International technology companies operating in the Netherlands now face a significantly more demanding compliance environment. The convergence of EU-level digital services legislation with Dutch implementing rules has created a set of binding obligations that took effect in early 2025. Companies that have not yet mapped their exposure risk enforcement action, civil liability, and – in the most serious cases – suspension of digital services activity in the Dutch market.
The Netherlands has implemented the EU Digital Services Act through national enforcement measures administered by the Dutch Authority for Digital Infrastructure. With primary compliance obligations applying to online platforms, intermediary service providers. Additionally, technology companies established or offering services in the country. Businesses meeting the relevant user or turnover thresholds must complete their compliance filings and internal governance updates. Deadlines under the Dutch implementing regime are now active, meaning non-compliant operators are already subject to supervisory scrutiny.
This alert sets out what changed, which business categories are affected, and the five immediate actions international companies should take now.
What changed – the regulatory development and its effective date
The EU Digital Services Act became directly applicable across all member states, including the Netherlands, from February 2024 for very large online platforms and online search engines. For all other in-scope providers, the full set of obligations applied from mid-2024 onward. Dutch national authorities completed their designated enforcement arrangements in the second half of 2024.
The Dutch regulatory system now operates on two levels. At the EU level, the European Commission directly supervises very large platforms and search engines. At the national level, the Autoriteit Consument en Markt (ACM – Netherlands Authority for Consumers and Markets) acts as the Digital Services Coordinator. The ACM holds powers to investigate, issue binding orders, and impose financial penalties on non-compliant intermediary service providers active in the Dutch market.
Alongside the Digital Services Act obligations, the EU AI Act compliance timeline has begun running. Prohibited AI practices became unenforceable from February 2025. Obligations for high-risk AI systems will apply in phases through 2026 and 2027. Technology companies with AI-enabled products or services in the Netherlands must treat these two regulatory streams – digital services and AI – as interconnected. Algorithmic accountability requirements under both regimes overlap significantly, particularly for recommender systems and automated decision-making tools.
Software liability rules are also evolving. The EU Product Liability Directive, now revised to cover software and AI-enabled products, has been transposed into Dutch civil legislation. This means that technology companies distributing software products – including cloud-based services – in the Netherlands face product liability exposure that did not previously exist under the prior regime. The Hoge Raad (Supreme Court of the Netherlands) is expected to develop case law on software liability as the first disputes reach appellate level.
Who is affected – threshold criteria and business categories
The digital services regime applies to four categories of provider. Each category carries a distinct set of obligations, and companies operating across categories face cumulative requirements.
Mere conduit and caching providers – internet access providers, transit networks, and basic caching services – face the lightest obligations. They must have a single point of contact registered with the ACM and implement basic notice-and-action mechanisms for clearly illegal content.
Hosting providers – including cloud infrastructure operators, data centre services. Additionally, software-as-a-service platforms that store user-generated content – must implement functioning notice-and-action systems. Publish transparency reports. Additionally, cooperate with law enforcement orders issued through Dutch courts, specifically the Rechtbank (District Court) with competent jurisdiction.
Online platforms – marketplaces, app stores, social media services, and content-sharing platforms – face the broadest obligations. These include: clear terms of service; mechanisms for users to flag illegal content; protection for minor users; advertising transparency; and, critically, algorithmic accountability disclosures explaining how recommender systems rank and present content.
Very large online platforms and very large online search engines – those exceeding 45 million average monthly active users in the EU – face the most demanding tier. These entities must conduct annual systemic risk assessments, submit to independent audits, and share data with researchers. Direct Commission supervision applies at this tier.
Technology licensing businesses and digital service providers incorporated in the Netherlands as a BV (besloten vennootschap. private limited company) or NV (naamloze vennootschap. public limited company) must ensure their corporate registry entry at the KvK (Kamer van Koophandel. Dutch Chamber of Commerce) correctly reflects their digital service activities. Misclassification of business activity in the KvK register can create complications when the ACM cross-references registration data during supervisory reviews.
International companies without a Dutch legal entity but offering digital services to users in the Netherlands must designate a legal representative established in an EU member state. Failure to appoint a representative is itself an infringement under the Dutch implementing rules.
To receive an expert assessment of your digital services exposure in the Netherlands, contact us at info@ferrazwhitmore.com.
What to do now – immediate actions and compliance timeline
Companies have limited time to address gaps before enforcement intensifies. The ACM has signalled that proactive supervisory engagement began in early 2025. The following five actions should be treated as urgent priorities.
First: classify your service category correctly. Many international technology companies underestimate the breadth of the platform definition. If your service hosts any user-generated content – including product reviews, user profiles, or third-party listings – it almost certainly qualifies as an online platform. Engage specialist AI and technology law counsel in the Netherlands to confirm your category and the precise obligations that follow.
Second: appoint a Dutch or EU legal representative. If your company lacks a Dutch-registered entity, designate an EU-based representative immediately. This is a hard legal requirement, not an administrative formality. The representative must be authorised to act on behalf of the company in dealings with the ACM and Dutch courts.
Third: audit your notice-and-action mechanism. All hosting providers and platforms must operate a functioning system for users to report illegal content. The mechanism must be accessible, easy to use, and capable of generating the required transparency reporting data. Many companies currently operating in the Netherlands have informal complaint channels that do not satisfy these requirements.
Fourth: review algorithmic accountability documentation. Online platforms must be able to explain, in plain language, how their recommender systems operate. This requirement intersects directly with AI Act compliance obligations, particularly for high-risk AI system classification. Companies should review whether their AI-enabled ranking or recommendation tools require registration under the relevant AI Act provisions. Intellectual property rights embedded in proprietary algorithms may also require review – for guidance on protecting those assets, see our analysis of intellectual property law in the Netherlands.
Fifth: prepare your first transparency report. Platforms must publish annual transparency reports disclosing, among other things, the volume of content removal orders received, actions taken, and outcomes of internal complaint procedures. For companies that have never produced such a report, the drafting and internal data-gathering process takes longer than anticipated. Starting now avoids a compliance gap at the first reporting deadline.
Businesses that established their Dutch entity through a notaris (civil law notary) in recent years should also confirm that their articles of association and corporate governance documents are consistent with the internal compliance functions now required. particularly the obligation to designate a named compliance officer for digital services matters within larger platforms.
For international companies also operating in Portugal or other EU jurisdictions, see our related alert on digital services regulation developments in Portugal for a comparison of national implementation approaches.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, digital platforms, and institutional investors across 46 jurisdictions. Our AI and technology law practice supports clients with AI Act compliance, digital services regulation, algorithmic accountability assessments, and technology licensing matters across European and international markets. As a law firm in the Netherlands and across the EU, we combine Portuguese civil law expertise with English common law tradition to deliver cross-border regulatory solutions. Our team includes practitioners with direct experience before Dutch regulatory authorities and EU supervisory bodies. Engaging a lawyer in the Netherlands with cross-border technology expertise is essential for companies facing multi-jurisdiction digital services obligations – to discuss your situation, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.