The NLdigital terms are widely regarded as the standard general terms and conditions for the digital sector in the Netherlands. As the previous version dated back to 2020, it was time for an update: the NLdigital Terms 2025. These terms have been updated and now align more closely with recent European legislation. A positive development, but what do these changes actually mean for your organisation? In this blog, we outline the key changes.
What is new?
General
New chapters have been added on compliance, cybersecurity, data sharing, AI and online platforms. As a result, the NLdigital Terms 2025 better reflect current developments in the sector. That said, the balance between supplier and customer has hardly shifted: the supplier retains a strong position, while the customer takes on more responsibilities. Below are a few concrete examples of how this plays out in practice.
Compliance
One of the key additions is the new chapter on compliance. Where the GDPR previously took centre stage, this chapter now covers multiple laws, including the AI Act, NIS2 and the Data Act. It also includes provisions on usage requirements for products and services. For example, the customer must ensure that the product or service is used only as intended by the supplier and that it includes the correct documentation, such as declarations of conformity.
Notably, suppliers are not required to guarantee that their products or services fully comply with all applicable legislation. Instead, responsibility rests with the customer to assess in advance whether the offered product or service meets the legal requirements. This may pose significant challenges for the average purchaser of IT services, who will often lack the expertise needed to make such an assessment.
Cybersecurity
A separate chapter on cybersecurity has also been added. This chapter states that the customer is responsible for securing its own systems. Only where explicitly agreed in writing is the supplier obliged to apply data segmentation when creating backups. Here too, the provisions are relatively brief and general, despite cybersecurity being a critical issue in practice. Organisations that place high demands on, or have a strong interest in, data integrity and system security would be well advised to make clear and specific arrangements with their supplier on this point.
Data sharing
In addition, a new chapter on data sharing has been introduced. The customer may submit a data sharing request to the supplier, provided that the request is specific and made in writing. Suppliers must then make reasonable efforts to comply with the request, at customary rates. The terms also impose strict deadlines for data transfer: generally no more than 30 days, with an extension of up to seven months in exceptional cases. If the customer does not specify how the data sharing request should be carried out, the supplier may treat this as a request to delete the data and terminate the service. This gives effect to the obligations arising under the Data Act.
Artificial intelligence
For the first time, the terms also include a separate chapter on AI. This is a logical addition, given that IT companies increasingly offer AI systems and integrate AI into existing IT solutions. This chapter stipulates that the customer must use an AI system in accordance with its intended purpose and the supplier’s instructions. The customer must also report incidents relating to the AI system, organise human oversight and ensure sufficient AI literacy within the organisation. In addition, the customer may not, without the supplier’s consent, modify the AI system or use it for AI training or scraping. The supplier also retains the right to modify or withdraw the AI system from the market if it no longer complies with its intended purpose, without incurring any liability for damages.
Overall, customers purchasing an AI system are subject to a considerable number of obligations. While these obligations may appear manageable at first glance, they can have significant practical and organisational implications. It is therefore advisable to consider these aspects carefully before deploying an AI system.
Complaints procedure
Finally, a formal complaints procedure has been added for online platforms, giving effect to one of the obligations under the Digital Services Act. Customers may submit a complaint within six months of a decision by an online platform, which must then be handled within a reasonable period. In the event of repeated unfounded complaints, the supplier may temporarily suspend the customer to prevent abuse. If the customer disagrees with the outcome of the complaint, they may refer the matter to an out-of-court dispute resolution body.
Conclusion: modernisation, with a caveat
Overall, the NLdigital Terms 2025 provide a modern legal framework for the digital sector. However, the obligations imposed on customers remain strict, while suppliers often assume only best-efforts obligations. As a result, suppliers retain significant leeway to limit their risks, which in practice largely fall on the customer. In short: the NLdigital Terms 2025 place greater emphasis than ever on compliance, data transparency and AI, but the relationship between customer and supplier remains unequal in many respects.
Would you like to be sure that your IT organisation is contracting under the right terms and conditions? Consider having a quick scan of your contracts carried out by one of our legal counsels. We would be happy to assist.
Contact us
