Training
trust is a choice
On the gap between fear and knowledge in Dutch small business, and why AI literacy isn't a compliance checkbox
Fifty-one percent of Dutch business owners fear data leaks from AI. Seven percent actually know how the rules work. Both numbers come from the same study by the Dutch government and the KVK (the national chamber of commerce), late 2025, and together they tell the whole story.
The fear runs high. The knowledge runs low. And in that gap all sorts of things happen, except sensible decision-making.
the gap between fear and knowledge
Three in ten business owners now use ChatGPT or Microsoft Copilot. In professional services it’s 46 percent. At the same time, 53 percent worry about a lack of transparency and 52 percent about regulation and compliance.
And then the number that says the most to me: only 2 to 3 percent are actually taking any steps around the European AI rules. More than half have no plans at all.
That’s not an adoption problem. It’s a trust problem. I see companies do one of two things: avoid AI entirely, or dive in with no controls. Both are harmful, and both come from the same source. If you don’t understand how something works, you can’t handle it in a controlled way. All you’re left with is avoiding it or gambling.
where the fear sits, and where the risk sits
The biggest fear is that AI trains on your data. That fear isn’t crazy, but it’s aimed at the wrong place.
It doesn’t come down to the provider. It comes down to the plan. Consumer plans use your data for training by default. Anthropic even flipped that toggle to on by default in August 2025, in the fine print under a big Accept button. Business plans rule out training on customer data contractually, in black and white in the Commercial Terms and DPAs.
You can learn that difference in ten minutes. Yet almost nobody knows it, so policy gets made on the basis of a picture that’s simply wrong.
Meanwhile the real risk sits somewhere else entirely. Samsung engineers pasted source code into consumer ChatGPT without IT knowing. Group-IB found over 101,000 devices infected with infostealers that had stored ChatGPT credentials. AI agents have been tricked more than once by instructions hidden inside emails and documents.
Look at what those incidents have in common. Not one was about a model quietly training on the side. Every one was about people and configuration. Training is not the problem in 99 percent of small-business AI incidents. People and settings are.
article 4 is not a checkbox
This is where the legislator comes in. The EU AI Act applies broadly to small business from 2 August 2026, and for most use cases the obligations are light: keep an AI register, and label AI-generated content as AI. A notes app is enough for that register. This is not a six-figure project.
But article 4 of that same law asks for something else, and it gets systematically underestimated: organizations have to make sure their people are sufficiently AI-literate. Not the tools. The people.
The standard response in the market is predictable. AI literacy gets treated as a compliance obligation: buy an e-learning course, hand everyone a little certificate, box ticked. Exactly the way privacy training went before it.
I flip it around. Tools change faster than policies. A rule your team memorizes today is out of date in three months because of a new feature or a changed term. That’s why people need to know why the rules exist, not just what they are. Otherwise they don’t know when to escalate, and escalating is precisely the behavior that prevents incidents.
In fairness: I run training on AI in small business myself, so I have a stake in the conclusion that training matters more than tooling. Factor that in. The numbers above just aren’t mine, and neither is the pattern in the incidents.
what a business owner actually does
The good news is that the distance between 7 percent knowledge and enough knowledge is short. Five steps, no consultancy engagement.
Take stock of which AI tools your team uses, on which plan, on which data. That’s an hour of work and you’ll be surprised.
Then pick one official AI package for the whole team, at business tier. No scattered personal accounts, because that’s where the Samsung scenarios start.
Write a one-page policy. What’s allowed in AI, what isn’t, what you do when in doubt, who’s ultimately responsible.
Train your people on the why. This is the step article 4 means, and the only one that keeps up when the tools change.
And from August 2026, keep your register and label AI content. Done.
Anyone who takes these five steps suddenly belongs to a small minority. Not because the bar is high, but because almost nobody steps over it.
trust is a choice
People often talk about trust in AI as something that has to grow. As if it comes on its own once the technology matures, the vendors get more transparent, the rules get clearer. So: wait.
I don’t buy that. The 51 percent who fear data leaks aren’t going to feel any calmer about the next generation of models. Fear that comes from not knowing doesn’t disappear because of better products. It disappears through understanding.
In this domain, trust isn’t a feeling but a choice. You choose a plan whose terms you’ve actually read. You choose rules whose why your team understands. You choose to know what happens to your data instead of just hoping.
That’s also why the gap between 51 and 7 percent doesn’t leave me gloomy. Every company that closes that gap for itself turns fear into an informed decision. Sometimes that decision is still no, and that’s fine. A no that comes from understanding is worth more than a yes that comes from not knowing.
Trust isn’t something a vendor can hand you. It’s something you build yourself, and the first brick is understanding.