Dutch Data Protection Authority Zeroes In on Surveillance, AI, & Digital Resilience for 2026

Key Takeaways
  • Surveillance Under Scrutiny: The Dutch Data Protection Authority will prioritize limiting large-scale surveillance practices in 2026, with a particular focus on preventing discrimination and safeguarding fundamental freedoms.
  • AI Oversight Expands: The regulator is strengthening its capacity on AI and algorithms and will publish its position on generative AI under the GDPR while coordinating with other authorities on implementing the EU AI Regulation.
  • Digital Resilience in Focus: Cybersecurity awareness and systemic digital risks, including dependencies on third-country service providers, will remain a core supervisory priority.
  • Closer Regulatory Coordination: Increased collaboration with other supervisory authorities reflects a more joined-up approach to managing cross-cutting digital, security, and governance risks.
Deep Dive

The Dutch Data Protection Authority is sharpening its regulatory focus as it looks ahead to a more complex digital landscape. In its 2026 annual plan, the Authority sets out three priorities that will guide its work through 2028: mass surveillance, artificial intelligence, and digital resilience.

At the top of the list for 2026 is mass surveillance, where the Authority says it will place particular emphasis on preventing discrimination. As surveillance technologies become more widespread, the regulator plans to push back against their routine and large-scale use, discouraging blanket deployment and stepping in to limit applications where necessary. The plan also points to heightened attention on the security domain more broadly, especially where surveillance measures raise questions about how far security efforts can go without eroding fundamental freedoms.

Artificial intelligence forms the second pillar of the Authority’s agenda, with a clear focus on building internal expertise and regulatory clarity. The regulator is expanding its capacity in the area of AI and algorithms and plans to publish its vision on generative AI and how it fits within the existing GDPR framework. Alongside this, the Authority will continue working with other supervisory bodies on the implementation of the EU’s AI Regulation, reflecting the increasingly coordinated approach regulators are taking as AI-specific rules begin to take shape.

Digital resilience rounds out the Authority’s priorities. Here, the focus is on strengthening awareness of cybersecurity risks and systemic dependencies, including reliance on third countries for key digital services. The regulator said it will continue sharing information on these risks while deepening cooperation with other supervisory authorities to address vulnerabilities that cut across sectors and jurisdictions.

The priorities signal a regulatory strategy that links privacy, security, and resilience more closely than ever. Rather than treating data protection in isolation, the Dutch regulator is positioning itself to address the broader risks that come with pervasive surveillance technologies, rapidly advancing AI, and increasingly interconnected digital infrastructures.
