The legislation set out below is of a particular significance to online businesses.

This includes the:

Relevant EU law applicable in the Netherlands includes the:

Primary legislation (formal Acts) must be passed by the Lower House of Parliament (Tweede Kamer) and the Senate (Eerste Kamer).

A formal Act can empower certain government ministers to make delegated regulation (ministeriële regeling).

The steps vary depending on the type of business, however, the steps to set up an online business typically include:

This varies widely depending on the type of business operated. In general, the following types of contract parties can be expected:

Laws dealing with contracting on the internet (see also Question 8), GDPR and certain sector specific laws (such as the Telecommunications Act) set requirements to provide certain information in a clear and comprehensible manner, which indirectly affect the design of websites and apps.

The Authority for Consumers and Markets (Autoriteit Consument & Markt) (ACM) provides guidance with regard to consumer protection aspects in its Guide to online consumer protection (Leidraad bescherming online consument, 31 October 2022) (ACM Guidance).

Government websites and apps are required to comply with specific accessibility requirements under the national implementation of the EU Web Accessibility Directive ((EU) 2016/2102). This may indirectly reflect on suppliers of websites and apps to governments, among others through specifications set in public procurement tenders.

The Netherlands is in the process of implementing the European Accessibility Act (Directive (EU) 2019/882), which will, effective June 2025, introduce accessibility requirements for a variety of products and consumer services, including for:

The specific steps depend on the type of business that the app relates to. In general, the following steps should be taken:

In principle all contracts can be concluded electronically, just as non-electronic contracts are, as long as they comply with the Dutch legal requirements of a contract, that is, there must be an offer and acceptance of that offer. On certain topics, Dutch law provides specific rules for contracts that are concluded electronically.

General T&Cs. Under Dutch law, general T&Cs are basically all the terms of a contract other than the terms that indicate the essence of the agreement (the latter being for example the specifics of the actual product or service or the price).

Special requirements for the acceptance of general T&Cs in consumer contracts or contracts with small companies include:

Other regulatory requirements. For contracts concluded electronically, the following rules apply (Articles 227b and 227c, Book 6, Civil Code):

Dutch law also provides specific consumer protection rules for the conclusion of electronic contracts via "distance selling" which includes online sales (see Question 8).

Under Dutch law, certain contracts must be concluded in writing, such as the deed to transfer copyrights and the sale of a house to a non-professional party. Such contracts can also be concluded by electronic means, provided that the:

(Article 227a, Book 6, Civil Code (see the E-Commerce Directive).)

Deeds that create or transfer rights in real estate require the involvement of courts, public authorities or professions exercising public authority and cannot be concluded electronically.

In addition to general contract law, the following laws specifically deal with contracting on the internet.

E-commerce. Traders must comply with the e-commerce rules, in particular with information requirements. These rules apply to both business and consumer contracts (see Question 1, Question 7 and Question 39).

Platform to business. The P2B Regulation applies to platform/search engine operators where both:

It places new obligations on operators of online platforms and online search engines in relation to their B2B dealings, such as obligations to:

Consumer contracts. Specific requirements apply for distance selling to consumers (including online contracting), which are mostly mandatory (Articles 230m-230s and 230v-230z, Book 6, Civil Code (see the Consumer Rights Directive)):

In electronic contracting a trader must notify the customer whether:

Contractual documents in general must be kept for at least seven years after the end of the term of the agreement (Article 10, Book 2 and Article 15i, Book 3, Civil Code; Article 52, Tax Act (Algemene wet inzake rijksbelastingen)).

The GDPR imposes a general duty to retain personal data only for as long as is necessary for the purpose for which the data is collected or held (Article 5(1)(e), GDPR). Personal data cannot be kept for longer than is necessary for the purposes for which the personal data are processed in a form that permits identification of data subjects. Time limits to have the data stored erased or reviewed must be in place.

There are no official government trusted site accreditations for websites. For webshops there are a couple of commercial and nationally recognised certification marks available. Some certification marks are linked to being a member of a certain trade association.

The same remedies that apply to breach of a non-electronic contract are available for breach of an electronic contract.

Where a specific regulatory requirement is breached (by the trader), additional remedies might be available, such as:

An e-signature or digital signature is an electronic variant of a handwritten signature. E-signatures or digital signatures are often used:

E-signatures are governed by the Civil Code (Book 3, Article 15a) and the Electronic Identification Regulation((EU) 910/2014) ((eIDAS Regulation) (repealing Directive 1999/93/EC), see Question 12).

The eIDAS Regulation has been directly applicable in the Netherlands since 1 July 2016, is binding in its entirety and takes precedence over national Dutch law.

Dutch Code definition of digital signatures. The eIDAS Regulation distinguishes three types of electronic signatures:

Electronic signature. This is data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

Advanced electronic signature. An advanced electronic signature is an electronic signature that must be:

Qualified electronic signature. This is an advanced electronic signature (see above) that is created by a qualified electronic signature creation device and based on a qualified certificate. For the requirements for qualified certificates and qualified creation devices, see Annex I and Annex II of the eIDAS Regulation.

Signatures that comply with the requirements mentioned above are legal e-signatures.

E-signatures can exist in different formats, for example:

Under the eIDAS Regulation, a qualified electronic signature (as defined in the eIDAS Regulation) has the same legal effect (for example, for practical purposes of proof) as a handwritten signature.

Under Dutch law, an advanced electronic signature and other electronic signatures (both as defined in the eIDAS Regulation) also have the same legal effect as a handwritten signature, provided that the method for signing that has been used is sufficiently reliable, considering:

(Article 3:15a, Civil Code.)

By Article 3:15a of the Civil Code, the Netherlands used its right to define the legal effect of electronic signatures, other than qualified electronic signatures, in accordance with recital 49 of the eIDAS Regulation.

Because advanced electronic signatures and other electronic signatures are not regulated by the eIDAS Regulation, in the Netherlands parties can contractually agree on the level of reliability of advanced electronic signatures and other electronic signatures (for example, agree on whether the above condition is met). This does not apply to qualified electronic signatures, as the eIDAS Regulation regulates the legal effect of the qualified electronic signature.

Under the Civil Code (Book 3, Article 15a), a qualified electronic signature, an advanced electronic signature and an electronic signature have the same legal effect as a handwritten signature provided that the applicable conditions are met. This means that there are, in principle, no limitations on the use of e-signatures.

Limitations only apply if the law stipulates that a contract must be concluded on paper (see Question 7), when a handwritten signature is required. Further, it could be harder to prove the validity of an electronic signature in comparison with handwritten signatures. This risk can be mitigated to an extent with the use of a "qualified electronic signature" (see Question 12).

The GDPR and the GDPR Implementation Act regulate the collection and use of personal data. The GDPR applies to data controllers, defined as "persons who determine the purposes and means of the processing of personal data." The GDPR also applies to data processors, defined as "persons who process personal data on behalf of the controller."

Non-EU established organisations are subject to the GDPR where they process personal data about EU data subjects in connection with:

The GDPR regulates personal data relating to an identified or an identifiable natural and living person. It does not regulate information relating to corporate bodies. Data about a sole proprietor is however, considered personal data for the purpose of the GDPR.

The GDPR further clarifies the scope of the definition in some areas, for example by explicitly classifying "location data, online identifiers, and genetic data" as personal data (Article 4(1), GDPR). This is expanded on in recital 30, which makes clear that this refers to identifiers provided by "devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags".

Under the GDPR special categories of personal data ("sensitive data") receive special protection.

These include:

Where information being processed is capable of revealing such sensitive data (as defined above) by means of an intellectual operation involving comparison or deduction (such as the publication of a spouse's name, which may reveal one's sexual orientation), Article 9 of the GDPR also applies (CJEU case C-184/20, ground 120).

A data controller must have a lawful basis and a separate additional condition for processing (such as explicit consent) to process this data (Article 9, GDPR) (see also Question 16).

In the context of digital businesses, the following information, is likely to satisfy the definition of "personal data" for GDPR purposes:

(See also Question 21.)

The GDPR imposes a series of conditions for the collection and use of personal data, also known as data protection principles (Article 5, GDPR). For example, lawful processing requires a legal basis, such as the consent of the data subject (Article 6 GDPR). Valid consent, that is specific, informed and freely given, remains a lawful basis for processing personal data. Other legal grounds set out in Article 6 of the GDPR include the use of personal data:

Other principles set out in Article 5 of the GDPR include that personal data must be:

The GDPR also restricts the use of cloud solutions that involve the storage of personal data on servers located (and transfer of personal data more generally) outside the EU/EEA by prohibiting the transfer of such data to non-EU/EEA countries unless:

A range of mechanisms can be relied on to transfer personal data on the basis of appropriate safeguards, such as the standard contractual clauses (as adopted through the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and Binding Corporate Rules (Article 47 GDPR).

Article 49 provides an exception and according to the European Data Protection Board such transfers would occur outside the regular course of action.

A significant number of public authorities and regulators can access or compel disclosure of information that is relevant to the exercise of their regulatory functions.

For example, an employer must provide:

Specific public authorities can request identifying information for situations described in the Criminal Procedure Code, such as to solve certain types of crimes. Digital detection methods of the judicial authorities include the search and seizure of electronic data, the retrieval of passwords (decryption) and interception of communications.

The Criminal Procedure Code was further amended to include the option for law enforcement authorities to compel the disclosure of encryption keys by giving notice (Article 552a, Criminal Procedure Code).

The police and the judicial authorities can request an ISP to disclose personal data of its customers only if the person in question is suspected of committing a criminal offence (Article 126na, Criminal Code; Article 13.4, Telecommunications Act).

Case law confirms that ISPs may, under specific circumstances, be obliged to disclose data (such as names and addresses) of their subscribers in civil matters as well. The principles developed in the case law show a certain duty of care.

The use of cookies is regulated by Directive 2009/136/EC (Citizens' Rights Directive), implemented by the Telecommunications Act, and the GDPR. The telecoms regulator, the ACM, is the competent supervisor of the cookie regime together with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (AP) if the use of cookies involves the processing of personal data.

In principle, website operators cannot use cookies unless the customer/website visitor:

Consent must:

There must be an option to withdraw the consent. This should be as user-friendly as possible.

The Telecommunications Act offers two exceptions to the above obligation of requesting consent:

If these exceptions apply, the website must still provide information regarding the use of cookies if personal data are processed.

Тhe AP has deemed the use of "cookie walls" non-compliant with GDPR, by which websites, apps or other service providers only provide access to their site if users consent to the use of tracking cookies (or other similar tracking software). This is considered invalid consent.

In the ACM Guidelines for the protection of online consumers, consent for cookies must be given by opting-in; a pre-ticked box that needs to be de-selected is not permitted.

As far as the usage of cookies constitutes the processing of personal data, the GDPR and other applicable data protection laws must be complied with. Under Dutch law, a burden of proof exists with respect to tracking cookies (such cookies collect data about the online behavior of data subjects). This relates to the assumption that the use of so-called "tracking" cookies qualifies as processing of personal data. An exemption for purely analytical cookies entered into force in July 2015.

Under the GDPR any cookie or other identifier that is uniquely attributed to a device (and so potentially identifying an individual) is likely to be considered as personal data.

The proposed e-Privacy Regulation (repealing the E-Privacy Directive) is likely to have an impact on the use and system design of cookies.

The GDPR requires companies to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction and/or damage. This includes an obligation to ensure that an appropriate level of security is applied to internet transactions that involve the transmission of personal data (Article 32, GDPR).

Data controllers must notify the DDPA and the data subject of any personal data breaches that have or are likely to have serious adverse consequences on data protection or personal privacy (Articles 33 and 34, GDPR). Such notifications must be made to the DDPA no later than 72 hours after the controller becomes aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The EU is also working on various new legislative proposals concerning cyber security, such as the successor to the NIS Directive, the NIS2 Directive (NISD2). NISD2 focuses on strengthening cyber security across all member states, and will apply to companies in essential sectors, including digital infrastructure (specifically digital providers such as online marketplaces and social media platforms) and financial markets infrastructure. The NIS2 Directive provides seven key requirements companies need to comply with, including incident response, supply chain security and encryption.

In addition, the EU has adopted the Digital Operational Resilience Act (DORA) (2020/0266 (COD), which focuses on cybersecurity within financial institutions (including payment institutions) and their third-party ICT-providers.

(See also Question 21.)

While the GDPR does not require the use of encryption, organisations such as website providers must ensure that the security measures they take are proportionate to the sensitivity of the data concerned. Data encryption will often be considered an appropriate and necessary technical measure for the protection of personal data stored on mobile digital media, sensitive or confidential e-mail communications, and data held in the cloud.

Under the Criminal Procedure Code (Wetboek van Strafvordering) law enforcement authorities can compel the disclosure of encryption keys by giving notice.

Additionally the use of encryption may become mandatory for companies under the scope of the proposed NIS2 Directive.

(See also Question 19.)

Traders require a licence from the Dutch Central Bank for the provision of payment services as stipulated in the Financial Supervision Act (FSA) (Wet op het Financieel Toezicht) and those institutions are subject to ongoing supervision (also relating to for example the Dutch AML Act (Wet ter voorkoming van witwassen en financieren van terrorisme). A payment service provider already authorised as payment service provider in another EU country can however passport its services into the Netherlands.

Several exceptions and exemptions are available in relation to the licence obligation when providing payment services. Examples are the:

PSD2 introduces the requirement for financial institutions to grant access to third party players (for example, Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs)) to bank accounts. Such third party players must meet certain requirements and require a licence before they can offer account information services or payment initiation services.

PSD2 and the delegated Regulation on Regulatory Technical Standards (RTS) provide for, among other things, the protection of personal (accounts) data and strong customer identification requirements in addition to the general data protection requirements discussed in Question 14, Question 15 and Question 19.

A public consultation of PSD2 has been launched and a PSD3 proposal was announced for Q2 2023. The EC also announced in its Digital Finance Strategy and Retail Payment Strategy that it was considering imposing wider Open Finance requirements, which would require institutions that maintain various different accounts to also open the access to non-payment accounts. A proposal was expected for Q2 2023.

Traders cannot discriminate against customers within the EU by applying different conditions for payment transactions based on the customer's nationality, place of residence or place of establishment, the location of the payment account, the place of establishment of the payment service provider or the place of issue of the payment instrument (see Article 5, Geo-Blocking Regulation).

Parents or legal representatives need to give permission (that is, consent) for the processing of personal data of children under 16 years (Article 5(1) and (4), GDPR Implementation Act). Such consent can be withdrawn at any time and an organisation should make a "reasonable effort" to ensure such permission is still enduring.

Minors can enter into legal agreements if they have express or implied parental consent (Article 234, Book 1, Civil Code). If the contract or legal act is deemed "normal" for minors of a particular age, there is a presumption that parental consent is present.

There are some circumstances in which contracts with older minors (aged 16 or over) can be enforceable without parental consent, including contracts for medical treatment and of employment (Articles 447 and 612, Book 7, Civil Code).

The ACM gives specific guidance on the use of digital services by children. For example, game providers cannot directly persuade children to make in-app purchases.

In the Netherlands there are no specific laws protecting companies that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction.

It is permissible to hyperlink to a third party's website, provided that the linked material has been authorised by the rights holder and is freely accessible (Svensson and Others v Retriever Sverige AB [2014] (C-466/12) and BestWater International (C-348/13)) and the link is not used to circumvent restrictions, such as paywalls, log-ins or other barriers. The same applies when framing technology is used (embedded link).

In a European Court of Justice (ECJ) case (VG Bild-Kunst (C-392/19)), the court held that copyright holders can also restrict the framing of their work by contract, but only by imposing that effective technological measures will be adopted to restrict third parties from framing the work.

In an earlier case (GS Media (C-160/15)), the ECJ decided that when hyperlinks are posted for profit, it may be expected that the necessary checks are carried out to ensure that the work concerned is not published without the rights holder's consent. When a person knows or should have known that the hyperlink they post provides access to a work that is published without the rights holder's consent, the provision of that link can constitute copyright infringement.

Other practices are not permitted if they are a breach of a third party's exclusive rights under copyright or trade mark law. Under certain circumstances, caching and spidering (using a web crawler or spider which systematically browses the web) could fall under the scope of the exemption for temporary acts of reproduction of copyright protected works. If information is extracted from a third party's website, it is also necessary to ensure that the use is not in breach of the T&Cs of that website.

A company is allowed to use a Benelux or European trade mark of a third party in advertising keywords to promote an alternative product or service, if such use is not likely to have an adverse effect on one of the functions of the trade mark. If, for example, it is not clear for consumers that the promoted goods or services are not the trade mark holder's, but goods and services of the third party, the trade mark holder can prohibit that use because it has an adverse effect on the indication of origin function (CJEU Interflora/Marks & Spencer (C-323, 09), ground 34-35).

Companies must be pro-active in avoiding confusion regarding the origin of the goods or services for which the advertising keyword consisting of a third party's trade mark is used.

The above applies to metatags as well. Although the CJEU's case law relates to advertising keywords, Dutch Courts have applied this EU case law to metatags (see for example: District court The Hague, 20 July 2016, C/09/483170 / HA ZA 15-217, ground 4.4).

When the marketing (or comparative advertising) of a product by means of an advertising keyword causes confusion among consumers with regard to a product, trade mark, trade name or other distinctive component of a competitor, such advertising can be unlawful for consumers or competitors (Articles 6:193c (2)(a) and 6:194a (2)(a) and (d), Civil Code).

There are no specific regulations in place relating to the licensing of domain names between a domain name registrant and third parties. Domain names must be registered through a registrar with the relevant registry. The sole registry in the Netherlands (SIDN) is responsible for the registration of .nl domain names. Anyone can apply for a .nl domain name (through a registrar). However, companies that have their registered office outside the Netherlands must choose domicile at the office of SIDN for the purpose of legal proceedings relating to the domain name.

For .nl domain names a "first to file" system applies. This means that the person who first applies for the domain name is the person who can use the domain name. Domain names do not constitute property rights. However, a domain name can be used as a trade name in the course of trade and trade name rights can arise.

Under Benelux trade mark law, trade mark holders can oppose the use without due cause of a domain name that corresponds to their trade mark when that use takes unfair advantage of or is detrimental to the distinctive character or the reputation of the trade mark. Besides court proceedings, the trade mark owner (or the owner of a trade name) can use the dispute resolution system for .nl domain names when the domain name conflicts with its trade mark (or trade name), the domain name holder has no rights to or legitimate interest in the domain name and the domain name has been registered or is being used in bad faith.

A domain name can be registered as a trade mark if the sign meets the requirements for registration.

A trade name comes into existence from using the trade name in the course of trade and not from registering the name in the Commercial Register of the Chamber of Commerce. The owner of prior trade name rights can oppose the use of the same or a similar trade name in case of likelihood of confusion. Trade mark owners with prior rights can oppose the use of a conflicting trade name of a later date.

Although it is not a requirement for trade names to have distinctive character, the scope of protection of purely descriptive trade names is limited. For infringement of a trade name, there must be a likelihood of confusion (Article 5, Tradename Act). The likelihood of confusion needs to be determined on the basis of a global assessment. One of the factors to be taken into account is the public's need to keep certain descriptive terms free from protection, which limits the scope of protection of those trade names (Dutch Supreme Court 19 February 2021, 19/04586, DOC/Dairy Partners).

There is no separate set of rules on jurisdiction for disputes and/or internet transactions.

Business-to-business (B2B) agreements. In Europe, the applicable jurisdiction for contractual obligations (including internet transactions) is the jurisdiction in which the obligation is performed (Article 7, Recast Brussels Regulation ((EU) 1215/2012)). For sales of goods, the jurisdiction lies where the goods were delivered or should have been delivered. For the provision of services, the jurisdiction lies where the services were provided or should have been provided. The parties can, however, agree on another jurisdiction to govern their internet transactions.

In an international context and in the absence of specific international conventions that apply or a specific agreement between the parties, Dutch private international law rules will apply.

Since 2019, has been possible for parties to opt for proceedings at the Netherlands Commercial Court (NCC), where litigation can be conducted in English. A matter must have international scope. Parties must explicitly agree on the jurisdiction of the Amsterdam District Court (this can also be done after the dispute has arisen) and agree to litigate at the NCC in English. Appeals can be lodged with the Netherlands Commercial Court of Appeal and are also in English.

B2C agreements. In spite of any choice of jurisdiction made by the parties, a consumer can always bring proceedings against the other party to a contract either in the courts of the member state, in which that party is domiciled/carrying out its activities or in the courts where the consumer is domiciled (Article 18, Recast Brussels Regulation). However, proceedings can also be brought against a consumer in the courts of the member state in which the consumer is domiciled.

There are exceptions to each rule on jurisdiction, so each case should be considered on its facts. For example, different rules apply in relation to non-contractual disputes such as defamation or copyright infringement (where in general under the Recast Brussels Regulation and 2001 Brussels Regulation jurisdiction is ascertained on the basis of the state in which the harmful act occurred).

The Geo-blocking Regulation does not amend or override the above rules on jurisdiction. Compliance with the Geo-blocking Regulation does not imply that a trader directs its activities to the member state of the consumer (Article 1(6), Geo-blocking Regulation).

The same rules apply to internet transactions as to other disputes. The two principle sets of general rules determining the applicable law are the:

Rome I and II are both only applicable within the EU, but by virtue of a transitional provision in the Dutch Civil Code, the same methodology applies to other international matters which fall outside the scope of those regulations (under Articles 10:154 and 10:159 of the Civil Code).

B2B agreements. The parties are free to choose the law which will govern their international contract (Rome I, Article 3). Where the parties do not choose which law will govern the contract, the applicable law is determined in accordance with the rules set out in Rome I (in particular, Article 4).

B2C agreements. European consumers can generally only be summoned into proceedings in their state of domicile but can elect whether to sue businesses in the state of either the consumer or the business.

The governing law in a B2C contract is the law of the country in which the consumer has their habitual residence, if the seller pursues their commercial activities in that country or, by any means, directs their activity to that country (Rome I, Article 6).

The parties are free to agree to a different governing law, but this choice of applicable law cannot result in a loss of protection to the consumer.

Applicable laws regarding ADR include:

ADR Directive. This seeks to make ADR available to consumers for any types of contractual disputes with traders, including online and offline, and domestic or cross border transactions (excluding health and higher education disputes). The ADR entity for European trade disputes is the Dutch branch of the European Consumer Centre (ECC-Net) (Europees Consumenten Centrum) which advises consumers on their rights and obligations relating to purchases made or with traders established in other European member states.

For national trade disputes, there are several (specialised) ADR entities. The most important is the Dutch Foundation for Consumer Complaints Boards (De Geschillencommissie).

ODR Regulation. This provides for an "out of court" online platform for settling disputes arising from online transactions. Once an EU resident consumer submits their dispute online, they will be linked with national ADR providers who will seek to resolve the dispute.

The Online Dispute Resolution (ODR) platform (launched on 15 February 2016 by the EC) redirects consumers in European member states who are seeking to resolve disputes arising from online transactions to the appropriate (ADR) entity or entities in the member state where the trader is established.

While some national ADR entities can give binding advice, the ECC-Net (see above ADR/ODR Options) is a non-judicial organisation with no enforcement mechanisms. For cross-border disputes in the EU with a claim of up to EUR2,000, the European Small Claims Procedure is available to litigants as an alternative to the normal national judicial procedures. A judgment given in this procedure is recognised and enforceable in any other EU member state without the need for a declaration of enforceability and without any possibility of opposing its recognition.

Traders that are established in the Netherlands must inform consumers of the ADR entity or entities that exist and/or by which the traders are covered in a clear, comprehensible and easily accessible way on their websites, irrespective of whether the organisation itself is associated with any ADR entity (Article 13, ADR Directive).

Traders engaging in online sales or service contracts and online marketplaces established within the EU, must provide on their websites an electronic link to the European ODR platform (see above ADR/ODR Options) (Article 14, ODR Regulation).

While the national ADR entities can give binding advice, ECC-Net (see above ADR/ODR options) is a non-judicial organisation with no enforcement mechanisms. For cross-border disputes in the EU with a claim of up to EUR5,000, the European Small Claims Procedure is available to litigants as an alternative to the normal national judicial procedures. A judgment given in this procedure is recognised and enforceable in any other EU member state without the need for a declaration of enforceability and without any possibility of opposing its recognition.

Traders that are established in the Netherlands must inform consumers of the ADR entity or entities that exist and/or by which the traders are covered in a clear, comprehensible and easily accessible way on their websites, irrespective of whether the organisation itself is associated with any ADR entity (Article 13, ADR Directive).

Traders engaging in online sales or service contracts and online marketplaces established within the EU must:

Advertising of products and services is in general governed by the Unfair Commercial Practices Act (Wet oneerlijke handelspraktijken), which implements the Unfair Commercial Practices Directive. This Act prohibits unfair practices, including misleading and aggressive sales techniques. Practices are unfair if they cause or are likely to cause the average consumer to take a transactional decision that they would not otherwise have taken. As the Act applies to advertising in general (irrespective of the medium), it also applies to online advertising and advertising on social media.

The Unfair Commercial Practices Act is enforced by the ACM and the Financial Markets Authority (Autoriteit Financiële Markten) (AFM). If there is an unlawful commercial practice, the undertaking will be liable for the damage caused to the consumer by the practice. Consumers also have the option to nullify any agreement that is concluded as a result of an unfair commercial practice. In 2016, the EC published a guide on the application of the European Unfair Commercial Practices Directive.

The Civil Code (Book 6, Articles 194 to 196 (which implement the Misleading and Comparative Advertising Directive) govern both misleading B2B advertising and lawful comparative advertising.

The advertising industry provides for self-regulation in the form of the Dutch Advertising Code (Advertising Code) (Nederlandse Reclame Code). The Code is available at https://www.reclamecode.nl/wp-content/uploads/2018/10/SRCNRCENboekje_oktober2017.pdf (available in English). This code is written and maintained by the Advertising Code Authority (Stichting Reclame Code) and reflects the sector interpretation of the statutory rules on advertising and marketing. While it is not a formal act, the Advertising Code is generally understood as the common professional standard by courts and supervising authorities. Anyone who feels that an advertisement violates the Advertising Code can submit a complaint to the Advertising Code Committee (Reclame Code Commissie). The Advertising Code includes sector specific rules on advertising on social media, which in general aim to prevent hidden marketing.

See also Question 14 for specific rules on cookies and online behavioural advertising and Question 33 for specific rules on spam and direct marketing.

Certain products/services are prohibited from being advertised or sold online or are subject to additional restrictions, such as:

The Advertising Codes (see Question 31) provide for specific codes of conduct governing online advertising of certain products, such as alcohol, games of chance and text message (sms) services.

On 1 April 2021, the Remote (online) Gambling Bill (Wet Kansspelen of afstand) entered into force. Providers of online games of chance require a license granted, under strict conditions, by the Dutch regulator of gambling services (Kansspelautoriteit). The Dutch legislator only permits advertising of legal gambling services under strict circumstances. In accordance with the Draft Decree on advertising activities for high-risk games of chance (Ontwerpbesluit inperking van wervings en reclameacitiviteiten voor risicovolle kansspelen), advertisements for online gambling services:

The Telecommunications Act (Article 11.7) sets out rules on the sending of unsolicited commercial text messages or emails ("direct marketing") (Article 13 (see the E-Privacy Directive). The following rules generally apply to messages sent to both private and corporate subscribers/ users:

However, prior opt-in is not required where:

Also, prior opt-in is not required when such a message is sent to electronic contact details which are specifically made available by the non-private subscriber or user for receiving such messages.

The GDPR also regulates the sending of commercial text messages or emails where this involves the processing of personal data. The GDPR confers an absolute right to object (opt-out) to the use of one's personal data for marketing purposes (Article 21, GDPR). Further, the GDPR imposes an obligation on organisations that collect personal data to inform affected individuals regarding the intended use of that data and prohibits the use of personal data purposes that are incompatible with the purposes for which the data were originally collected.

There are no specific language requirements for a website that targets the Netherlands . However, rules on general T&Cs in consumer contracts and on concluding distance contracts with consumers require the T&Cs and other information to be provided in plain and clear language. In some circumstances, this may must be in Dutch, for example where the seller cannot assume the target group understands a language other than Dutch.

Traders resident in the Netherlands are subject to Dutch (corporate or personal) income tax with respect to their worldwide profits, which includes profits from online sales.

If the trade is carried on through a Dutch limited liability company, the company is subject to Dutch corporate income tax at:

As of 1 January 2023, this is expected to change to:

If the trade is not carried on through a company, the trader is subject to personal income tax in box 1, which includes (among others) profits from private business, salary and deemed income from a privately owned house used as main residence at:

As of 1 January 2023, this is expected to change to:

The effective tax rate may differ due to tax credits, deductions, and exemptions.

Sales concluded by non-resident traders are only subject to Dutch tax if the sales can be allocated to a Dutch permanent establishment (PE) or permanent representative (PR) of the trader.

A PE generally exists if the non-resident trader has a fixed establishment (for example, office space) in the Netherlands through which its business is carried on (exceptions apply).

A PR is a person or company that plays an important role in the representation of the trader (for example, negotiates the terms of contracts on behalf of the trader).

The existence of a PE or PR should be assessed based on the specific facts and circumstances of each case.

The Netherlands can be limited in its taxing rights by double tax treaties with other countries. If income is subject to tax in multiple jurisdictions and there is a PE or PR, double tax treaties generally allocate taxing rights to the jurisdictions of the PE or PR (to the extent the income can be allocated to one of them).

The OECD is working on proposals to introduce different taxing rights. As a result of these changes, it is likely that companies will become subject to tax without a PE or PR. These developments should be monitored.

Online sales also have VAT implications (see Question 36, Jurisdiction – VAT).

Persons and companies subject to a certain tax (such as VAT, corporate income tax and wage tax) must register for those taxes. Registration for Dutch resident persons and companies should be done with the tax office in the geographic jurisdiction in which the taxpayer resides. Non-resident traders should register with a specific department of the Dutch tax authorities (Kantoor Buitenland).

If a company or business registers with the Dutch Chamber of Commerce, registration with the Dutch tax authorities is normally done automatically. For income tax purposes, a taxpayer that has not been asked to file a tax return within six months of the tax liability arising must request a tax return from the Dutch tax authorities. For VAT purposes such request should be made before the payment deadline. Importantly, a VAT registration is required to reclaim input VAT.

In principle, cross-border B2B supplies fall into a VAT "reverse charge" reporting procedure, requiring the business customer to self-account for the VAT due. That avoids a need for the supplier to register for VAT in the customer's country. An exception to the reverse charge reporting procedure can apply if the trader has a PE in the customer's country.

Different rules apply for B2C supplies in the EU. In principle, VAT is due in the resident country of the supplier. However, exceptions apply and the specific rule which will depend on the type of business, for example:

Restrictions on content include the following:

Content must not contravene public order or public morals (Article 40, Book 3, Civil Code).

The person or entity that uploaded the unlawful content is prima facie liable for the content. For example, if the website operator uploads the content, they are liable for it.

Where a website provides an option for third parties (not acting under the website operator's authority) to upload content, the website operator can benefit from the "safe harbour" exception set out in Article 196c, paragraph 4, Book 6 of the Civil Code (based on Article 14 of the E-commerce Directive). In case law, this standard has been interpreted in such a way that the safe harbour clause can only be invoked if the website operator does not actively interfere with the content.

If there is no active interference, the website operator is not liable for the unlawful content that a third party placed on the website, provided that the website operator either:

Removing content might infringe the right of the third party that uploaded the content or lead to a breach of contract. It is therefore advisable for the website operator to stipulate a right to remove unlawful content in the website's general T&Cs or the terms of use as well as publishing its notice-and-take-down procedure on the website.

The Digital Copyright Directive introduces a separate "safe harbour" regime for online content-sharing service providers pertaining to copyright protected content that is uploaded on their platforms by third parties. This regime is much stricter than the regime provided under Book 6 of the Civil Code (see above) and lays a heavier duty on the online content-sharing service providers to prevent the unauthorised sharing of such infringing content (including monitoring obligations). This regime has been implemented into the Dutch Copyright Act.

Websites must display the following information in a clear, direct, and permanent manner:

(Article 15d, Book 3, Civil Code (see also the E-Commerce Directive).)

Under the Unfair Commercial Practices Act, "traders" who make misleading claims that are considered unlawful towards consumers are liable. If the website is a trading platform that allows third parties to promote their products, both the website operator and the third-party sellers can qualify as traders. Determining who is liable depends on the nature of the misleading claim and whether the website operator can make use of the safe harbour exception (see Question 38). It also depends on the status of the third-party seller, that is whether they are a trader (acting for purposes relating to their trade or business) or a consumer.

If the website is an online marketplace that allows third parties to promote their products, new rules are applicable as of this year (2022). Consumers should be provided with information about whether the third-party offering goods, services or digital content on the platform is a trader or non-trader and about how the obligations related to the contract are shared between this third-party and the provider of the online marketplace (to whom a consumer can turn in case of problems).

In principle, both the website operator and the third-parties offering their goods, services or digital content on the website can be held liable for website displays. However, the specific provisions arising from Dutch consumer protection legislation only apply in case of an agreement between a consumer and a trader. For contracts between consumers (C2C) the general rules of contract law apply.

Pricing errors are in principle at the risk of the seller (whether this is the website operator or a seller that sells its products through the website/trading platform). If the buyer can demonstrate that it honestly relied on that price and, for example, that the price difference was not substantial, the seller must accept a sale at the advertised price. Most website terms and conditions contain a provision to exclude liability for obvious errors and typos, e.g. "subject to printing errors".

For other unlawful content, see Question 38.

ISPs do not have any general right under Dutch law to shut down a website, remove content or disable linking without permission. However, to avoid liability relating to unlawful content and to benefit from the statutory defence for ISPs for such content (Article196c, Book 6, Civil Code (see also the E-Commerce Directive)) most ISPs reserve the right in their general T&Cs to remove unlawful content, websites or links without prior permission.

Several Dutch ISPs have set up a Notice-and-Take-Down Code of Conduct (Gedragscode Notice-and-Take-Down) which describes the procedure that should be followed.

If content on a website infringes copyrights, the copyright holder can obtain an injunction under article 26d of the Copyright Act, requiring the ISP whose services are being used by a third party to infringe copyrights to block the applicable website. However, this will only be granted by a court in case of very severe copyright infringements by that website.

Under case law, the measure of disabling the content must be effective and proportional and a fair balance between the fundamental rights of the copyright owner and the website operator/ ISP must be assured.

In 2020, the Dutch Court of Appeal ordered several ISPs to block the website The Pirate Bay. This is a peer-to-peer film and music sharing website of which had been proven that it severely infringed copyrights by enabling its users to share content without the necessary authorisation.

In November 2021, a number of Dutch ISPs and two stakeholder organisations (Stichting BREIN and Federatie Auteursrechtbelangen) signed the Website Block Convenant (Convenant Blokkeren Websites). Dutch ISPs have declared they will jointly block websites that enable the illegal downloading of copyright protected content, but only after the ruling of a judge in a procedure started by one of the stakeholder organisations.

Products and services sold online are generally subject to the same rules and regulations as offline sold products and services. However, since 2022, special conformity rules have applied to the supply of digital content and digital services. These rules dictate the (quality) requirements/ standards that must be met by the digital content and services and the remedies to which the consumer is entitled when the digital content or service fails to conform. These rules are set out in Civil Code, Book 7, Articles 17 -18a, 21-25 and 50aa - 50ap, and are partly formed by the implementation of the Sale of Goods Directive and the DCSD that provide special ruse for sales to consumers.

The act of selling products and services online is governed by special rules on distance selling (see Question 1 and Question 8).

Online businesses usually require the same sort of insurance as other businesses in the specific relevant industry sector. For online businesses, a cybersecurity insurance policy might also be relevant.

Proposal for an EU Regulation concerning the respect for private life and the protection of personal data in electronic communications (2017/0003 (COD), 5008/21) (Regulation on Privacy and Electronic Communications). As part of the e-commerce package in the European Digital Single Market Strategy, this (new) e-Privacy Regulation would particularise and complement the GDPR on which electronic data qualifies as personal data, such as the requirements for consent for the use of cookies and rules on spam. However, the introduction of this directive has been delayed on multiple occasions. There is currently no expected date for it to be brought into force.