Legal website requirements Netherlands 2026: mandatory information for Dutch businesses
Which information must a Dutch business website legally display? Overview of obligations under the Trade Register Act, Civil Code, Telecommunications Act and GDPR, and what you need to check now.
- Every Dutch business website is legally required to display the registered trade name, registered address, KvK number (Art. 15a Trade Register Act jo. Art. 9 Trade Register Decree 2008) and VAT identification number (Art. 35a para. 1 VAT Act 1968) on every page or on a clearly accessible contact page. Missing any of these exposes you to a notice from the Chamber of Commerce or the Tax Authority.
- Webshops (e-commerce, distance selling) have additional obligations: Art. 7:46c Dutch Civil Code (information duties for consumer distance contracts) requires you to state — before purchase — the total price including VAT, delivery time, 14-calendar-day right of withdrawal (Art. 7:46d Civil Code), complaints procedure and seller identity. Non-compliance makes the contract voidable.
- Cookie consent is required for non-functional cookies (Telecommunications Act Art. 11.7): opt-in required, not opt-out. The GDPR (Art. 13) requires a privacy statement with processing purposes, legal basis, retention periods and data subject rights. The Dutch Data Protection Authority can impose fines of up to EUR 20 million or 4% of global annual turnover.
Which information must a Dutch business website legally display?
Dutch businesses are legally required to display on their website: the registered trade name, the registered address, the KvK number (Art. 15a Trade Register Act jo. Art. 9 Trade Register Decree 2008) and the VAT identification number (Art. 35a para. 1 VAT Act 1968). These details must be easily and directly accessible, typically via the contact page or footer. Failure to display them constitutes a violation of the Trade Register Act and tax legislation. In addition, webshops are subject to information duties under Book 7 of the Dutch Civil Code (distance selling), all websites must comply with the cookie rules of the Telecommunications Act, and a privacy statement is required under the GDPR. This article provides a concise checklist per legal framework with source references.
Mandatory business details: KvK number, address and VAT number
Article 15a Trade Register Act 2007 jo. Article 9 Trade Register Decree 2008 requires every business to display its registered trade name and registered address on websites and in email communications. Article 35a para. 1 VAT Act 1968 requires VAT-registered businesses to display the VAT identification number on all invoices and commercial websites. For a sole trader, the VAT number takes the form NL + an RSIN-derived number + B + 2 digits (note: does not contain the BSN; it is a separate number issued by the Tax Authority). Legal entities (BV, NV, foundation) also display the RSIN (Legal Entities and Partnerships Information Number) under Article 9 Trade Register Decree 2008. Placement: a contact page or footer is sufficient provided it is easy to find without multiple clicks. Verify your details via the public trade register at kvk.nl and belastingdienst.nl.
Information duties for webshops: Art. 7:46c Civil Code and right of withdrawal
Webshops selling to consumers (distance contracts, Art. 7:46a Civil Code) are required under Article 7:46c Civil Code to clearly state before the contract is concluded: (1) the identity and address of the seller; (2) the total price including VAT, delivery costs and any other charges; (3) the delivery time; (4) the payment methods; (5) the right of withdrawal: consumers have 14 calendar days after receipt to cancel the purchase without giving a reason (Art. 7:46d Civil Code); (6) the complaints procedure and any dispute resolution options. The European Directive 2011/83/EU (Consumer Rights Directive) underlies this; the Dutch implementation is in Book 7 of the Civil Code. Non-compliance makes the contract voidable (Art. 7:46i Civil Code) and automatically extends the withdrawal period to 12 months. Book 7 obligations do not apply to B2B transactions, but business customers also expect transparency about prices, delivery times and payment terms.
Cookies and privacy statement: Telecommunications Act Art. 11.7 and GDPR Art. 13
Article 11.7 Telecommunications Act prohibits placing or reading non-functional cookies and similar technologies (such as fingerprinting or localStorage tracking) without prior consent from the visitor. Consent must be freely given, specific, informed and unambiguous (opt-in; not opt-out via a pre-ticked box). Functional cookies (login status, shopping cart, language preference) are exempt. Third-party analytics cookies (Google Analytics, Meta Pixel) do require consent. The Dutch Data Protection Authority (AP) and the Authority for Consumers and Markets (ACM) enforce cookie rules; the ACM has issued several fines for dark patterns (difficult to decline, coloured buttons). GDPR Article 13 requires every controller to inform data subjects at the time of collection about: the purpose and legal basis for the processing (Art. 6 GDPR), the retention periods, the recipients (processors and third countries), and data subject rights (access, correction, deletion, objection). This applies to every contact form, every cookie that processes personal data, and every analytics system. Keep versions of your privacy statement in version control: the AP can demonstrate during enforcement what was online at any given time.
Checklist legal website requirements Netherlands 2026
Use the checklist below to audit your website. Display on a clearly accessible contact page or footer is sufficient in most cases. (1) Trade name as registered with the KvK: yes/no. (2) Registered address (not a PO box): yes/no. (3) KvK number: yes/no. (4) VAT identification number (for VAT-registered businesses): yes/no. (5) Email address or contact form for accessibility: yes/no. (6) Cookie banner with opt-in for non-functional cookies (Telecommunications Act Art. 11.7): yes/no. (7) Privacy statement compliant with GDPR Art. 13 with purpose, legal basis, retention periods, recipients and rights: yes/no. (8) Webshop additionally: total price including VAT, delivery time, 14-day right of withdrawal, complaints procedure (Art. 7:46c Civil Code): yes/no. (9) Complaints procedure and ODR link (Online Dispute Resolution, mandatory for EU webshops via ec.europa.eu/odr): yes/no. Missing any one item is quick to fix; do not delay as enforcement by the ACM and AP is active.
Frequently asked questions about legal website requirements
Do I need to display my KvK number on my website?
Is a privacy statement required for a business website?
Do I need to obtain consent for Google Analytics?
Does the 14-day right of withdrawal only apply to webshops?
What are the consequences of non-compliance with legal website requirements?
Need your website reviewed for legal requirements and privacy?
Book a free call. We check your website for mandatory disclosures, cookie banner and privacy statement compliance, and resolve any shortcomings.
Book a free call →Free and without obligation · Reply within one business day · Fixed price up front, no surprises