

A local authority that does not address these four roles separately will find it hard, at an audit, to demonstrate that the Article 4 obligation has been taken seriously.

What you can realistically do now

The postponement of the high-risk AI deadlines to 2027 and 2028 changes the time pressure, not the task. The Article 4 obligation already applies, and the time until 2 December 2027 is exactly what a local authority needs to take the high-risk steps carefully rather than in a rush.

Coming months:

Inventory: map all AI systems in use within your local authority. Do not forget the "invisible" ones: AI components in existing software packages, individual ChatGPT accounts of officials, AI features in Microsoft 365.
First risk indication: determine for each system whether it is limited risk, possibly high-risk under Annex III, or out of scope.
Role-based training: start AI literacy training for the four groups above. This can be done now, and must be done now.

Second half of 2026:

Central file: document everything in one central file. Which official followed which training, when, with what result? Which AI systems are in use, at what risk level, with which human-oversight measure? Appoint a responsible person, preferably someone who also holds the DPO function or information security role.
Supplier contracts: review contracts for AI components. Which supplier is the provider, which information should you receive from them as deployer?

2027:

Make high-risk AI systems operational: for systems that will be high-risk: arrange human oversight, make logging operational, record usage instructions, set up an incident-reporting procedure. The actual conformity assessment lies with the supplier; your task is to check that it exists and that the system is used according to specifications.

What it brings your local authority

It is tempting to see the EU AI Act as compliance overhead, yet another obligation on top of the GDPR and NIS2. For local authorities there is a second side. A local authority that has its AI use in order takes better decisions, protects citizens against unjustified decisions, and builds trust with residents who are becoming ever more critical of algorithmic government. That is not a luxury, that is the basic legitimacy of local government in 2026 and beyond.

At AIAdopt, we have tailored the base package and the Public Services sector extension (M3-PD) specifically to the reality of Belgian and Dutch local governments. Every training ends with an assessed certificate that lists the AI Act articles covered, the very evidence a supervisory authority may ask for.

Want to know where your organisation stands?

Download our free EU AI Act Compliance Checklist or view our AI literacy training.

Want to know more?

Get in touch for a no-obligation conversation about what AIAdopt can do for your organisation.