TMT 2024

Last Updated February 22, 2024

Netherlands

Trends and Developments


Authors



Greenberg Traurig, LLP is an international law firm with approximately 2,300 attorneys serving clients from 40 offices in the USA, Latin America, Europe, Asia and the Middle East. The firm’s dedicated TMT team consists of more than 100 lawyers, seven of whom are in Amsterdam. The Amsterdam team is well versed in representing clients around the world in domestic, national and international policy and legislative initiatives, and in guiding them through the business growth cycle for a variety of technologies. As a result, it provides forward-thinking and innovative legal services to companies producing or using leading-edge technologies to transform and grow their businesses.

Introduction

The Dutch business community and the government have a positive view on technology and the chances and benefits it offers. Cloud and AI are embraced, but of course with caution and an open eye for the risks. However, in general such risks are deemed to be low and acceptable. This differs from a number of other EU countries.

2023 witnessed remarkable strides in the dynamic realm of TMT, setting the stage for transformative trends that will shape the near future. From the surge in Generative AI adoption and the imperative to curtail algorithmic biases to the convergence of Augmented Reality (AR), Virtual Reality (VR) and Artificial Intelligence (AI) signalling an era of unparalleled customisation, this article explores the key developments driving innovation across industries, with an emphasis on the developments in relation to AI.

Delving into the realm of robotics, the integration of machine learning algorithms and sensor technologies brings us closer to the realisation of collaborative human-robot ventures. As the digital landscape braces for an increase in cyber threats, a unified defence against sophisticated AI-powered attacks becomes paramount, emphasising the need for standardised cybersecurity frameworks and collaborative efforts between industries and governments to safeguard data and privacy. The EU Artificial Intelligence Act (AI Act) is expected to play an instrumental role in curtailing these threats.

This article will also discuss the latest TMT trends regarding competition law, the various pieces of upcoming legislation on the use of data, an update on the 5G and FM frequency auctions, and important developments in light of personal data protection and taxes.

EU AI Act

On 9 December 2023, the European Parliament reached a provisional agreement on the text of the AI Act, which is likely to be the world’s first comprehensive law regulating the use of AI. The agreement must still be approved by all EU member states and the entire European Parliament; the law will enter into force two years after such approval. The AI Act is risk-based, which means that the obligations of providers and users of AI systems depend on the level of risk that the respective AI technology may create and/or generate, and that AI systems with a higher risk of affecting society will be subject to stricter requirements.

The AI Act attempts to establish guidelines to navigate the complexities of AI-generated content and authorship. The legislation recognises the importance of human creativity and addresses concerns surrounding ownership and attribution in instances where AI autonomously produces content. Furthermore, the AI Act integrates provisions for digital rights management tailored to AI-generated media, safeguarding against the unauthorised use and potential misuse of copyrighted material.

Prohibited uses

The proposal bans AI systems that violate EU values, for example by violating fundamental rights. This applies, for example, to “social scoring” by governments or companies, or the classifying or profiling of people based on their social behaviour or personal characteristics. The banned systems include:

  • “real-time” biometric identification systems in public places;
  • biometric categorisation based on sensitive characteristics, such as gender, race, ethnicity, citizenship, religion and political affiliation;
  • predictive detection systems, based on profiling, location or previous criminal behaviour; and
  • emotion recognition in law enforcement and workplace settings (among others).

High-risk AI

High-risk systems, such as AI systems that may cause significant harm to human health, safety and/or fundamental rights, are subject to more restrictions under the AI Act. For instance, AI used in controlling critical infrastructure in the fields of water, gas and electricity or medical devices will be subject to more scrutiny. Biometric identification, categorisation and emotion recognition systems are also considered high-risk.

Minimal risk

Minimal risk AI systems are those that can be developed and used according to existing legislation – ie, there are no additional requirements for them in the proposed regulation. Such systems include spam filters and search engines.

Specific transparency risk

Users should be made aware that they are interacting with a chatbot when employing such an AI system – eg, ChatGPT. There will also be a requirement for registration in a central European database before the application can be marketed in Europe. In addition, it is mandatory to record all copyrighted data used to train AI systems and to disclose its use in a detailed overview. Deepfakes and other AI-generated content need to be labelled as such. When biometric categorisation or emotion recognition systems are used, users need to be informed. Last but not least, providers need to make the content detectable as having been artificially generated or manipulated, by designing the system in a way that artificially generated or manipulated audio, video, text and images are marked in machine-readable format.

Innovation

To support innovation in AI, the AI Act inserted exemptions for research activities and for AI components provided under open-source licences. The AI Act promotes so-called test environments (sandboxes) set up by government agencies to test AI before it is brought to market.

Position of citizens

The European Parliament wants to strengthen citizens' rights. Think, for example, of being able to file complaints and get explanations about decisions using AI systems.

Next steps

On 9 December 2023, the European Parliament and the Council of the EU reached a preliminary political agreement on the AI regulation; they are still working on the formal legal text before the regulation is adopted by both bodies. Once the AI regulation is adopted, member states will begin implementing the regulation domestically. Most standards will take effect two years after the effective date, which is expected to be in mid-2026.

Furthermore on AI, on 11 December 2023, the Dutch government announced by way of a letter from the Minister of Digitalisation that it is currently in the process of creating guidance on safe and responsible use of generative AI within the government. In addition, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) announced in its yearly plan for 2024 that algorithms and AI will be a specific area of focus.

Technology Trends in Competition Law

The EU Digital Markets Act (DMA) became applicable in May 2023, and intends to ensure fair and contestable digital markets. In September 2023, the European Commission designated six companies as so-called “gatekeepers” under the DMA for the first time – Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.

Being designated as a gatekeeper comes with various obligations to maintain fair and effective competition. By March 2024, gatekeepers must have adjusted their businesses to comply with the DMA. Apple, ByteDance and Meta have all appealed their designations. More gatekeepers may be designated by the Commission in 2024. The case law resulting from the different proceedings will likely shape the Commission’s DMA enforcement in 2024 and the years to come.

The EU Digital Services Act (DSA) intends to create a safer digital space where the fundamental rights of users are protected, and to establish a level playing field for businesses. It already applies to designated online platforms and search engines, and will apply to all regulated companies as of February 2024. In December 2023, the Commission adopted a second set of designation decisions under the DSA, designating three very large online platforms: Pornhub, Stripchat and XVideos.

These designations follow a first set of designation decisions of 19 very large online platforms and search engines in April 2023. Amazon and Zalando have already challenged their designation by the Commission. Separately, in December 2023, the Commission opened formal proceedings against X to assess whether it may have breached the DSA in areas linked to risk management, content moderation, dark patterns, advertising transparency and data access for researchers. Again, the outcome of the different proceedings will likely guide the Commission's DSA enforcement in future. Amazon, in particular, has put forward wide-ranging arguments against the Commission’s designation, including challenges to the scope of the DSA itself.

In 2024, the Dutch Authority for Consumers and Markets (ACM) will likely continue to pay particular attention to companies’ use of algorithms and AI.

The focus in relation to antitrust damages cases before the Dutch civil law courts will likely continue to shift from follow-on cartel damages cases to abuse of dominance damages cases, specifically in relation to Big Tech. In 2024, the Dutch litigation landscape is expected to change even further in relation to Big Tech companies that have been designated under the DMA/DSA. A new wave of private enforcement actions may therefore be forthcoming in the Netherlands shortly.

Reporting Obligations for Platform Companies in Respect of Tax

EU rules were introduced in 2023 (under Directive 2021/514, also known as DAC-7) that extended EU tax transparency requirements to digital “platforms”. The aim of DAC-7 is to improve administrative tax co-operation – and counter tax fraud/tax evasion – and to address the challenges posed by the digital platform economy. Accordingly, an obligation was introduced for “platform operators” to provide information on income derived by sellers through those platforms.

An entity qualifies as a platform operator if it contracts with sellers in order to provide access to and use of an online “marketplace” platform to those sellers. A platform operator falls under the scope of DAC-7 rules if, in brief, it is tax resident in, has been incorporated under the laws of, or is operationally active in an EU member state. The rules affect platform operators offering sellers access to:

  • the rental of immovable property, including both residential and commercial property, as well as any other immovable property and parking spaces;
  • a personal service;
  • the sale of goods; and
  • the rental of any mode of transport.

The Netherlands implemented the DAC-7 directive into its local laws as of 1 January 2023 and platform operators had to file their first DAC-7 reporting, with regard to 2023, in January 2024.

Delayed Introduction of Digital Services Tax

The Dutch political parties that formed the 2021–2023 government (which collapsed in the fall of 2023) agreed to the introduction of a digital services tax in the Netherlands. However, unlike several other EU member states, they did not progress this topic, and no such tax has yet been introduced. The political parties that won the elections on 22 November 2023 did not include any significant notes related to the introduction of a digital services tax in their campaign plans.

Accordingly, it remains most likely for now that the Netherlands will await global acceptance of the OECD’s initiative to adapt the multilaterally agreed international tax system currently in place in such a way that some of the world’s largest multinational e-commerce businesses would need to start paying income taxes based not on where they are located or are otherwise active, but on where their consumers are located (also known as “Pillar 1”).

5G Auction to be Held

The 5G frequency auction that was originally scheduled to be held in 2023 has been postponed to early 2024, due to a conflict with Dutch maritime company Inmarsat. Now that this auction is likely to finally take place this year, media and telecommunications companies can brace themselves for an important year.

(Upcoming) Data-Related Legislation

In an attempt to keep up with the fast-evolving landscape of digital governance and the accumulation of a significant quantity of data in the digital space, the EU has undertaken significant legislative initiatives to fortify its financial, cybersecurity and data management frameworks, including the Digital Operational Resilience Act (DORA), the NIS2 Directive, the EU Data Act and the EU Data Governance Act.

Digital Operational Resilience Act

DORA is a ground-breaking legislative move in the EU, reshaping the way financial institutions manage operational risks in an increasingly digital era. Addressing the escalating reliance on digital infrastructure and the severe consequences of operational disruptions, DORA introduces a comprehensive framework to counteract cyber threats and enhance operational resilience.

Under DORA, outsourcing service providers in the EU face heightened requirements, compelling them to invest significantly in robust cybersecurity measures, compliance frameworks and incident response capabilities. This shift is expected to fuel demand for specialised cybersecurity services within the outsourcing industry.

DORA mandates financial institutions to identify and manage cyber risks through regular risk assessments, resilience testing and incident reporting to competent authorities. The regulation aims to ensure the stability and security of the financial sector, safeguard consumers and strengthen the overall economy. Virtually all financial entities in the EU fall under DORA's purview, including key third parties providing ICT-related services.

Outsourcing is central to DORA, with financial institutions facing stringent responsibilities regarding cybersecurity assessments and monitoring of third-party service providers. Key requirements include addressing ICT third-party risks through rigorous contractual arrangements, location indications for data processing, service descriptions, access guarantees, exit strategies, audits and performance targets.

DORA has been in effect since 14 December 2022 and requires in-scope companies to achieve compliance by 17 January 2025. As a binding regulation applicable across all EU member states, ongoing outsourcing agreements should already integrate DORA's requirements, emphasising the need for prompt adherence. Within the Netherlands, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten) will be responsible for supervising compliance with DORA.

NIS2 Directive

The EU Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) signifies a monumental step towards harmonising cybersecurity standards across EU member states. Replacing the previous NIS Directive, the NIS2 Directive broadens its scope to cover medium-to-large enterprises and public organisations performing vital functions for the economy or society.

The NIS2 Directive introduces measures for elevating the cybersecurity posture of critical infrastructure operators and digital service providers, focusing on risk management, incident reporting and security certification schemes. Compliance with the NIS2 Directive is essential for outsourcing service providers, necessitating investments in advanced cybersecurity technologies, workforce training and robust incident-response capabilities.

Notably, the relationship between DORA and the NIS2 Directive is critical, with both pieces of legislation sharing significant requirements. As a regulation, DORA applies directly to all EU member states, while the NIS2 Directive is a directive requiring implementation into national law. The NIS2 Directive provides an exemption to ensure overlapping DORA provisions take precedence.

The implementation of NIS2 in 2023 requires EU member states to adopt it into national legislation by 17 January 2025. As organisations seek expert guidance for cybersecurity compliance, there is likely to be an increased demand for cybersecurity consulting services, offering a competitive advantage to outsourcing providers with robust security measures.

Furthermore, the Dutch legislature expects to publish the proposal for the Dutch implementation of the NIS2 Directive for public consultation in the first quarter of 2024.

Data Act

In addition to DORA and the NIS2 Directive, the proposed EU Data Act promises to have a profound impact on the technology and outsourcing landscape, particularly concerning the vast amounts of data processed through internet of things (IoT) services. Aimed at establishing a unified data governance framework across the EU, the EU Data Act emphasises data sharing and management practices, prioritising data protection and privacy.

The EU Data Act introduces new rules regarding data governance, access and sharing, enhancing data portability and interoperability. For outsourcing providers, compliance requires robust data management practices, stringent privacy measures and secure data-sharing protocols. Organisations aligned with the principles of the General Data Protection Regulation (GDPR) will find themselves well-prepared for the EU Data Act, while non-compliance may pose challenges in serving European clients or processing EU citizens' data.

The Data Act was adopted by the European Council on 27 November 2023 and entered into force on 11 January 2024. It will apply 20 months later, on 12 September 2025, prompting outsourcing providers to closely monitor developments and proactively ensure adherence to its provisions. In the Netherlands, it is not yet clear which supervisory authority will be responsible for monitoring adherence with this regulation.

EU Data Governance Act

Finally, 2023 marked the enactment of the EU Data Governance Act. This regulation on data governance seeks to improve the development of trustworthy data-sharing systems by regulating the re-use of data held by the public sector. In order to achieve this purpose, the EU Data Governance Act provides for four broad sets of measures:

  • member states must facilitate the re-use of certain public sector data that cannot be made available as open data – eg, certain health data can be re-used to advance research to find cures for rare or chronic diseases;
  • it includes measures to install data intermediaries that will function as trustworthy organisers of data sharing or pooling within the common European data spaces;
  • there are measures to assist citizens and businesses in the process of making their data available for the benefit of society; and
  • there are measures to facilitate data sharing by making it possible for data to be used across sectors and borders, and to ensure that the right data can be re-used for the right purpose.

The EU Data Governance Act applies to both personal and non-personal data, whereas the GDPR only applies to personal data. Where personal data is in scope, the GDPR will apply alongside the EU Data Governance Act.

The EU Data Governance Act entered into force on 23 June 2022 and has been applicable since September 2023. Within the Netherlands, the Netherlands Authority for Consumers and Markets (Autoriteit Consument en Markt) is responsible for supervising compliance with the EU Data Governance Act.

Data Protection – Transferring Personal Data to the US

Perhaps the most impactful trend with respect to data protection was the adoption of the adequacy decision for the EU-U.S. Data Privacy Framework (EU-US DPF), succeeding the Privacy Shield. This decision reinstates the possibility of data transfers between EU organisations and those in the US that have self-certified compliance with the principles of the EU-US DPF. Following the EU, the UK and Switzerland have also adopted their respective transfer mechanisms: the UK Extension to the EU-US DPF and the Swiss-U.S. DPF.

Given the previous invalidation of predecessors such as the “Safe Harbour” agreement and the “Privacy Shield” by the Court of Justice of the European Union (CJEU), the sustainability of the EU-US DPF is yet to be seen. One attempt by a member of the French Parliament, Philippe Latombe, to challenge this decision – through an application for interim relief – has already been recorded, but ultimately failed because the CJEU held that he failed to establish the presence of serious and irreparable harm. Therefore, the CJEU has not (yet) reviewed this transfer mechanism on the merits. However, with a declaration of intention to initiate a legal action against the EU-US DPF by the person responsible for the invalidation of its two predecessors, this is still likely to occur in the next couple of years.

This and other data protection-related trends will be discussed in more detail in the Netherlands Trends & Development chapter in Chambers Data Protection & Privacy 2024.

Cloud

Although the Netherlands has a relatively high adoption of cloud solutions, many enterprises have a major roadmap to bring applications to the cloud. These projects can be challenging, especially if it is not recognised early on that applications will need to be replaced by applications with slightly different functionality. This brings a risk of failure.

The Dutch government has a positive view on technology and on the cloud, and has adopted a new cloud policy that allows broad use of cloud applications. US cloud providers are not seen as suspicious and the risks of the US CLOUD Act are usually deemed acceptable.

Conclusion

In conclusion, the continuously evolving TMT landscape witnessed transformative developments in 2023 that set the stage for the future. The adoption of Generative AI, the convergence of AR/VR and AI, and the advancements in robotics signal a paradigm shift in innovation. As the digital landscape faces escalating cyber threats, the EU AI Act and collaborative defence mechanisms take centre stage, emphasising the importance of standardised cybersecurity frameworks.

The EU AI Act, with its risk-based approach, is poised to become the world's first comprehensive law regulating AI use. It addresses concerns surrounding AI-generated content, emphasising human creativity, ownership and attribution. The Act's focus on prohibited uses and the regulation of high-risk AI systems demonstrates a commitment to safeguarding fundamental rights and societal well-being.

In the realm of competition law, the DMA and DSA are reshaping digital markets by designating gatekeepers and establishing a safer online space. These designations, along with ongoing legal proceedings, will significantly influence DMA and DSA enforcement in the coming years.

In the realm of taxation, the extension of EU tax transparency requirements to digital platforms (DAC-7) and the upcoming reporting obligations for platform operators mark a significant step in countering tax fraud in the digital platform economy.

The delay in the introduction of a digital services tax in the Netherlands reflects a cautious approach, possibly awaiting global acceptance of the OECD's initiative. Furthermore, the 5G and FM frequency auctions, initially scheduled for 2023, are anticipated in early 2024, bringing substantial developments for media and telecommunications companies in the Netherlands.

The legislative initiatives on data management – including DORA, the NIS2 Directive, the EU Data Act and the EU Data Governance Act – underline the EU's commitment to fortifying digital governance. DORA's impact on financial institutions and outsourcing providers is evident, emphasising the need for robust cybersecurity measures.

The EU Data Governance Act, enacted in 2023, focuses on trustworthy data-sharing systems, setting measures for re-using public sector data and facilitating cross-sector and cross-border data sharing. This legislation, alongside the EU Data Act, strengthens data protection and privacy, aligning with GDPR principles.

Furthermore, the adequacy decision for the EU-US DPF reinstates data transfers, marking a pivotal trend in data protection. However, the sustainability of the EU-US DPF, given past invalidations, remains a crucial aspect to monitor.

As we move forward, TMT will continue to be an area deserving of close legislative attention, as it remains subject to technological advancements and instrumental in balancing innovation with societal well-being. The next phase will require adaptability and collaboration across industries to navigate the complexities of the rapidly changing digital environment.

Greenberg Traurig, LLP

Beethovenstraat 545
1083 HK Amsterdam
The Netherlands

+31 651 289 224

+31 20 301 7300

herald.jongen@gtlaw.com www.gtlaw.com