Global Data and Cyber Handbook

The Netherlands

Select a Topic
Start Comparison
Regulators, Enforcement Priorities and Penalties
Jump to
Regulators, Enforcement Priorities and Penalties Start Comparison
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last reviewed: December 2024

The Dutch Data Protection Authority ("Autoriteit Persoonsgegevens", "Dutch DPA", or "AP") is the only data privacy regulator in the Netherlands overseeing data protection legislation, including a number of specific provisions of the Digital Services Act. It is expected that the Dutch DPA will also be tasked to supervise and enforce the AI Act.

The Dutch Authority for Consumers & Markets ("Autoriteit Consument & Markt" or "ACM") is competent to supervise and enforce the Data Governance Act. It is yet unclear whether ACM will also be tasked to supervise and enforce the Data Act.

The Dutch Authority for Digital Infrastructure ("Rijksinspectie Digitale Infrastructuur" or "RDI"), currently tasked to supervise and enforce the Wbni (implementing the NIS Directive) is anticipated to become the competent authority under NIS 2 for supervision and enforcement of in-scope entities in the sectors energy, digital infrastructure, space, manufacturing, digital providers, public administration, postal and courier services, research and ICT service management, whereas for operators in the other sectors specific sectoral authorities will be competent.

How active is each of the regulator(s)?

Last reviewed: December 2024

Moderately active 

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last reviewed: December 2024

In 2024 the Autoriteit Persoonsgegevens ("Dutch DPA", or "AP") focused on matters that pose the biggest risks for individuals and society, specifically within the following five focus areas:

  • algorithms & AI
  • big tech
  • freedom & security
  • data brokering
  • digital government

The Dutch DPA had also announced that it would (amongst others) prioritize complaints submitted against big tech companies as well as complaints, breaches and investigations pertaining to algorithms & AI and data brokering. and The DPA also announced the kick-off of a multiyear project on unlawful online tracking, including through cookies.
Recent enforcement activity by the Dutch DPA reveals that these enforcement priorities have been put into practice. Various fines were imposed against big tech and other companies for violations concerning transparency, use of cookies, data collection and data transfers. While no specific agenda for 2025 has been released yet, it seems likely that big tech, AI and online tracking will remain key focus areas for the Dutch DPA in the year ahead.

Enforcement priorities of the competent cybersecurity authorities have not been made public.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  Increasing

Class actions/group actions under data or cyber regulation are:

  Increasing

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last reviewed: December 2024

There are:

☒   administrative remedies / civil penalties applied by regulators and law enforcement

☒   private remedies

Individuals may, for example,

  • file complaints with the data protection authorities
  • claim damages for material or non-material damages
If data subjects have private remedies, what form can these remedies take?

Last reviewed: December  2024

☒   individual personal actions

☒   representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☒   class actions

{{ $store.state.loadingScreen.message }} ...