Overview
IT law contracts for software, SaaS and licensing are governed by the general law of obligations in Book 6 of the Dutch Civil Code. For the official English translation, see the Dutch Civil Code, Book 6 (obligations and contracts). Solid IT law agreements built on these rules protect both technology providers and their clients.
IT law and technology law are critical for businesses in the digital age. Whether you’re a tech company developing software, a business implementing IT systems, or an organization handling data privacy compliance, specialized legal guidance protects your innovations and ensures regulatory compliance. Our work also covers GDPR compliance, data processing agreements, and the protection of intellectual property in software, ensuring your technology and your customer data stay on the right side of Dutch and European rules.
At Law & More, we advise tech companies, startups, and businesses on all aspects of IT law, cybersecurity, and digital compliance. Located in the Brainport Eindhoven tech ecosystem, we work extensively with software companies, SaaS providers, hardware manufacturers, and digital innovators. Our IT lawyers combine technical understanding with legal expertise to protect your business in the digital landscape.
What We Do
Software licensing and SaaS agreements
GDPR compliance and data protection
Privacy policies and data processing agreements
IT contracts and vendor agreements
Cybersecurity and data breach response
Intellectual property and source code protection
Cloud computing agreements
E-commerce and online platform regulation
AI and emerging technology law
Technology disputes and liability
Why Choose Law & More
Deep expertise in the tech industry and digital business models
Located in the Brainport Eindhoven tech ecosystem
Practical understanding of software development and IT operations
Experience with startups, scale-ups, and enterprise clients
Multilingual service for international tech companies
Frequently Asked Questions – IT Law
Frequently asked questions about IT law, answered by our experts.
A processing agreement records the arrangements between the controller and the processor under the GDPR. It must, among other things, set out the subject, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, the security measures, the use of sub-processors, and the obligations on return or deletion of the data. We draft and review DPAs so they are watertight.
Copyright in software developed to order in principle belongs to the developer, unless otherwise agreed in writing. A client who wishes to acquire the rights must therefore have a clear deed of transfer or a broad licence included. Arrangements should also be made about pre-existing components, open source, and usage rights. We ensure the IP position is watertight.
An SLA records the agreed quality of an IT service, such as availability, response times, support, and maintenance windows. Failure to meet the levels is often linked to penalties or service credits. A clear SLA prevents disputes over what 'good service' means and gives the customer concrete leverage in the event of non-performance. We draft balanced SLAs and review those of suppliers.
Open source components are free to use, but subject to the conditions of the applicable licence. Some licences (such as copyleft) require derivative source code to be made available, which can affect commercial software. A licence inventory and a compliance policy prevent unintended obligations and infringements. We advise on responsible use of open source.
The NIS2 Directive raises cybersecurity requirements for a broad group of medium-sized and large organisations in essential and important sectors. It requires, among other things, risk-management measures, incident reporting, and management accountability. Non-compliance can lead to substantial fines. We help map out whether you fall under NIS2 and how to become compliant.
With cloud services, it is important who is responsible for availability, security, data, and back-ups, and how liability is limited. Supplier contracts often contain broad exclusions; as a customer, it is essential to assess these critically and adjust them where necessary. Exit and data-return arrangements should also be well regulated. We negotiate these terms for you.
Transfers of personal data to countries outside the EEA are only permitted where an adequate level of protection is guaranteed, for example through an adequacy decision or standard contractual clauses with additional measures. Since important case law, a careful assessment is required. We advise on lawful international data transfers and the necessary documentation.
Placing non-strictly-necessary cookies and trackers in principle requires the user's prior, informed consent. Transparency obligations also apply through a cookie statement. Incorrect cookie banners and 'consent' that is in fact forced create enforcement risks. We assess your cookie solution for lawfulness.
Trade secrets are protected if they are secret, valuable, and protected by reasonable measures. Alongside statutory protection, confidentiality and non-competition arrangements in contracts and employment agreements are essential. In the event of infringement, an injunction and damages can be claimed, among other things. We help shield your know-how contractually and in practice.
Disputes often concern delay, defects, additional work, or termination. The first step is to examine the contract and the delivered performance, followed by a substantiated claim and, if necessary, a notice of default. If a solution through negotiation or mediation fails, proceedings may follow. We represent your interests from the first reminder through to the courtroom.
With an assignment, the copyright in the software passes permanently to the customer, while with a licence the creator remains the rights holder and only grants a right of use. For bespoke software developed to order this should be agreed in advance, otherwise the rights remain with the developer.
A webshop must clearly state, among other things, the seller’s identity, the price including taxes, delivery costs, the right of withdrawal and the payment methods. Missing mandatory information can extend the withdrawal period and lead to fines from the regulator.
A DPIA is a mandatory assessment of privacy risks for processing that is likely to result in a high risk, such as large-scale profiling or video surveillance. The outcome helps you take appropriate measures before the processing begins.
SaaS contracts set out arrangements on availability, security, data loss and liability caps. Pay attention to the exclusion of consequential damage, the level of the liability ceiling and the arrangements for returning and deleting data when the agreement ends.
If you engage a party that processes personal data on your behalf, you must conclude a data processing agreement with arrangements on security, confidentiality, sub-processors and reporting data breaches. As controller you remain ultimately responsible for lawful processing.
Key Legal Terms
Important terminology explained in plain language
GDPR (General Data Protection Regulation)
EU-wide regulation governing personal data processing, effective since May 2018. Applies to any organization processing personal data of EU residents, regardless of the organization's location. Key principles: lawful basis for processing, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. Requires transparency (privacy policies), enabling data subject rights (access, rectification, erasure, portability), Data Protection Impact Assessments for high-risk processing, and appointing a Data Protection Officer in certain cases. Breaches must be reported to supervisory authorities within 72 hours. Fines can reach €20 million or 4% of global annual turnover. Enforced by national Data Protection Authorities; in the Netherlands, this is the Autoriteit Persoonsgegevens.
SaaS Agreement (Software as a Service)
Cloud-based software delivery model where customers access applications via the internet on a subscription basis rather than purchasing and installing software locally. SaaS agreements must address: service levels (uptime guarantees, support response times), data ownership and portability (customer retains ownership, can export data), security measures and certifications, functionality and updates, scalability, integration capabilities, termination and transition assistance, and pricing model. Critical differences from traditional licenses: customer doesn't own the software, vendor controls infrastructure and updates, data resides with vendor, and the relationship is ongoing rather than one-time. Common issues: service interruptions, data breaches, vendor lock-in, compliance with customer security requirements. Well-structured SaaS agreements balance vendor's need for operational flexibility with customer's need for reliability and data protection.
Data Processing Agreement (DPA)
Required contract under GDPR between a data controller and data processor governing how personal data will be processed. When you hire a vendor to process data on your behalf (e.g., cloud storage, email marketing, payroll services), you're the controller and they're the processor. The DPA must specify: subject matter and duration of processing, nature and purpose of processing, types of personal data and data subjects, controller's rights and obligations, and processor's obligations. Processors must: follow controller's instructions, implement appropriate security, only use approved sub-processors, assist with data subject requests and breach notifications, delete or return data when services end, and demonstrate compliance. Without a proper DPA, both parties risk GDPR violations. Standard processor terms often favor the vendor - controllers should negotiate protections aligned with their risk profile and regulatory obligations.
Source Code Escrow
Arrangement where a software vendor deposits source code with a neutral third party (escrow agent), which releases it to the customer if specified trigger events occur (vendor bankruptcy, failure to maintain software, breach of contract). Protects customers who depend on proprietary software from being stranded if the vendor can't support the product. The escrow agreement defines: what materials are deposited (source code, build instructions, documentation), deposit frequency (each major release), verification procedures (does the code actually compile?), and release conditions. Common in enterprise software deals, especially for mission-critical systems. Costs typically €2,000-€10,000 annually. Vendors resist escrow as it adds administrative burden and potentially exposes IP, but it's often necessary to close enterprise deals. Not a complete solution - even with source code, customers may lack expertise to maintain complex software. Alternatives include mandatory support terms and operational guarantees.
AI Act (EU Artificial Intelligence Act)
Comprehensive EU regulation for artificial intelligence systems, phasing in from 2025 to 2027. Creates a risk-based framework: prohibited AI (social scoring, real-time biometric surveillance), high-risk AI (employment tools, credit scoring, critical infrastructure; requires conformity assessment, registration, ongoing monitoring), limited-risk AI (chatbots, deepfakes; transparency requirements only), minimal-risk AI (most applications; no specific rules). High-risk systems must meet requirements for: data quality, technical documentation, transparency, human oversight, accuracy, cybersecurity, and risk management. General-purpose AI models face additional obligations. Enforcement through national authorities with fines up to €35 million or 7% of global turnover. Applies to providers placing AI on the EU market and users of high-risk systems in the EU. Significant compliance burden for developers but provides legal certainty. International companies serving EU customers must comply.
eIDAS (Electronic Identification and Trust Services)
EU regulation establishing a legal framework for electronic signatures, seals, timestamps, and other trust services across member states. Recognizes three signature levels: simple (any electronic indication of approval), advanced (uniquely linked to signatory, identifies them, created using secure means under sole control), and qualified (advanced signature with qualified certificate and secure device, legally equivalent to handwritten). Qualified trust service providers must meet strict security and audit requirements. E-signatures from one EU country must be recognized in all others. For contracts, simple signatures generally suffice; qualified signatures are required only for specific legal acts. Enables paperless transactions while maintaining security and legal certainty. The Netherlands implemented it through the Electronic Signatures Act. Critical for the digital economy and remote business. Replaced the earlier E-Signatures Directive with a more comprehensive framework.
Intellectual Property Assignment
Transfer of intellectual property rights from creator to another party. In Dutch law, IP rights don't automatically transfer: employment creates an exception where employers own employee work product, but contractors retain rights unless the contract explicitly assigns them. Written assignment must be clear and comprehensive: "assigns all right, title and interest in and to [defined work product], including all copyrights, patents, trademarks, trade secrets, and related rights." Assignments can be immediate or upon payment. Moral rights (attribution, integrity) generally can't be transferred in the Netherlands but can be waived. Important to specify: what's being assigned (specific code, all work product, future improvements?), scope (worldwide? specific fields of use?), and consideration (payment, equity, other value exchange). Without proper assignment, companies may not own what they think they paid for. Essential in software development, content creation, and any commissioned creative work.
SLA (Service Level Agreement)
The agreement recording the agreed quality levels of an IT service, such as availability, response times, and support, often with service credits or penalties for failure to meet them.
Software Copyright (Auteursrecht op Software)
The right protecting the maker against unauthorised reproduction or publication of software. For bespoke work, the right in principle rests with the developer unless transferred in writing.
Open Source Licence (Open Source-licentie)
A licence permitting the use, modification, and distribution of software under certain conditions. Some (copyleft) licences require derivative source code to be released.
NIS2 Directive (NIS2-richtlijn)
European legislation imposing stricter cybersecurity requirements on a broad group of organisations in essential and important sectors, with obligations on risk management, incident reporting, and management accountability.
Cloud Computing
Obtaining IT services such as storage, computing power, and software via the internet. In cloud contracts, arrangements on availability, security, data location, liability, and exit are particularly important.
Data Breach (Datalek)
A breach of security leading to the destruction, loss, or alteration of, or unauthorised access to, personal data. Under the GDPR, a data breach must in certain circumstances be reported to the supervisory authority and the data subjects.
Controller (Verwerkingsverantwoordelijke)
The party that determines the purposes and means of the processing of personal data and is therefore primarily responsible for compliance with the GDPR.
Processor (Verwerker)
The party that processes personal data on behalf of the controller, such as a cloud service provider. The arrangements on this are recorded in a data processing agreement.
Trade Secret (Bedrijfsgeheim)
Information that is secret, commercially valuable, and protected by reasonable measures. On unlawful acquisition or disclosure, an injunction and damages can be claimed, among other things.
Right of Withdrawal (Herroepingsrecht)
The right of a consumer to rescind, without reason and within the statutory cooling-off period, a purchase concluded online or off-premises. Webshops must inform clearly about this.
DPIA (Data Protection Impact Assessment)
A mandatory assessment of privacy risks for processing likely to result in a high risk to individuals. Its outcome helps an organisation take appropriate technical and organisational measures before processing starts.
Escrow Agreement (Escrow-overeenkomst)
An arrangement under which the source code of software is deposited with an independent third party. The customer gains access to the code if, for example, the supplier becomes insolvent or stops maintaining it.
Records of Processing (Verwerkingsregister)
The overview organisations must keep of their personal data processing activities, including the purposes, categories of data and retention periods, as required under data protection law.
Standard Contractual Clauses (SCC)
Model contract clauses adopted by the European Commission that provide an appropriate level of protection for transfers of personal data to countries outside the EU without an adequacy decision.
Digital Services Act (DSA)
European legislation imposing obligations on online platforms and intermediaries, including on tackling illegal content, transparency about advertising and the protection of users.