Data control is no longer an IT preference when invoices, payroll and proof live online.
The moment is usually ordinary. A founder opens the laptop before the first customer call, checks bank feeds, confirms payroll data, sends two invoices and searches an old project folder for evidence promised to a client. Nothing feels dramatic. The cloud works, so the company works.
The signal has to become readable
That is the practical core of Dutch cloud control. A June 2026 Accountant.nl news item captured a sharper business mood. Dutch organisations are weighing data control more heavily than the easy promise of cloud convenience. The official numbers explain why. CBS reported that 69 percent of Dutch companies with ten or more employed persons used paid cloud services in 2025. In ICT, the share was 89 percent.
Cloud was already common in 2024. CBS reported 71 percent cloud use among companies with more than ten employed persons, against 49 percent among companies with two to ten. That matters beyond large firms. It reaches the one-person BV and the five-person employer. Cloud is now ordinary business infrastructure.
The cloud is ordinary now
Cloud was sold to many entrepreneurs as relief. No server in the cupboard. No updates after dinner. No early Saturday visit from a technician because a hard disk sounded wrong. For many companies, that relief was real.
Relief is not the same as control. CBS describes vendor lock-in as a practical cloud-user problem. Weak interoperability, complex tariffs, egress fees and technical barriers can make switching hard after the first provider choice. Switching then costs cash, staff time, outside help and a period in which old and new systems run together.
The policy direction now follows the same line. The EU Data Act applies from 12 September 2025. It is meant to support fair access to and fair use of data, with more competition and freedom of choice in cloud services. In April 2026, Rijksoverheid reported that the Tweede Kamer approved the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten. The first bill implements NIS2 in the Netherlands. Relevant organisations still have to check their own scope.
Backup is a contract question
The hardest lessons often come from small wording. In February 2026, Rechtspraak published an Amsterdam Court of Appeal judgment about a server crash and missing cloud backups for a new server. The case was heard in summary proceedings. The court held provisionally that a 2018 agreement did not automatically create a duty to back up all servers.
What the signal changes
Article 23 of the NL ICT conditions did not, by itself, prove that backups had been agreed for that new server. The lesson is precision. Which server, which database, which folder, how often, where stored, how long retained, and when restored in a test?
Return to the founder at the laptop. If the accounting environment fails in VAT week, the problem is not only irritation. Belastingdienst states that entrepreneurs must keep VAT administration in a controllable bookkeeping system. It also states that digital records must remain usable during an audit. When invoices, bank links and work papers sit in the cloud, downtime can become a proof problem.
The supplier chain is deeper than the invoice
There is another quiet trap. The supplier on the invoice may not be the whole chain. CBS says the Dutch cloud market is dominated by foreign hyperscalers. It refers to ACM’s 2022 market study, which estimated their share at about 70 to 85 percent of Dutch cloud-market turnover.
CBS also notes that SaaS, PaaS and IaaS layers can be intertwined. A European software service can still rest on non-European infrastructure. A Dutch name, a European sales office or a local helpdesk tells only part of the story.
For personal data, the Rijksoverheid GDPR manual gives another practical reminder. Access from outside the European Economic Area can count as a transfer, subject to GDPR conditions. Access and support routes therefore matter as much as storage location.
AFM and DNB made the concentration point sharply for finance in October 2025. They warned that reliance on a limited number of non-European IT service providers creates increasing systemic risk in the Dutch financial sector. A small company is not a bank. Yet the mechanics can be similar at desk level. If one account controls email, documents, identity access, accounting, customer data and backups, one interruption touches the whole day.
What changes tomorrow morning
I do not like slogans around cloud sovereignty because they often hide the practical work. Full autonomy is rarely the realistic target for a small company. Strategic controllability is more useful. Can the business see the chain? Can it export the data? Can it restore work? Can it remove a former employee’s access?
What founders should check
The same CBS 2025 table reported 80 percent telework, 69 percent business software use and 33 percent AI use. It also recorded 2024 ICT security incidents: 16 percent of companies reported an incident with an internal cause, and 7 percent one caused by an external attack. Remote work makes access control less theoretical.
DNB’s DORA material is aimed at financial entities within scope. Still, it offers a useful model for others. ICT dependency should be named, current and testable. DNB’s 2026 DORA register process made the same point in finance. The institution remains responsible for the register’s accuracy and completeness.
For a small business, the next step does not need theatre. A serious conversation can start with one page: the systems that hold invoices, payroll, customer records, contracts and delivery proof; the visible suppliers and the hidden infrastructure; the people with access; the backup scope; the last restore test; the exit format; and the cash cost of double running during migration.
That page is not legal advice, and it is not a cybersecurity costume. It is management memory. It gives the founder, adviser or director a way to see dependency before stress turns it into a dispute.
The cloud has made business lighter in many ways. I would not romanticise old servers or paper folders. But convenience has a habit of borrowing attention from the future. The Dutch signal in 2026 is that attention is returning. Not through panic. Through proof.
The founder at the laptop does not need to become an infrastructure specialist. The company does need an answer when someone asks where the data is, who can reach it, how it returns after failure, and how the business leaves without losing its own story. That is no longer an IT question. It is the director’s question.
Sources
- CBS source
- Bedrijven vinden controle over data nu belangrijker dan gemak van de cloud
- CBS – Digital capacity and ICT labour pressure
- CBS – Vendor lock-in, multicloud and cloud switching barriers
- CBS – Cloud provider concentration and hyperscaler dependence
- Overheid.nl – Data Act and cloud switching
- Rijksoverheid – Dutch Cyberbeveiligingswet and NIS2 implementation
- DNB – Financial-sector operational resilience under DORA
Referenced in the article
Column | Ledger & Tax
Low Contractor Rates Put Dutch Payroll Risk on the Table
The proposed €38 presumption is civil law, but the tax pressure is already real.
Column | Governance
When Care Money Leaves the Care Route, Governance Must Answer
A Dutch fraud signal shows why small providers need proof of work, control and cash.
Column | Ledger & Tax
EU Transfer Tax Signal Sharpens Dutch Property Share Deals
For Dutch founders, the question is cash, proof and timing before the shares move.
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
