A SaaS agreement is a contract in which access to software is provided as a service via the cloud. SaaS has grown into the standard for business software. For suppliers and customers, SaaS brings specific legal challenges: continuity, data ownership, privacy, security, and liability in the event of failures. In our practice, we advise both sides — suppliers who want to strengthen their position and customers who want to protect themselves against lock-in.
What is the legal problem?
SaaS agreements regulate access rather than installation. The customer is dependent on the supplier's uptime, continuity, and data management. The supplier must take into account data sovereignty, security, and liability. Multiple privacy regimes apply to international customers. Uncertainties regarding auto-renewal, price escalation, exit, and data portability lead to conflicts and lock-in.
What does the law say?
The Digital Content and Services Directive (EU 2019/770) governs B2C SaaS, implemented in the Netherlands in Article 7:50aa et seq. of the Civil Code. General contractual principles apply to B2B. The GDPR (Regulation 2016/679), NIS2 (Directive 2022/2555), and the Data Act (Regulation 2023/2854) are relevant for processing, security, and portability. The Data Act largely applies as of September 12, 2025.
For B2C SaaS to consumers, mandatory law of the country of the consumer may apply under Article 6 of the Rome I Regulation. Regulation 833/2014 (Russia) and specific regimes apply to sanctions and export controls.
What risks do companies face?
For customers: lock-in, data loss at contract end, unfavorable price increases, and inadequate uptime. For suppliers: unlimited liability in the event of data breaches, fines under Article 83 of the GDPR, and claims in the event of major outages. In international sales, additional risks threaten due to varying mandatory rules. An incorrect contract leads to revenue loss, reputational damage, and fines of up to 4 percent of global turnover.
Practical example from our practice
We advised a Dutch SaaS supplier on a British multinational. The old contract provided insufficient data portability and contained a short exit period. In the event of a potential switch to a competitor, data export would cost months and an additional 200,000 euros. Upon contract renewal, we incorporated Data Act compliance: a 90-day transition period, data format in CSV and JSON, transition assistance at a fixed rate, and termination without penalty at the end of the term. The client retained the customer with stronger terms.
What can you do?
Arrange uptime, support, and escalation via an SLA. Incorporate reasonable limitations of liability under Section 6:248 of the Dutch Civil Code. Agree on price indexation and modification rights. Provide for data portability (Section 25 of the Data Act), a transition period, and a clear exit arrangement. Align privacy, security, and localization requirements with the GDPR and NIS2. See also our article on IT contracts with foreign customers.