European legislation and regulation

The GDPR is the European privacy directive. In the Netherlands, it is further elaborated in the Dutch GDPR Implementation Act (in Dutch, Uitvoeringswet AVG). The law has been in effect since 2018. A report on the outcomes of this law was released in 2024 and may lead to a revision.

The European Digital Services Act came into force across Europe on 16 November 2022 and has been in effect since 17 February 2024. Some rules relating to very large online platforms and search engines have been applicable since 16 November 2022. These include reporting obligations, independent audits, data exchange and supervision (including fees), investigation, enforcement and monitoring. This law applies to intermediary services, including social media platforms and app stores. The DSA exists primarily to protect citizens from illegal content and misinformation.

The DMA came into force in 2023. This regulation assigns responsibilities to providers of major digital platforms and online service providers. The DMA includes rules, prohibitions, and obligations for these platforms. It also contains rules about the use and sharing of data.

eIDAS stands for ‘Electronic Identities And Trust Services’. With eIDAS, the European member states have agreed to uniform concepts, levels of assurance, and digital infrastructure. In 2023, the eIDAS regulation was amended to make the access provided by this system universal. Part of the regulation is the cross-border use of European-recognised login tools and certificates.

The Single Digital Gateway is a regulation that establishes a single digital access point. This gateway provides online access to the information, administrative procedures and services that people need to live or do business in another EU country. The SDG Regulation entered into force on 11 December 2018. The regulation provided for the phased implementation of information and procedures. These deadlines have now expired.

The Data Governance Act is a key pillar of the European Data Strategy. Its aim is to utilise data capacity to benefit European citizens and businesses. The DGA will make more data available and facilitate data sharing between sectors and EU countries.

The Directive on Open Data and the Reuse of Public-Sector Information promotes the use of open data by public authorities. This Directive entered into force on 16 July 2019 and was implemented in phases for new websites, existing websites and mobile applications. These deadlines have now passed.

The Directive on the Accessibility of Websites and Apps of Public Sector Bodies came into force on 22 December 2016 and helps member states achieve their accessibility goals. It also helps them meet the obligations of the UN Convention on the Rights of Persons with Disabilities (CRPD). Another goal of the directive is to harmonise the accessibility requirements of EU countries. In the Netherlands, the directive is further detailed in the Temporary Decree on Digital Accessibility of the Government (in Dutch, Tijdelijk besluit digitale toegankelijkheid overheid).

Under the European Accessibility Act (EAA), providers of websites, apps, e-books, ticket machines, and online shops are legally required to ensure their services are accessible to everyone. This law took effect on June 28, 2025. Since 2018, government websites and apps have already been subject to the Decree on Digital Accessibility of the Government, and these requirements continue to apply with the new legislation.

The Directive on Security of Network and Information System (NIS2) aims to further strengthen cybersecurity in Europe. The directive provides legal measures to raise the overall level of cybersecurity in the EU and entered into force on 16 January 2023.

The Data Act allows public authorities to access data from third parties, provided the data is requested for a legitimate purpose, such as an emergency. The Data Act came into force on 11 January 2024 and was implemented on 12 September 2025. All of its rules will become mandatory in 2026.

The AI Act includes requirements and frameworks for the development and use of AI systems by governments and market players, facilitating innovation and economic development while protecting public values.

The EU is working on a regulation to establish interoperability frameworks for sharing information in the public sector. A number of EU interoperability initiatives already exist, such as the European Interoperability Framework (EIF). However, these are not binding and have limited impact. The Interoperability Act aims to improve the quality of public services across all EU countries. This regulation entered into force on 11 April 2024 and took effect on 12 July 2024. The provisions on interoperability assessments and national competent authorities took effect as of 12 January 2025.

With the Cyber Solidarity Act, the European Commission strives to strengthen the cybersecurity capabilities of member states and the EU.

The proposed Gigabit Infrastructure Act focuses on accelerating the installation of high-quality networks by making it financially attractive. The proposal is still in an early stage and may take until 2030 to be enacted into law.

The proposal for a digital omnibus comprises a series of technical amendments to a large body of digital legislation. Proposal for a digital omnibus regulation and factsheet Omnibus AI and Omnibus Digital (Dutch).