Are you a provider of public telecommunications networks or telecommunications services in the Netherlands? You provide, for example networks or services such as:
- landline or mobile telephony
- internet access or an internet network
- email or webmail services
- video conferencing services
- internet telephony
Then you must make sure your networks and services are always secure and working properly (in Dutch). Users must also be able to trust that communications are genuinely coming from you (authenticity)
Registering as a telecom provider with the ACM
Do you provide telecom services in the Netherlands? You must register with the Authority for Consumers and Markets (ACM, in Dutch). You have to register if you:
- provide public electronic communications networks
- provide public electronic communications services
- build or provide facilities that go with these
Registration is free. Registered companies pay an annual fee for the supervision. Is your turnover from telecom activities less than €2 million? Then you do not pay a fee for the supervision. You must provide your annual net turnover to the ACM (in Dutch).
Do you only engage in activities on behalf of a registered telecom provider? Then you do not need to register with the ACM.
Solving and reporting interruptions or failures
You must make sure your services and networks are always functional and do not break down (continuity responsibility). If there is a malfunction or other incident, you need to:
- do everything in your power to restore your services
- report the interruption or security issue to the Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur).
You must make sure the emergency number 112 can be reached at all times. You must also make sure your customers will be able to receive the NL-Alert warning system’s messages at all times.
Compensation in case of interruptions
If there is an interruption in internet, television, or telephony services that lasts longer than 12 hours, for instance as a result of technical failure, you must compensate your customers (in Dutch).
Security of communication data
You must protect all telecommunications data. You have to secure data from telephony and internet. Employees who have access to sensitive data must have a certificate of conduct (VOG). You as the owner also need certificate of conduct for legal entities (VOG RP).
You have to delete or anonymise traffic and location data as soon as these are no longer needed for the transmission of a communication. These are privacy sensitive data. You are allowed to use these data for business purpose, for example, to write an invoice. You must, however, let your subscriber or user know which data you process and for how long you keep the data. In some cases you must have your subscriber’s or user’s consent before you start processing the data, for example for market research. Subscribers and users must be able to revoke their consent easily and freely.
Reporting a data leak
Did you experience a security breach where personal data has been leaked? You must report this to the Dutch Privacy Authority (DPA, in Dutch)
Submitting client details
A number of government organisations such as judicial authorities, and intelligence and security services may request information about one of your clients. You may also receive a request for the wiretapping and handing over of telephone communications for criminal investigations. Your network or services have to be available for this.
If you are a telecom or internet service provider, you must join the Central Telecommunications Research Information Point (Centraal Informatiepunt Onderzoek Telecommunicatie, CIOT, in Dutch). You provide the CIOT with an updated file of your subscribers (personal data that belong to IP addresses) every 24 hours. You will receive a fee from the government for this.
As a provider of public telecommunications networks or telecommunications services in the Netherlands you may not delay or block competitive telephone or internet services and applications. You are also not allowed to charge extra money for these services and applications. This is called net neutrality.
In some cases you may block or restrict internet access (in Dutch). For instance to prevent 'congestion' on the network, to stop the spreading of malicious software, or if a law bans a certain website, app, or internet service. In such cases you can ban a type of service, to make sure other services can keep working. You have to describe how you deal with such issues in the contract.
Reporting telecommunications company takeovers
You are not allowed to sell you telecommunications company to an unreliable, untrustworthy, or criminal company. Such a party also cannot have power of control in your company.
Any party that wants to purchase Dutch telecom facilities, should report first to the Ministry of Economic Affairs and Climate Policy (Ministerie van Economische Zaken en Klimaat, EZK). To secure continuity and reliability of service and to safeguard public interests the government can prohibit or reverse such a takeover (in Dutch). This concerns takeovers of:
- suppliers of telephone and internet networks with more than 100,000 Dutch users
- hosting services with more than 400,000 .nl domain names
- internet hubs with more than 300 autonomous connected systems
- data centres with an electric capacity of over 50 megawatts (MW)
- certification services (qualified trust services)
- companies that offer servicers or a network to government organisations concerned with national security
Do you as a telecom provider have a problem (dispute) with a customer, municipality, or another telecom provider? Then you can ask the Authority for Consumers & Markets (ACM) to decide on the issue. This is called dispute resolution (geschilbeslechting, in Dutch).