Image generated with AI for illustrative purposes.

Digital Rules Are Reaching the Small Firm’s Supplier Contracts

The risk is no longer using software, but failing to show who controls it.

On a Tuesday morning, a small owner-manager does not meet European digital law in a courtroom or a policy note. She meets it in three emails. A larger client asks for security information. A software supplier changes its terms. The web agency mentions accessibility. Meanwhile, one employee is using an AI function inside a marketing tool, and nobody has written down what data goes into it.

The signal has to become readable

This is no longer only a matter of software use, or even Dutch checkout price compliance at the edge of the webshop. The pressure now reaches the contracts, tools, suppliers, and records that keep a small firm running.

That is where the pressure starts. Not in theory, but in the daily work of a small firm.

The digital business is already here

CBS reported in March 2026 that 89 percent of Dutch SMEs with 10 to 250 employees reached at least a basic level of digital intensity in 2025. The EU average was 71 percent. CBS uses that threshold for companies using at least four of twelve selected digital technologies.

AI is moving the same way. CBS reported that 33 percent of companies with 10 or more workers used one or more surveyed AI technologies in 2025. That was 23 percent in 2024 and 14 percent in 2023. Among microbusinesses with 2 to 9 workers, CBS found AI use at 13.8 percent in 2025.

For small firms, that often means software bought from a supplier, not a system built in-house. The owner may use AI through bookkeeping software, customer service tools, planning systems, HR products, document drafting, or online advertising.

What the signal changes

The question then changes. Who chose the tool? What data goes into it? Who checks the output? What happens when the result touches a customer, worker, or contract?

The legal clock is already moving

Rijksoverheid states that the AI Regulation entered into force on 1 August 2024 and applies in phases. Rules on prohibited AI systems applied from 2 February 2025. Rules for general-purpose AI models applied from 2 August 2025. High-risk AI application and transparency obligations apply from 2 August 2026, with high-risk AI product requirements and full application from 2 August 2027.

For an owner-manager, the useful question is not whether the whole rulebook lands in 2027. It is which parts of the company already touch customers, workers, credit, health, safety, complaints, pricing, planning, or legal documents. That is where a casual tool becomes a controlled business process.

In April 2026, Rijksoverheid opened consultation on Dutch implementation, with existing supervisors proposed in their own domains and coordinating roles for the Autoriteit Persoonsgegevens and Rijksinspectie Digitale Infrastructuur. That sounds far from the workshop floor. It is not far from the moment a client asks where AI is used in the work.

Contracts carry much of the pressure

For many small companies, digital law arrives first through contract terms. AFM says DORA gives strong attention to third-party ICT risk in financial firms. Entities in scope must include ICT supplier risk in risk management, keep contractual arrangements in a register, and add extra contract elements for critical or important outsourcing.

As a result, a software provider, cloud support firm, or data centre can feel that pressure even outside finance. The bank, insurer, or payment firm asks for incident support, audit rights, continuity information, subcontractor details, and exit arrangements. In practice, that changes the negotiation before it changes the supplier's own statute book.

Connected products bring the same shift. ACM says the Data Act has applied since 12 September 2025 and covers data sharing from connected products and related services. It gives users more control over data from smart devices and supports cloud switching. Rijksoverheid states that the Cyber Resilience Act entered into force on 10 December 2024. Manufacturers face reporting duties for actively exploited vulnerabilities and serious incidents from 11 September 2026.

What founders should check

A maker, importer, or reseller of a product with software now has to think beyond the sale. Updates, vulnerability handling, supplier evidence, and customer data access become part of the product's working life.

Proof has a cost

CBS reported fewer companies with at least one external cyber incident in 2024 than in 2016, 4 percent against 11 percent. That is welcome. The same CBS update also shows a sharp gap in readiness. In 2025, 86 percent of large companies used ten or more of twelve surveyed cybersecurity measures. Among companies with 2 to 10 employees, only 13 percent did.

That is a margin issue before it is a drama. Small firms have less time, fewer specialists, and more mixed responsibilities. The person who approves invoices may also manage passwords, talk to the web agency, and answer the insurer. So digital evidence has to stay compact enough to use.

The cost also shows up in work that used to feel informal. Software changes, website fixes, security measures, supplier checks, documentation, testing, and incident preparation all take time or money. If those costs stay invisible in budgets, project notes, and management information, the owner cannot price the work. A broad audit clause signed for free can turn compliance into unpaid labour.

Accessibility sits in the same line

For online sellers, accessibility is part of the same practical picture. ACM supervises e-commerce and communication services under European Accessibility Act rules from 28 June 2025. The obligations apply to companies with 10 or more employees and/or annual revenue above 2 million euros. In its 2026 control sample, ACM found that 61 percent of the largest Dutch webshops were not digitally accessible.

For a smaller seller near the threshold, the useful places to look are the checkout, forms, documents, mobile pages, and customer support. These are not separate legal islands. They are the points where customers meet the company, and where a complaint starts. The checkout is also where Dutch checkout price compliance, accessibility, payment proof, and customer trust meet in one narrow space.

What the owner-manager needs

I would not turn this into a thick binder. I would start with a living inventory: AI tools, cloud tools, connected products, the webshop, customer portal, payment system, and key suppliers. Mark the tools that touch customers, workers, legal documents, complaints, pricing, credit, or safety. Then add the contract, security statement, support route, update policy, and named internal owner where they exist.

Return to the owner-manager on Tuesday morning. She does not need theatre. She needs to answer the client, check the supplier terms, ask the web agency for a clear repair plan, and record who owns the AI tools. The company may be small, but its digital footprint is no longer informal.

That is the quiet shift in Dutch business compliance. Digital adoption brought speed. The next phase asks for responsibility that can be shown. Not panic, not paperwork for its own sake, but enough evidence to keep trust, contracts, cash, and customers moving.

Referenced in the article

Editorial standard

The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.

Add a considered note

Add your note

Your email address will not be published. Required fields are marked *