An IT contract is an agreement for the delivery of software, SaaS, cloud, consultancy, or a combination thereof. Dutch IT companies are increasingly supplying foreign clients. A good IT contract covers privacy, IP rights, liability, and export control. In our practice, we see that Dutch suppliers use substandard general terms and conditions that do not work internationally. With a few targeted adjustments, the contract becomes strong both commercially and legally.

What is the legal problem?

IT contracts touch upon multiple areas of law simultaneously: intellectual property, privacy, liability, export control, and consumer or B2B protection. Different rules apply per country. Without a well-thought-out contractual basis, you will face unpredictable liability, GDPR claims, or disputes over ownership of results. In addition, every market expects its own contractual standards that do not automatically fit your template.

What does the law say?

Within the EU, the GDPR (Regulation 2016/679), NIS2 (Directive 2022/2555 on network and information systems), Cyber ​​Resilience Act (Regulation 2024/2847), and Data Act (Regulation 2023/2854, largely applicable as of 12 September 2025) apply. For digital services, the Digital Services Act (Regulation 2022/2065) applies. Under Dutch law, the Telecommunications Act regulates specific sector aspects.

For consumers, Article 7:50aa of the Dutch Civil Code applies (digital content and services). For dual-use software, EU Regulation 2021/821 applies. In addition to this Regulation, the Wassenaar Arrangement also applies to export controls of encryption technology.

What risks do companies face?

You risk high liability in the event of data breaches — fines of up to 4 percent of global turnover under Article 83 of the GDPR. Misunderstandings regarding IP ownership lead to proceedings concerning source code and derivative works. Unintended application of consumer law invalidates limitations of liability. Sanctions and export rules can block deliveries. An incorrect contract can end up costing IT companies much more than the assignment itself.

Practical example from our practice

We represented a Dutch SaaS provider with a German client under Dutch general terms and conditions. A data breach led to a GDPR fine and a client claim of 950,000 euros. The limitation of liability proved invalid under Section 309 No. 7 of the German Civil Code (BGB) due to the unreasonable exclusion of essential obligations. Upon renegotiation, we incorporated: a limitation of liability compliant with German law with separate ceilings per damage category, a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) under Implementing Decree 2021/914, NIS2 compliance, and an exit policy for data transfer.

What can you do?

Use an internationally harmonized version of your IT contract and general terms and conditions. Align privacy provisions with the GDPR and local legislation (DPA with SCCs for transfer). Regulate IP rights and usage licenses clearly. Incorporate appropriate limitations of liability and SLAs under Section 6:248 of the Dutch Civil Code. Assess export control under Regulation 2021/821. See also our article on SaaS agreements: legal considerations.