Dutch DPA sets its course for 2026–2028 with three strategic priorities

According to the AP, it plans to focus its activities within its strategic priorities on large-scale systems and processing with significant societal impact, though it reserves flexibility to address additional issues that may arise based on latest trends and developments. The AP has highlighted that its limited supervisory capacity requires clear prioritisation within its broad statutory mandate.

Below, we outline additional details of the AP’s planned key actions across its fundamental pillars in each strategic priority.

1. Mass surveillance: curbing disproportionate tracking online and in public spaces

The AP expresses concern about the increasing use of tracking technologies, both online and in physical environments, warning that large‑scale surveillance can quickly infringe personal autonomy, enable indirect discrimination, and create pressure on vulnerable groups. Its stated objective is to prevent the emergence of a “surveillance society,” which it describes as one where “vulnerable groups come under even more pressure and (indirect) discrimination lurks.”

Key actions for 2026

AI continues to be a core supervisory theme, with the AP emphasising early-stage intervention, particularly during AI model development and system design.

Key actions for 2026

• Creating frameworks and standards: continued interventions in the law enforcement domain and closely examining the legal framework for online data collection (such as cookies).
• Encouraging responsible use: guidance for data‑sharing in healthcare and the social domain, awareness efforts on private camera use and publishing a discussion paper on smart cameras and behavioural detection.
• Strengthening cooperation: joint efforts with the Dutch Authority for Consumer and Markets (“ACM” — the Dutch regulator responsible for tackling unfair commercial practices, online deception and manipulation, and other consumer‑facing digital market risks) to enhance transparency in digital learning tools used by schools.

2. Artificial Intelligence: early compliance and proactive governance

• Creating frameworks and standards: publication of its vision on generative AI and forthcoming guidance on GDPR preconditions for AI model training, clarification of the right to explanation in automated decision-making and continuation of the bi‑annual AI & Algorithm Risk Report.
• Encouraging responsible use: training reporting centres to identify algorithmic risks and development of a handbook on ethical AI addressing fairness, bias and discrimination.
• Strengthening cooperation: coordination with regulators and municipalities within the Netherlands on AI Act governance and ongoing engagement with other European regulators on possible amendments to the AI Act.

3. Digital resilience: autonomy and security in an unstable geopolitical context

The AP stresses the need for a resilient and autonomous digital infrastructure, particularly given reliance on non‑EU technology providers.

Key actions for 2026

• Creating frameworks and standards: evaluation of security practices in healthcare and the launch of a post-quantum cryptography (PQC) project to anticipate quantum-enabled cybersecurity risks.
• Encouraging responsible use: organize an AI & Algorithms seminar on digital autonomy and ongoing scrutiny of cloud dependencies.
• Strengthening cooperation: intensified collaboration with the National Cyber Security Centre ("NCSC") and healthcare regulators to enhance national digital resilience.

Building on the 2025 Annual Plan

The AP’s 2025 Annual Plan was structured around five thematic enforcement areas in Algorithms & AI, Big Tech, Freedom & Security, Data Trade, and Digital Government. By focusing on only three overarching strategic priorities the AP’s 2026 Annual Plan seems to move from thematic oversight to a more consolidated, multi-year and systemic supervisory model. In doing so, the AP notes that it is actioning the recommendations outlined in its 2024 external evaluation (here).

Substantively, AI remains a core focus, but in 2026 the AP places stronger emphasis on front-end involvement in AI development and cross-regulatory governance under the AI Act. In addition, digital resilience, particularly cloud dependencies and post-quantum security, has emerged as a distinct structural priority.

The 2026 Annual Plan closely aligns with the EDPB’s 2026–2027 Work Programme (here) by focusing on ensuring consistent data protection within the broader EU digital regulatory framework, human-centric oversight of high-risk technologies, and strengthened (international) cooperation between data protection and sectoral regulators.

Budget constraints

The budget constraints already noted in the 2025 Annual Plan remain a major structural challenge, according to the AP. In 2026, its budget is approximately €53.5 million, where the AP indicates it would need €69 million to fulfil its statutory duties. The AP warns that this gap in funding may hamper its ability to adequately perform its tasks given the high degree of digitization in the Netherlands.

Conclusion

The strategic priorities show that the AP is moving towards more anticipatory and collaborative supervision, especially in the area of AI, while continuing to push for greater digital resilience. This approach is consistent with the AP’s recent activities, such as its warning about major security risks with AI agents like OpenClaw (here), its vision on Generative AI (here) and its guidance on AI literacy (here).

Organisations operating in the Netherlands should expect earlier regulatory engagement, more detailed guidance, and increasing scrutiny of systems with large‑scale or societal impact. Against this backdrop, organisations should assess whether their data‑processing activities intersect with the AP’s strategic priorities, and whether their current governance and compliance frameworks reflect the AP’s evolving expectations. For businesses operating in areas the AP has identified for more active intervention (large‑scale surveillance, AI system development, and digital‑infrastructure dependencies) there may also be value in seeking constructive engagement with the AP. Proactive dialogue can help reduce compliance uncertainty, clarify supervisory expectations at an early stage, and support more stable long‑term relationships with the regulator.

Authored by Joke Bodewits, Julian Flamant, and David Wesselman.